8c07ec9d47b71a2908a9e091af5e181c7370d8a6248c663805ca1a7064173fc2

Analysis

max time kernel
141s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe
Size

96KB
MD5

95acba26bb6fc0d4bc0306dc5caf5ab0
SHA1

f55245b32886027080805acfb613af0e476c16d1
SHA256

8c07ec9d47b71a2908a9e091af5e181c7370d8a6248c663805ca1a7064173fc2
SHA512

1466fc612a8fc9dd179da0d6ea480fc1b7bbe7648a04940dfd616c4643d57dddc179d7f24b9c3f5d5c5cd1e7df81dfa2882b6bda79068321d1c279b9eec6158c
SSDEEP

1536:CnfI87zChGQFX0rlGMlmDULc4HVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVsWz2:2fI87mhGQFX0rMoo4HVqZ2fQkbn1vVAT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edbiniff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqpfmlce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gijmad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihibbjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Galoohke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkjmlaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iafkld32.exe

Executes dropped EXE 47 IoCs

pid	Process
3676	Lgpoihnl.exe
2416	Mqafhl32.exe
2436	Mfqlfb32.exe
1028	Mjaabq32.exe
3528	Nqmfdj32.exe
4604	Ngjkfd32.exe
2548	Nadleilm.exe
860	Oplfkeob.exe
5020	Oghghb32.exe
1392	Ocaebc32.exe
3948	Pagbaglh.exe
3280	Pffgom32.exe
2792	Qhhpop32.exe
2208	Qjiipk32.exe
2628	Adcjop32.exe
1388	Aaldccip.exe
884	Bobabg32.exe
4620	Bacjdbch.exe
1596	Bgelgi32.exe
640	Cnaaib32.exe
4636	Cpbjkn32.exe
3120	Dqpfmlce.exe
2556	Edbiniff.exe
3632	Fnbcgn32.exe
3976	Fkjmlaac.exe
4380	Galoohke.exe
4984	Gbnhoj32.exe
772	Gijmad32.exe
3012	Hajkqfoe.exe
2616	Hihibbjo.exe
4764	Iafkld32.exe
3908	Jidinqpb.exe
3804	Jikoopij.exe
1968	Khbiello.exe
2788	Kheekkjl.exe
2156	Kpnjah32.exe
2440	Kcapicdj.exe
1676	Lindkm32.exe
1480	Loacdc32.exe
1840	Mfnhfm32.exe
1328	Njedbjej.exe
5076	Nbbeml32.exe
4944	Ookoaokf.exe
1444	Oblhcj32.exe
4924	Pfojdh32.exe
2808	Pmmlla32.exe
4336	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Blknem32.dll	Gbnhoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Kpnjah32.exe
File opened for modification	C:\Windows\SysWOW64\Dqpfmlce.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Ghehjh32.dll	Edbiniff.exe
File created	C:\Windows\SysWOW64\Kpqfid32.dll	Galoohke.exe
File created	C:\Windows\SysWOW64\Gijmad32.exe	Gbnhoj32.exe
File created	C:\Windows\SysWOW64\Mleggmck.dll	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Dicdcemd.dll	Nqmfdj32.exe
File created	C:\Windows\SysWOW64\Pagbaglh.exe	Ocaebc32.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Dqpfmlce.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Fkjmlaac.exe	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Ojnkocdc.dll	Mqafhl32.exe
File opened for modification	C:\Windows\SysWOW64\Adcjop32.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Qjiipk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Fnbcgn32.exe	Edbiniff.exe
File created	C:\Windows\SysWOW64\Hodlgn32.dll	Fkjmlaac.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Ookoaokf.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Holpib32.dll	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Pfojdh32.exe	Oblhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Nqmfdj32.exe
File created	C:\Windows\SysWOW64\Bgagea32.dll	Ngjkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Bacjdbch.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Jidinqpb.exe	Iafkld32.exe
File created	C:\Windows\SysWOW64\Blqhpg32.dll	Nadleilm.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Anjcohke.dll	Jikoopij.exe
File created	C:\Windows\SysWOW64\Gpdbcaok.dll	Khbiello.exe
File created	C:\Windows\SysWOW64\Hajkqfoe.exe	Gijmad32.exe
File opened for modification	C:\Windows\SysWOW64\Jidinqpb.exe	Iafkld32.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Pffgom32.exe	Pagbaglh.exe
File opened for modification	C:\Windows\SysWOW64\Fkjmlaac.exe	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Loacdc32.exe	Lindkm32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Lindkm32.exe	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Folnlh32.dll	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Ocaebc32.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Hiciojhd.dll	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Pnjiffif.dll	Iafkld32.exe
File created	C:\Windows\SysWOW64\Njedbjej.exe	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Gadiippo.dll	Oghghb32.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Gijmad32.exe	Gbnhoj32.exe
File created	C:\Windows\SysWOW64\Nadleilm.exe	Ngjkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Edbiniff.exe	Dqpfmlce.exe
File opened for modification	C:\Windows\SysWOW64\Mfnhfm32.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Jikoopij.exe	Jidinqpb.exe
File created	C:\Windows\SysWOW64\Kheekkjl.exe	Khbiello.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Nqmfdj32.exe	Mjaabq32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Edbiniff.exe	Dqpfmlce.exe
File opened for modification	C:\Windows\SysWOW64\Lgpoihnl.exe	95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fnihkq32.dll	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Kldgkp32.dll	Kpnjah32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	4336	WerFault.exe	136

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobmce32.dll"	Fnbcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpnjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdbcaok.dll"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghehjh32.dll"	Edbiniff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll"	Dqpfmlce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodlgn32.dll"	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Galoohke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll"	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleggmck.dll"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll"	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidinqpb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3676	4752	95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe	90
PID 4752 wrote to memory of 3676	4752	95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe	90
PID 4752 wrote to memory of 3676	4752	95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe	90
PID 3676 wrote to memory of 2416	3676	Lgpoihnl.exe	91
PID 3676 wrote to memory of 2416	3676	Lgpoihnl.exe	91
PID 3676 wrote to memory of 2416	3676	Lgpoihnl.exe	91
PID 2416 wrote to memory of 2436	2416	Mqafhl32.exe	92
PID 2416 wrote to memory of 2436	2416	Mqafhl32.exe	92
PID 2416 wrote to memory of 2436	2416	Mqafhl32.exe	92
PID 2436 wrote to memory of 1028	2436	Mfqlfb32.exe	93
PID 2436 wrote to memory of 1028	2436	Mfqlfb32.exe	93
PID 2436 wrote to memory of 1028	2436	Mfqlfb32.exe	93
PID 1028 wrote to memory of 3528	1028	Mjaabq32.exe	94
PID 1028 wrote to memory of 3528	1028	Mjaabq32.exe	94
PID 1028 wrote to memory of 3528	1028	Mjaabq32.exe	94
PID 3528 wrote to memory of 4604	3528	Nqmfdj32.exe	95
PID 3528 wrote to memory of 4604	3528	Nqmfdj32.exe	95
PID 3528 wrote to memory of 4604	3528	Nqmfdj32.exe	95
PID 4604 wrote to memory of 2548	4604	Ngjkfd32.exe	96
PID 4604 wrote to memory of 2548	4604	Ngjkfd32.exe	96
PID 4604 wrote to memory of 2548	4604	Ngjkfd32.exe	96
PID 2548 wrote to memory of 860	2548	Nadleilm.exe	97
PID 2548 wrote to memory of 860	2548	Nadleilm.exe	97
PID 2548 wrote to memory of 860	2548	Nadleilm.exe	97
PID 860 wrote to memory of 5020	860	Oplfkeob.exe	98
PID 860 wrote to memory of 5020	860	Oplfkeob.exe	98
PID 860 wrote to memory of 5020	860	Oplfkeob.exe	98
PID 5020 wrote to memory of 1392	5020	Oghghb32.exe	99
PID 5020 wrote to memory of 1392	5020	Oghghb32.exe	99
PID 5020 wrote to memory of 1392	5020	Oghghb32.exe	99
PID 1392 wrote to memory of 3948	1392	Ocaebc32.exe	100
PID 1392 wrote to memory of 3948	1392	Ocaebc32.exe	100
PID 1392 wrote to memory of 3948	1392	Ocaebc32.exe	100
PID 3948 wrote to memory of 3280	3948	Pagbaglh.exe	101
PID 3948 wrote to memory of 3280	3948	Pagbaglh.exe	101
PID 3948 wrote to memory of 3280	3948	Pagbaglh.exe	101
PID 3280 wrote to memory of 2792	3280	Pffgom32.exe	102
PID 3280 wrote to memory of 2792	3280	Pffgom32.exe	102
PID 3280 wrote to memory of 2792	3280	Pffgom32.exe	102
PID 2792 wrote to memory of 2208	2792	Qhhpop32.exe	103
PID 2792 wrote to memory of 2208	2792	Qhhpop32.exe	103
PID 2792 wrote to memory of 2208	2792	Qhhpop32.exe	103
PID 2208 wrote to memory of 2628	2208	Qjiipk32.exe	104
PID 2208 wrote to memory of 2628	2208	Qjiipk32.exe	104
PID 2208 wrote to memory of 2628	2208	Qjiipk32.exe	104
PID 2628 wrote to memory of 1388	2628	Adcjop32.exe	105
PID 2628 wrote to memory of 1388	2628	Adcjop32.exe	105
PID 2628 wrote to memory of 1388	2628	Adcjop32.exe	105
PID 1388 wrote to memory of 884	1388	Aaldccip.exe	106
PID 1388 wrote to memory of 884	1388	Aaldccip.exe	106
PID 1388 wrote to memory of 884	1388	Aaldccip.exe	106
PID 884 wrote to memory of 4620	884	Bobabg32.exe	107
PID 884 wrote to memory of 4620	884	Bobabg32.exe	107
PID 884 wrote to memory of 4620	884	Bobabg32.exe	107
PID 4620 wrote to memory of 1596	4620	Bacjdbch.exe	108
PID 4620 wrote to memory of 1596	4620	Bacjdbch.exe	108
PID 4620 wrote to memory of 1596	4620	Bacjdbch.exe	108
PID 1596 wrote to memory of 640	1596	Bgelgi32.exe	109
PID 1596 wrote to memory of 640	1596	Bgelgi32.exe	109
PID 1596 wrote to memory of 640	1596	Bgelgi32.exe	109
PID 640 wrote to memory of 4636	640	Cnaaib32.exe	110
PID 640 wrote to memory of 4636	640	Cnaaib32.exe	110
PID 640 wrote to memory of 4636	640	Cnaaib32.exe	110
PID 4636 wrote to memory of 3120	4636	Cpbjkn32.exe	111

C:\Users\Admin\AppData\Local\Temp\95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\95acba26bb6fc0d4bc0306dc5caf5ab0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\Lgpoihnl.exe
  C:\Windows\system32\Lgpoihnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\SysWOW64\Mqafhl32.exe
    C:\Windows\system32\Mqafhl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\Mfqlfb32.exe
      C:\Windows\system32\Mfqlfb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        48⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 400
        49⤵
        Program crash
        
        PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4336 -ip 4336
1⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
96KB

MD5
8826000f1ff893a2419e931367ee894a

SHA1
517e24e85fe21113637f474a86ce207e91149e68

SHA256
3a7457aee00bc05462e30369715b7e1ac41fe8cc61eaf3f0f5659ed0725b1dc5

SHA512
49cb6d64b2e2547475fac6a7c7c64843107ad969f37f15494942ae2dfbc1d88ac7cbb88ecb10f28dbcc07ae2abf97bdb1b0e1e5e1db18e580483e44394f411d6

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
96KB

MD5
123cd2fe65484cba49222936050f0aa9

SHA1
4185eae977f31a40670cd749385caef9d6a94973

SHA256
ad728e16cb32dd2d2cfc4c1541fb31d70687ac0e4dc195704421bef43ba04c06

SHA512
19f4675930b26f2914bd9b725738d2e323bc670bbe56fe160ba5eeddbe8623c999c8f795dc6f92ff96ff25eda12ceaa2d7b6847aa5ea079f05657ec611c51e09

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
96KB

MD5
34957c420ce378fe2cd2f9ce01e23372

SHA1
8bebf81e9065b89af72d63efe65a29276b60c4d7

SHA256
5faee282dcfc62c3045f0dcf284d009d8150df830569eb8ceb1d1c5a771f2d75

SHA512
6e2618751a64f697b687ba7b1522693786d230c8ce498707760ab08a683761275b6b1697e5d09a7dbe3321277737b5c540f063415bc85dad22973a62ca616476

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
96KB

MD5
530e06263732d48caed9013f7d3b7bf8

SHA1
73fb2f75c64b1ca1fcacc4e167b4b7423f66d576

SHA256
8dfc48276b3f83819279a1b288f280f051bbacf24ae45ab0adec16eb7cb60700

SHA512
ab3d494621ef2fc13a8e90f2b083baed87b2f5bea65b64ee272c06116713504f96400cfa4e5ca7633c1a19f59f61010b17fab0d03746cb0513a0c3a45df9f572

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
96KB

MD5
91317fe47d633a2da75e3fd726d068fb

SHA1
29ea4e8f462b4ed32002bf2ae1541d8f32aa1bc7

SHA256
367b0c9cb7f6748a60c9e43a313f43d9770c6aded819428b9ecdb16d9e421add

SHA512
d5964fff62290fac9e9021daa4a6817bac03cf534bacbebc03d0ac0ab5241166e6c3a22d1929b1b8154c7622485a0ad48b3e5217dab61e9d92ed943294bd6595

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
96KB

MD5
1707ae96a73f6624c2919d932d3f3451

SHA1
6ae8a392003687319892561f0dc41d29bb845173

SHA256
8f74170b967ea761674b5065802007878fbc139ff3de177840fccfc24e387a55

SHA512
58527e6d4f63b2966d8644b327f165043db4cf5787212103f7b509ba36a07bbe9b499654977d86449638de025721707186ecb005e9d5c7f2234f8350f6d90cb2

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
96KB

MD5
a5f23b25201a15016d26371a0962631b

SHA1
f3f0eab3cc05168f496578dff79884b29a8c287b

SHA256
e62e780e40cd12c8dcdc67693dd3f8c386fb8ed8ef8e4c0e022409cb10d89889

SHA512
22365d4ccb9b358dc1c36bf10f41b1f1a18cd0f1681f0303c307b969ab70d705f10ff474727e91402c25bbea5fd1833957a0fb0522d745eef68e9148633fffdd

Download Submit
C:\Windows\SysWOW64\Dqpfmlce.exe

Filesize
96KB

MD5
df7ff9a056aa6f91456c512fa3007967

SHA1
f25cd2526eecc89910fcf5b9efaa192589dbeeef

SHA256
b1f4d7155ccbbeedb4c8773ff2580a5f4b58455562bdd89803175f24864c5e20

SHA512
88416bd6b1e96d2210483f423f2eb24033ac887350266795bc71a173268064e8c927dbb342d6b914f322c8f36f35f00bb696d388888625f2e4d2152c7aa30abb

Download Submit
C:\Windows\SysWOW64\Edbiniff.exe

Filesize
96KB

MD5
a0041811f515b36c8a505f219858bd11

SHA1
f7fa065a7ed5dd26f9a52c02b04e923211720226

SHA256
9f36b6e244b27ff790b381c2ea0398fe0f385ede4f9ed0bec0e30df5474f2f06

SHA512
cf2e3ec3653c85c012afa84a257ad4f5b11095deac180bde92cafba04ba167eab790dbe78f1941928257ec45a292210bcb8825ca40f3851dd305c7517e00450d

Download Submit
C:\Windows\SysWOW64\Fkjmlaac.exe

Filesize
96KB

MD5
e78c9c50afe0e11236953d0799e27e97

SHA1
c0d4c3e1becb1658a595fbd0486d9f9cd68697ad

SHA256
3ffeef40b58215337d89e8c3341235292b2f1b4924a52c98659171d3cb72e334

SHA512
efb33c3926a39bdbf2522d19b26af33f63d516f609de58f5555816324f3a5bc259dcc46ae3eae53fb76d15274994d2b6fa2926a97349ebcbb8b103ccf9d10222

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
96KB

MD5
0b7aed05648cac763b00a86ed4589a22

SHA1
2849135cbdb8e51e035cfc101bb342c0afa526c3

SHA256
a2d8580dd40d816c73e127a422954fa878b9780f72dbeef15e4995860da36a9b

SHA512
96875b08e945ab6d2090f6b342d8c3a47039440cea53ab119adfe20d920af4362e05c04844cbd427c5f025a6b04bb1046f5c7934054ee215940240e05c2cb910

Download Submit
C:\Windows\SysWOW64\Galoohke.exe

Filesize
96KB

MD5
8e9d788055136496ffc492975f3e8865

SHA1
03f5e9ec340899c2bcf513a8d27f61a9a44d07f0

SHA256
fce7a9756ea2253fb145e3829ca81e81d5d535d952a48576dd3f177cbbf73eb8

SHA512
db57f1242e161da8fa749c419e859af394a0c02e4cf43d4ae6873d89cd14e4fa8dcc848737b84604e3499b22294c36417ff8fc83bc64f941714286a3d3ca0e59

Download Submit
C:\Windows\SysWOW64\Gbnhoj32.exe

Filesize
96KB

MD5
08b438ae07fe30a487dae93745a2435d

SHA1
0acdaf9fa0cb541352472df09e7c12b6a07881b0

SHA256
b40029c625f90b8a02cc6bba935c50fadac51bc05dbeab9a277af97a88ec1186

SHA512
529d8f9ecffcbde624b47c1d99205ed4ad11856fca6aacf4dd0d8cd81b5de0b3bf607bc23d73e57ce04358055649cdddb03615cf6cb7a7aee22acaf7dbc1aed5

Download Submit
C:\Windows\SysWOW64\Gijmad32.exe

Filesize
96KB

MD5
0c325cffac58830cc6ddfe119f551f72

SHA1
44e689b611c98da3a4c1d7cd80a5c48ff3938625

SHA256
52f177dbd69ba16b189c48f1e21d7891ae524bad00fa533edd714ea94fb8e745

SHA512
dc3869c710f312779c5544805f04ce4a326dc520d5681e648bc67e8c73bedf75ff06a8cf46b0895710d7c463dc2477c1585d4376324d7f3e857d27b96925fe38

Download Submit
C:\Windows\SysWOW64\Hajkqfoe.exe

Filesize
96KB

MD5
4ebcbd26a0d85349c55510b15874bfee

SHA1
2288311f5cef0f6c07a1bfcf383cc887119bbb58

SHA256
003d97e55180938e3656ae9afbe157bae2c2c40ec7592ff2f5bc36fa5cffc133

SHA512
12f1850af715a972d86173a3e891829d740af62550d01d3c7a81462c9ce318e498d03fdcfd2e187bf5a13cfca324139c32f0fc3ad5b52e7bc89b2cf0ce09c868

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
96KB

MD5
a3aef89f9c3606540479499c00e74244

SHA1
3a3a6f69c8e514c3f0f9d758561908878c167da0

SHA256
9b51721fde7dfb1fa5da1b651dd4348750fd044a80db74af9c1f30cd0039170c

SHA512
f0714b0ccd2fc0eb3aa15c1c81ca8b1be72f5a8cbe5a6bf5d912ba1e766d77125fb2302ad90e289ed1a9ddd432913ccfe56bf6046a2b5ed05a9a5c9a4caf45d8

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
96KB

MD5
034bb32db0e4f89712136866c979ce24

SHA1
785280d7e75bdbf8312d6e222967011fae3f85b5

SHA256
d89e863e0a8a8489301f8ecfc17479f79989feeafd4fba893620aa41a3cfd2eb

SHA512
9435807b139f47d48a7c9142a42b781cba1f118e684f1c85104fd22968995a0df433e36884f4299b905cd7ffe868fcacebb5a59b7002885dbeaa5ab5782df5c4

Download Submit
C:\Windows\SysWOW64\Jidinqpb.exe

Filesize
96KB

MD5
e8acc5187330ccfb6c44465a937c5f59

SHA1
0d562bd86e25911da07fa18ca82419e4ea356487

SHA256
a81ed9b5ff7936616a647ac0bd50308827c0eb2908c66963febfc2bc2316eb8e

SHA512
277ce9b63a2fb7491414eee6a85ecbe7ad13ecfa373461f14b9b669a2fdc8c9d0a34010a4d461d843e62f5ac86ee39bbe70020743f622bb64480d71a61a9ee77

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
96KB

MD5
efefed594f3e43d65f38f77b9e0dbbea

SHA1
1210e2fe7a6b6e9cd5f99df54d9acc5fb97a9f1f

SHA256
2f9a4634207c7c4b25eee27a79dbc4227dbaf9b5176da7196536f2c88824e75d

SHA512
100387f56414c234c91cd5db390de16f5a0dd2f4cfca9b5cb10cd1e441d3a056aa02b43f5dba41cfd5e178e79cc0e369801439dc3da6c47a7b94af06b21535f6

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
96KB

MD5
a7974245cc97e60c14d670a18b2cd956

SHA1
bc44b83ff8d672a9fb1525990b871dce2bb9dbf7

SHA256
845d2918208984633795cbeb78c3ec993f5d2504f967394f88efcf47ba9ad723

SHA512
fb473a3c4aada79b31f29f0027480fea699e4df6a01938c4be1d5efaa920536ccf9828ecd9cb9e8f31f952df77ed7a9d0183ee4f5b82d786851ffc3a12c7fb52

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
96KB

MD5
aa0d1b97322565d57a0bb0334cd05113

SHA1
0b5fe34c7a739bf7e3bd7106d20420f8f758c136

SHA256
d4d0ece5aef9220e85432a1972ea465d9d5bff6736b34370a03b6214e40cd10e

SHA512
753841d7698fcc8d92181833496c8758d26b35f4b050fecc5738795a33575df26def76ae58b7dd7e7d75911b993213d315176abb80adb9ccc58b9eb2f39d45a0

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
96KB

MD5
0b6c7b6d605dfaf0a42728db228222ea

SHA1
4bb9a3280199c946677f891dadb3f607b770c73e

SHA256
a973548d20fafde4332c4b4537e6c4df17f1fdbea43d85b5e710b1c5bf2dba86

SHA512
323c553813713e5a9fc505f46e007e1afc6b88f1e935c4b87e64a85e46eba4f819c294460315a6a0a0fc0a66679bcac3ca2a88b2e951614460ebcd3523c92de4

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
96KB

MD5
5450bf1e97e02a4d711e6ed23c910356

SHA1
062f9698fe77f2125c865f3113736fe7b27c3a0e

SHA256
f7e61f1512c4cd6edac36ad55e5c539f05bc5bf357827722fe09e4241d1b3c2f

SHA512
cda9fb8c5951338b53a8ccced33587f673a2166b66483a7a4af1a359350f21d160352e73612a01e525de0cce978854213726f890d42a9f06dc9fad9953702154

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
96KB

MD5
f46d196d279e0ef8716467e2b66fea08

SHA1
bf5ea3eec34c3f8669400dee2ad81d58d639a47e

SHA256
8d43975880aced00d08697acb6353cc3f5e4f36d4f9c0de36ed77df321bdaa17

SHA512
ff9304d8afee62809890e6bbda30e7fca0206dfa6472652908afb60b2f96097bc02f5aa06e219ea825f84037bceef4304a1e3b9d54943a39c265653939ef76cb

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
96KB

MD5
64d63bc934d4caa557fd5a14ec39dbe1

SHA1
79a3a8c9389a2658828be3d6614961c634581fdc

SHA256
eccd7b836a9fd8237bf4d14f9d46854149166bd3ee2ae5a0ab5a7c94c6dcdb50

SHA512
0915d73131a44b516cfbfd811fd55d6d870189afc255b8b994a4a8f8027e1c6c495f72e0256a9163a39364d51df7f5d5211b03b290979ce84b26997aad05c1be

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
96KB

MD5
363f4f3cc2ce6d35b1cbdc9d962f89ca

SHA1
971fdd1d7207955c6695caa1be67e362eaa91804

SHA256
960aef92a072dc7353f373620ccc5deaa838de9e768218ec442d73581fddc645

SHA512
f1e5c6e7005844d6fe1938892db08d0fb1d8d1767506b38d092ea4d3c3860e1d49e411b7da2ab2e27d9327b9c992523953ba3431f1de7056473916613d64f4a5

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
96KB

MD5
278ac672a017964bf13f81e7f0b777d7

SHA1
c19a059dbbc58fe5971e575f214295f8dae4ab1f

SHA256
678356034365471275cae32b714e4625edfc91d4fed82bbdb9002b964d1eac9b

SHA512
d75654d4af6ad3d3f9f7faf2166bed93dd09e00f447ec926a0b8dfaeb72aa527fc705afbc71d98520332a208177681f00f01188dc8114f2b4e77d3eec6f133a0

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
96KB

MD5
3b94e029d68a7445c88033e72af9e2c7

SHA1
8566a6c84fcb187214d7d983ccddc485e2ccc481

SHA256
9e5f053dc346db32b29ec410768757284d709afad5adb8c0de72982560f0c0cb

SHA512
a68197fa741d70712316852379298133bbfd955488463df33657790f15faee169aa1876e6a2b8f723c7d53d7d5d04e13fc93eba576fca60107bdc4382d9c2b82

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
96KB

MD5
bc4371d1540ff8ca9b9e3847eaf483a2

SHA1
e5525bcfaf6efa1fa8f86a2a9490c7d48ef06d7f

SHA256
1a4ede6aeaf800ee1fd9d6e6d95e0f0df3361a739c10c30ea18de44911ece3d5

SHA512
e60bda776320a37498389462abe97adf8c577eeeace75611eaf8f3c463bf3634ec9967498650244c086ae95d1c85e60f5e6af9f369fbc705450ec776a13ec82b

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
96KB

MD5
137a8e1fc2e3874422f36735b664173b

SHA1
05f13843bc86bf1d9bdbd45d48fb49309cade98c

SHA256
472d843e2c0d4b2b69856f1bd897f06874420a42dc2d558f88bae0fec1fda709

SHA512
4536bc04f27b087d873c240aab6b6e5d54b2bbf0f5a6164df3d7648a4ec14ae8a0ba79b94dd6aac09b92750d916cb7907830949b23ed376b64a9590c4f21898f

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
96KB

MD5
6493494202907e34bb8f755492d07f84

SHA1
2f1297073304b12c1649fb8d2f9742b6017449f0

SHA256
9f11bf897b255d5827689e831ee1b27e833d453b5eaba3943cb786f4eb639d53

SHA512
2cf2f04e8ec9c3764f12db437a2b9306b3b9b96860b0a2698a6ecafa8dc08380672e09c2c863a309b24a7597ffb0752b2a36a13e6e2db0ccf6015753360a4c2a

Download Submit
C:\Windows\SysWOW64\Pmmlla32.exe

Filesize
96KB

MD5
1c2657d5e75e896d663442b30923721e

SHA1
ef03fcaef48dc79acca27c514990357720b570a7

SHA256
909b2d97df21675106448419cfe4b20eed0a2e8d60cfaf5170686f22a93d4239

SHA512
663e2fdbe644757fe85b3c31d01b4ead78f6a6a095d9837cbb0c1690d90439d62ee2fe9d23415074f23451c20171dcff9f41a1926c2d352deac221efc9c50745

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
96KB

MD5
90bb20f98e242f7da5734761dc5b60f4

SHA1
82cf96b23a01ceaa1a05e02bab481b88256a7dfc

SHA256
2feb1800b639c0ebcf8165986a8b0422c068045ab9d86f2934eff481ce2bcce7

SHA512
8fbe8c5654f95573af28e04b436100f80d54ac34d2668f19409c8d992123b4d21727aee0bb8334d2371d0e98a3bd9d74d43be2d4b5e835922f510b62ac197543

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
96KB

MD5
de627f5e69ea5547853ee2a0f91e0e4b

SHA1
faeef15e3dfbec25d2ab3884d08069a91c3b8370

SHA256
c1cf492e46ee72121707bd9ab5ee97bb1edeba4099ec43a3bb9c1cfdcda19666

SHA512
d6afcdad518dba9dca5e0faae6d444aed79abb1f3e910e3af0fd66899746e5f6a7f4243b10820161218cf97f983044d0b3b21217be8d091cae42934d6d14babc

Download Submit
memory/640-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/884-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/884-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1028-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1028-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1328-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1328-343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1388-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1388-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1392-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1392-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-391-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1480-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1480-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1840-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1968-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1968-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2436-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2436-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2440-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2440-384-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2548-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2548-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-301-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2808-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3120-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3120-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3280-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3280-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3528-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3528-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3632-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3632-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3804-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3804-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3908-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3908-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3976-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3976-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-392-0x00000000767A0000-0x00000000768C0000-memory.dmp

Filesize
1.1MB

Download
memory/4604-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4620-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4620-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4636-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4636-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4752-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4752-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4752-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4764-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4764-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4924-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4924-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads