4779e4c1ea81c999601ae2918973090d57ea816ad2dae6aa8a0c4fe2172aed0f

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe
Size

128KB
MD5

c5c3202c8631fc9b1ff63371ca71f4d0
SHA1

cac59ced6c7c376396732dbe075aabc6b2956ca0
SHA256

4779e4c1ea81c999601ae2918973090d57ea816ad2dae6aa8a0c4fe2172aed0f
SHA512

91cadb509b86acf5565d8d332269f704f7e1b3d7968eab2b945f11993be6e563b7fdb7e0af6644fd56480fd30b533466273e48d9e03cd4ab774facc798e3b3c1
SSDEEP

3072:XcyeWzrqzY6iE8bVYRHqxEteA87DxSvITW/cbFGS9n:Myei/EGiRHqxEwAAhCw9n

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geoapenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gnnccl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpochfji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hioflcbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eomffaag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekbjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edbiniff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kekbjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gghdaa32.exe

Executes dropped EXE 42 IoCs

pid	Process
1032	Qpeahb32.exe
3068	Bmhocd32.exe
1204	Bhpofl32.exe
5108	Cnaaib32.exe
2340	Cpfcfmlp.exe
4664	Ddgibkpc.exe
220	Doojec32.exe
1216	Dhikci32.exe
5024	Edbiniff.exe
3132	Egcaod32.exe
2980	Eomffaag.exe
1720	Fkfcqb32.exe
4560	Fkjmlaac.exe
3528	Gnnccl32.exe
3536	Gghdaa32.exe
1984	Geoapenf.exe
5068	Hioflcbj.exe
4736	Hicpgc32.exe
2388	Hbnaeh32.exe
3804	Ilkoim32.exe
2496	Ilnlom32.exe
3764	Jhgiim32.exe
1096	Jocnlg32.exe
316	Jhnojl32.exe
4548	Kidben32.exe
2444	Kekbjo32.exe
4632	Khlklj32.exe
4000	Lebijnak.exe
4160	Lchfib32.exe
4640	Lpochfji.exe
1244	Mjidgkog.exe
3468	Nhhdnf32.exe
3024	Nbbeml32.exe
900	Nqfbpb32.exe
636	Ommceclc.exe
4476	Omalpc32.exe
2376	Oikjkc32.exe
3248	Pfojdh32.exe
3464	Pcbkml32.exe
4276	Pjoppf32.exe
1872	Pfepdg32.exe
4576	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Panlem32.dll	Hicpgc32.exe
File opened for modification	C:\Windows\SysWOW64\Jhgiim32.exe	Ilnlom32.exe
File created	C:\Windows\SysWOW64\Falmlm32.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Lebijnak.exe
File opened for modification	C:\Windows\SysWOW64\Nhhdnf32.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Gghdaa32.exe	Gnnccl32.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Ommceclc.exe
File created	C:\Windows\SysWOW64\Mlcdqdie.dll	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dognaofl.dll	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Nhhdnf32.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Doojec32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Edbiniff.exe	Dhikci32.exe
File created	C:\Windows\SysWOW64\Gnnccl32.exe	Fkjmlaac.exe
File created	C:\Windows\SysWOW64\Gmefoohh.dll	Fkjmlaac.exe
File created	C:\Windows\SysWOW64\Cohddjgl.dll	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Ilkoim32.exe	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Ilnlom32.exe	Ilkoim32.exe
File created	C:\Windows\SysWOW64\Gikgni32.dll	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Mjpnkbfj.dll	Lchfib32.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Bhpofl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhikci32.exe	Doojec32.exe
File created	C:\Windows\SysWOW64\Cagdge32.dll	Egcaod32.exe
File opened for modification	C:\Windows\SysWOW64\Hicpgc32.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Hbnaeh32.exe	Hicpgc32.exe
File created	C:\Windows\SysWOW64\Eomffaag.exe	Egcaod32.exe
File created	C:\Windows\SysWOW64\Ekjali32.dll	Ilnlom32.exe
File opened for modification	C:\Windows\SysWOW64\Kekbjo32.exe	Kidben32.exe
File opened for modification	C:\Windows\SysWOW64\Mjidgkog.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Omalpc32.exe	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Pjoppf32.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Klambq32.dll	Eomffaag.exe
File created	C:\Windows\SysWOW64\Picoja32.dll	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Kajefoog.dll	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Gcmjja32.dll	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Fkjmlaac.exe	Fkfcqb32.exe
File created	C:\Windows\SysWOW64\Jhgiim32.exe	Ilnlom32.exe
File opened for modification	C:\Windows\SysWOW64\Khlklj32.exe	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Nqfbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Omalpc32.exe	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Geoapenf.exe	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Nhhdnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Pjoppf32.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Jocnlg32.exe	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Lebijnak.exe	Khlklj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Edbiniff.exe	Dhikci32.exe
File created	C:\Windows\SysWOW64\Mjidgkog.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Lhnoigkk.dll	Omalpc32.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Pjoppf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
368	4576	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kekbjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjja32.dll"	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll"	Dhikci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdjqkoj.dll"	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll"	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobmce32.dll"	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjali32.dll"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhjimfo.dll"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oikjkc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1032	3932	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe	91
PID 3932 wrote to memory of 1032	3932	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe	91
PID 3932 wrote to memory of 1032	3932	c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe	91
PID 1032 wrote to memory of 3068	1032	Qpeahb32.exe	92
PID 1032 wrote to memory of 3068	1032	Qpeahb32.exe	92
PID 1032 wrote to memory of 3068	1032	Qpeahb32.exe	92
PID 3068 wrote to memory of 1204	3068	Bmhocd32.exe	93
PID 3068 wrote to memory of 1204	3068	Bmhocd32.exe	93
PID 3068 wrote to memory of 1204	3068	Bmhocd32.exe	93
PID 1204 wrote to memory of 5108	1204	Bhpofl32.exe	94
PID 1204 wrote to memory of 5108	1204	Bhpofl32.exe	94
PID 1204 wrote to memory of 5108	1204	Bhpofl32.exe	94
PID 5108 wrote to memory of 2340	5108	Cnaaib32.exe	95
PID 5108 wrote to memory of 2340	5108	Cnaaib32.exe	95
PID 5108 wrote to memory of 2340	5108	Cnaaib32.exe	95
PID 2340 wrote to memory of 4664	2340	Cpfcfmlp.exe	96
PID 2340 wrote to memory of 4664	2340	Cpfcfmlp.exe	96
PID 2340 wrote to memory of 4664	2340	Cpfcfmlp.exe	96
PID 4664 wrote to memory of 220	4664	Ddgibkpc.exe	97
PID 4664 wrote to memory of 220	4664	Ddgibkpc.exe	97
PID 4664 wrote to memory of 220	4664	Ddgibkpc.exe	97
PID 220 wrote to memory of 1216	220	Doojec32.exe	98
PID 220 wrote to memory of 1216	220	Doojec32.exe	98
PID 220 wrote to memory of 1216	220	Doojec32.exe	98
PID 1216 wrote to memory of 5024	1216	Dhikci32.exe	99
PID 1216 wrote to memory of 5024	1216	Dhikci32.exe	99
PID 1216 wrote to memory of 5024	1216	Dhikci32.exe	99
PID 5024 wrote to memory of 3132	5024	Edbiniff.exe	100
PID 5024 wrote to memory of 3132	5024	Edbiniff.exe	100
PID 5024 wrote to memory of 3132	5024	Edbiniff.exe	100
PID 3132 wrote to memory of 2980	3132	Egcaod32.exe	101
PID 3132 wrote to memory of 2980	3132	Egcaod32.exe	101
PID 3132 wrote to memory of 2980	3132	Egcaod32.exe	101
PID 2980 wrote to memory of 1720	2980	Eomffaag.exe	102
PID 2980 wrote to memory of 1720	2980	Eomffaag.exe	102
PID 2980 wrote to memory of 1720	2980	Eomffaag.exe	102
PID 1720 wrote to memory of 4560	1720	Fkfcqb32.exe	103
PID 1720 wrote to memory of 4560	1720	Fkfcqb32.exe	103
PID 1720 wrote to memory of 4560	1720	Fkfcqb32.exe	103
PID 4560 wrote to memory of 3528	4560	Fkjmlaac.exe	104
PID 4560 wrote to memory of 3528	4560	Fkjmlaac.exe	104
PID 4560 wrote to memory of 3528	4560	Fkjmlaac.exe	104
PID 3528 wrote to memory of 3536	3528	Gnnccl32.exe	105
PID 3528 wrote to memory of 3536	3528	Gnnccl32.exe	105
PID 3528 wrote to memory of 3536	3528	Gnnccl32.exe	105
PID 3536 wrote to memory of 1984	3536	Gghdaa32.exe	106
PID 3536 wrote to memory of 1984	3536	Gghdaa32.exe	106
PID 3536 wrote to memory of 1984	3536	Gghdaa32.exe	106
PID 1984 wrote to memory of 5068	1984	Geoapenf.exe	107
PID 1984 wrote to memory of 5068	1984	Geoapenf.exe	107
PID 1984 wrote to memory of 5068	1984	Geoapenf.exe	107
PID 5068 wrote to memory of 4736	5068	Hioflcbj.exe	108
PID 5068 wrote to memory of 4736	5068	Hioflcbj.exe	108
PID 5068 wrote to memory of 4736	5068	Hioflcbj.exe	108
PID 4736 wrote to memory of 2388	4736	Hicpgc32.exe	109
PID 4736 wrote to memory of 2388	4736	Hicpgc32.exe	109
PID 4736 wrote to memory of 2388	4736	Hicpgc32.exe	109
PID 2388 wrote to memory of 3804	2388	Hbnaeh32.exe	110
PID 2388 wrote to memory of 3804	2388	Hbnaeh32.exe	110
PID 2388 wrote to memory of 3804	2388	Hbnaeh32.exe	110
PID 3804 wrote to memory of 2496	3804	Ilkoim32.exe	111
PID 3804 wrote to memory of 2496	3804	Ilkoim32.exe	111
PID 3804 wrote to memory of 2496	3804	Ilkoim32.exe	111
PID 2496 wrote to memory of 3764	2496	Ilnlom32.exe	112

C:\Users\Admin\AppData\Local\Temp\c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c5c3202c8631fc9b1ff63371ca71f4d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\Qpeahb32.exe
  C:\Windows\system32\Qpeahb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\Bmhocd32.exe
    C:\Windows\system32\Bmhocd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Bhpofl32.exe
      C:\Windows\system32\Bhpofl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        43⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 432
        44⤵
        Program crash
        
        PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4576 -ip 4576
1⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
128KB

MD5
f5a8c8a8eef1aebe6a339415c607ef82

SHA1
14ee45b2c87760e0cadeef7e83877925953449b9

SHA256
b4a1833243dbf8feb19ebdaff92fcf3eb7fb6cf694685916fcd1c5944f876e38

SHA512
da107b9144d106ae49d8fecd62976926dd009cd5eedeb50de98ad1e575ea7a5e89c1188c49288b55cdcf71e0b0e9ef42ff79ee919624a2c66026cca259cc0584

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
128KB

MD5
97237aa59fa076328ad1c491965b2074

SHA1
0db2c5eb04349ea9efb20baeb2296b28377f7667

SHA256
02008875e0b64f4620784abfd508aaf9fc41d3f97d56b29ef6ec6ac8f02252f4

SHA512
6db04fcdc4cad531c0482253e465e0c9428c5e88f932248bf96f087c38163c700c6a4f28e0cea4e20df44e013cb4b2edde18f691b3f36cd86a2c359f53778960

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
128KB

MD5
be679050f354b283ced2e916292fd999

SHA1
7952677c95baebade1e775ee6c0fd68327eb6959

SHA256
64bf526ad4e68a42291b354d6d116e5296cda97f84728504668f8be7882c23d4

SHA512
8a140891d0a327e05c55ab72baf2d86036a27cc6908456f02e215a79f8d4686e36fcb5d58a29d0b4b901d73aebf535bd6c3ddf60341fe634a3865fd8920edd4c

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
128KB

MD5
43984cfa9afbbbf86b15b06f30292519

SHA1
645597bef45846ce22230d35355712bc32d37ded

SHA256
af50677fc60f331ce074e205b6df2655c81c11c07cf79d05db5e888296825ff0

SHA512
1b99ccafb6904610d09cbad7944a1e3eea1a01a30ab675ba615715a2b766c8001a33bf3498ce946c411dd031f809e44bec2f18e68d87ab572af75c6d94aefea5

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
128KB

MD5
b401c5341149bf243c301b1a2e911e03

SHA1
3503bec155c8ade3a64ff0f56684fc10e917f597

SHA256
ef64680230c9cf489f67b435d0197b0c1ff17fa0ae304f084692a923e0e8253e

SHA512
ea3b3f8a7502519c3da9e03a30cad8a222524f9d23f4e5dd668135485fc9dda453fb581e64814ac5f3560f2ae970be1d134a82f187a2a003bd5493d149aade91

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
128KB

MD5
4bcc2541a390a5c1ffa775314e797994

SHA1
6464bd87806907fd90edac3541150bf891cc3305

SHA256
6a281c9e7ad263593193faf5d8224814de882a9226cb1070d9fd8aac85f779cf

SHA512
1d78897047f0eb9093de98cd5af4e0111901482ceabf0cd8ab19842d54109fa6eeaabb5d3bebcb83921e99d486580ca4942eaeb992fd490c1dc6cf254826d6be

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
128KB

MD5
1f8368bcab391b9b9d73e30ae1d4c487

SHA1
a05121e3f82cfbd0cdd84e61cd3cf96720a53b56

SHA256
acfc9b18c7e484e65b8c474b0e7db562228438c2ebe9f04a60b9199b365f526e

SHA512
dde909b4cde6c2e24022dea7aa7ee6f8a41defdbf27a8dc88089bff9db6bff0317fdfe8a50b6aeec39cb25e3a45b63adca82f2882b465be22a777aa79c53cf0c

Download Submit
C:\Windows\SysWOW64\Edbiniff.exe

Filesize
128KB

MD5
c5b9efb9d2b46343fafd7f5b2cb08e55

SHA1
881f03ab06ae8fdb2eeeb9c66b6462f503d5d5a4

SHA256
143659c6574b5732c7f7cc0ece87c9e1c784bdb10a4158d8fbea88de49507ce3

SHA512
a5c61112f2c0024c81884343e41e67d1c692fbb92af48b1fece405c66ae1e98872a2d791a0480564f21e943c936e05326f80983e3731b6d4e621306a4b228206

Download Submit
C:\Windows\SysWOW64\Egcaod32.exe

Filesize
128KB

MD5
a1eb2c4a34fa7aeb246d8d69a655b58c

SHA1
19a15be5992b2e4043d9776b750f4ed1351bd14b

SHA256
b41b6801122a084569c3fb2a8f053fbbdf88e784ec85e3b9481317b3ee06d7d8

SHA512
c2c22e1f1f259439cf4c9edad27a290e1668d0a77b0dabbe6c66f2ba1b18fc07f1e1f3c1cab9c348d9b87dfc888e3495b9a4077a2bb26310e87382fd9cdfd0ae

Download Submit
C:\Windows\SysWOW64\Eomffaag.exe

Filesize
128KB

MD5
2724a5b1b3e5d1886e5d41c6f7362009

SHA1
08826674e468f959bd584c78b58e62b21c6f266c

SHA256
49d20590f817301fccbac7011093ab6671a78086b3693c202ebbd1ce3ab05051

SHA512
c9737ef7404e9d6b76627c9f7f40114f2dd662ccbef2918473421fa8e9952f77a331dcabd95ed7abaf38449668c47fdf3a5798bddc250f2ec1d1bb6837f13a3f

Download Submit
C:\Windows\SysWOW64\Fkfcqb32.exe

Filesize
128KB

MD5
568f92831ddca3dd2504b58d69e079b2

SHA1
4455efc2d00afe653a9dbd8ba688be909a10039c

SHA256
4bedafb9ab83fe7b0e1207835b4d0b9cc3cd1ab6332285e55b6f1cacae96420b

SHA512
92e050faf45f28bd81c583798666b07b120016bd5d55083493e102587b15af06dc4ac7a47cebbe0f4530d53ea486b79398fde086730db031cbf1f68516dc2c64

Download Submit
C:\Windows\SysWOW64\Fkjmlaac.exe

Filesize
128KB

MD5
7c2e0bb9f7e34c030b9bfc5b000a0b55

SHA1
7716890df8f5470b415f721da75357c0336ae3fe

SHA256
e41c0d67ef0df497a903c0162855eca1fe1177f142bf8a022d3131c41ee7219c

SHA512
de535c3bad90423cb69e5ebc05827c8da27285cd4952e80771c575127097cd25f301b9a2dcbc4bf1fe6a1977efaab9d4e407227378840953d50b2ab5ff25173f

Download Submit
C:\Windows\SysWOW64\Fomnhddq.dll

Filesize
7KB

MD5
d158da803d6a9e722c8d3eec76dabfba

SHA1
e547ccde183fd2874f13e817e4fe1042bbdb0099

SHA256
4e788138e8e277b4449527c6b2186e25ef502d1c2c2bcf9a74d3061862639948

SHA512
176760639da27fcbf74d993b6e313eb23e7cc15fed2b32d8aa394ed21250f2938b967cdf791774a189019ae44261dcf9db86a07bff8815c545b76c537d2a36e5

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
128KB

MD5
15becec5171676b44321a777b4dae308

SHA1
77f8f285cc8b69aedaec605f671fdc6dbcd3d10a

SHA256
d9b04d3cb3f61ea3f0e0632ad9ac5fd954e46198759ebe8023a1cd5f10cd83bb

SHA512
4a8466147d561d2b981f268bd840628a3809e4e6db7f316de1e1e4dc53c8530d2fd955c9f77ea6337d927dc31b700d38ef2273fd4302ef4cce3b6a3a4575012f

Download Submit
C:\Windows\SysWOW64\Gghdaa32.exe

Filesize
128KB

MD5
5093c55358cd15ab0deb8e1abbb363f5

SHA1
a17ed41f7511cc61bf6a1f021d8a5a529f7933ce

SHA256
67574d55808a05f7b579e1e1590dccf9aa208551d35b0382f430bde6344fbe0d

SHA512
c8883bf23127518c445e66045ce544078b7b97a65fff4e4478a853cc1b13f13050e6975991d4608c50649fdd78ce108f26a4868c2101ff0c1c7908ffe913cb0c

Download Submit
C:\Windows\SysWOW64\Gnnccl32.exe

Filesize
128KB

MD5
4c1c39069d5f92faeb835c93fd907d6f

SHA1
93d02e2ba73b116a864fedacee97c07735e213f3

SHA256
6503d8ca74047d8ded4a98fde905e70dd4897aa816b2de6e03c0506da9c461c1

SHA512
6dda13a78d52dd09d6b18cf895e0f0f2ad50d5f537c63774f71a4fd3719f9641c7c8c8d86fadefef00256c9315a8a3d84fe817395743b3bf5022d3da63b2d729

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
128KB

MD5
96179bc85c969d4cad18081a2b82a054

SHA1
a6374aec86c55904e6a4fbea6416d1790232b214

SHA256
f678301f2484f0955ac4df88f98657ae4f389c0b283781fc7f152bd36152c705

SHA512
026a5912e81ed0a0bf635b60fea4bf81e20f351e15df6f35a237d76c46355f0288ca78378601339addc4eb45e7456495efc3c7aa1004d985a6ad246123227624

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
128KB

MD5
183213d6682483d252509dbc17890b7f

SHA1
6d6c0a4a3404cbd4636cc516fffb91fd4250dc3f

SHA256
b0134e003cb463b2be199d86ce624f77897340014ba5ea745684d8c3395499d7

SHA512
fb3af03d2713275e923ec40b1506ce8ab8a4ba12e5050b0bd13c70c6167d855f45b5ceec89ec881e593d4aa7aee0745e7e3851da0c3732b1b599d5e0ab972d2e

Download Submit
C:\Windows\SysWOW64\Hioflcbj.exe

Filesize
128KB

MD5
9cdf799e3fc3f3c0cc57a72367117071

SHA1
10a8b691849938c87cecd490cd4079e1a7298408

SHA256
95c022342e416ced996f276cc3ccc0fe11a397c8a0d8249c73581bcc3c4f25ea

SHA512
381be94514c76c0590e41b559af688339abdc3ac5cd2475e0a7f6f0d225f9e996275a99bf8d50a9a9e890b16405b1fc60f4358cfd5bdde1a45771b3324b7d1e9

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
128KB

MD5
f84341b0608596a25c8cc74e1c0aaa00

SHA1
1fb5e3d01188012f84300d297ce4e92241f0e444

SHA256
85e363f4f253aec9a3d8bc7dd0ad7ee001ae5d74f5f755be4ccc60dc89a5718f

SHA512
6d04364bb35fbc1f0684a1acbff003b518af62815d28b853b66ae0a1349ab0a46fc866972355dfcf65a432014d00985c309d0d2a414b7ff8957ed403103a5a4d

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
128KB

MD5
32d0ff35bc324e9f6a3dc28910aac505

SHA1
8a16c79de63214e0c6c0760727e86458453bf8ac

SHA256
04703bd5cb4359113e0b7aa05b34101e7fdbad4fac1be6447c26d7f05e299005

SHA512
8c1182f5462fcd6ac2ae80dff3856138b751620988e315b097f5f1c8610fc237994dd0fe2b08640a2c740af249aad7f9217b58a52479216a8a3f066b5fc62936

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
128KB

MD5
4e8abdf24996a416a671283890ac1f12

SHA1
af42b74c2deae459cf085caafde16e66be668082

SHA256
27dceb8194aeba838aa6aee9182f677e55907d1539d5123b70e742556fe5d87c

SHA512
1560126122e5885a16acd7015b56c916fb5c15324bd6229ae2c1e6e2c367d31b463c7475266c5cf4591ef37188ce3d1550ee6a432b29c00dbf9c8f1d75a849f0

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
128KB

MD5
e0aeb9b71d7f4a79ff9b8c397479d230

SHA1
12b61764735e4ad5ec1fe527a92acf40c73ff062

SHA256
8ec383721ddef02b5a8e263172f22d4c304f22b3b97e496e06d8704f4cfce382

SHA512
0ec1b967b365c237b4ad390c4b4d690d43aa8b5cd5a3ca605cbbda78a0c674e9bb0b12cc7cf0b0cde67a590fd94977fe0532553108ce95efc764bea366c0314b

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
128KB

MD5
1d9f64ef0b28442e40d8f419391472ea

SHA1
82ec366bc1f627380bf611b1e0c8a7d86f0a4350

SHA256
4918db33ebbc0242318ac76de829aa09a7c342a4f0674a5403a3b690d97ad6d5

SHA512
59126e2d84a1c4a099719782ec5ed7377db976f0fcb659fff0795a11b79885f2d991e42970bf73d9a9410c0fd52e009d709d76b231226b20ee506fcb32412cf2

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
128KB

MD5
88a60a68979dacacc5380810292d1b95

SHA1
fedb7abc40c2b047fee55e5babd036a7928376f6

SHA256
360c11e2e0e893f50092048ccbadc0d7620e4e74f5eed9bf606b670e8b82329e

SHA512
9fc1b866d79e41802834fe4edacf513946d5c5f8582d16e256e892eefdf0cbc3f09757aed7300598009fcea2e500c467f9e548c4de720f063c5ce2e1cccc9146

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
128KB

MD5
75ca17207b8778b0b43e79cb93cb53b5

SHA1
4e2772a09f9e73effc5e391406a0a31d250caf3c

SHA256
2fb31721600390cc6491db45a982930086645c50c426e6763b80576b9bce0ccf

SHA512
b137c24c3b03fa193059bf577459806ff6bd6c062e599e444e7ac6ea33be776451a0db0cd8bbd485b87c8b12fa9d00779cd9cefea11f9e02385ae806ff997e5f

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
128KB

MD5
f8ebfa3587e3c2e2cd2b55a585730884

SHA1
70addd2bc5c3c602270a6d186d1c54dc985a34fe

SHA256
1149fc8ca4a380345d63a248f984feacc920abf7bfffa78ba75359530f9ff612

SHA512
8b4aa43eb7363d70575fdb670043eaffc2b3259f373b3549492b5f4d439144eab0cdfafad47f9a48e337c9429132a36d956742f88c7b97516a3b8de197ee3a7f

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
128KB

MD5
998c633054ee22d4244eee87b61d3827

SHA1
12fc5f767878ffaac72d9c215d2599df301f599e

SHA256
5ed6f4f38d5c7c75aa8aa7bcd066630b5a3b167fa2d4f0a77b63d24d452ebb1b

SHA512
b099bce6267f388459607c02dfcdd84226e58881503f8f85f4581a7ae13055fb1089ce506322fd9e352af28a7d6bd9ef0092cce8f1477da694e7e1fd45883d72

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
128KB

MD5
a3192cfb31821fd3f05b64693eb71d2a

SHA1
973f5ae2a469d1df97bf759ffcff3f597e71516c

SHA256
325f18ab0dd313331df770ccef2b32896049eebcfecaf2eee68334ec0532f627

SHA512
101ceba460ca64fcafc2992303e1e58d03622bdbf0b9f49ffc90e8b34f1cbffe9ea7c87b3a923c6f813f1de785cf74abff748dad1fb6f5fe40de1b844bfb658b

Download Submit
C:\Windows\SysWOW64\Lpochfji.exe

Filesize
128KB

MD5
2d6eb7a2662fd8d77b01719d778fc4c1

SHA1
ab03fe258b8749cbc928dc861559c0ba7d5dbda5

SHA256
babac2ab93d2084ef69b16063638a3364194a3391d9a1d2860a0a7d3100b66cd

SHA512
219278a4d6386643bf172afa745f475ab4d5e8a11d080a64a76267ec26be46d20a83dd191eb73efd893d47fb28158b8ffb315364640a2d20168a207d12a583a7

Download Submit
C:\Windows\SysWOW64\Mjidgkog.exe

Filesize
128KB

MD5
db595f562ff597552560fc48ec8c3ed9

SHA1
9a108fce6176530bacc0cbe959c53dbc0e453361

SHA256
e84455ff237aeac5a9f62563089f78449ae4ee7d9b07ee469c0948ce629abeaa

SHA512
3e1d328bf735b95c8bdf8443aa67e57f17d8acd8bce58b9b0a793e537585b13f57d064654afddeda869b5708d6645faf20a74e423ff845cc457ae4cd99264e05

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
128KB

MD5
94cf6ad8dbdb8e283dd93b4321771433

SHA1
1895610de66de653f1519f74c43413ba2c14bda7

SHA256
7f91732f00c74898a254d2a5afb546da0e64b9807f451898cda707ae7b9c325b

SHA512
99bd839cdc98a2849d77f1abf508d6b4e47a40f677e9227a63e9a932915a856345628667970a45933f720b468637aeaf6889f6c87268e227dc9e2926c583634b

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
128KB

MD5
2d0b56e02d0e3122ec6f0365f1d235cd

SHA1
db90aba3511341bf7a9076e639bd37989cf98aa5

SHA256
59ae9c19e777e8726a939f80377c9e558d16c242baaeebadc7fc2f97dc8f8b93

SHA512
d8e08ba40412e6a6a38aaeebf34c4568b111ed347e31eb171951ba9fb959ba418fdcd3f87eec92f19ceb11d43d40d93b409cf9e237223c55d93ccd3f0e8e683b

Download Submit
C:\Windows\SysWOW64\Pcbkml32.exe

Filesize
128KB

MD5
affd6ed9bacbb941311b4678a79ee7bb

SHA1
f520097c1542de01b3d91bd70a3e88e380f16852

SHA256
e89dcaf320bc63355f7ae56656ef6dd56c6f7902abd22d80de1bfbf29db714e9

SHA512
980b04ab917c7ce4edecaa07fc9ec465e26d1ba9b37b7585fe559f5e0c4c70742822ede68602783ac67d7c2f5c446dbe7eb9f04b16da2c98499411f3313a9020

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
128KB

MD5
77f40b8bb14cda2a908671176fbc6f52

SHA1
cdf17e98e9a5929766c4f1fbe29add4414ba5f9d

SHA256
250007c4e7934b8876c054e212d33cfa140f13e3f36d288c83ff729acee61013

SHA512
c441723bb3cd66b4b40df96607224bbbf13a9d510222d7b7bee4ac616a56ad3409f7c74834be0894e2b22dfc05952f6ea23eb5c42fe8194f9822bdac20e2b6d5

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
128KB

MD5
1598fd022e819919e280d59aa8c23318

SHA1
ccb000ffc5c6165691549f18434a4357a276fa6a

SHA256
89704487ee94cfc79b58741c0352e78e8dca4dab5f181f22a7f99c45cccca6f9

SHA512
cf2089fb2facdcf8f1560d5a8ae68abecdd7dd033cdddaf9eada197d8c040d8d56df3b2b6a1833bdf74899efdb2e6138cdf389d55c80fb22f71f4267eb933cae

Download Submit
memory/220-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/220-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/636-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/636-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2376-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2376-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3132-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3132-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3528-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3528-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3804-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3804-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3932-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3932-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4000-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4000-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4160-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4160-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4640-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4640-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads