0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
Size

99KB
MD5

64595e8d762d8ce266dcb2a7bc2e5d40
SHA1

c33e8ae643b8b5b2aa4d0e9cfb246f8dc9d1a50f
SHA256

0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f
SHA512

47ffc77cefd090ccbf36003a8704b2856ff54ec3cbdead18b06792e88814653dd8a19919e424fab6f1251ab4f1eda7279f63af3cb5ecf87d4bfc21802d01c4c6
SSDEEP

1536:2goh6SX5+Qm8MDjjDfrnFhR+C4eDv13lYjaSxxgVYRRQygRvwtycORTRQ6mRQQRg:2VoKANnjSTeygpwoTRBmDRGGurhUI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdilgpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjdilgpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljibgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbkmlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfbcbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljibgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kofopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcefjgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kocbkk32.exe

Executes dropped EXE 36 IoCs

pid	Process
1460	Kocbkk32.exe
1652	Kilfcpqm.exe
2688	Kofopj32.exe
2744	Kfbcbd32.exe
2504	Kkolkk32.exe
2600	Kjdilgpc.exe
1180	Llcefjgf.exe
2800	Ljibgg32.exe
2868	Ljkomfjl.exe
1472	Lccdel32.exe
1780	Mbkmlh32.exe
936	Mhhfdo32.exe
1628	Mdacop32.exe
2252	Ngdifkpi.exe
2388	Ngfflj32.exe
1504	Nekbmgcn.exe
392	Niikceid.exe
2112	Nilhhdga.exe
1648	Ocfigjlp.exe
1624	Ohendqhd.exe
1964	Oqacic32.exe
2988	Pjldghjm.exe
1344	Pdaheq32.exe
2184	Picnndmb.exe
1512	Pjbjhgde.exe
2564	Poocpnbm.exe
1724	Qkhpkoen.exe
2584	Qeaedd32.exe
2628	Abeemhkh.exe
2724	Amnfnfgg.exe
2380	Amqccfed.exe
2480	Aigchgkh.exe
264	Bnielm32.exe
2784	Boplllob.exe
1032	Chkmkacq.exe
2820	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2444	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
2444	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
1460	Kocbkk32.exe
1460	Kocbkk32.exe
1652	Kilfcpqm.exe
1652	Kilfcpqm.exe
2688	Kofopj32.exe
2688	Kofopj32.exe
2744	Kfbcbd32.exe
2744	Kfbcbd32.exe
2504	Kkolkk32.exe
2504	Kkolkk32.exe
2600	Kjdilgpc.exe
2600	Kjdilgpc.exe
1180	Llcefjgf.exe
1180	Llcefjgf.exe
2800	Ljibgg32.exe
2800	Ljibgg32.exe
2868	Ljkomfjl.exe
2868	Ljkomfjl.exe
1472	Lccdel32.exe
1472	Lccdel32.exe
1780	Mbkmlh32.exe
1780	Mbkmlh32.exe
936	Mhhfdo32.exe
936	Mhhfdo32.exe
1628	Mdacop32.exe
1628	Mdacop32.exe
2252	Ngdifkpi.exe
2252	Ngdifkpi.exe
2388	Ngfflj32.exe
2388	Ngfflj32.exe
1504	Nekbmgcn.exe
1504	Nekbmgcn.exe
392	Niikceid.exe
392	Niikceid.exe
2112	Nilhhdga.exe
2112	Nilhhdga.exe
1648	Ocfigjlp.exe
1648	Ocfigjlp.exe
1624	Ohendqhd.exe
1624	Ohendqhd.exe
1964	Oqacic32.exe
1964	Oqacic32.exe
2988	Pjldghjm.exe
2988	Pjldghjm.exe
1344	Pdaheq32.exe
1344	Pdaheq32.exe
2184	Picnndmb.exe
2184	Picnndmb.exe
1512	Pjbjhgde.exe
1512	Pjbjhgde.exe
1696	Pndpajgd.exe
1696	Pndpajgd.exe
1724	Qkhpkoen.exe
1724	Qkhpkoen.exe
2584	Qeaedd32.exe
2584	Qeaedd32.exe
2628	Abeemhkh.exe
2628	Abeemhkh.exe
2724	Amnfnfgg.exe
2724	Amnfnfgg.exe
2380	Amqccfed.exe
2380	Amqccfed.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Llcefjgf.exe	Kjdilgpc.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Mbkmlh32.exe	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Ohendqhd.exe	Ocfigjlp.exe
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Kofopj32.exe	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Ogbknfbl.dll	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Llcefjgf.exe	Kjdilgpc.exe
File created	C:\Windows\SysWOW64\Mhhfdo32.exe	Mbkmlh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdaheq32.exe	Pjldghjm.exe
File created	C:\Windows\SysWOW64\Kilfcpqm.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Ljibgg32.exe	Llcefjgf.exe
File created	C:\Windows\SysWOW64\Oqacic32.exe	Ohendqhd.exe
File created	C:\Windows\SysWOW64\Lnhbfpnj.dll	Oqacic32.exe
File created	C:\Windows\SysWOW64\Eeieql32.dll	Kfbcbd32.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Ciopcmhp.dll	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ogikcfnb.dll	Ljibgg32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pdaheq32.exe
File opened for modification	C:\Windows\SysWOW64\Kjdilgpc.exe	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Mbkmlh32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Pjldghjm.exe	Oqacic32.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Kkolkk32.exe	Kfbcbd32.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Ghkekdhl.dll	Ohendqhd.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Pjldghjm.exe	Oqacic32.exe
File opened for modification	C:\Windows\SysWOW64\Kocbkk32.exe	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kjdilgpc.exe	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Ibebkc32.dll	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Nekbmgcn.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Kocbkk32.exe	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Mhhfdo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Mhhfdo32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Kilfcpqm.exe	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mhhfdo32.exe	Mbkmlh32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Chkmkacq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	2820	WerFault.exe	64

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljibgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfbcbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoleq32.dll"	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbknfbl.dll"	Kofopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkhpkoen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1460	2444	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 1460	2444	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 1460	2444	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 1460	2444	0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe	28
PID 1460 wrote to memory of 1652	1460	Kocbkk32.exe	29
PID 1460 wrote to memory of 1652	1460	Kocbkk32.exe	29
PID 1460 wrote to memory of 1652	1460	Kocbkk32.exe	29
PID 1460 wrote to memory of 1652	1460	Kocbkk32.exe	29
PID 1652 wrote to memory of 2688	1652	Kilfcpqm.exe	30
PID 1652 wrote to memory of 2688	1652	Kilfcpqm.exe	30
PID 1652 wrote to memory of 2688	1652	Kilfcpqm.exe	30
PID 1652 wrote to memory of 2688	1652	Kilfcpqm.exe	30
PID 2688 wrote to memory of 2744	2688	Kofopj32.exe	31
PID 2688 wrote to memory of 2744	2688	Kofopj32.exe	31
PID 2688 wrote to memory of 2744	2688	Kofopj32.exe	31
PID 2688 wrote to memory of 2744	2688	Kofopj32.exe	31
PID 2744 wrote to memory of 2504	2744	Kfbcbd32.exe	32
PID 2744 wrote to memory of 2504	2744	Kfbcbd32.exe	32
PID 2744 wrote to memory of 2504	2744	Kfbcbd32.exe	32
PID 2744 wrote to memory of 2504	2744	Kfbcbd32.exe	32
PID 2504 wrote to memory of 2600	2504	Kkolkk32.exe	33
PID 2504 wrote to memory of 2600	2504	Kkolkk32.exe	33
PID 2504 wrote to memory of 2600	2504	Kkolkk32.exe	33
PID 2504 wrote to memory of 2600	2504	Kkolkk32.exe	33
PID 2600 wrote to memory of 1180	2600	Kjdilgpc.exe	34
PID 2600 wrote to memory of 1180	2600	Kjdilgpc.exe	34
PID 2600 wrote to memory of 1180	2600	Kjdilgpc.exe	34
PID 2600 wrote to memory of 1180	2600	Kjdilgpc.exe	34
PID 1180 wrote to memory of 2800	1180	Llcefjgf.exe	35
PID 1180 wrote to memory of 2800	1180	Llcefjgf.exe	35
PID 1180 wrote to memory of 2800	1180	Llcefjgf.exe	35
PID 1180 wrote to memory of 2800	1180	Llcefjgf.exe	35
PID 2800 wrote to memory of 2868	2800	Ljibgg32.exe	36
PID 2800 wrote to memory of 2868	2800	Ljibgg32.exe	36
PID 2800 wrote to memory of 2868	2800	Ljibgg32.exe	36
PID 2800 wrote to memory of 2868	2800	Ljibgg32.exe	36
PID 2868 wrote to memory of 1472	2868	Ljkomfjl.exe	37
PID 2868 wrote to memory of 1472	2868	Ljkomfjl.exe	37
PID 2868 wrote to memory of 1472	2868	Ljkomfjl.exe	37
PID 2868 wrote to memory of 1472	2868	Ljkomfjl.exe	37
PID 1472 wrote to memory of 1780	1472	Lccdel32.exe	38
PID 1472 wrote to memory of 1780	1472	Lccdel32.exe	38
PID 1472 wrote to memory of 1780	1472	Lccdel32.exe	38
PID 1472 wrote to memory of 1780	1472	Lccdel32.exe	38
PID 1780 wrote to memory of 936	1780	Mbkmlh32.exe	39
PID 1780 wrote to memory of 936	1780	Mbkmlh32.exe	39
PID 1780 wrote to memory of 936	1780	Mbkmlh32.exe	39
PID 1780 wrote to memory of 936	1780	Mbkmlh32.exe	39
PID 936 wrote to memory of 1628	936	Mhhfdo32.exe	40
PID 936 wrote to memory of 1628	936	Mhhfdo32.exe	40
PID 936 wrote to memory of 1628	936	Mhhfdo32.exe	40
PID 936 wrote to memory of 1628	936	Mhhfdo32.exe	40
PID 1628 wrote to memory of 2252	1628	Mdacop32.exe	41
PID 1628 wrote to memory of 2252	1628	Mdacop32.exe	41
PID 1628 wrote to memory of 2252	1628	Mdacop32.exe	41
PID 1628 wrote to memory of 2252	1628	Mdacop32.exe	41
PID 2252 wrote to memory of 2388	2252	Ngdifkpi.exe	42
PID 2252 wrote to memory of 2388	2252	Ngdifkpi.exe	42
PID 2252 wrote to memory of 2388	2252	Ngdifkpi.exe	42
PID 2252 wrote to memory of 2388	2252	Ngdifkpi.exe	42
PID 2388 wrote to memory of 1504	2388	Ngfflj32.exe	43
PID 2388 wrote to memory of 1504	2388	Ngfflj32.exe	43
PID 2388 wrote to memory of 1504	2388	Ngfflj32.exe	43
PID 2388 wrote to memory of 1504	2388	Ngfflj32.exe	43

C:\Users\Admin\AppData\Local\Temp\0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e9d48a0fea6359a9fde6e606aeedfe877f430fe4772e5a690ba60a362b78c2f_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\Kocbkk32.exe
  C:\Windows\system32\Kocbkk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\Kilfcpqm.exe
    C:\Windows\system32\Kilfcpqm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\Kofopj32.exe
      C:\Windows\system32\Kofopj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Kfbcbd32.exe
        
        C:\Windows\system32\Kfbcbd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Kkolkk32.exe
        
        C:\Windows\system32\Kkolkk32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Kjdilgpc.exe
        
        C:\Windows\system32\Kjdilgpc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Llcefjgf.exe
        
        C:\Windows\system32\Llcefjgf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ljibgg32.exe
        
        C:\Windows\system32\Ljibgg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Mbkmlh32.exe
        
        C:\Windows\system32\Mbkmlh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Nilhhdga.exe
        
        C:\Windows\system32\Nilhhdga.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ohendqhd.exe
        
        C:\Windows\system32\Ohendqhd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Oqacic32.exe
        
        C:\Windows\system32\Oqacic32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        38⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 140
        39⤵
        Program crash
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
99KB

MD5
0021b75185f4a8b561080ca766a85476

SHA1
c1db8e6957ae6f46b9e19dc7f15d5b63290c8a3d

SHA256
0c44680d8464a4824b4a43cb18988c3a05d62ad9420798672457bd117bbe4548

SHA512
41049727fb5e01dde31c0bd3456125ada8af49f02172019ec7a615751f8a9535683b8ada9e2f614c536d1eb715d75c44777a6abe410d36aa9b9f8465e83d7040

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
99KB

MD5
97d4bcf308d0d02a5ef53969f8db5d73

SHA1
ba5e6e88a3d9b9e3882bd2d1b37a87d6d9f37a2f

SHA256
569d0293682a8f012763de6d05bd01e78b46689aca9ea8af1de531c79613cbde

SHA512
4c801507b3f2d66895922f0b54eb0e6720827ed9d6b17d997e0e027d843ba60d2d1134cd46a80b838fe94651f7e3c3e2aa0a52f7c3eb340324a0907c722c3d2f

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
99KB

MD5
8abe60fa03d1262e2db8692f92b7580a

SHA1
0692e7a37b7bc22acc7297ae60313ef3f2658803

SHA256
1c6b3a742f77f348240409a78da02759d178c8b9d3a1328aff9a17654ce223b4

SHA512
51c1e147be4f23e9725f37f8f76f9c09ca65a233027916a0f1d3a5fa54b7ddb563b8bb091e4eef435eb96fb25ddd6e7f2ceffef6995b90fc8ce97d84bf6c57d8

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
99KB

MD5
d79ae71914c7eda4b41c2364044524ef

SHA1
cdc4d67ecf813c1640da39b92036016e15078f46

SHA256
c052e2f76f80e3f163fff5baf4a7bf352e9425b8a3d9e45c0e61717141cc3a8c

SHA512
f70cb27ad8beb1b2ff4a1674e0f3e769bdf625106a7bec2a0cfe25403e61d03fd30a2eb8634f7d98fb9929cf9bedb885939760e64c587fccc26335282e40c71a

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
99KB

MD5
014f9538e42d9a7fdf4992ef6db9cf46

SHA1
13c3fd8b7ab333c416a253c988d8ba0fd7a8bbd5

SHA256
491d13a8d629b03f812b3d468a6b6f5ab4b77dd6abbce183b9caf21314217ce8

SHA512
fee3d6dd2cf23e905f598406d4a4b5d2d957cbc538d05a85c7238f711effe16f56d3f4047c3d94efebf4f633ae581bfcb3cce0d8b9c078441c12628f4073bac4

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
99KB

MD5
f3eda579b8593ff16118bfb2d615467d

SHA1
76ceef2201af1990017fb55035939a6329db92b9

SHA256
6a2e293fdb2dd98c957f66f4110e48219483e3f450fb6993fb855b62a923da90

SHA512
c5d02653cdc4e62e0595b5f50e18f7f8257c5052204a2d0d818ac23abf36c919e2a18441dfb9d6f0273acf8222d827e91c963caefcffbafa2086a83f38524473

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
99KB

MD5
f11f21765e8391413ea497d9b9401222

SHA1
2a4dcfba08897bc4d305828a5c5f0dff77e061c9

SHA256
85cbaf03718695575b2c056433b77d55f39d3e0d5df7b2bfca8ccc86f1e0db84

SHA512
88ff8a001130229dac8a68115cd1dbc1eef2e9bd2f549ec0a5a8d006fd818f27b6d82ad72c1525774a58466bee4c986e56c80fa2714d4ffba709cac58c1348db

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
99KB

MD5
861fb4115562f1c812e1db4ba74363e6

SHA1
e0f0429717637816e75c3ff65978c819e9d3f64e

SHA256
51e4b38337f5445f6c55b43acecf2792c1cd3f00b38a7b750d78d2614409ca60

SHA512
6e6d0547567a1d4f1132700f257c51fa3158a5d7e78e2c9d33acaa9c3287c08280da7223800bc677b4f4872d6930ff5bf69b904062fb55a5632ee2a4b5f29ec8

Download Submit
C:\Windows\SysWOW64\Eeieql32.dll

Filesize
7KB

MD5
bb8d480a3ae5fd8d4bf17b0e2fe23007

SHA1
8ab90081368bf88fcf22202a744c118636dfd8eb

SHA256
850260d3510e0e349a5a95f642b1626fed079400b09647d48b5ee6428b2a4e8d

SHA512
ece12bfbf0010750b6f738e75af52832df645bc0f8add9c2f94ee0aab5998d938669fb87adb21fba9d2c6df9b77cbaacee90d12bd969984f851140a5c69ba891

Download Submit
C:\Windows\SysWOW64\Kilfcpqm.exe

Filesize
99KB

MD5
b64d6b36b89760e405928948a824369b

SHA1
97b9c68fdee507c2a62e45c52005dc50e03d5151

SHA256
d91bacee9093fd86bfa5aea76bcc28c58d5e230abde74fecd38a110afb5f956c

SHA512
01ba23cd1a3fe20c413a8bb975277c0c0f993dce212fcc5373e3a7cd5af0c2a79d4752cf30bd675361ce751e8e3fb03cf05ee4cc4973e1574ad5e350508281a2

Download Submit
C:\Windows\SysWOW64\Kkolkk32.exe

Filesize
99KB

MD5
0cbf295aba4a493de3599e8aab2df0e6

SHA1
21b94e542d364eeb3a7e4bfc561f3f57e4abcfdf

SHA256
9cf307afc5bc2ae3a34185d52394f75b3c292d03df8bb1af58cf61f90c032ae3

SHA512
dd6463a8986a2a88ea992274a51f0510b0f6e8a351e8fad6fffdde2f4ed69401c85e9d862a395a5bc16a884ec0dd056b73f260447d774800d8961439e8ed403a

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
99KB

MD5
5718bdee2bf92b4edbaa601ca9144c51

SHA1
c91c3ac1b9748941498bdde27bda0df7b0af31dd

SHA256
e43951584695ac286949070a3c2730e101ab7feacea7371135bca6f71b6f53b7

SHA512
b9c7a8c708f24c0b4ea015dd0ad1ed532d1b71e3d8129d8011648d9a34acbdd371ca066031a2d2b4adac0918056f38eeae0904914d35966919f399673471c145

Download Submit
C:\Windows\SysWOW64\Llcefjgf.exe

Filesize
99KB

MD5
376d484d8ec6f8b11e969136c964fea6

SHA1
ddc5e859ce0fe19a98a306e01ce0562b86bd2a7a

SHA256
557aacc9dc22c579de8a9b3598833a241ee7d666c9396d893f801e1ef1455e9c

SHA512
534c2125b81802926616e5118480aacf246a878c46353da7d92763b44e6ea9d687ba35e983cb88492ef9e8f70fd43927994ccac17ca68829b60fb9ae948ab232

Download Submit
C:\Windows\SysWOW64\Mbkmlh32.exe

Filesize
99KB

MD5
d7aad171dc9b5a7d2f01495c5cf9af28

SHA1
0fbe595a1cce2d8fceb9abfb82f73dc94b0028b9

SHA256
7e9c03f89509d635e8e40115674572723dd4b7f951ae46e0e3a34defe6b5ef57

SHA512
0f768ffd16948b0e756c3cce86f86abe8da7ffb3d43a46c86df5f426cead38f2b1e943600a5e289060b4d60b9b64c99dc1ab168d0148dad84bed46861e54fef7

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
99KB

MD5
03ba8dbd75b785b66b66b96aa8dea560

SHA1
310cd68974efd1a1de34188811127ac22b6cdafb

SHA256
712c5b0443c2039fe08859cf9b9b06212401aad0de1774f399f808186096f03c

SHA512
9fa1be78fc1aa7247e5b0413b5dce0894d6feea593a686bb7cf979b6742dd788bafa2bc17659951c190d45850bd2707fb644779a2b1be12d0def9dbac41b64b2

Download Submit
C:\Windows\SysWOW64\Nilhhdga.exe

Filesize
99KB

MD5
6864b6d114c215e45401cb13a74cf1d1

SHA1
2e5a8f971b3ad4b56e25c1b2725d26c14c7b5912

SHA256
106fafc4047e317eab7c6a11c94f1be84232c22b6bd585c2df44a27c25d5b8c5

SHA512
b93068cf2c66eb5ae89ae2769c427176cbb16077b2308b22e1d5f161fdb7ad0b00340c6416b302278deb97761618f3826996e565ff638758ff12cec399a27d53

Download Submit
C:\Windows\SysWOW64\Ocfigjlp.exe

Filesize
99KB

MD5
fd2853849982ce7d6cc9c523b706bec9

SHA1
61252afeb34d4648beb266ce68b4f6c7f718af3e

SHA256
4aafd703f1c59f27b95dc5e3e2356354c428fd64417af2772644b8bb3f7b3620

SHA512
908aefeea54ffabc9ecc6cdbe619a21a08f3d48ba47801474c63f3b9ec8c5498329da4d992276b3b92af21fa906fdcbe2f69fb51ecacf755bb0b6f6e3bf0d304

Download Submit
C:\Windows\SysWOW64\Ohendqhd.exe

Filesize
99KB

MD5
6d2bf3fa77f8c6d63deef4e867aba8ff

SHA1
98b8f9e8c076d3aeffced9601f9e428ce511fc30

SHA256
9c62d6fde45576aa9e585d300e28d84df569dbf9dc15f750d96770e9514b2750

SHA512
b05a1777d47f7606ce2cb1d050e4a89c41aad8411ccaf9355978011f0f880d56eb669ec48b6da9fcf6190da999616a425e52bbb4cc396be0596816b77ff11c9c

Download Submit
C:\Windows\SysWOW64\Oqacic32.exe

Filesize
99KB

MD5
1026155790ea30a1066961573c8a6e33

SHA1
6ba01f8442497514147c48cedf1d93ac4e3cf729

SHA256
c3ec271f548e0dd31acf0ecd8ac546916234a7ae31c4607a58877c9cf51299bd

SHA512
66189e458b428cee38769f06edd49ca65aeb627b03910991352b6e08dd9be913402226acf31bc8b4be850c2cb6c4ac84ebd3eb40afedcdc6cc39bb0b85c04af2

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
99KB

MD5
8725044c8cc40242e4a307eda15ffdfe

SHA1
eb75786a644e1eb8fbe1ed5a6f76ffdc168a6966

SHA256
ef1563969c898b695ab69de86e5f079828c30c2ad5e75658a3c1fa7401525e46

SHA512
ab7726bcc3652e9e2303b2b8044b27040bfc1b04b6f2c6e65acf9ad66209e124988b276a0129846e9c763a36e7c7dd574e0824e9e5f5bf1f866f797ad0da1863

Download Submit
C:\Windows\SysWOW64\Picnndmb.exe

Filesize
99KB

MD5
1c165e7cd2f5f8d08515146cc74eed2b

SHA1
e143cbc6403f8d6b8f928901cdd61205fef7dda8

SHA256
5aec15eb69bede1e6aa627a1176ccb28f6c2c7430e591307daff1ca532464f8a

SHA512
a466b6259382b25f6249455981529f78b8e8545c3ff22415eb84e512588ef316db092ceca6e76024ae58cf9eaab32763dca00ba95a7a25a0b95ace122a535786

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
99KB

MD5
7dc771b7741c205767046da8249f084b

SHA1
4dda9b5172ff6a401a851661731f04fefc831e1b

SHA256
1f91b596e5fc83e7273c4640345332b4aca03ea01c92c95bbd44b4876b989ae6

SHA512
3338c8899499091267c86e35a898279b04994436187bbe5fe303866bb606a8056b83174d5f2b9f85c7c3895f990ea9a42050a95c024a099b706926737c3bd05f

Download Submit
C:\Windows\SysWOW64\Pjldghjm.exe

Filesize
99KB

MD5
4a9b0d41fcc4123f90fae18962af6434

SHA1
49314532d5b75f5f9e53cb3a6194ac5e1a46670e

SHA256
cc665096a2c5b4e00b5ac39f4ef117017712fa9524125b0588481a6d3d7a20e0

SHA512
70791495fd94ea842eb3e53d8905010d6ce3fe0525754f1740feaa18487071263415ab36103f0ff188df393405babf5e7aa895a2078dcc2a1f17a51b42d2ee63

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
99KB

MD5
9faa690ce36ac4cdb843ee36d5ac3723

SHA1
3d36c85e99ae926829deef651abc2adf844c1fb1

SHA256
9e725ad9dd74e9eec342069ffb874ef4246f5ad9051a6796e7dd0543a233baa7

SHA512
027aea27b80a18fd2c73d48ea5cc49eebdda94352f4f1a2245ca22815a07f94c6b144a1306a767e44e1fba8af0ce986061bdf20a8498987c81de5447e8a42843

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
99KB

MD5
707cecea2716b7f35ee98ecfcedef467

SHA1
b35397abd631cd61873987dafa348f2e74a742dc

SHA256
971cbea680a283b78a27213d42560cff6e7e9ae461b30dc106bf244faae53188

SHA512
1d03c52ac02a9a8db2e2496e51dae2cc6a6a23d7662b7700c80ec7d88f4e76b6121cda7655aca270433b7dd76da61b9f144219dcdbe4cc222f31458d8a6ae7b5

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
99KB

MD5
56f36759f6483391f060f76c91202d50

SHA1
01e3d6922377f771603ac5e94b4db0e241f05d4d

SHA256
86ec31680293ba5e60e9c958d967f64b1701a64d0fcf0f4c24506c4242075652

SHA512
631c2a44880086e8e346517e596f675aa1139275024bcb24437c287c1b60775652cbc8dc2c817e48564fdc1ad65e842919c3804893071ed7caef196963475358

Download Submit
\Windows\SysWOW64\Kfbcbd32.exe

Filesize
99KB

MD5
1a4dd1fec07e604ad5d267baba0d3d73

SHA1
19cda832c3df4e26cd83c3ab31042b951d608c77

SHA256
3912eb8db7768fc6b9297e407d60552feacc060f96f0d3db4b93bac608832521

SHA512
cfb2276f3c73ff056e462fd4ef31a16f2feb2742f5190e3af2315739cea08886b9c4dbe51240b6aee9a7161d458fd2c27aaf0baff1c25445cf491908b04f9a89

Download Submit
\Windows\SysWOW64\Kjdilgpc.exe

Filesize
99KB

MD5
6b700756699f0435ed86c8fffdfaf5dc

SHA1
be4893fb7c4fdece5fbf3e281e2710e2e584f209

SHA256
4be194f2f0091ee598538f103ee5d4671fad079ab3dc4ea3da8cef1cc2353607

SHA512
8a4d3563491065ca7850c122a33e7d3a7132a2c3df70d57c72acf75b73b59a54b05e7aa0e2d4ba4a1de93384a282a3c962a1ef71b11ea8166bdc903f64241661

Download Submit
\Windows\SysWOW64\Kocbkk32.exe

Filesize
99KB

MD5
7a826c538fa849f1d64d6b6d65b12805

SHA1
aa6fe4afce2f7241e2e7546067e81302117595e4

SHA256
8ee5d2262816f55ed68a4070cdc1c21a9140ba056738a0c15f59c89dd5207d78

SHA512
327dbc3a5f1b3052a4e54893198071465ad300e632e27c0c691b7af76e0de5e7164d06e6904eabb9780f0024dfe88877892298e213ed71066d100e1a43bc6003

Download Submit
\Windows\SysWOW64\Lccdel32.exe

Filesize
99KB

MD5
6edac7c77dbaae31b7e38b7b60f68367

SHA1
b8f28dc97f243f05c32320980be430e5bcdfe132

SHA256
ebcd322b2320eefa4d17e613ad8f95fada7d142d0ebbe54933a74e5e8d33dcf6

SHA512
09e20a7bb46436871825c88632d46c2a4b600b93d8d06f8937f37fb8fab0ff7f713fd41c622273c0ea271c545a8ee227e0d5253aaac8d016649d3fcc4036fe08

Download Submit
\Windows\SysWOW64\Ljibgg32.exe

Filesize
99KB

MD5
87755c72d3ebe82175b2fd265206c2e7

SHA1
94e83501e1e1fdcdcc6c14478812c6cbf916e75f

SHA256
a097c1cfb3c14bdbff3df809abaaf63d7d595204781ced1c8aa4aeeb7d924f0e

SHA512
325d8b3c12ef187a07be4aa3181dd310962d3035db07b1c6b1a219f860e35be685ca42159093aae947440e90f7930a5fec761bffb093ca5c097c5ffbd6e1a202

Download Submit
\Windows\SysWOW64\Ljkomfjl.exe

Filesize
99KB

MD5
0b497d6db0bf0e8b7c49b868fc67de56

SHA1
0436833c1f4c40513437ec4706d4b85b2099b66c

SHA256
2d0d185fe3ddacd2cb8efbd1df4ef456c8c434419e41c7db8c0cc9fc90f6097f

SHA512
a4c012bbecf1f1fd3ddaa7329a32084002c0f92c79aa2f1cb4e45206468ed301bd1b2ec38ad70fb1996d7851705f68727bd6f835b9ca6eb51b091d5b4db9eee3

Download Submit
\Windows\SysWOW64\Mdacop32.exe

Filesize
99KB

MD5
f677f47b7b3caeb5547663b38199b4dd

SHA1
2ce4fab381250c936d0777a76c582d6da396cf80

SHA256
f4e20411786d99361d184417b5b46b7c5ad1c03cb1815929458af5738538dd04

SHA512
b1f3a0609ce90a05daad05ba2a12f6756b701b4da593a127087351aa89e2465a990290ea9a66b29dae6af6954dfde5a4b4c8684341af43e6a40071003c855c39

Download Submit
\Windows\SysWOW64\Mhhfdo32.exe

Filesize
99KB

MD5
1bea8f45d896e591b9c8c6c54241d636

SHA1
22ffedd379eb663627a98d830119fd011892518e

SHA256
e8bf75b04e0456c59dd98a57345d1c9d070f4b7b5ffa13499d8dde612ab8f477

SHA512
e43aa59e12adee61f617980cac6dcf4bba75872885bfebe5a668bc2f77b3a2d73fd17218aea4726d99e0a249df7a6ec3ba2330949b248407c84085cf13a5d878

Download Submit
\Windows\SysWOW64\Nekbmgcn.exe

Filesize
99KB

MD5
fb8d0c2f300bc4838c9dc4190bff06b9

SHA1
2ef09f6037c2fd20dab1c74b53e14d56ec804c53

SHA256
e685df969d0cd485138d8d7fc5d16fb5d0190fefec2a09099e161f63c19c7063

SHA512
06c99fe3ebc2169fd79a6b1a42529a7d2b68e9e62867cf2c9c8762fdae8c5960150af269ee2f913b074259a1feedf784bd19c33f94e56a1945fd8964b43f4611

Download Submit
\Windows\SysWOW64\Ngdifkpi.exe

Filesize
99KB

MD5
3897ac9a23e89952ef5ee63c4850b3d1

SHA1
a098cf77fb067ad27eee57970594c2cb5655bad0

SHA256
319b8551bd41cba727ca20286914b9956f04cd7be99ec1fe31841586d9b2fa68

SHA512
ba904a2bcea5b49ceff1684353d743d62d64f33bbb0f0aa86d3f91d4c28e93c9c20e2a8f8a8fdfb7f5001756273bb90f12b8bd7c028c0ecf2ed4dd2a69eef86b

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
99KB

MD5
15cc8f068f57591611544b40a538eb28

SHA1
0a3e672cbccc92e59cee702d94740021588e10c6

SHA256
becfe3e38f41da6fa2428e7937e874e7e346ae2d45e0d44cc4d0a61dbcde925d

SHA512
3c28c9b85f037e7724007d54c84de1b412682025628973ad24f59b5f4fa52651c61a7c41f5295053b642427487b9274f1a3e2b8cd973c59d7950a249e1e3bfa3

Download Submit
memory/264-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/264-420-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/264-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-249-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/936-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/936-186-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/936-253-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1032-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1180-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1180-103-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/1180-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-161-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1472-157-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1472-230-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1472-155-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-242-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1504-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-337-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/1512-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-285-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1624-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-187-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-197-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1648-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-356-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1780-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-402-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2380-433-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-443-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2388-278-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2388-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-231-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2388-224-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2388-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-12-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2444-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-11-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2444-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-81-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2480-446-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2480-445-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2480-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-74-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2564-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-367-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2584-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-83-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-125-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2688-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-388-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/2724-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-58-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-122-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2800-198-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2800-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-123-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2820-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-135-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2988-306-0x0000000000360000-0x00000000003A3000-memory.dmp

Filesize
268KB

Download
memory/2988-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads