2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 04:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
Size

376KB
MD5

004e5481e0cc184979d1450734c49de0
SHA1

21ab6b2427fbffcf190f56ca02f8c60739231eb7
SHA256

2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a
SHA512

f4c0f51b64aa8c22ddbc517ecded5c0e00ac6a943db1ae4e833627b9162735fcb4de7fce83ef4c4031d178ab6491829d6f7e43d9cb34835038c943a23b114998
SSDEEP

3072:jeLucldRs7hLlcVAURfE+HXAB0kCySYo0CkkhHs4WfO7:jeFlXs1JcRs+HXc0uo0CkkW1fs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnlecmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgloefco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knnhjcog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgicgca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgloefco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jljbeali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfpinmi.exe

Executes dropped EXE 39 IoCs

pid	Process
3980	Imgicgca.exe
3588	Ipjoja32.exe
3200	Ieidhh32.exe
2184	Jenmcggo.exe
4508	Jljbeali.exe
3156	Jedccfqg.exe
4992	Knnhjcog.exe
1944	Kjgeedch.exe
4704	Kcbfcigf.exe
2204	Ljnlecmp.exe
1136	Lnldla32.exe
656	Lfgipd32.exe
2528	Lnangaoa.exe
4472	Mmfkhmdi.exe
3780	Mgloefco.exe
1564	Mcelpggq.exe
1372	Mfeeabda.exe
500	Nopfpgip.exe
2344	Nnfpinmi.exe
4856	Ngqagcag.exe
4456	Ogcnmc32.exe
4064	Ojfcdnjc.exe
4400	Ocaebc32.exe
3288	Phonha32.exe
376	Pplobcpp.exe
4356	Pnplfj32.exe
2416	Qdoacabq.exe
4088	Afpjel32.exe
1668	Aoioli32.exe
2136	Amqhbe32.exe
5016	Akdilipp.exe
3084	Bacjdbch.exe
1100	Bddcenpi.exe
3852	Chfegk32.exe
5108	Cpbjkn32.exe
436	Cdpcal32.exe
1556	Cpfcfmlp.exe
3280	Dkndie32.exe
3656	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ljnlecmp.exe	Kcbfcigf.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Jedccfqg.exe	Jljbeali.exe
File created	C:\Windows\SysWOW64\Gadiippo.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Hicakqhn.dll	Jedccfqg.exe
File created	C:\Windows\SysWOW64\Kjgeedch.exe	Knnhjcog.exe
File created	C:\Windows\SysWOW64\Oppceehj.dll	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Phonha32.exe
File created	C:\Windows\SysWOW64\Ieidhh32.exe	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Jljbeali.exe	Jenmcggo.exe
File created	C:\Windows\SysWOW64\Ljnlecmp.exe	Kcbfcigf.exe
File opened for modification	C:\Windows\SysWOW64\Lnangaoa.exe	Lfgipd32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Lnldla32.exe	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Mmfkhmdi.exe	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Ghkogl32.dll	Mcelpggq.exe
File opened for modification	C:\Windows\SysWOW64\Nnfpinmi.exe	Nopfpgip.exe
File opened for modification	C:\Windows\SysWOW64\Mfeeabda.exe	Mcelpggq.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ieidhh32.exe	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Gifjfmcq.dll	Jenmcggo.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Phonha32.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Lfgipd32.exe	Lnldla32.exe
File created	C:\Windows\SysWOW64\Peaggfjj.dll	Mmfkhmdi.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Cpfcfmlp.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nnfpinmi.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nnfpinmi.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Afakoidm.dll	Ipjoja32.exe
File opened for modification	C:\Windows\SysWOW64\Mgloefco.exe	Mmfkhmdi.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Phonha32.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Imgicgca.exe	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jedccfqg.exe	Jljbeali.exe
File created	C:\Windows\SysWOW64\Fgjimp32.dll	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Imgicgca.exe	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Eieijp32.dll	Ieidhh32.exe
File created	C:\Windows\SysWOW64\Ogcnmc32.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Bbikhdcm.dll	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Pjkakfla.dll	Kcbfcigf.exe
File created	C:\Windows\SysWOW64\Gpkpbaea.dll	Mgloefco.exe
File created	C:\Windows\SysWOW64\Aqmiic32.dll	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Kcbfcigf.exe	Kjgeedch.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Ocaebc32.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Afpjel32.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Ipjoja32.exe	Imgicgca.exe
File created	C:\Windows\SysWOW64\Knnhjcog.exe	Jedccfqg.exe
File created	C:\Windows\SysWOW64\Eeccjdie.dll	Kjgeedch.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1068	3656	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didmdo32.dll"	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhkmbmp.dll"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedccfqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjimp32.dll"	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmplqd32.dll"	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jencdebl.dll"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll"	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjgeedch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeccjdie.dll"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgicgca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifjfmcq.dll"	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnlecmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll"	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knnhjcog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knnhjcog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicakqhn.dll"	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Ocaebc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3980	2240	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe	90
PID 2240 wrote to memory of 3980	2240	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe	90
PID 2240 wrote to memory of 3980	2240	2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe	90
PID 3980 wrote to memory of 3588	3980	Imgicgca.exe	91
PID 3980 wrote to memory of 3588	3980	Imgicgca.exe	91
PID 3980 wrote to memory of 3588	3980	Imgicgca.exe	91
PID 3588 wrote to memory of 3200	3588	Ipjoja32.exe	92
PID 3588 wrote to memory of 3200	3588	Ipjoja32.exe	92
PID 3588 wrote to memory of 3200	3588	Ipjoja32.exe	92
PID 3200 wrote to memory of 2184	3200	Ieidhh32.exe	93
PID 3200 wrote to memory of 2184	3200	Ieidhh32.exe	93
PID 3200 wrote to memory of 2184	3200	Ieidhh32.exe	93
PID 2184 wrote to memory of 4508	2184	Jenmcggo.exe	94
PID 2184 wrote to memory of 4508	2184	Jenmcggo.exe	94
PID 2184 wrote to memory of 4508	2184	Jenmcggo.exe	94
PID 4508 wrote to memory of 3156	4508	Jljbeali.exe	95
PID 4508 wrote to memory of 3156	4508	Jljbeali.exe	95
PID 4508 wrote to memory of 3156	4508	Jljbeali.exe	95
PID 3156 wrote to memory of 4992	3156	Jedccfqg.exe	96
PID 3156 wrote to memory of 4992	3156	Jedccfqg.exe	96
PID 3156 wrote to memory of 4992	3156	Jedccfqg.exe	96
PID 4992 wrote to memory of 1944	4992	Knnhjcog.exe	97
PID 4992 wrote to memory of 1944	4992	Knnhjcog.exe	97
PID 4992 wrote to memory of 1944	4992	Knnhjcog.exe	97
PID 1944 wrote to memory of 4704	1944	Kjgeedch.exe	98
PID 1944 wrote to memory of 4704	1944	Kjgeedch.exe	98
PID 1944 wrote to memory of 4704	1944	Kjgeedch.exe	98
PID 4704 wrote to memory of 2204	4704	Kcbfcigf.exe	99
PID 4704 wrote to memory of 2204	4704	Kcbfcigf.exe	99
PID 4704 wrote to memory of 2204	4704	Kcbfcigf.exe	99
PID 2204 wrote to memory of 1136	2204	Ljnlecmp.exe	100
PID 2204 wrote to memory of 1136	2204	Ljnlecmp.exe	100
PID 2204 wrote to memory of 1136	2204	Ljnlecmp.exe	100
PID 1136 wrote to memory of 656	1136	Lnldla32.exe	101
PID 1136 wrote to memory of 656	1136	Lnldla32.exe	101
PID 1136 wrote to memory of 656	1136	Lnldla32.exe	101
PID 656 wrote to memory of 2528	656	Lfgipd32.exe	102
PID 656 wrote to memory of 2528	656	Lfgipd32.exe	102
PID 656 wrote to memory of 2528	656	Lfgipd32.exe	102
PID 2528 wrote to memory of 4472	2528	Lnangaoa.exe	103
PID 2528 wrote to memory of 4472	2528	Lnangaoa.exe	103
PID 2528 wrote to memory of 4472	2528	Lnangaoa.exe	103
PID 4472 wrote to memory of 3780	4472	Mmfkhmdi.exe	104
PID 4472 wrote to memory of 3780	4472	Mmfkhmdi.exe	104
PID 4472 wrote to memory of 3780	4472	Mmfkhmdi.exe	104
PID 3780 wrote to memory of 1564	3780	Mgloefco.exe	105
PID 3780 wrote to memory of 1564	3780	Mgloefco.exe	105
PID 3780 wrote to memory of 1564	3780	Mgloefco.exe	105
PID 1564 wrote to memory of 1372	1564	Mcelpggq.exe	106
PID 1564 wrote to memory of 1372	1564	Mcelpggq.exe	106
PID 1564 wrote to memory of 1372	1564	Mcelpggq.exe	106
PID 1372 wrote to memory of 500	1372	Mfeeabda.exe	107
PID 1372 wrote to memory of 500	1372	Mfeeabda.exe	107
PID 1372 wrote to memory of 500	1372	Mfeeabda.exe	107
PID 500 wrote to memory of 2344	500	Nopfpgip.exe	108
PID 500 wrote to memory of 2344	500	Nopfpgip.exe	108
PID 500 wrote to memory of 2344	500	Nopfpgip.exe	108
PID 2344 wrote to memory of 4856	2344	Nnfpinmi.exe	109
PID 2344 wrote to memory of 4856	2344	Nnfpinmi.exe	109
PID 2344 wrote to memory of 4856	2344	Nnfpinmi.exe	109
PID 4856 wrote to memory of 4456	4856	Ngqagcag.exe	110
PID 4856 wrote to memory of 4456	4856	Ngqagcag.exe	110
PID 4856 wrote to memory of 4456	4856	Ngqagcag.exe	110
PID 4456 wrote to memory of 4064	4456	Ogcnmc32.exe	111

C:\Users\Admin\AppData\Local\Temp\2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c82782440a59f26577bc1bbf933fe4ace01e5abd92aef3636a664b12819bd5a_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Imgicgca.exe
  C:\Windows\system32\Imgicgca.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\Ipjoja32.exe
    C:\Windows\system32\Ipjoja32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\Ieidhh32.exe
      C:\Windows\system32\Ieidhh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:500
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        40⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 400
        41⤵
        Program crash
        
        PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3656 -ip 3656
1⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afpjel32.exe

Filesize
376KB

MD5
2b588fb32f0dd0041e12883bbb73cd07

SHA1
e52571ef0be8b5d83ebfb28f8df167ba29b52048

SHA256
f62420d375b91e99e93656db44c83a56fa2ee7d4c7ea137756d3c317a61505f0

SHA512
cf517ba071ca74ea9c91faf94ecc6ebf786256ce9cefc846bb9447ce28388003e2fed374fa51728268318e3185850a4f73214794e17849bf35048f7ebc7b6657

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
376KB

MD5
00773b715722afa125af50fb08453f1a

SHA1
05288b0f7ea6d0f34f06b309e20e765721e22f1b

SHA256
d1b7b39e98dab857394573a1c49ed7d82799fd737efaac02d3c33b4fd46321ac

SHA512
00c99c76c36270988a0886a580c4d0f1394b7745e4a5884c5a19d0d80e071bb7c8c2738cd902d9814ac9bbd0702675d382b3ff44cc84b09155d4f0a1bc4f63f7

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
376KB

MD5
6de313f35877cac78452191ca6e00a6c

SHA1
f777869270da43c42dbd90b54ba0b8454496901c

SHA256
5882e819747c06a6e099b3e897f3de920c3e568a5e14c582c7aefaf84e510bee

SHA512
1e6e07e0084843214881766c9c8d5b15f7a0bd86d0bebfe4eb20c1dd48c4672ce7302afc2fa9a17764a96f6e6e223223ed43b74b6bd310c7dfd90fdd1cdd836f

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
376KB

MD5
a699f61bc22be45b9505f19c23b76477

SHA1
cc29c15d02297d2fed1c53467df10cb38b83fa33

SHA256
463d9ad72ec6135afa04cd4ba0450d3336c985dcf2abfafd3f518f767f4341db

SHA512
1882eb5af889b6493bbb1849f4d9922f00f7f583c7450d46bfe41234ce67787c62c0a353b17d35e5fed68510649ff90102a1636f81e9761f7da47a00d0adabae

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
376KB

MD5
d30ef44bef9621586a85acc10866f464

SHA1
44614458f9da066ebb006c6ef00887ce19de3c94

SHA256
40087a8f8538189bd791fb20d3fe7a2423c720f028cb29c147f25fb557ef5a68

SHA512
9d344568edacb102d137104b35e43b515a4770f9a92898ce14b23282250e00629ec95ea1747868ecfc6640ec2193a49f0a0acd07b46f80c4f21c56955efc49bc

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
376KB

MD5
deabdb4ffaa0db57cf27b5948708f8fd

SHA1
2e50f36272317d99cbbf8257bbc32b22d240de82

SHA256
f0cd20e65c29d7d747a8c1471711f0039adeaeeb9a9edd8f864ebd2ae6e1a1aa

SHA512
2abad4472b6c2821957170d8571821df843a4279cf3716eee902d2e4820cf3ed887e744be74c171a96b26508c6d7895b0b624443d5a71f0dec19c9d5075ca6e0

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
128KB

MD5
5f85c039dabdd442baf637cd2a0293ed

SHA1
bb91c7a5e90e36e1068bea83870417606123e84a

SHA256
03a341df13a8224cf8e92c4ec261271cd3b0ea1324492d04ee6f05b983bd08e8

SHA512
1c965d9c25e327e32c1eda1999f6a1e6ec2dbcb61ce959010dcea1529ae79ab96c979bf43d81adaf92198b764c56d3e97ba7c98573d8c8f27d88d5c8e5bd0427

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
376KB

MD5
138ef478c46013fca11bd6a5c4ea6dc9

SHA1
b1b44a95054c50eb9dc405d03f9c6698fddb3242

SHA256
38a5daa31251300043bd6ea307a2b92e2f52f4d619f1c81d7ab45fcbddc7d695

SHA512
b1f9eb02d7abe35460f51e99aa1e8cbd99584f82cd2cdb94f6d591e93ac3a2c3749ff0f18a716ae3b010feba60226a80279496438b3a678af049a31641b6a852

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
376KB

MD5
5dfc445619b3131877bc3bcc26491fbf

SHA1
f5fc08d3f26eb44aa9594d55f523575fb8d68158

SHA256
bfc49a5892917c11c9a96c729c6ce077102b0812b01a9eeb261b8a1781db3d0c

SHA512
5a4192517697f84bedcde634a3e1da039932038ff238df8f1e98d103bb9bd46bb952a7b2070b8b4631cf62c00ed116a2626801b427c46407e22ce7a05e36c9df

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
376KB

MD5
708421aee741c0db44b3b4ba46b340c8

SHA1
f96ac4f055a9793f8a7299da750f08c12cc23ba3

SHA256
a76d8a8fab0b2cdbb2eca56cfbdf937c2f0c1e410924c21da7189edf181c4d03

SHA512
4c5a09b489aed2aed7371401bdc9887fc622d52665f18d6eb09f53a0b4f90d2f61ee4ce92bdffd9446edd712bfaaf04248dad87e007774f7a3c714c2b45332da

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
376KB

MD5
0090b3d463bef6d7f64fb66ab3396faf

SHA1
12fc8785393e119a424b488fff0692ea460eba03

SHA256
fadc218a2811c462e1bc9f25fc218bdc52b3d08275ed79e612aa9c2824be5bf1

SHA512
409cce3d9d1625e37637de59d9a76e6d325d58c8921311857fc51f84ceb2071a03cbb15384fdb84cc1a05b693aaa2d7db4033966e79f759b6d285b6b0abcea1e

Download Submit
C:\Windows\SysWOW64\Jenmcggo.exe

Filesize
376KB

MD5
10cc37a1e1a3ed4cfd3b4dd9ec30ffc1

SHA1
c9a8706f8a1b2e2ff583fcb9445ce2088d120b7d

SHA256
75ec13993d8dccbcac4418917befb4ae3bab1104f4610e55743ee1c924f98c5a

SHA512
f5d61c288538a870056903174e88b34f59b583d6b726076f6e6870931d4a7190e2c6b75ae2b5012fa3226fad327127c12caaef499757747c07faacfc516a293d

Download Submit
C:\Windows\SysWOW64\Jljbeali.exe

Filesize
376KB

MD5
ac81c92d25f1bd92cddd3c468f99e06b

SHA1
792a092ab004e59a0b2867d2876fca4db960439a

SHA256
09f2e4d9f84bddc04b69da904294bcc912aa9069e760d402450e64bfdf122094

SHA512
ecda30b30dabea9e79b0c705086814f72d212c64614dce2b7e936de76410969240db951e7b68122adc77411e34a85925f0620ba888b3730264f3179b8faa7298

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
376KB

MD5
d2a274b0e0bdcac44725d31d07c5be85

SHA1
a154c2b26feae3dbf08e97409ac3fa5a8a734032

SHA256
02c29342a73171c861864a245002513b62f267a115cb3bcccefe9bc4f235cd74

SHA512
0f311dd3b35d87568a127d2ec16c5ae63b3e4651c5d947731ba186dc4ec14b2f81b1dc52cfc784f5d34943bea4d39d4f8684b2f35dcfbfe01b5fe6935ae4d44f

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe

Filesize
376KB

MD5
37a3263d204dfafd694efc559e413228

SHA1
55aa81a587d17cb08075380d162c33644395282f

SHA256
c02278faac8782c276c971f3f88bf3ebd701afce7255dfb7a38a035cd1dd64e3

SHA512
82915d16e540699cb5442c114c3ddb905e24172b5a939b7f89f8fb31404365d2459a0bb5e0625cce80c365fabca04c359ac07a6fa5ac54a9dec2a78becb9e03a

Download Submit
C:\Windows\SysWOW64\Knnhjcog.exe

Filesize
376KB

MD5
52f05e437d41a624247308888abb061c

SHA1
1f183c9576dc60a69776bfbab7a5490fcc8ec89c

SHA256
8926b03b1a0e8c102db7f933eae491a994b4ad8de4faf91a66f1c65becfc13bb

SHA512
6036acb7edc53b2211747f4d376735b0e2a76c1fbb8403752f37d08a9d40abefbd4abec8d211908985f817f3a06b604ff7bc3f397b9626466c850f208103ded9

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
376KB

MD5
b2026e6b4bebe32ff2fa05adb0f31915

SHA1
aff1efcd3044d3deb255668ee173becc9044cb5c

SHA256
27d39a1803d5818ffe9e04be016b4e656ed18f99b4260c755effcce536920105

SHA512
5255a149329cb222f1b8638c610106e4abb3ecba3b583ff451b85067a1a61593fe1bbe77391135dce1485f8ee1550119f9c80dca1bc3aae845a538b733703e8f

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
376KB

MD5
f54c10ed8eb131b29ea7ed3af9acc3c0

SHA1
645a839f33fe0d5651f518285998c12bd2f11e76

SHA256
7f0e468e7bb93ca28be4bbafa76bca357dbc386f3e16538ce564aab5b25f5f81

SHA512
21002b485d877133a04820129f72ab8d8b9a7eadc3a7ec6590ba1e7f07d872e3004d4f29ab16b09b17df767c2c46d547fbf98b83aeede2659c3fe9067fcd4634

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
376KB

MD5
ce82c828f3d607b79bfbf97cea36a163

SHA1
ada1d51e23da646e30741e71d9501be5650e39cf

SHA256
90806b3d3c221d59abb91a67d5aa4e07322f7d8ad1477b06db3aac526d438f64

SHA512
84b7105074bcc1ef8b4be6e9518bcc2534220e2ccd102a516638cdc251c71766308cf26a430a0e343d12dd1e2e07874c8a97f692f172b02c90d81ed8fce81c68

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
376KB

MD5
42c6d5dc52540b5a6ebf72d38bd55f1f

SHA1
2aba02f5c652e5f626df425fecfe6298b5b364a3

SHA256
fe409d8fb4fb27b6b0c10749bed215b6b02a31a6ab201655be24d6a4b902fc9c

SHA512
9314a2d6925504349e48ae1d432fcab2d5dda6989358e2d616a27cb09cca1e752ea1f609e5895b6cfb2e41bd35b9a18b0d6b73b566ba31e217feccc27575afc3

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
376KB

MD5
5370c6135da95cdfc4b579c9c43e84b7

SHA1
9c5e133857e990ce0c937e63de6754c4245db605

SHA256
4c676d67591ea94ff41917931c70ae3681e38a8164d115f604f26b5e0de0ecb7

SHA512
6ec3102f23b7286f16b65d7f6b209aa30f458f4c1bcf06bf396732dc3a7d32f4671ab901998528103670ee78017b98a38b56afc953ac207e4ee9c9e12a72659a

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
376KB

MD5
8aa5896e63affab0119c128d065b3e5d

SHA1
76dc279aeeed220de514655e2f5ec0907abc9205

SHA256
3deab5ecaa5757341630c859c5596edb372004fd150e61131c34752dc75d2a0d

SHA512
e3575f715e8cbbee100a2d11012f4507cb08aeb05e135846cbb4cf2fadd62b87d460c03ec4097ff1d481772bb5d30cee7cac4fc1500baadca04fcff9270bfd0e

Download Submit
C:\Windows\SysWOW64\Mgloefco.exe

Filesize
376KB

MD5
184ff6642d75f1f0c1192d8f5e654b07

SHA1
13fbf1fcdd75e36edacdd87829b4e642fa6a94be

SHA256
2505762a1ef2a2c973e8340532b07ff46058fb0b28ebb7e49e3dcf110d5b7a02

SHA512
b5b21f7b6426f510796a2b4e62fc032f26e8d327d0422db5e57a7dde81e1c11cbc7128fd8bd6d7d9e696f3ce48bcf8cf2fefa677fef83b692bb67352b57b2499

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
376KB

MD5
5bacfb85a3bef90c449b8fa70e7721a5

SHA1
0ee0b8320cec14a1b0912009ac23fd2ab91aacbb

SHA256
8d1e5c74b75c74cf51149e68e187fa773b09d68e96b82a674bfa7665646885ed

SHA512
7e4ce578ba0c56bf059ea25d5bd7d956771795d20d453293cbd30b3db1190bd629cc8ae6710ada20f50f0dc1c3e3ac28e07ae76b046e9229552c7cc4833da12c

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
376KB

MD5
e131126e109eada3f267e733bb251028

SHA1
c54bdce79b03998c0eeac35719acd23b643bd79e

SHA256
6df59f5bc69440f7d206052739c3849aca5ee333313a0a931b4e3223ec17c53a

SHA512
6f1b0bfe786e3b61b3074d9b86b2142735982f99a606c87d54d7391c319af990fe42d26cd613fc4361ba2a2bddbed81f37962a63090d2f352ef5f460f7152076

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
376KB

MD5
1f339ab03670073887af604223777968

SHA1
b1335092217ebda54897c389e74550fc97ffa1c2

SHA256
465a48738cb283815035a1d87be24d02a6425124d909e52d22cdf5515a3f249d

SHA512
4819044ab906317c356a6e4473c6a9da714188f5f0c7c10cd17b143bb4ef510d4529dff11e08f205004720c95b556d1ee9f25cd3edd46f5a9d197f36e00499fb

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
376KB

MD5
f9a6f7acfd7acd5b207d097ab5571cf4

SHA1
e43928638c41e61a2eecd539d379e5582198f3f5

SHA256
56e9f1af1372bf8484d6d08a6479b2f1bf1db6b6a60e79e4f43fac9e51eb42e8

SHA512
d870086f45e23a6dda30ed3d952ea143450adad80c55ba0e50b27ad602f001681119b715c3200f1b3f12f7fc463ce0ed3de924b962b2676b0f5802285a306e68

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
376KB

MD5
a3f52747d493eae0998eeb3d00db9353

SHA1
2770f0d4c991e970d1db407cee0356964d770186

SHA256
685339fe520772146f0159a8ae94622432a4049e47bc1604fe79399f1ffe1bff

SHA512
d20291921f52aa2c13dea0f14aca6e36e01ee4837dac00a2a67b34a7810a338071e8e61d331abb48c856fb5e5c463c60de9260ef6ae45bf715d4a61d810533c5

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
376KB

MD5
02bc20a41660e733ec4d1a5a565f0074

SHA1
e4e50ffd82f29dd7a2331ede7031f60a42ce50ad

SHA256
322bbe863dea034fa98f457075b4256b6a8e5ee8639aa43db713ead2f34b74fe

SHA512
15ba5e2379d31787c66563697dce662b586ce53fbfdfd927cc432304a88a57fd9d41f1a2b022656a678409217e6f471f704c6313e5abe13aee5d1c301f11ce18

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
376KB

MD5
b403a82b5ba84b81a75e939d5d37a233

SHA1
66260521ed9d4caf2b511f2d42acf9982d24bfd7

SHA256
4608d13a743a36c43e2c5ccfa979edc83910580e738158c1caa3e9126ce1a80a

SHA512
8c423156e9dac33bb4b6d7eebd24eeb8d21b8c1f225e15898208b40cdf054a6d5b629f386a23b132507ce8c525104ae3c7ac2fc682291ad9b25804eb8f1d7554

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
376KB

MD5
3bf9df61737560490213c4abcd8b5172

SHA1
45c671ac830259106d57b75a050b3a74f1b54ad9

SHA256
2086645a2445f30d280b285181b9b7a682187bd4d76cb18966ede0c4be024111

SHA512
b5f994d0fe6917cacabe550f0a7ae92e95c6229160a33b4e6b5a9323ca52ea2a1d13d9d2974a95599274bf830025808e904c05b77cef4f1e37e8650514582801

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
376KB

MD5
d522328037a5fbb40fde9da1ba0347fb

SHA1
3b41b435b5c9746861b97e51b5a414715c2e9a38

SHA256
652e1b1ddb521e0e29cc9b276333c6633542cd71c167aa1a5a688db7299b43e6

SHA512
5ce8435c8c51fd1e61151b3da1f13e799b40dbc6d8a328face5dc1e95946da72679ec1fe0b60122281e26f472ef8afa5ce56e85dae328f65f8106c401f97fab2

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
376KB

MD5
804cb5533a86218bcee233ce7f19132b

SHA1
9c649e2fb6bdd2bab748dd5f81a6921b80938fe2

SHA256
22680a6ff3e37c458b81b6489c75fe25363d883b93ce8d9cd3385037bf7c5992

SHA512
1fc592eede59bb096d062730705a0fe5f825dc61fe41beec2727cb39bab163afd8ed4de8a89eb5945e008096f7bbad763e285cbb22004c5f64551a61164c49fc

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
376KB

MD5
29669add30afe42d326c2c339069778e

SHA1
cc600b35cec47f3823dc2de7898985fd85c78e8c

SHA256
5e88e9b19ef448a389764ba3776f8fc0d9d50fcb541487de244fd9c22c350f20

SHA512
87a8569d950313a8b98d101fcc844b5e79260fd89e617486d43f6642cd45031e0e2a343c85afdb75ff0dac2c7d54ffcc2f0a3f3704fdf062c9dd2543172f3524

Download Submit
memory/376-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/500-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/500-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2344-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads