36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
Size

108KB
MD5

37fd5526c28e404c785a03b74ff2cf90
SHA1

752b11b70150ab51a4633f628a926b24e36f9ebe
SHA256

36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320
SHA512

f813b58a5a8bbf1cbfc8d47aedd1064ac4ef9f6c2e40a59e29431824ece5d27259dd35d3079a761cc930dcb022a001bb30a0df38983d5c753198e732ad5931ea
SSDEEP

1536:H6oAsxtGNZadbhAZshNiMpMwB+rjm8NiIqhn3HQ8BawTj2wQ3K:H6oZeseEUjmOiBn3w8BdTj2h3K

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modpib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iehmmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccmhdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khiofk32.exe

Executes dropped EXE 40 IoCs

pid	Process
1584	Qdoacabq.exe
448	Amjbbfgo.exe
1896	Amlogfel.exe
780	Akpoaj32.exe
4224	Akblfj32.exe
208	Bmhocd32.exe
3272	Bklomh32.exe
852	Bahdob32.exe
1612	Conanfli.exe
1160	Cncnob32.exe
1676	Caageq32.exe
3112	Cacckp32.exe
1760	Dkndie32.exe
4632	Hbenoi32.exe
4708	Ilfennic.exe
1128	Ibgdlg32.exe
4148	Iehmmb32.exe
928	Jekjcaef.exe
1508	Jhkbdmbg.exe
4660	Jpegkj32.exe
1036	Klndfj32.exe
4784	Klbnajqc.exe
1528	Khiofk32.exe
4408	Kpccmhdg.exe
2236	Lafmjp32.exe
4864	Ledepn32.exe
2876	Lckboblp.exe
5024	Llcghg32.exe
4156	Modpib32.exe
3336	Mofmobmo.exe
228	Mjpjgj32.exe
3836	Nhegig32.exe
3308	Nmcpoedn.exe
2492	Ncpeaoih.exe
5064	Njljch32.exe
1708	Ocgkan32.exe
3152	Oonlfo32.exe
3544	Ocnabm32.exe
5056	Pjaleemj.exe
2100	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Biepfnpi.dll	Ilfennic.exe
File created	C:\Windows\SysWOW64\Jekjcaef.exe	Iehmmb32.exe
File created	C:\Windows\SysWOW64\Khiofk32.exe	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Kpccmhdg.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Ocgkan32.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cncnob32.exe
File created	C:\Windows\SysWOW64\Fnebjidl.dll	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Ledepn32.exe	Lafmjp32.exe
File opened for modification	C:\Windows\SysWOW64\Mofmobmo.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Fpgkbmbm.dll	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Hmjbog32.dll	Jhkbdmbg.exe
File opened for modification	C:\Windows\SysWOW64\Khiofk32.exe	Klbnajqc.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Idkobdie.dll	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jekjcaef.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Qdhlclpe.dll	Jpegkj32.exe
File opened for modification	C:\Windows\SysWOW64\Modpib32.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Cknmplfo.dll	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Akpoaj32.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Akblfj32.exe	Akpoaj32.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Ajiqfi32.dll	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Jekjcaef.exe	Iehmmb32.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Cmgilf32.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Lfqedp32.dll	Lafmjp32.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Kpccmhdg.exe
File opened for modification	C:\Windows\SysWOW64\Ledepn32.exe	Lafmjp32.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Oonlfo32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Hbenoi32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Ibgdlg32.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Lafmjp32.exe	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Keoaokpd.dll	Hbenoi32.exe
File created	C:\Windows\SysWOW64\Hghklqmm.dll	Khiofk32.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Phgibp32.dll	Njljch32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gikgni32.dll	Akblfj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	2100	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghklqmm.dll"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll"	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnekbm32.dll"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkobdie.dll"	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll"	Hbenoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1584	3696	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe	90
PID 3696 wrote to memory of 1584	3696	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe	90
PID 3696 wrote to memory of 1584	3696	36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe	90
PID 1584 wrote to memory of 448	1584	Qdoacabq.exe	91
PID 1584 wrote to memory of 448	1584	Qdoacabq.exe	91
PID 1584 wrote to memory of 448	1584	Qdoacabq.exe	91
PID 448 wrote to memory of 1896	448	Amjbbfgo.exe	92
PID 448 wrote to memory of 1896	448	Amjbbfgo.exe	92
PID 448 wrote to memory of 1896	448	Amjbbfgo.exe	92
PID 1896 wrote to memory of 780	1896	Amlogfel.exe	93
PID 1896 wrote to memory of 780	1896	Amlogfel.exe	93
PID 1896 wrote to memory of 780	1896	Amlogfel.exe	93
PID 780 wrote to memory of 4224	780	Akpoaj32.exe	94
PID 780 wrote to memory of 4224	780	Akpoaj32.exe	94
PID 780 wrote to memory of 4224	780	Akpoaj32.exe	94
PID 4224 wrote to memory of 208	4224	Akblfj32.exe	95
PID 4224 wrote to memory of 208	4224	Akblfj32.exe	95
PID 4224 wrote to memory of 208	4224	Akblfj32.exe	95
PID 208 wrote to memory of 3272	208	Bmhocd32.exe	96
PID 208 wrote to memory of 3272	208	Bmhocd32.exe	96
PID 208 wrote to memory of 3272	208	Bmhocd32.exe	96
PID 3272 wrote to memory of 852	3272	Bklomh32.exe	97
PID 3272 wrote to memory of 852	3272	Bklomh32.exe	97
PID 3272 wrote to memory of 852	3272	Bklomh32.exe	97
PID 852 wrote to memory of 1612	852	Bahdob32.exe	98
PID 852 wrote to memory of 1612	852	Bahdob32.exe	98
PID 852 wrote to memory of 1612	852	Bahdob32.exe	98
PID 1612 wrote to memory of 1160	1612	Conanfli.exe	99
PID 1612 wrote to memory of 1160	1612	Conanfli.exe	99
PID 1612 wrote to memory of 1160	1612	Conanfli.exe	99
PID 1160 wrote to memory of 1676	1160	Cncnob32.exe	100
PID 1160 wrote to memory of 1676	1160	Cncnob32.exe	100
PID 1160 wrote to memory of 1676	1160	Cncnob32.exe	100
PID 1676 wrote to memory of 3112	1676	Caageq32.exe	101
PID 1676 wrote to memory of 3112	1676	Caageq32.exe	101
PID 1676 wrote to memory of 3112	1676	Caageq32.exe	101
PID 3112 wrote to memory of 1760	3112	Cacckp32.exe	102
PID 3112 wrote to memory of 1760	3112	Cacckp32.exe	102
PID 3112 wrote to memory of 1760	3112	Cacckp32.exe	102
PID 1760 wrote to memory of 4632	1760	Dkndie32.exe	103
PID 1760 wrote to memory of 4632	1760	Dkndie32.exe	103
PID 1760 wrote to memory of 4632	1760	Dkndie32.exe	103
PID 4632 wrote to memory of 4708	4632	Hbenoi32.exe	104
PID 4632 wrote to memory of 4708	4632	Hbenoi32.exe	104
PID 4632 wrote to memory of 4708	4632	Hbenoi32.exe	104
PID 4708 wrote to memory of 1128	4708	Ilfennic.exe	105
PID 4708 wrote to memory of 1128	4708	Ilfennic.exe	105
PID 4708 wrote to memory of 1128	4708	Ilfennic.exe	105
PID 1128 wrote to memory of 4148	1128	Ibgdlg32.exe	106
PID 1128 wrote to memory of 4148	1128	Ibgdlg32.exe	106
PID 1128 wrote to memory of 4148	1128	Ibgdlg32.exe	106
PID 4148 wrote to memory of 928	4148	Iehmmb32.exe	107
PID 4148 wrote to memory of 928	4148	Iehmmb32.exe	107
PID 4148 wrote to memory of 928	4148	Iehmmb32.exe	107
PID 928 wrote to memory of 1508	928	Jekjcaef.exe	108
PID 928 wrote to memory of 1508	928	Jekjcaef.exe	108
PID 928 wrote to memory of 1508	928	Jekjcaef.exe	108
PID 1508 wrote to memory of 4660	1508	Jhkbdmbg.exe	109
PID 1508 wrote to memory of 4660	1508	Jhkbdmbg.exe	109
PID 1508 wrote to memory of 4660	1508	Jhkbdmbg.exe	109
PID 4660 wrote to memory of 1036	4660	Jpegkj32.exe	110
PID 4660 wrote to memory of 1036	4660	Jpegkj32.exe	110
PID 4660 wrote to memory of 1036	4660	Jpegkj32.exe	110
PID 1036 wrote to memory of 4784	1036	Klndfj32.exe	111

C:\Users\Admin\AppData\Local\Temp\36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36ec32e9b9464381558e7c86d8f1565f040b4f1b96d47b7d1bab01dbf732b320_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\SysWOW64\Qdoacabq.exe
  C:\Windows\system32\Qdoacabq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\Amjbbfgo.exe
    C:\Windows\system32\Amjbbfgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\Amlogfel.exe
      C:\Windows\system32\Amlogfel.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        42⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 400
        43⤵
        Program crash
        
        PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2100 -ip 2100
1⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akblfj32.exe

Filesize
108KB

MD5
fa91f8a49c3b5eab0c9f3d2739a8f8b8

SHA1
d729c2ee11a1990cf8f4ccb8720faf61c50d43df

SHA256
1bc2aa0696b2bd54ed984032635b8b10f187065cde5f94bd7f9de49267729e87

SHA512
ab7616e2c04d87d067169da9a0b7665864bd9448c76cdf241f9250e89578ce4a0b1c780e696a929c6d53064c9a5e1b5d414884d2581538d6381d4f2b12ff186d

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
108KB

MD5
c25804acbfc6c33054b4f1837c517835

SHA1
5a1b439f90fe718700dd32467df64f4d8de01413

SHA256
69f0f7f7e2361ffc8363ef719c32a385be566c7d55622733577fdb3c3189fd5b

SHA512
7e4cad2917e1b997e339c7749422ff0d4e968be6de364de20c3562b865e48bab2f558e017419e5e0f4efa25b1f461968cbcc7053b1f83a7e265439454e91aa11

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
108KB

MD5
8a2a0aa2b8213b48b585cd4d12d2e469

SHA1
b9750a64ddee1e54a0e82b7a495379ae7aa9d33f

SHA256
221a72dc91c5be32edd8a9afe589ab29bd17f3f12af0cf8c5dcba49d8a390c1f

SHA512
313cbe31e94ab52d56672a6a19f04b8b98636d54aa0993158eecaf4f7c530ab90f2662a28946259bf339ee2b2b145438deeb9e36e68486a89010d9e61de1fb2f

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
108KB

MD5
2aebf250bb8d5c9611d2637f29b05931

SHA1
153040118d44775b81fefe9858e7d4b99f03eb71

SHA256
4bcbb021275bd95131717fb6eb024eefb9d208afd7142f4e0f58ac2b6c639957

SHA512
ff19824f77175e7eb04f2b51b7423eb37853f7462a9e2f04822b4358cfeb802594c7b4fab0590f9d54b52601d119bab49093f5897e37e9185fb0cb755515269d

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
108KB

MD5
a22ff726a5295ee4b0daaa64c6bc0f61

SHA1
140a43156debbbeba3905731b540b1a19a4f0df3

SHA256
11df79fe30c0ec02bbe559abaeb19e6de0b4dbc7bd085856964c917656100340

SHA512
3dccb4fe7de9c5a6f9e88d9b345a40a0554a1ef91c0f93f4b15c1288d8d5d01d951dc17339e27dae1944c542c677991be71ac51c8d4b1c9ee76f228db797d820

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
108KB

MD5
a9271df46f33aa9ee8ffec9407eda119

SHA1
4a72610d6edfdd663cad4fd3e9705111a060253d

SHA256
1997b19293a6164d48512e230daf5bcd8b2386348031bd39dbe8e7ec26d61690

SHA512
f9e4b64c6fb9fd286d5febb31b8511aa002d839f71ead825b1030d7d61c64d0ab6b4c4f7ff476b3cfac41774c8f76c5dd44f2d2a6645e28aa58d3b897538b1ce

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
108KB

MD5
5e06bce006f3d3c5ca48bcf16d7f0b47

SHA1
abc0c1fce86cd74a831d817d94f0c2d1f2586466

SHA256
5cf7b9ecddc7de5a6bc642c5c3f29cb89148e2f9af493501652b936d85c7a544

SHA512
47da294b5a43c153c6eca1fcebb01cf91529c2f083331a69d8c0b0e5a08bb7b5304f2cbcaf316f3b934ca5c848be64c5cda681848795e9f14ef2a0e490d2c0d1

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
108KB

MD5
cd636d08338cb90e9cb7d5e36dc8ea07

SHA1
12fe1b07ce352007389db1b30329f2cffe332b2c

SHA256
24c754a53f2e247e697f258625e5a60a1b5a24a902d0e661210c6c0bdb978038

SHA512
81be3bbb1bad63db9936f5521f22c0d5b81eb960554e57b1f752426f2f1ae0ebf589b4dcb583bc6d472580b22526626b0fdf7ba27b353b3e3361c06e8c43aa32

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
108KB

MD5
0b7ad26366088929bdeb97aeea190651

SHA1
d7e8aaf5290e399d738fcc1e20565321d7c93133

SHA256
089cfc8d7bfa6161325b4fafa955053fdb73608f3e96244ca6e8cb9d4346a0d5

SHA512
12b126a784fcf1606aa1599a47a9520f8cc80778e41bdbcd542483bf0212c587a0fa6245e35e34b2b6089c2f3d7a2373c052a62e8965faba2a5378c150b805ef

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
108KB

MD5
820a504624c475bc959890213e4c6829

SHA1
a63efc48fe170d566b7987751e173833dd98df16

SHA256
2424e2682cb26097b7322537c0da2992e912e3dd72cdd88bb62ab5bba6e28192

SHA512
6e7fe7f2f20a3eb9afe18746f79d7b1b5c10166398ba5086571255711d86e57e380a046fa0ca3a3d13641cef563675f0e46362866a81799b4a01d50ba828ef27

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
108KB

MD5
d2a0c7383320058c3694e69b59d69614

SHA1
b3b158fb0b10dabbe6f49b1b76cbb681348720e3

SHA256
e1aefebc67a79ff9af74071dc36769e7199d4547c1d6e903a68ecf8bb4b435c9

SHA512
b3d06c5c3509eb19e79c4add211e5d94c7d626558444c2281457d22e1e344c10208efc41d1f66978da53b7b1345374f3776bf8acd7db621570e5d74f54e12973

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
108KB

MD5
622f48d8d0714813a2d9b5ec97d13d22

SHA1
9d90545d1aea34465236aba2cfc6de9597723e68

SHA256
a3a75ad73b3f4e145f7cb87709d011cf68f896c12d087127d663a151e2ba828b

SHA512
cbf17c8f11e3e08bb76e724d2bd8d2738b9559aadff73e36e75b691fc9777a553e967be0e34ee740e1f3ea9c91e14fb82b6aa06e7452c8352884c5c612771fd3

Download Submit
C:\Windows\SysWOW64\Hbenoi32.exe

Filesize
108KB

MD5
bccccab573b2d5936f86f189b52fe1c9

SHA1
b2fbbbbcc59e42f7965ddf06ba381836c064264d

SHA256
f6ea5adbf6f188650610d9304fe1787a304b8cf3bb389a98d1833be80dd50936

SHA512
3b2f1b8190e1a636433367d9cc71ccfc93a188c56d363a7d60dc88d652b5d299a222c1212e2bfe064f58d91bc17b101c16525b59e8682b0eddc7fdcd99297278

Download Submit
C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
108KB

MD5
6df8a7fd817fe0ff680a21a9bc4711f8

SHA1
2018f27eb1d91488368f95917224fcea8ce48394

SHA256
fe5fb09fd4bcc6ab467611e44e55303d63f900b096cc9abe9679454daf43bad4

SHA512
be26e53380a1cb0e5bf1cf1614d9fafe8736f81481fe444fb6f58309c654b64dcbf746b683d56dc0e705ff33ede18738ef72e44ce1ed5c34328cce8129787431

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
108KB

MD5
77edb26995b5eed7d5e0da23a606e89b

SHA1
1281e63bf1975774c3ec6d0815dcb21b5f1f00ba

SHA256
55384b2e2d33dc3d4c8969c59442610736be4531cf4524b3eb7f351478a5da6f

SHA512
b64dac54d5155e285f41d7fbd7e4685a0ed5031adc31c8ab62b224beb928c429aef0c0eae538da4e674f814899ccf804633a1a915bf6fc4d750c4ad41519d4ba

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
108KB

MD5
a676a10431901c4c554f11e0496b9998

SHA1
f166bebdfb1667657b8a2bc8bf1f14157c3899c9

SHA256
e06de7031d6183ec4cda36aa35c0b27ce95316747c24f641c2aa5b1b85b535dd

SHA512
636080d8f6609b90416b5bb3da46b22e42b389ef3291e2cf4d1acdd73b387fc9e02d65b8ff87dd4a701edf1f6e76d14edbfc11e76c942b3b86ee316fb0a0bd0f

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
108KB

MD5
4230c32edbfca64f3a0f14b5012f2915

SHA1
66563fb9be1b2aca7d2d95eee662210938fcec27

SHA256
37bd9dd4a04fa39bc98aeaa45f862f5ab368bc5665837bce21f48eb4dbc9e38e

SHA512
8740a4f7a2870ee353a7fd99e8ff1735f639334a11efcc7aae065b9ed93e0ab72bf7bb3f9214b666da9ed3316b7536d660c5bc394eae2836c68e0e286bace45b

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
108KB

MD5
d61885298976b328c7172fba0febe3fc

SHA1
24d5e1f7175c6a59402ac289f1e47f73d60ba50d

SHA256
b353639bbb77841987a3b1bdb3ea5dbe147e4576bb3733112530188f3ed0db02

SHA512
8957a2b54172176a7820f9f41b671e11a2b1cd2e08c9cfa672cc38d5006037410ddcafa0fc72e0c51f8a2bd16c47520d3f9140eb1c211c89bd8e2c29ea3e3b2b

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
108KB

MD5
3edf8a574a8352c2e195214b28720d28

SHA1
e5744eeb1b501132362553777a59bed6c71f2097

SHA256
0d32a0f77958b65b9a9aa22a439b551b1033785dc3a504b77bb40741c1c35d0c

SHA512
5f44190a7fdee73e0ad6fce39b9ae4f5a38e25798207e4dae4bcd82e6c30554a5abcfe8fb8f55409fe444dd1089f8dec504b3983a1caef9bd2431d60e3a92c38

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
108KB

MD5
c5ed5fead1dd4c2841e14665d5d1b9a1

SHA1
0880e242868a7b1807fb3da9ab0dc63835ac79a3

SHA256
dbff246d2041826537fa99a647e8b586f2b3494bde0add8d3fe285713bf1380a

SHA512
44b41b5c97f3cf6fede3bebb96f4f3feb81261c02a9e48ed200af45f20d07c93d96e562d7bbaa696f5a86037f274ce2b71086525c6c8c8eaced019bc5a9d4e7e

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
108KB

MD5
80a797ef5460105110dade3ce7fd0484

SHA1
b142395efb6b558ae89d9a68b6236ccf6c55558a

SHA256
ab28b5fec5cb502c33906b39930d323d3889e0efbfbb1901e1bad39b965a2fc1

SHA512
a6f83e28e5f8a70ef9f64c2e0f3cadcbabc99708284ff2b5256de429b2bd453674d36cf0f8feb90f3820a23a656425636036477125bbaeec5f8ddec570829aa9

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
108KB

MD5
032066351aa35bcbbd4208bba035fef5

SHA1
5031395039d82009a115f18cb0e8e9587801c660

SHA256
48e02ceb44e9a60c70d509292474ba270b007d86751ab4c0e393832eecaab35b

SHA512
9f0fcb5d480de51f4ff721c134ab80333fbf10111db3dcce5f5b62558224cd2aa536ad60ad0a8193f87ffdf69378f7172705c215763fcdc34bc6dbb56bdf00d6

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
108KB

MD5
88459cda17ec98a8a4dbfde7c2b309ba

SHA1
54b3cffa99ca77f3ff5f2461bb601e92aed31225

SHA256
8eb86e485826d0507356d7a5533acc16d65f00acbaff95e4c6fff74105db55f7

SHA512
c9390dea4ad583eb0f4c5cdb878c41012af682571fa3b1fbe511ed7d2d44601b525e7dfa7555c9fd1a3cfc555748ca59f88e56b1e920cc81d4fc18fe9e3f632c

Download Submit
C:\Windows\SysWOW64\Lafmjp32.exe

Filesize
108KB

MD5
cc44a78f0a2da0af166fe3a40d131273

SHA1
04aa7e4e48aa0d70964809ee3f1dc3c9a4cd0be3

SHA256
b92cca46f07a80678108866d130ded143574be83201c6422f3112f34ab2918d4

SHA512
fb51db1ad832d696f874777c68b17d2c97d667789b8a38bed52ca1d16339b1ee2885d9c392089b8ec1048720d4147971b869ca370687fd0a3cdf5a1c4072ed75

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
108KB

MD5
074a0148e257df6ee35e328a305986f2

SHA1
14b69b7ab4169657d7f98b5e99dc77ac56f2f781

SHA256
98eb26c30113482f959ed9c5f4b9e330700f8d1413ddd2edd65604fb08494ef4

SHA512
352328166a5689110d4bbc8ddaf89dd2b5b22cab88229bbd24bfbda6e1f63be2e2236b4d15e310594bb7542652b098492a7b750e1e4670126260424c205b9845

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
108KB

MD5
5be3ee9f1b46e1d3494570ac47b1c516

SHA1
d11cd3d093da9eadad8e221a9e0aca6bd36359a9

SHA256
0935f75e8987ed2803178e33383d21266083c63ef429ebb066c1abc51e7e28a1

SHA512
0b0b673496b2b0bf98fcb20a9e11c8c694009e1c2284fa0182cab7621410a88d4cda99fd965018caeed0c950edb875a62781a802edcb68adf686fe7f35b3e527

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe

Filesize
108KB

MD5
2013d6d2005fbea76c5091083748f79f

SHA1
a6cd6ed61687eaccc7b11872b910cbcd1355fe21

SHA256
98217d10cbd6104622e1fe4badf93f6febf875b51d4b132a91d84c02ec736ec7

SHA512
d9a92aede1c445795fe749ddda738fc74483fdec933075aec7ec6b0e6e3e2b62833c5fccf546b15f39d0aa3c96feba3ab472806581a67cb8fce4a8787f4a4f5b

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
108KB

MD5
fead05e0c1da6ac46d47f794d428c556

SHA1
077733372b2eda497373a8fbe193cf750f7aa437

SHA256
ff18a7fcbe938602aa13cfad133197d0d103a4b8075eec4760c690e48570e2d1

SHA512
0263f4b467bac27817c8b952cdda8163ed941cc45879a4ad5cc34c3d3099b55031840bc66dd473c7c759f0410f31a31ad1d756c7a64c2bf1182081f6b8744658

Download Submit
C:\Windows\SysWOW64\Modpib32.exe

Filesize
108KB

MD5
730985fcd7ecd636d6bcad8f11a55dcb

SHA1
e8655b79885d3d79f726a995840e65f60af1ce6a

SHA256
00c2c7994383e0a1be9b934520b52c48a7fa9d048d1b847287d287c417578748

SHA512
2143184316e043c59fbea8bdcb1e3093c17523664a950662b4e3063cb2e35c4a9e5066b20da29529dd005ac80395059ab17f25f1eaa1e42dbf2baf59846e0adb

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
108KB

MD5
5355f140e565a81bf0636804c11100d6

SHA1
12ad3784ce123cd1c54b0d74841f118626e77426

SHA256
050f13470fe2e0c6214801e08c5140faa0bdc8e791d94db998a706d37bce2ecc

SHA512
a00263f33a9d6340bb0159fbe1fe5a95c01d44028b892e2c23ca495d4dfd42a5c074a3a2b14ef2a4befdf027fb12c4457414379e9129d5008d1c41a6e8ce183e

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
108KB

MD5
f45062dd18a04543af9d1eea54e1c6dc

SHA1
103746a48cbe0c376392d312adbdbb0eae3f656c

SHA256
64f6cdd88d69eec7a49ce3c2edd0620f282f3b616a2ca11fc0ee2ebadf9fea48

SHA512
d9ca7f4b0ad6b468920c84f31a50cb0d6a39fafa8c0db1042544045f452b0ccbf9381d4e0c75581e9ae386a420a3f042b8a7d6c3a3be73e78c42aaa14abd9551

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
108KB

MD5
01f3b1e6303381b9196003ebe398ca75

SHA1
6d93191a1eeb5aa2390fc6b8c326ca0b306a2a0d

SHA256
55ba4bcd4eff58fb7c55f2c1064dcc2a7c683b3523c982ff71a09eb312f1de88

SHA512
51523e4232864fdcf17e70ae6713bba40528468c127757ba033738b2a04752c385521df7ed75d947fe525dab78d56d18de096883ea9969955e02b6d703ea0f9e

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
108KB

MD5
9122bdb70dc982f689a39c3e866a5095

SHA1
cb8b4355d51ca848265b6797d2828b8a04326620

SHA256
1d382f9a253cc137ecbd909839c02f84ded320b701579f1321443db52dffe932

SHA512
927d8c9645440298ed9bea02f822356e495ec749fa924473417fff9c74efffc6cddb4466a5b6c64766b53d169d846666e0d489045b505f3e00c2d9db49d4f38d

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
108KB

MD5
2981e0dc026b63a1cb7b1985ad2accca

SHA1
c92cd327c5ae86b336331de2be4abef3c8dd6518

SHA256
c77987406258ec1759db154083cd6c7906796cb2e291e1c45ae40fded9d78d70

SHA512
2e8d0af84f6024e06731af369ab8a48b7c112579ab694d3f249121e48fb4c21a07313a3df681c47105904a00a285f15147b3a7b21930ed3b7c410fccb4e9d258

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
108KB

MD5
f3279627c6a0b801ad5b6ea31214f755

SHA1
2a4760c69f0d4419a90a2202103cca9e1b91ec05

SHA256
c59c48c306eb97a63d387ff029456272ee86c8e1dc2e16267443bec06b794c51

SHA512
4df6923640652703ccd3e66d6db7df91aee2d226c16bc3335b6fc28db4f82421d8a26dda334dce0a37020d5bd3e6a3ad443057a364ec623e3ac3613b52cf691f

Download Submit
memory/208-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/208-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/228-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/228-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/780-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/780-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/852-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/852-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1036-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1036-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1160-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1160-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1584-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1584-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1896-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1896-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3112-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3112-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3308-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3308-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3544-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3544-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3696-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3696-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3836-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3836-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4148-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4148-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4708-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4708-331-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5024-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5024-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads