2abeb0987516bfb76b65e4b437645687498fcd69aa8af689a18cc7a72b5521b7

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 17:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
Size

144KB
MD5

e6640716f8310749a1712836f5ac2520
SHA1

f4f37ffd8c1277743591e8c289b3e3c729418392
SHA256

2abeb0987516bfb76b65e4b437645687498fcd69aa8af689a18cc7a72b5521b7
SHA512

e1ebdbe744d0372f328cc0c0ba2e0c3bc72ee5cd0391abf7165484a83385a67e5d50ea6cf4475794200cd8a05d23f166ab7e67e4dc232a02c25815b1a74e6af8
SSDEEP

3072:ebjgryD0QtFrsQTryJRb/eeeyKpwoTRBmDRGGurhUXvBj2QE2HegPL:iHpvsQ3kG1cm7U5j2QE2+gT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaebef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpnjah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gaebef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggfglb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbldphde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfpell32.exe

Executes dropped EXE 41 IoCs

pid	Process
4972	Amcehdod.exe
3580	Bgpcliao.exe
1896	Bpkdjofm.exe
780	Cggimh32.exe
4224	Cdkifmjq.exe
208	Chiblk32.exe
1084	Cnhgjaml.exe
3756	Dddllkbf.exe
2352	Dpkmal32.exe
2816	Ddifgk32.exe
1684	Fkfcqb32.exe
2924	Feqeog32.exe
2572	Fajbjh32.exe
4652	Ggfglb32.exe
5056	Gaebef32.exe
2100	Hpioin32.exe
4812	Hbldphde.exe
2708	Hppeim32.exe
1176	Ihmfco32.exe
1288	Iahgad32.exe
2720	Ilphdlqh.exe
3392	Jpnakk32.exe
1908	Jpbjfjci.exe
772	Jhplpl32.exe
4516	Kakmna32.exe
3408	Kpnjah32.exe
5016	Kifojnol.exe
4544	Kofdhd32.exe
4272	Lhqefjpo.exe
2940	Legben32.exe
4964	Lckboblp.exe
4332	Mfkkqmiq.exe
4412	Mfpell32.exe
1776	Nmfmde32.exe
1836	Nimmifgo.exe
3864	Nfqnbjfi.exe
4572	Ojqcnhkl.exe
4856	Ocihgnam.exe
3568	Omdieb32.exe
3996	Pjjfdfbb.exe
4164	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkfcqb32.exe	Ddifgk32.exe
File created	C:\Windows\SysWOW64\Ggfglb32.exe	Fajbjh32.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Legben32.exe
File created	C:\Windows\SysWOW64\Nmfmde32.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Nfqnbjfi.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Feqeog32.exe	Fkfcqb32.exe
File created	C:\Windows\SysWOW64\Kofdhd32.exe	Kifojnol.exe
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Dagdgfkf.dll	Ihmfco32.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Lelgfl32.dll	Cggimh32.exe
File opened for modification	C:\Windows\SysWOW64\Jpnakk32.exe	Ilphdlqh.exe
File opened for modification	C:\Windows\SysWOW64\Lhqefjpo.exe	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Legben32.exe	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Dkjfaikb.dll	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Iahgad32.exe	Ihmfco32.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Nfqnbjfi.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Gaebef32.exe	Ggfglb32.exe
File created	C:\Windows\SysWOW64\Mfpell32.exe	Mfkkqmiq.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Paoinm32.dll	Fkfcqb32.exe
File created	C:\Windows\SysWOW64\Cgmbbe32.dll	Ilphdlqh.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Omdieb32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Hjaqmkhl.dll	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Ijcomn32.dll	Lckboblp.exe
File created	C:\Windows\SysWOW64\Njogfipp.dll	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Omdieb32.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Hiciojhd.dll	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Fkfcqb32.exe	Ddifgk32.exe
File created	C:\Windows\SysWOW64\Kakmna32.exe	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Mfkkqmiq.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Jlobem32.dll	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Ddifgk32.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Gaebef32.exe	Ggfglb32.exe
File opened for modification	C:\Windows\SysWOW64\Kakmna32.exe	Jhplpl32.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Mfkkqmiq.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Mfkkqmiq.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Clpchk32.dll	Jpbjfjci.exe
File created	C:\Windows\SysWOW64\Llobhg32.dll	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Iahgad32.exe	Ihmfco32.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Ggfglb32.exe	Fajbjh32.exe
File created	C:\Windows\SysWOW64\Kifojnol.exe	Kpnjah32.exe
File opened for modification	C:\Windows\SysWOW64\Kifojnol.exe	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Egopbhnc.dll	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hbldphde.exe	Hpioin32.exe
File created	C:\Windows\SysWOW64\Kpnjah32.exe	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Kpnjah32.exe	Kakmna32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4992	4164	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Feqeog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjohgj32.dll"	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njogfipp.dll"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll"	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgnfq32.dll"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceknlgnl.dll"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiciojhd.dll"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpgoem.dll"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Legben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll"	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddifgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipgkfab.dll"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Feqeog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gillppii.dll"	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll"	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpnjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kakmna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihmfco32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 4972	792	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe	90
PID 792 wrote to memory of 4972	792	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe	90
PID 792 wrote to memory of 4972	792	e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe	90
PID 4972 wrote to memory of 3580	4972	Amcehdod.exe	91
PID 4972 wrote to memory of 3580	4972	Amcehdod.exe	91
PID 4972 wrote to memory of 3580	4972	Amcehdod.exe	91
PID 3580 wrote to memory of 1896	3580	Bgpcliao.exe	92
PID 3580 wrote to memory of 1896	3580	Bgpcliao.exe	92
PID 3580 wrote to memory of 1896	3580	Bgpcliao.exe	92
PID 1896 wrote to memory of 780	1896	Bpkdjofm.exe	93
PID 1896 wrote to memory of 780	1896	Bpkdjofm.exe	93
PID 1896 wrote to memory of 780	1896	Bpkdjofm.exe	93
PID 780 wrote to memory of 4224	780	Cggimh32.exe	94
PID 780 wrote to memory of 4224	780	Cggimh32.exe	94
PID 780 wrote to memory of 4224	780	Cggimh32.exe	94
PID 4224 wrote to memory of 208	4224	Cdkifmjq.exe	95
PID 4224 wrote to memory of 208	4224	Cdkifmjq.exe	95
PID 4224 wrote to memory of 208	4224	Cdkifmjq.exe	95
PID 208 wrote to memory of 1084	208	Chiblk32.exe	96
PID 208 wrote to memory of 1084	208	Chiblk32.exe	96
PID 208 wrote to memory of 1084	208	Chiblk32.exe	96
PID 1084 wrote to memory of 3756	1084	Cnhgjaml.exe	97
PID 1084 wrote to memory of 3756	1084	Cnhgjaml.exe	97
PID 1084 wrote to memory of 3756	1084	Cnhgjaml.exe	97
PID 3756 wrote to memory of 2352	3756	Dddllkbf.exe	98
PID 3756 wrote to memory of 2352	3756	Dddllkbf.exe	98
PID 3756 wrote to memory of 2352	3756	Dddllkbf.exe	98
PID 2352 wrote to memory of 2816	2352	Dpkmal32.exe	99
PID 2352 wrote to memory of 2816	2352	Dpkmal32.exe	99
PID 2352 wrote to memory of 2816	2352	Dpkmal32.exe	99
PID 2816 wrote to memory of 1684	2816	Ddifgk32.exe	100
PID 2816 wrote to memory of 1684	2816	Ddifgk32.exe	100
PID 2816 wrote to memory of 1684	2816	Ddifgk32.exe	100
PID 1684 wrote to memory of 2924	1684	Fkfcqb32.exe	101
PID 1684 wrote to memory of 2924	1684	Fkfcqb32.exe	101
PID 1684 wrote to memory of 2924	1684	Fkfcqb32.exe	101
PID 2924 wrote to memory of 2572	2924	Feqeog32.exe	102
PID 2924 wrote to memory of 2572	2924	Feqeog32.exe	102
PID 2924 wrote to memory of 2572	2924	Feqeog32.exe	102
PID 2572 wrote to memory of 4652	2572	Fajbjh32.exe	103
PID 2572 wrote to memory of 4652	2572	Fajbjh32.exe	103
PID 2572 wrote to memory of 4652	2572	Fajbjh32.exe	103
PID 4652 wrote to memory of 5056	4652	Ggfglb32.exe	104
PID 4652 wrote to memory of 5056	4652	Ggfglb32.exe	104
PID 4652 wrote to memory of 5056	4652	Ggfglb32.exe	104
PID 5056 wrote to memory of 2100	5056	Gaebef32.exe	105
PID 5056 wrote to memory of 2100	5056	Gaebef32.exe	105
PID 5056 wrote to memory of 2100	5056	Gaebef32.exe	105
PID 2100 wrote to memory of 4812	2100	Hpioin32.exe	106
PID 2100 wrote to memory of 4812	2100	Hpioin32.exe	106
PID 2100 wrote to memory of 4812	2100	Hpioin32.exe	106
PID 4812 wrote to memory of 2708	4812	Hbldphde.exe	107
PID 4812 wrote to memory of 2708	4812	Hbldphde.exe	107
PID 4812 wrote to memory of 2708	4812	Hbldphde.exe	107
PID 2708 wrote to memory of 1176	2708	Hppeim32.exe	108
PID 2708 wrote to memory of 1176	2708	Hppeim32.exe	108
PID 2708 wrote to memory of 1176	2708	Hppeim32.exe	108
PID 1176 wrote to memory of 1288	1176	Ihmfco32.exe	109
PID 1176 wrote to memory of 1288	1176	Ihmfco32.exe	109
PID 1176 wrote to memory of 1288	1176	Ihmfco32.exe	109
PID 1288 wrote to memory of 2720	1288	Iahgad32.exe	110
PID 1288 wrote to memory of 2720	1288	Iahgad32.exe	110
PID 1288 wrote to memory of 2720	1288	Iahgad32.exe	110
PID 2720 wrote to memory of 3392	2720	Ilphdlqh.exe	111

C:\Users\Admin\AppData\Local\Temp\e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e6640716f8310749a1712836f5ac2520_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\Amcehdod.exe
  C:\Windows\system32\Amcehdod.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\Bgpcliao.exe
    C:\Windows\system32\Bgpcliao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\Bpkdjofm.exe
      C:\Windows\system32\Bpkdjofm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        42⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 420
        43⤵
        Program crash
        
        PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4164 -ip 4164
1⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amcehdod.exe

Filesize
144KB

MD5
15b0cfdfa37b1d1497894f9924ce4604

SHA1
259970709017b5bff6ce9538791bc629f63bbb10

SHA256
cdfd0e3cc8e8700f69ba66b9743bbf5677a2d2c2cfa61415b5d5ccfd1a9398be

SHA512
6c2fb92ecbae41f9f40bbf3d6c619963b492af54e99df4c34385530c138194b0edfb86e36ffd3087a26d9227aab507516521be88b659cc3906e89fa27dab4d23

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
144KB

MD5
549aebba578704a20796982fb904c518

SHA1
1f78e2f17b7ab80db20cd4950142b75e8eccc88f

SHA256
c8ddd1a06b65483ee7028c64ba4643b517129ba3ea467f04de12f6958e96e6c6

SHA512
1d4603e2d026af5f07ff582eca4ff086607261580881d04cc011b76d394f054af02db97501d400c8331c5db88240290900e1e8568054b1a728781d6fda12d0c2

Download Submit
C:\Windows\SysWOW64\Bpkdjofm.exe

Filesize
144KB

MD5
0eb6e5a0b9ebcd417cb6e53a83a8947a

SHA1
4a9f900426f5d89ff3793fa7a76ee8f67b10f30c

SHA256
653154aeae7cac27aa713f631e93a64a6177398405dd176760873fadad94b088

SHA512
7f9dd3b4d6a89d2f8cdd7a57f18cb42a8538309f227f802ed5af3793d2c782b580d4d06845496c2feede324cb287e22db366b0514e4684560d81374dbe4b2c66

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
144KB

MD5
3ee3ae84df51592a28c758173cd9d64e

SHA1
70dee14f217c2877eb9a99512f1638095d6ae5da

SHA256
ff3db7c5f880009fe159ea3b30179115977f86f12a6663948c10f33cc4d595a0

SHA512
b866d7ebddca1cd3fcf22b9978b493ad02f5f732a446529b3be8c21ad98fb1407d601ff47a32bfa573530c34de2296966f35ac5bd1cdf8aefccc2352a5552ba6

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
144KB

MD5
31301f471947dbabc081a23f5d17e38c

SHA1
29e9c82d9c19c003973c34cde1eea95ce6cc8321

SHA256
2aaf98c1b303f9efa44f29a0ebf84bf42551b3f94ff3a6bfaea8f350eea528f2

SHA512
3da0d73e1a1e43422405ccf55034f45839642b674550ca0552e81237c391985eac70db82b0c6eb13dbcd651462219c4dad290987aa3a88c2ec5e54093a8c67df

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
144KB

MD5
b0085bda6b4385dc10c86bac6bdbefec

SHA1
c4b3808c8f81e27d5e4938cb39dc4ab444dc3794

SHA256
2305497953a4c916e58dcfb4066ade272f5070d5d4e5083acd00f07f399d64c0

SHA512
5ef1c594dce08468a63a1873054e1e22daeacccfe5bce14a7ea723b2c8acf510b82729bd40a9f588a553e51ca46d6c3abfbcba95b22a07922c009a6185f149cf

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
144KB

MD5
c3ce7ca5a74b13f0cb2ca3362837d719

SHA1
d43cb85f4432cd5c6d30c1a8339585d9391a8cb4

SHA256
07a44e893011c4d667cf8c8c3505b86ce1143a304f85c7a0a6846debfc8785c5

SHA512
97c786b70cffaa61b5840db4e95324c616c0a135ea12ec7aa73767f57ddffb53c8502e863b1b60c4c37832fdb66ccbde1276c71c48271783712c4d11e3685d5d

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
144KB

MD5
087abc7114e001f0ba16a60bf7e5c02c

SHA1
c937f4e78a882fabd1e5da3a51eb4e2bcd763760

SHA256
5464aee056816776de8b11c3df62ee719c9f4381b33365bdad4f6d9a4eff13a2

SHA512
0934991b5c0f0d31b04037cbf54698ebeb83aae7386c5843528dac7faa0ee07055950d9b1f0c20c14e3dcaf5159d68c0e0415b23ffd98b673428ad57aa289d46

Download Submit
C:\Windows\SysWOW64\Ddifgk32.exe

Filesize
144KB

MD5
a6cfc929f74c2dcd3ab436ef15afddd5

SHA1
ad1eb417a01dcb70696bc3fb2b1fcbfea5cc2384

SHA256
175caf73d9b7708b37fd724b7391bfc6482d24f589b1d79c3cbbe76feeff756b

SHA512
4eb77d2b32b92dffbf056a180e0d3d290f1e4b911d4c43493605754dcef5f6800bad4946db6eb6b0a195892cc93bab5cf59edbba9f606370c9c7af9197c50462

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
144KB

MD5
249e8a19c10e71efc816784ea0d0f201

SHA1
aa52cee30682ab2d39cfaaa9e4cf595634b5cd4e

SHA256
ae84cce9a29d1bf65f320415b3baf92acc219bca0840326871d4576ee75b84a0

SHA512
b6e0a4c684182a246b8ccb2cf01da61eef0b9879670e79ffb15c4dcf241910c4d1ba16d5f51cd20476fad8167d4fdafb36c23e725c798c2c32009f8201cf4543

Download Submit
C:\Windows\SysWOW64\Fajbjh32.exe

Filesize
144KB

MD5
5cc23a886cb12065f2f8d5dde61bd9b6

SHA1
787bb3cc0b4585fb039f4c2a8208c680656aa554

SHA256
b0ea9da968d26cdb9d86b1fc34d68c74edb3a5f8aa30f11ac54f2df5a76cfa2e

SHA512
2da6c57ac655cecd4598363a9248d034fd44084f42898126348b0175a6ad3991cbacbfa2bb556ebd80673e688a880d41e551de4050bafe6ab8279115c9120e92

Download Submit
C:\Windows\SysWOW64\Feqeog32.exe

Filesize
144KB

MD5
a4bcb9171d5034dee369b26580041c5c

SHA1
3c2238e31120d029b70bff0c211be4e46ec2b26d

SHA256
380776ac8e46f8357ef0a4957b0f50efd513a1148dcc5db8e66a54f26c66815e

SHA512
ee2b9839190ef7a427df6fe073535bd9a3c162a242845c1f99db476479ed9f6cc73d702275b086c61c046cab561f0665c24595b5382f4c5ee9b444ec877e5eda

Download Submit
C:\Windows\SysWOW64\Fkfcqb32.exe

Filesize
144KB

MD5
5b35c1d175b4ac71a8d53790a3ca9b88

SHA1
4748a11ce045d50e53a2812ec0f538bc2aa18865

SHA256
7e1e1f5a3bd1ce2e8bbe1af102dd065edbd8837329e785d73a76f0b9f429d6cf

SHA512
6cf0998e80fcd1e695026c6949d82de4aaf5e22496c29f34c48ae2724d91f5a1a7997f83f30f74ce9c5cfc8165b149a625c53f8734065489e27d90015a29367f

Download Submit
C:\Windows\SysWOW64\Gaebef32.exe

Filesize
144KB

MD5
7ad0f516279b86693db4fc4cac4270d8

SHA1
23ec1eb35bfb512c92da3614c0e0eda2d13a162e

SHA256
6df6f6ac25d9e1854b7727fecc256d3fcb562a5e3c4e156a0531064ee9793006

SHA512
dcee92b969dd1a93e6b244ca39b6b2eebf8800744bb2bae535ef5d59f681581cb8e5130eddf1a1821e09c52c7b1e17743f8ea7cee38264ef5836ce2263c5e2b3

Download Submit
C:\Windows\SysWOW64\Ggfglb32.exe

Filesize
144KB

MD5
7e23a5f877a4c43bb9233a8abd687cb7

SHA1
ccbcfea71f4abd685f2a4ab68e141c4adb55041e

SHA256
84e2ea462b87d20c77e78f07455a3cf4b9df8b0b3c1caadbb41dc89d7d571073

SHA512
46e2f59d476f1f0f0a4b98a480e90ca060310afe03211e0f845dbc1aba16770e6067a54e9934a882735bf95b9cebc05fbe68b48556d54237db0f6ccaec980c69

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
144KB

MD5
9ef2b34adf6bc7d35ce13f3424297938

SHA1
843e54ab44a6ac63daa90d28834fd49b57c84f18

SHA256
782688071feca40b54370b92f852016dc64e0ba87abe03890c7d351155aae79b

SHA512
98dd472f84a343831b6a2ff285f27336101fc9c63324bb0bb208e75d3c44693775f2d7fbc05cc8d0007fb8af2454df1cc018f1d507973ea0c96511d59805d44c

Download Submit
C:\Windows\SysWOW64\Hpioin32.exe

Filesize
144KB

MD5
08e7c0deaef4b1779828b36bbf68ac7f

SHA1
e15f750df534b5a1d2421fd60ab623e62266e06f

SHA256
402cc1245052d11880aa1898daab58eaf32150ebd519220675d0d9b4e033f747

SHA512
4689540b9ab4c8425927d5999d22bdf94a8a92e095213bf2b20134efc08f1defd1aca16fee8fcc2c3ca24fcba0458ae9938501339db69388aa4a1c72f6455127

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
144KB

MD5
57c6c9915ef3248fda4556a22fe30a9c

SHA1
e4aab0f202a148d12e8cc2134453e1f40d570fff

SHA256
85544918eb5ccb9faae1120b912c7a57c3d4bde679bcb32f1432040db48aeedf

SHA512
0a0c071de19254a45737e79c28c160d06ec89f8e7c810c8705c91dfa52b77f01c15f9924edeedf8b40188214cea5f3f7f89985860a39145827bb38e25cb540b3

Download Submit
C:\Windows\SysWOW64\Iahgad32.exe

Filesize
144KB

MD5
bea4e2013c8a454e5066d6733a3a9453

SHA1
9e37a91b0964e2dc8ee55128c5bf2a63f871cd04

SHA256
4f1433e0a282767b3183690179b303686fafb361160723d7481c9b68c5ee3ee1

SHA512
7fa7d4d48a0509e71a5d62d69085ce18bbe247adfdae21c149cb1d2ab3f10077ee69ff5eb17431a60e6aab2a790e9d1dad8d45154cde07595979a6843ccb0233

Download Submit
C:\Windows\SysWOW64\Ihmfco32.exe

Filesize
144KB

MD5
03f8c5328047f4a482bdf63132b94b12

SHA1
9b5c541b7d2a13aa7a84402502676ef61b543610

SHA256
bb2c29eb30af92e4bc810bddfb098090a4a7b27b9457140ad078d6e3cf22a9b4

SHA512
f23f5396e5d5d73641955588cfc333f877607a5ce629d948f6bad28a76550da8421fcbcac7f3b7099542a242aa4c724bd16b9c446a9d163ccf3cff02db1a5764

Download Submit
C:\Windows\SysWOW64\Ilphdlqh.exe

Filesize
144KB

MD5
5374717c7049920cd7622862a1aaca2c

SHA1
8942bf61e50d7f60a171b6e0d31165c880393918

SHA256
eb97e1c39ce998b6b1463e1c7ed532bce2d26e967fcc25c595d8ff4f98c6944d

SHA512
a115fca9d54d03d7352efd506ac59eea99756f9b6f361f1395264523f18d77b84343f4b3756377434f67e01d867963d5d402fd788cb6f4414faa31640e2fe2c7

Download Submit
C:\Windows\SysWOW64\Jhplpl32.exe

Filesize
144KB

MD5
d15979092d9017da9875fba71ea1cfb1

SHA1
a5a7a38bcaf08564fd94f64b28785ccd5e67dcf9

SHA256
f867f81aa421d49fb0ec95639a1e33617a1a3e5b6ef499927cd1490779490676

SHA512
23d9a2de0db874eefaf55a4ca8792a23e452470def2e0711fe1fc86daf3279a359fcdee5ee8248c219f757c20aceb4a01a7105a9afea64fd2c2350c755251b4e

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
144KB

MD5
768caf7806db79143f2336bdb682ee5f

SHA1
720e1d7d315af6b32d37c1ff5b6a5ab3f31b3116

SHA256
8635722f4e75f62064846e845d67ea033fed3911ce4b3a4af61338f79ceee440

SHA512
919f98601154a40cd827fd3b6ba94923369c618ccd5785fd04890fe7ab86de7e67553d44f202c982cac992b37ad054d08b219d032d7d60a882399d89f749d0fa

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
144KB

MD5
e7790972d2cb07c3f36224701a78cfc7

SHA1
ccc733c75accda70f2ba710da31464b9dd7540c9

SHA256
9836afe91a0a12e98b4cf444591dea1031ce3cb8c798ff4158928671b25bd933

SHA512
57ef1de6a3b1177c36a60c454e3042bc72d981ae419ef61adf9c58f9431125c617f84d559eb2f520a2274bd026ffc178540fbf0527ba4235a505effb8e5189d3

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
144KB

MD5
d4b615fe2b0e0aa21148bac50b85176e

SHA1
1372e3f9575cfe4348afbc6982eaed33e745ea14

SHA256
522808ab527723adfef728c40eee9e833af89a10aa9bc8c9305a5a0d957f4fe1

SHA512
a6ad24e430a0e1f7b537fb455ac3b2f409d00e8d129c365e00786cd211a996338691301daf6d7ae715b806c3664c3823aaf0e17f48d181846f5eb926b915c05f

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
144KB

MD5
7fc03c196c31645dcc44594508379005

SHA1
22c3b8ebacaa803eae2d5a5a4c47eccf01112499

SHA256
01307eb2622f39fccac8946e94bf002ac565c972c6dccdab74a577ec82874598

SHA512
3734598ac9693f0a14629195039d62ea177f225a8a4950e9431087c7c662b4e5aca5a4365ebb6ae44e6fb456bcefc4bca51b7c7445077766acc6f39d2813e329

Download Submit
C:\Windows\SysWOW64\Kofdhd32.exe

Filesize
144KB

MD5
7d0b90d5fe3b00c3e9126ce6da2cc159

SHA1
36bebada781e7552937818c94e1a9ddbe828d4d1

SHA256
635b13efc42b528d8f75c7fbb9f2c31d1ac433acb6e7a91462adba2134835e52

SHA512
b8fbef876e3ffda55852c728dcbe7329e688944df0b8f784c489eb6fb9ccdbf9cd93e80ca11a67c5b6dcc3486740a46d73f44af63d098a4bb1db407cc36ff7d0

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
144KB

MD5
1caaeea149b3fa0c9d1c1b93b6000286

SHA1
8b9117aac5e2b1dac35dd29e6021e0efce8a16c5

SHA256
abff182ec215f9930a09cff0cad86df9629f3e6427d01a0c03f655290727b0bb

SHA512
176d61dbc534e18ab7569b8f658907773abb47cf998a4cc2931b2e1b7828a3082fb4911e8490b159c35ecac57f343ab9668a2d47715c8787fdf81c7b6e40752a

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
144KB

MD5
891a271e503a65de51f9271182d51c2e

SHA1
cb8f03d6951d30733535f9f5707f550d294cd1d1

SHA256
546334e3d60532fd24197cd272a21cb9caa9241b53fa89570b36c3b40e54e5ae

SHA512
bfee1418332083599e3892b423912f8e500c6146d63f63190fb4e5cd851d001db739858e668404a5bd26bbd729f0f9959d8dac2c3a73364f31ea84a177eb4809

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
144KB

MD5
ec03253937d0fab4d96c14be219bfb0f

SHA1
c176375b14ac1764ac31beecf7369bf89b165ae5

SHA256
f411196f5153cce816630fd76ae053feab0211565ec035e2216bc37ad86c1bef

SHA512
f6ff4d67d69c70d7bff8ee33c1bf86b0c20dfea6c4ca81bd90cadba021e320c9a0ac407f3d50c359390c8f72a9cc956b7b98e93450f9a9ba8321558a9f4f1d18

Download Submit
C:\Windows\SysWOW64\Lelgfl32.dll

Filesize
7KB

MD5
c90ce665888bb42f356ed001610a4232

SHA1
9818b791a7cc11643af36dc6c030faa6c4c087ea

SHA256
190fa3f525bfcaf41c5a5fc5f80d0fe1285b090d3877a70ac1098f74f5ff76c0

SHA512
c4ac26c409e272704d1d89174786f3791561c5dc9d8e2aae1784424f3b6d471cd189e6a054b8e01ac1b4635b0aed25a6f9fb649fd024aebca2ec7925cf86ae15

Download Submit
C:\Windows\SysWOW64\Lhqefjpo.exe

Filesize
144KB

MD5
ae75ec0a144fa0f556de5abf9d764d45

SHA1
0464a41025f0534065c93dc56f4a11c963a46907

SHA256
9060824510e9ba9c3b8edea802cb9fbafd7570ad3a1e9d8311d282bb762c53c6

SHA512
1917fc8ee2f5f90af1e2c8a6e8aaa1446e955fc1d9b94123e6eec18a7c75e2e028ac7a3649669f66b433f38261d776f377fd3fdbdf26f9604f964785cf7b05d7

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
144KB

MD5
6e1f0f661f5ba934304995f301785d5b

SHA1
949b9469194fb1e799ce98ce04acbee2b129ebba

SHA256
fb648ca5084555f06e7bac27e8e01f0b2c7680fad43c9421a7ac283727cf71e6

SHA512
8ed3209e46a4cf98389017368cbe6c061609ce8c761ec0bf6469678629a2216b99b3de725430df7fe21dffe4acf6c75fee692261ff620df14f95beaa87c97ad5

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
144KB

MD5
4b7b138f04141c559397a5550416308a

SHA1
f0c67ea7ad545abc5b11a8fda0e0cadddcd6edc8

SHA256
8fb0caebcc7d50d251425361fcbb7a5e60b41acfb2bc084e581c53b87d25da97

SHA512
ad7f864786aa837063b35b21f7694ed96143a2c3f60a441ffe79a09ef93db93ed518f62911c0f02d7ae61b67f7821750e168fb4912df63d1dba802e789633e14

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
64KB

MD5
a510a6cd53b3d30931ce0265c0e41802

SHA1
f022c8ab2850ce0ccf608ed34bf0ea79d7e5f843

SHA256
83d3d429a89f67d7b133c944ccd1f1a66435eb8faaf6f3850432ba32856ed73a

SHA512
105a1caf4b442e1856dd6ab08ebc066987cd0482f94f4d078ed1c6900dd58def5f2e1494a316a23b5f33752b28cba8de29e24cd0b155bb1e815dc68a4671e75d

Download Submit
memory/208-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/208-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/780-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/780-115-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/792-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/792-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1176-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1176-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1908-198-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1908-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-187-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3568-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3568-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4224-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4224-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4572-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4572-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-214-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads