0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 21:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe
Size

361KB
MD5

0e89d971c128d5409e645f4dfdac8a60
SHA1

ff9a0e9a95c61cee67c110b04c908a24efc690bb
SHA256

0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1
SHA512

a48720bc6fc846a539f47d94d204ba10d4eb1b6acd079d790a2876da161e0140ccac24dcecf757578cd3bada26a49af30bbebebf7b1293676de341ddc1ae7ee4
SSDEEP

6144:EQYlDB8IsVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:EQY1Bgw/Nq/NZ/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe

Executes dropped EXE 61 IoCs

pid	Process
2244	Hfjmgdlf.exe
400	Hihicplj.exe
1424	Hmfbjnbp.exe
2056	Hjjbcbqj.exe
3940	Hmioonpn.exe
3480	Hbeghene.exe
4500	Hbhdmd32.exe
2744	Hibljoco.exe
4416	Ipldfi32.exe
2512	Iidipnal.exe
64	Iakaql32.exe
3104	Imbaemhc.exe
3568	Ijfboafl.exe
3068	Idofhfmm.exe
3060	Iabgaklg.exe
972	Ijkljp32.exe
5012	Jfaloa32.exe
4144	Jfdida32.exe
2152	Jmpngk32.exe
2704	Jmbklj32.exe
3884	Jfkoeppq.exe
2756	Kbapjafe.exe
3920	Kmgdgjek.exe
1796	Kkkdan32.exe
2068	Kdcijcke.exe
944	Kmlnbi32.exe
3456	Kgdbkohf.exe
4420	Kpmfddnf.exe
4760	Liekmj32.exe
2684	Lgikfn32.exe
3664	Lpappc32.exe
3508	Lijdhiaa.exe
2532	Lgneampk.exe
4544	Lilanioo.exe
216	Lcdegnep.exe
3432	Lnjjdgee.exe
5056	Lddbqa32.exe
5108	Lgbnmm32.exe
1292	Mjqjih32.exe
2792	Mciobn32.exe
3856	Mjcgohig.exe
4464	Majopeii.exe
3608	Mcklgm32.exe
1816	Mnapdf32.exe
1512	Mpolqa32.exe
4740	Mgidml32.exe
4736	Maohkd32.exe
1608	Mcpebmkb.exe
900	Mjjmog32.exe
4644	Mpdelajl.exe
4968	Mgnnhk32.exe
1944	Nnhfee32.exe
1392	Ndbnboqb.exe
2828	Ngpjnkpf.exe
1336	Nqiogp32.exe
4436	Ngcgcjnc.exe
2052	Nbhkac32.exe
3000	Nkqpjidj.exe
4640	Nbkhfc32.exe
1140	Nqmhbpba.exe
4992	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	4992	WerFault.exe	140

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 2244	3956	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe	80
PID 3956 wrote to memory of 2244	3956	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe	80
PID 3956 wrote to memory of 2244	3956	0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe	80
PID 2244 wrote to memory of 400	2244	Hfjmgdlf.exe	81
PID 2244 wrote to memory of 400	2244	Hfjmgdlf.exe	81
PID 2244 wrote to memory of 400	2244	Hfjmgdlf.exe	81
PID 400 wrote to memory of 1424	400	Hihicplj.exe	82
PID 400 wrote to memory of 1424	400	Hihicplj.exe	82
PID 400 wrote to memory of 1424	400	Hihicplj.exe	82
PID 1424 wrote to memory of 2056	1424	Hmfbjnbp.exe	83
PID 1424 wrote to memory of 2056	1424	Hmfbjnbp.exe	83
PID 1424 wrote to memory of 2056	1424	Hmfbjnbp.exe	83
PID 2056 wrote to memory of 3940	2056	Hjjbcbqj.exe	84
PID 2056 wrote to memory of 3940	2056	Hjjbcbqj.exe	84
PID 2056 wrote to memory of 3940	2056	Hjjbcbqj.exe	84
PID 3940 wrote to memory of 3480	3940	Hmioonpn.exe	85
PID 3940 wrote to memory of 3480	3940	Hmioonpn.exe	85
PID 3940 wrote to memory of 3480	3940	Hmioonpn.exe	85
PID 3480 wrote to memory of 4500	3480	Hbeghene.exe	86
PID 3480 wrote to memory of 4500	3480	Hbeghene.exe	86
PID 3480 wrote to memory of 4500	3480	Hbeghene.exe	86
PID 4500 wrote to memory of 2744	4500	Hbhdmd32.exe	87
PID 4500 wrote to memory of 2744	4500	Hbhdmd32.exe	87
PID 4500 wrote to memory of 2744	4500	Hbhdmd32.exe	87
PID 2744 wrote to memory of 4416	2744	Hibljoco.exe	88
PID 2744 wrote to memory of 4416	2744	Hibljoco.exe	88
PID 2744 wrote to memory of 4416	2744	Hibljoco.exe	88
PID 4416 wrote to memory of 2512	4416	Ipldfi32.exe	89
PID 4416 wrote to memory of 2512	4416	Ipldfi32.exe	89
PID 4416 wrote to memory of 2512	4416	Ipldfi32.exe	89
PID 2512 wrote to memory of 64	2512	Iidipnal.exe	90
PID 2512 wrote to memory of 64	2512	Iidipnal.exe	90
PID 2512 wrote to memory of 64	2512	Iidipnal.exe	90
PID 64 wrote to memory of 3104	64	Iakaql32.exe	91
PID 64 wrote to memory of 3104	64	Iakaql32.exe	91
PID 64 wrote to memory of 3104	64	Iakaql32.exe	91
PID 3104 wrote to memory of 3568	3104	Imbaemhc.exe	92
PID 3104 wrote to memory of 3568	3104	Imbaemhc.exe	92
PID 3104 wrote to memory of 3568	3104	Imbaemhc.exe	92
PID 3568 wrote to memory of 3068	3568	Ijfboafl.exe	93
PID 3568 wrote to memory of 3068	3568	Ijfboafl.exe	93
PID 3568 wrote to memory of 3068	3568	Ijfboafl.exe	93
PID 3068 wrote to memory of 3060	3068	Idofhfmm.exe	94
PID 3068 wrote to memory of 3060	3068	Idofhfmm.exe	94
PID 3068 wrote to memory of 3060	3068	Idofhfmm.exe	94
PID 3060 wrote to memory of 972	3060	Iabgaklg.exe	95
PID 3060 wrote to memory of 972	3060	Iabgaklg.exe	95
PID 3060 wrote to memory of 972	3060	Iabgaklg.exe	95
PID 972 wrote to memory of 5012	972	Ijkljp32.exe	96
PID 972 wrote to memory of 5012	972	Ijkljp32.exe	96
PID 972 wrote to memory of 5012	972	Ijkljp32.exe	96
PID 5012 wrote to memory of 4144	5012	Jfaloa32.exe	97
PID 5012 wrote to memory of 4144	5012	Jfaloa32.exe	97
PID 5012 wrote to memory of 4144	5012	Jfaloa32.exe	97
PID 4144 wrote to memory of 2152	4144	Jfdida32.exe	98
PID 4144 wrote to memory of 2152	4144	Jfdida32.exe	98
PID 4144 wrote to memory of 2152	4144	Jfdida32.exe	98
PID 2152 wrote to memory of 2704	2152	Jmpngk32.exe	99
PID 2152 wrote to memory of 2704	2152	Jmpngk32.exe	99
PID 2152 wrote to memory of 2704	2152	Jmpngk32.exe	99
PID 2704 wrote to memory of 3884	2704	Jmbklj32.exe	100
PID 2704 wrote to memory of 3884	2704	Jmbklj32.exe	100
PID 2704 wrote to memory of 3884	2704	Jmbklj32.exe	100
PID 3884 wrote to memory of 2756	3884	Jfkoeppq.exe	101

C:\Users\Admin\AppData\Local\Temp\0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a5ef309bf0ad984c4f4531705c9d185e923d5189f3578702f2d9cab0d8d50f1_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\SysWOW64\Hfjmgdlf.exe
  C:\Windows\system32\Hfjmgdlf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\Hihicplj.exe
    C:\Windows\system32\Hihicplj.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\Hmfbjnbp.exe
      C:\Windows\system32\Hmfbjnbp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        62⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 400
        63⤵
        Program crash
        
        PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4992 -ip 4992
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hbeghene.exe

Filesize
361KB

MD5
581ac2cd363192e76c4895582d127715

SHA1
8c211b59033073f8bd0814000fcbba53ffe6f9d5

SHA256
bd0212da393bdd6c008e843e39ea5f70d06cf973f35cbe19104bc77594ba9b19

SHA512
2d32be18c6cd9406e4f0f4ee3b4d9fa53a613ff0755583d4b77e0ee4d88fcd13b8c954ab440e893707173ecbc05f864c0474a9637c641fc76bc482c224726b2a

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
361KB

MD5
625a91fc987a8208a91f9319b6a75aed

SHA1
ffdfae67f724a6a97875b0ed7bf8df1775459746

SHA256
2fcaeda35d129d5d41691ec6656b1a84e560021637515ea08bbb1346ee7a323d

SHA512
4de17ce6377c95c969793be5156ebc935295c37188646f7bb80fbdf0e6f52e3c3aca573448782ad216f80203b2900dea70cb188e398db493b7f319c08c66a630

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
361KB

MD5
40f3ce1d1abdbd7d2c30cc13cce59627

SHA1
435f1c4ed5cf83653f2f38ae25ffc93715b9731b

SHA256
45472f50aeebe381d92ff58b70dc9842a0ba2ef9a37ad90b79e4483951e4a09d

SHA512
b058036432e7250940e6ba4d68376cad3f1c6f2edfb0ba61effd6c9275a2f8e33d6e60c61e05d583c3ae0ae80bb07e0631159b4434b0d93dad735e2faeda82d2

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
361KB

MD5
c1c83109256d837cac317ab0169d919c

SHA1
587a03ab3f45389a83fda9debc53d98d924d99b4

SHA256
66ad3037a9c4e5c092c51e7435545c3286e86c89a6867cce556bd8e34485638a

SHA512
c64a6441c885fda18c4c0c42c993c29ea6c066c9c83b196b671c07bc723ca2f5d8a6047aee0e3b32616e1476d90dd609b99a9c1f5623d99c6af99a9930d31733

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
361KB

MD5
1667fc6372e10ad283b7d6f4e170f533

SHA1
92d6d85da2f2903f65dfbcbc93427eecae195aee

SHA256
7989fbe98524eeb20fa3bc9f2e3533b6410f5a4ea9e66da9937ed07be83bbcc3

SHA512
458a548c75537ce3d005d208ef71a87d3dcf78eb631831f18df9c6218cf81fc952814c787996bda869b7484be609c332d5cdd26d5333b5c406ee3a335d0d8104

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
361KB

MD5
44e23b7936f1dfc4108e799305692355

SHA1
6b4efb5f62fa14429287318211805be04164a173

SHA256
8c4349a2f64b05111e73d1e28a9521ff454cb5f953a237aa84baee73590b790e

SHA512
a7ad37638937d0159eee1ed48a8818fc28cdfc2d2205d3a0d2d03c9ae47e6abdf09c45ab3b17c78bbf339c68562787a509ccdb76a525d9348b1b6776e84df8c8

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
361KB

MD5
b9bbe54095df8b6df0c5005883993fd3

SHA1
ef92805b6bcac09c2453f6b23dfac4cde4898012

SHA256
69b7c4d9f251a69d885d909ec2a9bddf1962947136304eaa338b6497beed888a

SHA512
aa2ad364f7663d6ef49deadee3fea6dba0cfa5a32698846c4043a9bbce4502d6944429553afdf9163d6ae1fa0f5ff0e49e26f03504f9299e90bada32a73b3d71

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
361KB

MD5
bc0e6d104d65797a5cd8ce5dc4f80540

SHA1
9511250da44437c2313f7b236b29eb5cb28f2c25

SHA256
448a23a7df850d1495f7ae7bc28932fce73572cfec420d36f08a2b62f41fcb74

SHA512
d36689fcf66879a8c4c2916ffbf327a01d247abb7ee2b92cdaeaa2b79f2a84d1a5e6dd6c437b0787cb49b8352500f657379be08b1e9245917475a30224b505d8

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
361KB

MD5
a7e58d5498c8f74f52af14a6c9cbd219

SHA1
3cda01ca59ad442fe1e126f821392a22457c1a2f

SHA256
92e1ba1849e64a58ec1d65b30c71346450f682991e7332bf4ce0c8e5fa404c63

SHA512
810fe551a2cf0a9ca0109da276ab518f7bb710742e2a463cf44cae19ab6ca325280812ec631889dd89e590f7cb328965ad7193dc0fbd5d1db97eb566f9aaaa52

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
361KB

MD5
0a93a270f989a2e32a35d43177884017

SHA1
b67bc1572ddef024845529ae6f9995e611eab542

SHA256
061667dcf99cb4b320b386b17bd7c061a320b9936721f4520ef01687f52cb02f

SHA512
0bad585cf2729d803371e19aa58aca85f7805a37df2fed10040df3063f8b2ee3b889982dd47c4108f86cca9971eab509701ad89b326aef87d0967f45db94eb20

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
361KB

MD5
37cc568dad8047c4ff207bcca5374862

SHA1
4c961b9977e51f87f7e23f388ad23e9bec490dd6

SHA256
b228e755e18db585d5371336e8c8787814d72d6bc9db9e030de665d39fca6cf2

SHA512
39457ca4ccb7d4a191a786621602c0ff7b394f2213bcf3a4b22aac122bf785c7dc9f475b668cf79d86e17a6cdff9ff64f683ed1246bc0c89a2ef04477d600e0d

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
361KB

MD5
e7c6c046aa353704cf59164d3219d35c

SHA1
79ed6f827b6de5cdf6c89a179388155b8b0c9016

SHA256
4f8f169109e248453932c02aa3dbe133c1db8e082053bce25547f8198e60a44a

SHA512
c7ac41a0fc919d5b3f7fd0846a51d12ccf787fcfd450341d117c5c78f50ceba80d72f7599533f1b71b0c5ecca43d8ac1e1a19a52104c8c0a5050cc5655948d92

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
361KB

MD5
4696d8f065ad741ad5d6366379c5c22e

SHA1
1725af7dd28395a153a165cee27afba76f63f0e8

SHA256
ea38ff7979d2f926007d0346bdb2b68c500247b6fd95b172249182028f065e4b

SHA512
5dc5c99bbd67a8d639cbb66db6dc940115fd6ec3c4c6c0dc425c673ba3a6babb3287582de996205c0db31c6a54b548046e4beb8f62a3b40d4dd1050cd90d551e

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
361KB

MD5
72cbd27108ec43c6d6a331595e05555d

SHA1
87fd7a5449780c7379bb6d312ab88ab88ea2498e

SHA256
9ff6b3a8a0796e140ddc86cf3b4c9043e36071b6665c23a66772efa91df50787

SHA512
d6cf1c78faef4a4e9af145f04e18d7dadf59a6c24f8120e4532f5177e7e9b5193dcd1e2571a1afff267d00fb71169704d2f79cd4eaa281608cf64991b683a30c

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
361KB

MD5
fd0e5140ad5be63450630d66cdb98cef

SHA1
036c4de2dccd6401b91dd1197e507c63627b0ceb

SHA256
10dbe65c1415c71401b60a0228619a7bc5d04b5374e84e34ef363c5aa863d568

SHA512
7daa984c333136fbe9f6a98709434dceebd5b0404da951ac985005b813e80c50ad1d8674574c40d836d4d565126ca3e3bceb58d4ea7fa24b23de333dc71d1e18

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
361KB

MD5
eeee127360ed5867bdadcbc42ca5f98b

SHA1
c1f07579dc39a741df8c90c5a2f16de154c7f16e

SHA256
ceaed1fb26416b0f59ed16f89d2dff9c93e30b77c628876789d81f42a78d0f96

SHA512
9579c950e8f23326b4d07daf822a8ebd34e396f518103a2850b7e44ffb1a11c6ae99417aca7db6db94ab25e9d2261d5ccb49bfeee2da3697f5de268710eec84f

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
361KB

MD5
1ab3a5ccae05753a39ac1fcecfec0d4d

SHA1
50b36789b09d58ef53c54f39565eca0af371840a

SHA256
cbf747adf0c80315dd45c07efedea4c602530092c3b9626828fcbaa514d61ec8

SHA512
26a922db454d79f50dd08c5b080441535037751fcbd208dcf879bc8522cc310653d3a56795a6d2d57ac5766e1469124ccf51d9fe2684b33f537a5f4d86a84c87

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
361KB

MD5
a4a464de4d332126d8eaa0def68ca2d6

SHA1
b7e7570ba0689a6965240940add0138f7c93f5f7

SHA256
6f7143017784ebc3be5b03c0b9dacd4632919d608f4823eea5f6daab66645eb1

SHA512
0f9aa3e8011a169c1d46bd5adc5de0d110e512e86416f7a8adc96ae932fc2b835009ddabbdd2a120c97105387bd1d79d06b800ecd990b767c52a362e3cf6926f

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
361KB

MD5
6b69137e240318aa5bc4cde3fdcad577

SHA1
533ac2c96467653b18aa19c9ec855abb6083d419

SHA256
df4e74172f174339f80a27c03d6aba3e86a8fbc9ef290c8da78c46547b42b3d0

SHA512
95bf051ba68dfd2ffe9ecefc24946fc1108a42518cb695f86ef9e4bde7cbeb8b8099040ee1b9cd85199c499cca22ae13ca9a7ced1215f9f6b12d97ce00b0de15

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
361KB

MD5
7af8d513397c28631052e555ce1547da

SHA1
1834f175659e5e10be434b1510bc4aabd7a385ac

SHA256
f3d6411e3b9262471315185efc659d36d41334326abae6039b1079ad410e9033

SHA512
842ad08201da27d8de5af0ca2d5fe6712d9be90dde1cc188d2ad2e35a3200aeaadd9eedab3b9a346dc57892385a83a64b5dbfe80a5a46f8dc07e6f97d4d71705

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
361KB

MD5
eb84a3f437c071d36c36743b5ad60273

SHA1
5133514fc10e9382deb0fd25384f941e90ae5131

SHA256
f1f28ceb82bd7fd25f10788e36f95d43a5dbb218a93fe281bab1aa37f5f0cb86

SHA512
e0607a88d0fa6c320f9ab74fda6b164b4003d2e9e1f0a62b8ba01701a5afa4cb2a16bee1f6acf2d23e23f4eca92e8748c8754713c0879f9db9dc4507ea297aa4

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
361KB

MD5
3c1fd9bf522f3998b6f2c15a42662c6b

SHA1
94f20c093ea7483a2f6dfcb45701379eb978fb35

SHA256
e8801082a439b47038863fb498860e3de3e7c743427ade61b85aeedff12788b8

SHA512
502963c66e41fffd7851f7f78ed3bce8d2eb534476f05b4d99cbd15396b30b7f65f30fc4449c6fc5fe23832bfe40bf25ebc284c794781a85e3005b6359f14591

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
361KB

MD5
307e601e256483a011da3aa5baa4e23b

SHA1
e13b21e0e26b49b6e4bf8b4d034d9fc129cd6b11

SHA256
2841176e39b45ff013666a9a1b772de1e9c71ce2b299368656f17a43daabe7f7

SHA512
5924369cee140669663fe0ceda3bc9615ff8b8c8870ea51820c031766b64fe2eaac64650573f285b94962b30ca68b5f768d23174ed84cc50b3a7a972fb63c21e

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
361KB

MD5
0df5e5ebfbd1bfe1e7039f93adb4c785

SHA1
31b727e913b198d516916b99859fee3d440b3290

SHA256
7c5a7eeb6bc19446f970adc79d12ae0df438feb7eda8365b145d4415072595c9

SHA512
a288fec208c5ec0626915cc04641fc87150f84c32cdefae3e07052fcc3a4e874824e59475e971b9409e85d42e5a14da23cdac4d21f32ea7598360d201622cff2

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
361KB

MD5
0ceebad621d4de7168ac1d4dcc1c3ce8

SHA1
8d4a7a2be0327b92d2f13f2d6ea2dfcac9c44b33

SHA256
0715b53f21f0d47355e09d8a263b07a9f53229c1517b341d11d7080e366809db

SHA512
906b810e8362551b6cd61e7ab8388e580ea559409e87716ecb8c50ecb1d1c1c22ab19a81a1c559e8ea7fc48242333245b97eb8f43c7c24d351ef749f328393a8

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
361KB

MD5
201321cd20ddf65573242c7c0518a59f

SHA1
3f409750cf8cdea28f2756d18c86ef5781a1de45

SHA256
600392841d3dc8ca19a01589f9230c483698b4eb299f17c6da6f85b6f7a14af4

SHA512
185d44c4ac4b5a5917aa3dee7cc268ae6050decc41db6f514f1911317099b6d4a013670b64ab17bc73a560d228ad43edb7824e36d3593be2f3945bfa2ec99f0c

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
361KB

MD5
51c31f5350df2597db23d6f30632df4e

SHA1
2549af9b038ac0247931132fe7f12bdb770bf9c1

SHA256
e5fce90bbbaa71b05fc9a4fc0187c1f62001364773851e7c8127dac30c284cdf

SHA512
228f2a74d0edfc0550edf0aed224d76b4a9d8bd14eab33e25433c4884f28ab1062a2f3efb9ccce0fc8c2811199ae687f370520c344b0232cf0aed77a2d9b5a14

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
361KB

MD5
58e18c887caf2562b3ecf35442b69619

SHA1
786e15ae2a42f4b2538bbd9b261d0ea26dfe3c8d

SHA256
090692a17cd48138015b6b077a2e15f2ff0f9d33bc7b961099deb1b1b1972e1a

SHA512
c9edb24a2ac4717ea8cb38bc46bd3b53555df4dff622e1d9da7a71dfb227a5d006d217c59a9d006e51ab4c8fd83058ea62d61fe5e804f8f3c37aaf222742e00a

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
361KB

MD5
48846ed1762e9fd584f32d1e1c70c6a1

SHA1
e0878aa786f2ce245ed608e3b258425030887f16

SHA256
547f0910ef7f5c26ebbe9b8d7818a778b15f5ae096d414f2dad841c8c9c9c5d4

SHA512
1e208f82ce9863cf97fd3369c403070105be1f91decce2e020d1ba367b5a2c112f9990c94c738388b02675a19ca3c646c7e3ba783cfc764771285117e4b366b8

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
361KB

MD5
f8509be6da5df39276d01b11fe9b443a

SHA1
fc7f13adf7bdc741b9951da5d4ecb999497a0ca1

SHA256
db434a89c6af3cff5ff7b3cb8edcf9bf97bcb7941565f7ffeb84ff2aa1c8e2b0

SHA512
1a412ea22ade2dd46693e90156b6097a81f73f7e0d0f2ca82622c9d315931493056f628fb8358def7a493b18f69ce8550d4c15782b164c6d17961f88ce4900c7

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
361KB

MD5
99351ca7e4d4d4a4ce325df075f28459

SHA1
a0eaf8cf3f9d4047b89f7f7acd61c64d9756091b

SHA256
19d5d0304687afb823ab769c0f0d4517d069bb69b4e214f0ff0e809109a3b281

SHA512
b27933114f17a5cf8dd190a9f9809581ddbf59e3c4d4cf24f80805dc85426909aede16eb6a2fbf9f0486affae983d206bcc7552bf856c4b4f675605ef8fdf1a1

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
361KB

MD5
0e584e9a129e5152900bdc3f7726478c

SHA1
b7dc3ddc00cd34b266e60a5318f52fba3e56419a

SHA256
f7c92fdbc10a380d76d51e432e17dd24b9bafd16631e572b33d33c5d9cd05f9e

SHA512
d0818cd2e5f8189e0608b99261959dd4dd12e679d40471f8614491c4704f981e5e2e31af82940838a27def3880125c6bc82dd7ec7c35b51f71ec80b89e53eb19

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
361KB

MD5
b3dc4c7ccd8e1867f7a89a069b4c090f

SHA1
387de414f8489db7a53bf7cf16c316b6432574d9

SHA256
5bdfff5319ce3db06deec2b1feada36dc425da342fe1340df1f0b8b387df63df

SHA512
cd8554c7b35ee6024f4599ea81db8e192983a81c7a29c2124aa130a829dbcab497d1f270c297319ee36b7f8c36c16c9e5e15547c32c2bbec4c7447f1196e9a40

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
361KB

MD5
51227b0bd8d4972b9434ccd14d26aeb5

SHA1
2f6e2ce3377671a11be7cd225db27cf449345ea3

SHA256
ce42d160f58f69da8388123ab1f1e5c15f4f0aeb5ed9c613e41ac17acf72b401

SHA512
e257daad2ad38a0c1de8f0cf1c5ad4eee83a5bf0f53125e31c37d26e5dfcd480a9f9fc90d99a0b0deb99f11135c1dba73b8f68a8efabf9a6be6b82bdf6b0feed

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
361KB

MD5
415e9349318d03a8550f9d3821c4134d

SHA1
c3d40e7f5180bb648dee365d6861714fa429c4c8

SHA256
ce298aba24b726d6abd2661c25435e12b64214e907a098b0ca920ec437899f95

SHA512
3a16628d3e22aba8f39f1ead236b3cc1a361fbe80e7b92cf7acda1b9c7cb08bf70b4891acdb1120a065134c0691150f60dc7a25b1bc16b3f54de4f786deb8910

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
361KB

MD5
c951e3bc42f0bd0de71bd85e1f562565

SHA1
fb702d9ead9a19846e9f08d9ee2ecb29f9e84e47

SHA256
90de826f63bcc1c70733d57bf284e839a9bd1d8b71a29e4fbd50f2af5736a053

SHA512
a9ef2eb81de7fe2f8691f9d552ed93ad1a2acf334659b3281e55a5c22e577a186fe16670e27c94c968e093a134d7f392e1e0baeeecad0ab6f8e075531e2340ba

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
361KB

MD5
da097e82ee74e6c8612bcae25b28517a

SHA1
373c950095bc053e3620a2f37f9ab06ba4ad0343

SHA256
fc9d93fcb0307cf613c41464338b4c9b5df55b5403e70edb583ee81903e3e33b

SHA512
fb1dc81ba96e284b2d42958b3dda2b1dce9c84e13212cd877069491fe34c1574b4317fb14908b7371227482dba8a6615c8775f915f576ea3428d8d8ab90787dd

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
361KB

MD5
ee6d4ed29a5ffe58fc8d9268d5372cbc

SHA1
ac38e222544c2ac1f2c688bef7b693f078cae58f

SHA256
690a206b80485488e81810d390f6eb83b88e925fa1839c4a84f1c27b1a03b862

SHA512
65cec0a81e13eb1b893ae0036126ba479a5176c5eb5c8fd3c83ed1c7adf752a4f4009d4447665c10fa58036d2fee712474418c03a2d25d138b77f4273719194b

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
361KB

MD5
1dd7bd37c721be3918c94be85640fde8

SHA1
bf4923df5629019266148b76b90672c55729f657

SHA256
a88e6aba44ac63f40f4ad181c1ce2bc3e8ecfb5c45a2c1e0ec0396d610316556

SHA512
33e0225e24303e7221f3fda26dc4974adfabd8268e12f5c84449a19428d82f10baa1fd0af7aa0c416802f7d88b4ad15d91eb91841e828ad889b32878567bc684

Download Submit
memory/64-89-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/216-482-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/216-275-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/400-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/900-357-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/900-454-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/944-209-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/944-500-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/972-129-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1140-422-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1140-432-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1292-474-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1292-298-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1336-440-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1336-441-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1336-392-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1392-380-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1392-446-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1424-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1512-462-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1512-333-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1608-354-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1608-456-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1796-192-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1816-464-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1816-327-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1944-448-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1944-374-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2052-404-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2052-442-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2056-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2068-201-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2152-152-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2244-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2512-81-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2532-266-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2532-486-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2684-492-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2684-240-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2704-161-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2744-65-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2756-176-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2792-472-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2828-386-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2828-444-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3000-410-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3000-436-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3060-121-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3068-113-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3104-96-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3432-281-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3432-480-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3456-216-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3456-498-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3480-48-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3508-256-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3508-488-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3568-104-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3608-466-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3608-321-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3664-248-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3664-490-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3856-470-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3856-309-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3884-168-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3920-184-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3940-45-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3956-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3956-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4144-144-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4416-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4420-496-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4420-224-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4436-398-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4436-439-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4464-319-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4464-468-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4500-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4544-484-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4544-269-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4640-434-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4640-416-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4644-452-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4644-363-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4736-345-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4736-458-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4740-460-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4740-339-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4760-232-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4760-494-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4968-450-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4992-431-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4992-428-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5012-136-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5056-478-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5108-476-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5108-296-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads