47a1166c86572c6104510a827af253743a194d1b8c64ad83a75d3019cfcdc7fb

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Size

94KB
MD5

2ce1062254a9323447fbc409e0a6b420
SHA1

3572184abff514e7ff9341f3e7ab3301791956c8
SHA256

47a1166c86572c6104510a827af253743a194d1b8c64ad83a75d3019cfcdc7fb
SHA512

8139a9bd6234d5dd2123c7e9744e499ea7ace39676bc657bc7bb7bba9edf3cd115668b3c90602f1df4f5f201b1a8c1986b27b90fbc03be921768d0b2d86d6b6b
SSDEEP

1536:2L2y1P6M2uLtFaQQe/6Ub522LFfaIZTJ+7LhkiB0MPiKeEAgv:2L2yVlQebb5bxaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odhfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onecbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhohda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onecbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kohkfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdilgpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjdilgpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe

Executes dropped EXE 34 IoCs

pid	Process
2148	Kohkfj32.exe
2188	Kjdilgpc.exe
2500	Lclnemgd.exe
2520	Lgjfkk32.exe
2608	Lmikibio.exe
2892	Lcfqkl32.exe
1068	Mooaljkh.exe
1084	Mieeibkn.exe
2864	Mhloponc.exe
2440	Mmihhelk.exe
1188	Nibebfpl.exe
1364	Niebhf32.exe
2264	Ncpcfkbg.exe
2292	Nhohda32.exe
2776	Odhfob32.exe
2592	Oomjlk32.exe
2388	Odlojanh.exe
2112	Onecbg32.exe
2080	Pkidlk32.exe
1776	Pmlmic32.exe
896	Pqjfoa32.exe
1284	Pjbjhgde.exe
1724	Qbplbi32.exe
328	Qbbhgi32.exe
1072	Qgoapp32.exe
1576	Aganeoip.exe
2028	Amnfnfgg.exe
2744	Ackkppma.exe
2760	Aaolidlk.exe
2668	Apdhjq32.exe
2884	Bjdplm32.exe
2936	Bfkpqn32.exe
696	Chkmkacq.exe
592	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
2764	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
2148	Kohkfj32.exe
2148	Kohkfj32.exe
2188	Kjdilgpc.exe
2188	Kjdilgpc.exe
2500	Lclnemgd.exe
2500	Lclnemgd.exe
2520	Lgjfkk32.exe
2520	Lgjfkk32.exe
2608	Lmikibio.exe
2608	Lmikibio.exe
2892	Lcfqkl32.exe
2892	Lcfqkl32.exe
1068	Mooaljkh.exe
1068	Mooaljkh.exe
1084	Mieeibkn.exe
1084	Mieeibkn.exe
2864	Mhloponc.exe
2864	Mhloponc.exe
2440	Mmihhelk.exe
2440	Mmihhelk.exe
1188	Nibebfpl.exe
1188	Nibebfpl.exe
1364	Niebhf32.exe
1364	Niebhf32.exe
2264	Ncpcfkbg.exe
2264	Ncpcfkbg.exe
2292	Nhohda32.exe
2292	Nhohda32.exe
2776	Odhfob32.exe
2776	Odhfob32.exe
2592	Oomjlk32.exe
2592	Oomjlk32.exe
2388	Odlojanh.exe
2388	Odlojanh.exe
2112	Onecbg32.exe
2112	Onecbg32.exe
2080	Pkidlk32.exe
2080	Pkidlk32.exe
1776	Pmlmic32.exe
1776	Pmlmic32.exe
896	Pqjfoa32.exe
896	Pqjfoa32.exe
1284	Pjbjhgde.exe
1284	Pjbjhgde.exe
1724	Qbplbi32.exe
1724	Qbplbi32.exe
328	Qbbhgi32.exe
328	Qbbhgi32.exe
1072	Qgoapp32.exe
1072	Qgoapp32.exe
1576	Aganeoip.exe
1576	Aganeoip.exe
2028	Amnfnfgg.exe
2028	Amnfnfgg.exe
2744	Ackkppma.exe
2744	Ackkppma.exe
2760	Aaolidlk.exe
2760	Aaolidlk.exe
2668	Apdhjq32.exe
2668	Apdhjq32.exe
2884	Bjdplm32.exe
2884	Bjdplm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibebkc32.dll	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mhloponc.exe
File created	C:\Windows\SysWOW64\Odlojanh.exe	Oomjlk32.exe
File created	C:\Windows\SysWOW64\Onecbg32.exe	Odlojanh.exe
File opened for modification	C:\Windows\SysWOW64\Kohkfj32.exe	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Lgjfkk32.exe
File created	C:\Windows\SysWOW64\Nhohda32.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Lclnemgd.exe	Kjdilgpc.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Lcfqkl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Amnfnfgg.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Kmfoak32.dll	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Oomjlk32.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Lclnemgd.exe	Kjdilgpc.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Odlojanh.exe	Oomjlk32.exe
File created	C:\Windows\SysWOW64\Daekko32.dll	Oomjlk32.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Lgjfkk32.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Hcgdenbm.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Mmdcie32.dll	Lclnemgd.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Qniedg32.dll	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Gneolbel.dll	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgjfkk32.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Pkidlk32.exe	Onecbg32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Qbplbi32.exe	Pjbjhgde.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mhloponc.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Jmihnd32.dll	Odhfob32.exe
File created	C:\Windows\SysWOW64\Jbhihkig.dll	Odlojanh.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Pkidlk32.exe	Onecbg32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pjbjhgde.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	592	WerFault.exe	61

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfoak32.dll"	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjdilgpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhohda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odhfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll"	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkijpd32.dll"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmihnd32.dll"	Odhfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghhkllb.dll"	Kjdilgpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcfqkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalpimd.dll"	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odhfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pqjfoa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2148	2764	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe	28
PID 2764 wrote to memory of 2148	2764	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe	28
PID 2764 wrote to memory of 2148	2764	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe	28
PID 2764 wrote to memory of 2148	2764	2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe	28
PID 2148 wrote to memory of 2188	2148	Kohkfj32.exe	29
PID 2148 wrote to memory of 2188	2148	Kohkfj32.exe	29
PID 2148 wrote to memory of 2188	2148	Kohkfj32.exe	29
PID 2148 wrote to memory of 2188	2148	Kohkfj32.exe	29
PID 2188 wrote to memory of 2500	2188	Kjdilgpc.exe	30
PID 2188 wrote to memory of 2500	2188	Kjdilgpc.exe	30
PID 2188 wrote to memory of 2500	2188	Kjdilgpc.exe	30
PID 2188 wrote to memory of 2500	2188	Kjdilgpc.exe	30
PID 2500 wrote to memory of 2520	2500	Lclnemgd.exe	31
PID 2500 wrote to memory of 2520	2500	Lclnemgd.exe	31
PID 2500 wrote to memory of 2520	2500	Lclnemgd.exe	31
PID 2500 wrote to memory of 2520	2500	Lclnemgd.exe	31
PID 2520 wrote to memory of 2608	2520	Lgjfkk32.exe	32
PID 2520 wrote to memory of 2608	2520	Lgjfkk32.exe	32
PID 2520 wrote to memory of 2608	2520	Lgjfkk32.exe	32
PID 2520 wrote to memory of 2608	2520	Lgjfkk32.exe	32
PID 2608 wrote to memory of 2892	2608	Lmikibio.exe	33
PID 2608 wrote to memory of 2892	2608	Lmikibio.exe	33
PID 2608 wrote to memory of 2892	2608	Lmikibio.exe	33
PID 2608 wrote to memory of 2892	2608	Lmikibio.exe	33
PID 2892 wrote to memory of 1068	2892	Lcfqkl32.exe	34
PID 2892 wrote to memory of 1068	2892	Lcfqkl32.exe	34
PID 2892 wrote to memory of 1068	2892	Lcfqkl32.exe	34
PID 2892 wrote to memory of 1068	2892	Lcfqkl32.exe	34
PID 1068 wrote to memory of 1084	1068	Mooaljkh.exe	35
PID 1068 wrote to memory of 1084	1068	Mooaljkh.exe	35
PID 1068 wrote to memory of 1084	1068	Mooaljkh.exe	35
PID 1068 wrote to memory of 1084	1068	Mooaljkh.exe	35
PID 1084 wrote to memory of 2864	1084	Mieeibkn.exe	36
PID 1084 wrote to memory of 2864	1084	Mieeibkn.exe	36
PID 1084 wrote to memory of 2864	1084	Mieeibkn.exe	36
PID 1084 wrote to memory of 2864	1084	Mieeibkn.exe	36
PID 2864 wrote to memory of 2440	2864	Mhloponc.exe	37
PID 2864 wrote to memory of 2440	2864	Mhloponc.exe	37
PID 2864 wrote to memory of 2440	2864	Mhloponc.exe	37
PID 2864 wrote to memory of 2440	2864	Mhloponc.exe	37
PID 2440 wrote to memory of 1188	2440	Mmihhelk.exe	38
PID 2440 wrote to memory of 1188	2440	Mmihhelk.exe	38
PID 2440 wrote to memory of 1188	2440	Mmihhelk.exe	38
PID 2440 wrote to memory of 1188	2440	Mmihhelk.exe	38
PID 1188 wrote to memory of 1364	1188	Nibebfpl.exe	39
PID 1188 wrote to memory of 1364	1188	Nibebfpl.exe	39
PID 1188 wrote to memory of 1364	1188	Nibebfpl.exe	39
PID 1188 wrote to memory of 1364	1188	Nibebfpl.exe	39
PID 1364 wrote to memory of 2264	1364	Niebhf32.exe	40
PID 1364 wrote to memory of 2264	1364	Niebhf32.exe	40
PID 1364 wrote to memory of 2264	1364	Niebhf32.exe	40
PID 1364 wrote to memory of 2264	1364	Niebhf32.exe	40
PID 2264 wrote to memory of 2292	2264	Ncpcfkbg.exe	41
PID 2264 wrote to memory of 2292	2264	Ncpcfkbg.exe	41
PID 2264 wrote to memory of 2292	2264	Ncpcfkbg.exe	41
PID 2264 wrote to memory of 2292	2264	Ncpcfkbg.exe	41
PID 2292 wrote to memory of 2776	2292	Nhohda32.exe	42
PID 2292 wrote to memory of 2776	2292	Nhohda32.exe	42
PID 2292 wrote to memory of 2776	2292	Nhohda32.exe	42
PID 2292 wrote to memory of 2776	2292	Nhohda32.exe	42
PID 2776 wrote to memory of 2592	2776	Odhfob32.exe	43
PID 2776 wrote to memory of 2592	2776	Odhfob32.exe	43
PID 2776 wrote to memory of 2592	2776	Odhfob32.exe	43
PID 2776 wrote to memory of 2592	2776	Odhfob32.exe	43

C:\Users\Admin\AppData\Local\Temp\2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ce1062254a9323447fbc409e0a6b420_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\Kohkfj32.exe
  C:\Windows\system32\Kohkfj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Kjdilgpc.exe
    C:\Windows\system32\Kjdilgpc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\SysWOW64\Lclnemgd.exe
      C:\Windows\system32\Lclnemgd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Nhohda32.exe
        
        C:\Windows\system32\Nhohda32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Oomjlk32.exe
        
        C:\Windows\system32\Oomjlk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Onecbg32.exe
        
        C:\Windows\system32\Onecbg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        35⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 140
        36⤵
        Program crash
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
94KB

MD5
e73bdcc2baca78bf20b36613745f13e7

SHA1
c7f5f21827ce4493ee4628a85476a7bed045cb32

SHA256
8345fdff760be28185b41c1b367d9f34492226e2eb6bc859f04370b34dca9cf3

SHA512
5cbd53c0f2e935fc5ac140ff100fdc3b1ab1b538c0ee8b0a7be40c35e458877f5e257dbebbcf3a913167b7a320ea1bd8ef17e55c25c860d39c7132ded20feb34

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
94KB

MD5
98b6316b96dfa175ff6b43b9190840af

SHA1
fbdd6f6018ba4f388c650c1f0090c9a10f0e4457

SHA256
f3d5b45ec1a0bc0f7ff5bb85cebd142cab4f1d676050418890684df0efbb903d

SHA512
d4a50943394728c917b790322e7dee09f67f24b101b128cbb605b323b30d200c5ae6308c87e52e77c48bb2707410cd6e4e3482885efdf699705c9eb00771f6b5

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
94KB

MD5
baef4c33a0e28337f08462afd4cbcdba

SHA1
ea6627cacd1d4ae8871143fbfbaab480007d2069

SHA256
407fccc831e5fb5e1e24219fd5d105b7db3e735e93dfce43d3b72b17d8ce25d2

SHA512
0a2ed98bdc8faa6b736fa47a4a35caac2119b2c479895cea0ba52d15f7f1b6ec2be5e04eca1f74208e85c889cc5fabf236bfebcdda9251415bcd9c667da9d9c1

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
94KB

MD5
57d5de4387831c01ad71ec2ff9481260

SHA1
4e560338e1ea2f62b27d1986176f893b470fb8ed

SHA256
14f188d4294d673911c69b160c7590ecfb208d55a5faf27e2942e79673e771c2

SHA512
bd33381320f02d9fa29e5a64055f817b1a7c43ac4ef22a52ceac9cb4cc1a07762c076a978e614587409b9e2905411537a60c04246f84d263d96a79e803336c81

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
94KB

MD5
cb8c4eb564b1d7fe27cfca450446343f

SHA1
a94bca6ccbf8c5bd76b205cce5189d1b2623741a

SHA256
99f94a0df37b2e85a097c23f74001f32bb72efac995a1f25d03c92c192da8d5e

SHA512
26bd66d055a91ba1bc5e8177b52daa8f8b07ad6b2baf48bde1cfed0e22c84def5e7ea44d43c901ebad0cb77351f8a05dc50bc3acf8d630cef3d7d9c2cc2683d9

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
94KB

MD5
b925310d81a681cbb1139f9ee55005f9

SHA1
d59f5fbbc859a619ffa5a7983e00099e83ae5dff

SHA256
1071ea386e930f8c4198eded60cb5769ebb9a69857c72229daa1abd6c03251a0

SHA512
f5a20241f7ba9107cf4cfb8ac6c2b1aacd4fe1e89d7b51da171b1f3e818f6119eb8b5be6ee6c6f36200bb85fd934a6e8051002f2444b09dcd806b64e4b4a099d

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
94KB

MD5
8a83d36f78170a5cf6f4faba43c05fc0

SHA1
33e1f8c5d0de24e48c80d5dd46ccfb0a6182a0e0

SHA256
e07da08f7249aabe17c5086972030a08e8486ba26fcaea39af4a02f303c89c43

SHA512
31c526e00861cef4a4dc705f179658d1a63fee31963e2e6044bb8ecb804987d6ff042400348de7dfab917c96fa7a521e40db954eaa984e8f8c44dedf387b166d

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
94KB

MD5
f283a74752fc7d6839d632146a8d2448

SHA1
4348ba5f3fc53783785ab2f18d8a62eae2f2e299

SHA256
a1fa0853d6db648ecd6e616ae80ab65ee6eabc62bf0bdd4cf88439e97f318505

SHA512
9d1872588c9169fb942a3fefe3c0d743f9d51c1f24d92b9f9f0092b0f524c367e4d17732678ae6b4fb93abcf8d444754ffad4e5e03472707b384e1470f272131

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
94KB

MD5
36ca1ad7dd80f06281cb1f0c4b7249cd

SHA1
eb3f86e1b7c2c4d28067b7b73124cd878e64300b

SHA256
3e2c477c2b12874c8ed88a4cc136a00e7bb21c301bfa19be6fb2d44478946b55

SHA512
f44ab8d200a634fbff9020b86a573214f7f0effb6f1e36982ac8b33a6940d84e3fda49546513f4362b11a52fdf689e95f630e5aed6df35920ce8ad80d3de3bd8

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
94KB

MD5
625539b005683e43aaea7f7b4ce6480e

SHA1
ec96a36834ab2c1abe911f60f6efcecf183ffb0b

SHA256
edfdb0f27a29421777e8f5ed5c4d440428e4a5a42c380e7b9a4d452550eaaa34

SHA512
d267854f1b5a52f7b2dedee5b13cbc68600fcb373871a4dc9dab07f1b6132f69d82c017069a6bc91ba228892f8e6fe0046d5774779bd55f860e8934bfea40fd5

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
94KB

MD5
b9595addfa75932f41047a747970520a

SHA1
186bc7352c717ab4a2549fa0459e5c96754fbec2

SHA256
b933e629ec60cd26525e12be82476d684242d5106ee3154b3bda618905788116

SHA512
ac425839ff088ceb0ff5e124342677637378aa195e9a316823d997eb08431069f65179332961f8762779d3a6c41b6be9e5cf87b261f28acb027e1b574bed7ff1

Download Submit
C:\Windows\SysWOW64\Odlojanh.exe

Filesize
94KB

MD5
6dae3667d266d34d1255c98821d17454

SHA1
273a1df7501bc10eac3ef1f6d83e0225deb5f10e

SHA256
bb2c9dac666a7b476fb936cfdeaaf6cc250d63b8f6448148d25c149f0174c4f2

SHA512
9ed1e55905e319a746666e1be869a4e8ded954edd82bb569c83b28812d64009c6f22d5bb2995a07aff697089ff527340111513ed835815438eaa68ca86ee2261

Download Submit
C:\Windows\SysWOW64\Onecbg32.exe

Filesize
94KB

MD5
90da625a465e0dcfc2f2c18fd2b01a47

SHA1
35effb07f8cc270989cb9bb3ec5bb183f5538414

SHA256
3bf3a816b5facb137c3c02f4d0048c5ca2fcd207e81fb06ee0ecea04820cc0b1

SHA512
f84efb6ed3936cd04264ff13df24958a5c6b7a3f2e1441c3a017a5934717534644fa4e0a4728fb7ba2f1f8b1fd8497dcffb69f836e80001b823b7125d9c95d16

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
94KB

MD5
71f0e25f966c67b23822e7177b02358c

SHA1
753673783738b6b82a3dae3485ac2f4ea7b683b1

SHA256
19cb38cec61c0059a1e5d1608e47973b0ac5682d99d5cb7d8dfe4ebeb2c1a3b0

SHA512
a61e0e40988475f582b49dba4bfff42e8ef998ef3e87afac9dc0bf3a48c0c42bf56b226854fb4beb04fbc6d432fea19158bfaedf9be3f9de5ab16848f33950ac

Download Submit
C:\Windows\SysWOW64\Pkidlk32.exe

Filesize
94KB

MD5
024a1c3b31b74b226d8a4423d2c48ec4

SHA1
ffea8276db4c55d798f6f2b6b1e909330c7f1bab

SHA256
e99e346a4b2705e964da18fd83ad0b0189a6d558660cc3fa34fcc75f82668c9a

SHA512
34290ed334e9168d1978c5396fced2891088edf79c9ddf2341fdfd6afd933b195b453b639f7233e0a1421350e54a053d2a2b4f8dc50844ec1f6df5a806a44f0f

Download Submit
C:\Windows\SysWOW64\Pmlmic32.exe

Filesize
94KB

MD5
1870996337fd5b6e28a345cf5f800962

SHA1
b705401cbe6fa4c5a760b699946c6c8f00bcbb7d

SHA256
cc64054fbc37fe770efab9b7514b9dad7f264a29222f98934c81415ba43367ae

SHA512
4f13a90188f1f51fe84d97d4c4ad59011fc407dd99ebb50f866ba6ba3e9109c2b92500b4194e9f8c31c6bbacc0400f5a4a182e6abfbdda4bb524f628a19ef091

Download Submit
C:\Windows\SysWOW64\Pqjfoa32.exe

Filesize
94KB

MD5
3ef66900429f39f5f6ed8b0527f7df1e

SHA1
994833f6c27ccc8048b1700966132328e7deec52

SHA256
435d2e5d6edf26562c2248dfcd5a82b72986958f83f80007f0d12153b07c1313

SHA512
6a38d9aefe5ef5ce8c3aea0829820a7d3b932b2cabd3b0caf1ac3aa4f0454d21e9c47d3cbbdd1caafed6dca8682d1bbf6395b9361b6b57333366545c984bac2f

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
94KB

MD5
73fc400b31adcc1ed0eb0be6b01a1896

SHA1
c0a915a3be6e553c8ea0b1d93cd6ffeb4a333f98

SHA256
1659dc08a679fee629cf6a5ff908b9f18818f384e90cacab4fc57bd500dd8370

SHA512
8b4fd11faf075efeeced22c22b2a3d8d758462bd0fb3e1eb82934fd4e345fde671394bacf6d889dae97382615d3b434cc6268f22bc7e9968b5db907b96e7cd3e

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
94KB

MD5
e673fdc907e5adbaea6969895785e683

SHA1
30ba4e6941660ec133eebfcc6eb2e8b4f81e0e69

SHA256
77546e270f702f6c0ade6d14eef4d33e683ea5fddf2dbc9090117d4a63348365

SHA512
fb1de708d6a8710fbb4581eb3cb2b37a4860078e25cf649f065e3efa686eb30ccb2cc73e6552ecee92532ab227685dae325ed9abcf56b86a4764097bd4069cda

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
94KB

MD5
a047660a8bbbe59b0e5c9d9d7621488b

SHA1
ffa23dd6bd24a786d2c8b010ab68a795127d1f9e

SHA256
05959074ce4c9e3b8f46d3d971eb78de85d998e8d51a255d993f76d9e48f9be0

SHA512
ed653460c0be90582c05b31c04e173c7bc91c7111e29c7cb9a606af3c1fa81aa09c568149abdf8252befcb297de2567355560ae9f3e3b4a2c00a3ce2620390ed

Download Submit
\Windows\SysWOW64\Kjdilgpc.exe

Filesize
94KB

MD5
d53bec49ce9f8dcaabafca165fa5107f

SHA1
589f93473a487dc01c222b8a76b5cde169e04456

SHA256
c9d3586c58a7f63856e9c6ad30ec57f4a21ce0257a14c6a6ad43a6c66756aacd

SHA512
e61b85393d4a71c6a00c9ceba17bdfcdab175cab0ab8e2f2fbf2ccc485d7e796d7a78d54a3953035f0735001756195bb45d2a8727d884f32a56614c4e520f5cf

Download Submit
\Windows\SysWOW64\Kohkfj32.exe

Filesize
94KB

MD5
0a334667e6d46de473bb11305eff4a1b

SHA1
f452b05856bf3a4a26993190bd91376435c721d2

SHA256
0f0a0bf118d8b87d4f23ec3eb5013645f4e76968d4056d58a9a311dff1ea91cc

SHA512
8616f55250dddeaf0e4d74c2a55c93d9aead79fba89efe0b6ff4c1766eae65581f80171e9d5d517ee6f4ea7f3c6fc0ae8c652386bebae7aea2305c0a44cd10e0

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
94KB

MD5
b7085e1440b93fec9e9b1b1a8f7039bb

SHA1
63ee029fe410024e6d97f46c940ae276c971c6f0

SHA256
47a940e86c33cf35b2f5700db4b50c2c9e98214140690ac69bbc4e75449a9e68

SHA512
d660b796133df85dd778ceb0a8cb0257b5c57161ed5f44df8bd368e2b29120736afe6eb42df325e5a5acf1c922dc8a3745c64f0dd178957d62154fffe8f2e49a

Download Submit
\Windows\SysWOW64\Lclnemgd.exe

Filesize
94KB

MD5
030694cc0217920643713ba8c729ea99

SHA1
3bd5f8f056e6d7c5535e3cce9d3584fe6c2fa821

SHA256
7d0bdbbfd9a106877f51fd57423d9b1b6788553225c2b0128ab8f63a28320f37

SHA512
7ba8eea4f0920d72b2f23be481b016293fb122cd99e06ddf769a62b1a823f5adc4df5f96d8c8654bc77210fcac28de3524c0cf383630f6111074a61d00d1c1f8

Download Submit
\Windows\SysWOW64\Lgjfkk32.exe

Filesize
94KB

MD5
5d1b9a8345f3e1752602f6fb7b1b189a

SHA1
944cb059879bb328e0c1e5437d122bdfd5c9b1e6

SHA256
79e21bccc513a7ad0e4225eaeb14f57c367e7edeb4c0a8f8fdd15530fa214a16

SHA512
b7989ed9ed9395c067653fae8000eb3bf928d7c438d910613a931b021b740d51a4b97e773ec5f9e923b053ae21bff89a4b92d37a17ab3df6a21273869f2011f5

Download Submit
\Windows\SysWOW64\Lmikibio.exe

Filesize
94KB

MD5
ad6f4d1aa7fc3e1e9d1699aa7f6d96b4

SHA1
82b3917a06214e2ca69a09d3e00904d3b1318d38

SHA256
a403d50b65cc09988030abc2883cea896a4e533be1046443155a57877f4c9615

SHA512
b43c55c1d20490060e1512c4abe6fcd1461b9db03ccdf8cb49679b81179dd058f33376e52aaf8bc8201eaf0c7d60f1a1611a28b2f792fee7823026583792b4fd

Download Submit
\Windows\SysWOW64\Mhloponc.exe

Filesize
94KB

MD5
925637154b62e9417d995a06fc1fe528

SHA1
b01b280fc505080460e25a8dfeea045b5b8248eb

SHA256
72f7bf1c7d4f25214631b37e6e9e1dd7221d639df405021e76e70bc0e690b2a7

SHA512
ea8db5207ed25baa188832271fa0d51123788b8dc2a5b75c588448d470135746c2a6a47b989c8f1e1b3ca4a15161aa2588e080cb625ba81dd519349601162fe8

Download Submit
\Windows\SysWOW64\Mooaljkh.exe

Filesize
94KB

MD5
d5872b38fc15f8e2328d627bd4021ee4

SHA1
a85685342ae4211743395bb9aaf1ede7b61b788b

SHA256
18a5b983820556b90384c8d12bf10811916dd3c7dc71773fdff26ace6b322b73

SHA512
b5aec6fe689d8bb54975ed506073c3f80cb64246b2fd75a8a2c87e9090cf8cbfb4eedf3ce4b1703a29c5c013b7e50a5f79b6d26f82062edf5b095481a1fe5786

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
94KB

MD5
c9c1bad44f8d0b478ad7a53543263873

SHA1
085082c4d385ba23afb5968fa108f7421d10d34d

SHA256
190be103a39e46ef41bef87285dbe8477450de482298dc48732a1b04f62b7b40

SHA512
a1eeda9799436e1b0b3d4477641a8cc449e1e852c82f0c83dcb44f971a29d36dfbf1778198335ea910af061148f0d371dd2e6aa2417955e52495035643f6d3f2

Download Submit
\Windows\SysWOW64\Nhohda32.exe

Filesize
94KB

MD5
638dfc68ae82b82ced6364ea2faa0538

SHA1
ce8b01d5c4e388eb43856a4de9810be474a493e7

SHA256
856a8477331f68708e2999edcd4afceb1d6eecc96553315fcdf60ce4dd5a0a8b

SHA512
665e3afd5425706ce0aa17214db9f0fb5015872e88dc9b07871b4469bbd6677fbf7d1434aedeb6491296183d21088818dcbcfa0c86bba6b087bdb8e01d1d0cbb

Download Submit
\Windows\SysWOW64\Nibebfpl.exe

Filesize
94KB

MD5
0e3ba3ba21bad8529da12cd50030aa99

SHA1
bfe350e714d13b9bdd9670d5cadbcbd644c9badf

SHA256
ed8c86da97c13eb9f2a1eb44f1158894caa9acdaee5af1a24f51c7b3702c1361

SHA512
595afc9788f388d2fedadfa1db250c86e354588f16ea7a6cd816ffbffb023cfa7c6a160430a31c0241d4a3f00b2adb142301a0c4b8f9c7e438e935c2eb093f23

Download Submit
\Windows\SysWOW64\Niebhf32.exe

Filesize
94KB

MD5
806cd776525c4896911dcf0129d4d08d

SHA1
44ef7a9c90627b7e841a36cbea7235bff0658627

SHA256
435093ae873d4d8b355640a76a5bd47b4fdc0596da111a0ebd62e6b3dcded043

SHA512
b7d88d787d4ad81d9a48ee2c2f9b416e0b3bab38d38ce0434dc56a7685a8a8e9fa1fe767995f75989fa64c0d45b528c2e85875f3bbd612422eaf880c68ef8123

Download Submit
\Windows\SysWOW64\Odhfob32.exe

Filesize
94KB

MD5
a336e9fa7abc095d4fffa04cb8f908a3

SHA1
c5b704b98e83575319fe4c9b11b3e691e86577d7

SHA256
cd582b6b98a84dfc05afe397063f5b2c6fcf2fbead1ef5b3c4c20155ce8a4be9

SHA512
87a0a17e08fe0f0b2a6ae89594b03d5c87eb77d5c0dafe0d6d3905edc34bd0d24f4c96e001657f3183d04a310617ea525b19145d80eeebff58b9ccf2e7cb40db

Download Submit
\Windows\SysWOW64\Oomjlk32.exe

Filesize
94KB

MD5
9022e48592795a920cc3fec3127b5800

SHA1
6795c648d920e158bf6602f0860ba460276ab972

SHA256
22b609be96422137879be0ca6b59b5fd91477d31168504db7e41763891e44150

SHA512
76ad59580347c1fc8b717bb6565d81cd3eefcc198daf46d0f1c44d8848970be8ab18422016f4f020bb63fa13c70951d17a81c218be3bf9a338dfa6d17b419200

Download Submit
memory/328-395-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/328-337-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/328-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/328-394-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/328-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-304-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/896-356-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/896-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-303-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/896-355-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1068-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1068-175-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1068-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1068-111-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1068-112-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1072-347-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/1072-350-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/1072-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-415-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/1072-414-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/1084-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-126-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1084-184-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1084-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-128-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1188-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1188-235-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/1188-172-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/1284-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-313-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1364-185-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/1364-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1364-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-360-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1724-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-290-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1776-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-370-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2028-377-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2028-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2148-24-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2148-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2148-25-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2188-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-95-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2188-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-200-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2264-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-207-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2264-265-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2292-267-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2292-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-264-0x0000000001B60000-0x0000000001B9C000-memory.dmp

Filesize
240KB

Download
memory/2388-258-0x0000000001B60000-0x0000000001B9C000-memory.dmp

Filesize
240KB

Download
memory/2388-312-0x0000000001B60000-0x0000000001B9C000-memory.dmp

Filesize
240KB

Download
memory/2440-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-153-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2500-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-110-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2500-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-64-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2520-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-244-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2592-254-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2592-292-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2592-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-383-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2744-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-65-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2764-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-6-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2776-230-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2776-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-143-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2864-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-215-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2884-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads