442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 07:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
Size

96KB
MD5

ad83b5675aba0a9ae6cdf32d91c83a20
SHA1

047b6cca9076b2e35c5aa77e6d49b589ca84f8ac
SHA256

442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450
SHA512

91f449d39084e70214f05e85636dfaf83769b255b906ffd65c3ba293fad152d07718f6377dc38d9588ec2491de4f7c1e70b1cfe1f168a66033a6a91289f95374
SSDEEP

1536:txVV3o/0BSnVmXHm7kxDYHci/phdFBRyexrkzBHe9MbinV39+ChnSdFFn7Elz45Q:XVV3604nVUHmuYHcAphdoe9eHAMbqV3T

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npccpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npccpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohqqlei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oohqqlei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjfeo32.exe

Executes dropped EXE 35 IoCs

pid	Process
2292	Lfbpag32.exe
2612	Libicbma.exe
2620	Mieeibkn.exe
2820	Mhjbjopf.exe
2484	Mdacop32.exe
3000	Mofglh32.exe
264	Mmldme32.exe
272	Nmnace32.exe
2872	Ndjfeo32.exe
1532	Ncpcfkbg.exe
1608	Npccpo32.exe
2532	Oohqqlei.exe
2560	Odhfob32.exe
1516	Okanklik.exe
1044	Okfgfl32.exe
1684	Pkidlk32.exe
1816	Pgpeal32.exe
1428	Pqhijbog.exe
1984	Pgbafl32.exe
1724	Piekcd32.exe
1980	Pkfceo32.exe
852	Qflhbhgg.exe
888	Qijdocfj.exe
2168	Qiladcdh.exe
1012	Acfaeq32.exe
1388	Amnfnfgg.exe
1972	Afgkfl32.exe
2892	Agfgqo32.exe
2696	Alhmjbhj.exe
876	Afnagk32.exe
2580	Blkioa32.exe
2480	Bhdgjb32.exe
2544	Baohhgnf.exe
2592	Cpceidcn.exe
760	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
1768	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
1768	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
2292	Lfbpag32.exe
2292	Lfbpag32.exe
2612	Libicbma.exe
2612	Libicbma.exe
2620	Mieeibkn.exe
2620	Mieeibkn.exe
2820	Mhjbjopf.exe
2820	Mhjbjopf.exe
2484	Mdacop32.exe
2484	Mdacop32.exe
3000	Mofglh32.exe
3000	Mofglh32.exe
264	Mmldme32.exe
264	Mmldme32.exe
272	Nmnace32.exe
272	Nmnace32.exe
2872	Ndjfeo32.exe
2872	Ndjfeo32.exe
1532	Ncpcfkbg.exe
1532	Ncpcfkbg.exe
1608	Npccpo32.exe
1608	Npccpo32.exe
2532	Oohqqlei.exe
2532	Oohqqlei.exe
2560	Odhfob32.exe
2560	Odhfob32.exe
1516	Okanklik.exe
1516	Okanklik.exe
1044	Okfgfl32.exe
1044	Okfgfl32.exe
1684	Pkidlk32.exe
1684	Pkidlk32.exe
1816	Pgpeal32.exe
1816	Pgpeal32.exe
1428	Pqhijbog.exe
1428	Pqhijbog.exe
1984	Pgbafl32.exe
1984	Pgbafl32.exe
1724	Piekcd32.exe
1724	Piekcd32.exe
1980	Pkfceo32.exe
1980	Pkfceo32.exe
852	Qflhbhgg.exe
852	Qflhbhgg.exe
888	Qijdocfj.exe
888	Qijdocfj.exe
2168	Qiladcdh.exe
2168	Qiladcdh.exe
1012	Acfaeq32.exe
1012	Acfaeq32.exe
1388	Amnfnfgg.exe
1388	Amnfnfgg.exe
1972	Afgkfl32.exe
1972	Afgkfl32.exe
2892	Agfgqo32.exe
2892	Agfgqo32.exe
2696	Alhmjbhj.exe
2696	Alhmjbhj.exe
876	Afnagk32.exe
876	Afnagk32.exe
2580	Blkioa32.exe
2580	Blkioa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Amnfnfgg.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Pkidlk32.exe	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Odhfob32.exe	Oohqqlei.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Blkioa32.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Pgpeal32.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Ncmdic32.dll	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Okanklik.exe	Odhfob32.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Okfgfl32.exe	Okanklik.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Pqhijbog.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Imbiaa32.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Odhfob32.exe	Oohqqlei.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Cdepma32.dll	Odhfob32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Blkioa32.exe
File opened for modification	C:\Windows\SysWOW64\Pgpeal32.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Ajpjcomh.dll	Afnagk32.exe
File created	C:\Windows\SysWOW64\Oackeakj.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Faflglmh.dll	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mhjbjopf.exe	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Agfgqo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
668	760	WerFault.exe	62

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll"	Odhfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oohqqlei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanedg32.dll"	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2292	1768	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe	28
PID 1768 wrote to memory of 2292	1768	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe	28
PID 1768 wrote to memory of 2292	1768	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe	28
PID 1768 wrote to memory of 2292	1768	442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe	28
PID 2292 wrote to memory of 2612	2292	Lfbpag32.exe	29
PID 2292 wrote to memory of 2612	2292	Lfbpag32.exe	29
PID 2292 wrote to memory of 2612	2292	Lfbpag32.exe	29
PID 2292 wrote to memory of 2612	2292	Lfbpag32.exe	29
PID 2612 wrote to memory of 2620	2612	Libicbma.exe	30
PID 2612 wrote to memory of 2620	2612	Libicbma.exe	30
PID 2612 wrote to memory of 2620	2612	Libicbma.exe	30
PID 2612 wrote to memory of 2620	2612	Libicbma.exe	30
PID 2620 wrote to memory of 2820	2620	Mieeibkn.exe	31
PID 2620 wrote to memory of 2820	2620	Mieeibkn.exe	31
PID 2620 wrote to memory of 2820	2620	Mieeibkn.exe	31
PID 2620 wrote to memory of 2820	2620	Mieeibkn.exe	31
PID 2820 wrote to memory of 2484	2820	Mhjbjopf.exe	32
PID 2820 wrote to memory of 2484	2820	Mhjbjopf.exe	32
PID 2820 wrote to memory of 2484	2820	Mhjbjopf.exe	32
PID 2820 wrote to memory of 2484	2820	Mhjbjopf.exe	32
PID 2484 wrote to memory of 3000	2484	Mdacop32.exe	33
PID 2484 wrote to memory of 3000	2484	Mdacop32.exe	33
PID 2484 wrote to memory of 3000	2484	Mdacop32.exe	33
PID 2484 wrote to memory of 3000	2484	Mdacop32.exe	33
PID 3000 wrote to memory of 264	3000	Mofglh32.exe	34
PID 3000 wrote to memory of 264	3000	Mofglh32.exe	34
PID 3000 wrote to memory of 264	3000	Mofglh32.exe	34
PID 3000 wrote to memory of 264	3000	Mofglh32.exe	34
PID 264 wrote to memory of 272	264	Mmldme32.exe	35
PID 264 wrote to memory of 272	264	Mmldme32.exe	35
PID 264 wrote to memory of 272	264	Mmldme32.exe	35
PID 264 wrote to memory of 272	264	Mmldme32.exe	35
PID 272 wrote to memory of 2872	272	Nmnace32.exe	36
PID 272 wrote to memory of 2872	272	Nmnace32.exe	36
PID 272 wrote to memory of 2872	272	Nmnace32.exe	36
PID 272 wrote to memory of 2872	272	Nmnace32.exe	36
PID 2872 wrote to memory of 1532	2872	Ndjfeo32.exe	37
PID 2872 wrote to memory of 1532	2872	Ndjfeo32.exe	37
PID 2872 wrote to memory of 1532	2872	Ndjfeo32.exe	37
PID 2872 wrote to memory of 1532	2872	Ndjfeo32.exe	37
PID 1532 wrote to memory of 1608	1532	Ncpcfkbg.exe	38
PID 1532 wrote to memory of 1608	1532	Ncpcfkbg.exe	38
PID 1532 wrote to memory of 1608	1532	Ncpcfkbg.exe	38
PID 1532 wrote to memory of 1608	1532	Ncpcfkbg.exe	38
PID 1608 wrote to memory of 2532	1608	Npccpo32.exe	39
PID 1608 wrote to memory of 2532	1608	Npccpo32.exe	39
PID 1608 wrote to memory of 2532	1608	Npccpo32.exe	39
PID 1608 wrote to memory of 2532	1608	Npccpo32.exe	39
PID 2532 wrote to memory of 2560	2532	Oohqqlei.exe	40
PID 2532 wrote to memory of 2560	2532	Oohqqlei.exe	40
PID 2532 wrote to memory of 2560	2532	Oohqqlei.exe	40
PID 2532 wrote to memory of 2560	2532	Oohqqlei.exe	40
PID 2560 wrote to memory of 1516	2560	Odhfob32.exe	41
PID 2560 wrote to memory of 1516	2560	Odhfob32.exe	41
PID 2560 wrote to memory of 1516	2560	Odhfob32.exe	41
PID 2560 wrote to memory of 1516	2560	Odhfob32.exe	41
PID 1516 wrote to memory of 1044	1516	Okanklik.exe	42
PID 1516 wrote to memory of 1044	1516	Okanklik.exe	42
PID 1516 wrote to memory of 1044	1516	Okanklik.exe	42
PID 1516 wrote to memory of 1044	1516	Okanklik.exe	42
PID 1044 wrote to memory of 1684	1044	Okfgfl32.exe	43
PID 1044 wrote to memory of 1684	1044	Okfgfl32.exe	43
PID 1044 wrote to memory of 1684	1044	Okfgfl32.exe	43
PID 1044 wrote to memory of 1684	1044	Okfgfl32.exe	43

C:\Users\Admin\AppData\Local\Temp\442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\442d782afd5835d8f55380e3bf6493068717378cfc882b3afe4aaa70a245d450_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\Lfbpag32.exe
  C:\Windows\system32\Lfbpag32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\Libicbma.exe
    C:\Windows\system32\Libicbma.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Mieeibkn.exe
      C:\Windows\system32\Mieeibkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Npccpo32.exe
        
        C:\Windows\system32\Npccpo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Oohqqlei.exe
        
        C:\Windows\system32\Oohqqlei.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Okanklik.exe
        
        C:\Windows\system32\Okanklik.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        36⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 140
        37⤵
        Program crash
        
        PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
96KB

MD5
36209fb548bd6a33862bc85eea90affd

SHA1
6810141facbb6f6d680fe33b18439aa0ebce0f17

SHA256
b634d76e79e62685f2fceec0a5feb2b3b8910b7e6b1f6de69e333ff9b85866af

SHA512
9119a38826c5d44b3740b7b92b8acbc8d0d457e89a4fcc49812f789cfe31f9c245f8e448f6f57fd491550307c23388bed8dc50c64337ac37c3a9f5078ecfded1

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
96KB

MD5
850eacbef6c50ffa2b08e7b0e846315c

SHA1
be8db1cf2b0c7129424468e1f7cd64b530cd5077

SHA256
e93403333a5c86a9efff47f240dd8ff36be51c996751ddada1cb7cf7d1f289d7

SHA512
91fb0bda75a98031225caec933cc4ef00325d792cadf4e6dca3e7a19e48d032420c874fa995c09e98b2ace83e884a6eccaba4e5f15a5c48cff356352e51bf6d8

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
96KB

MD5
27d49334994c69996dc4620695fbfe5f

SHA1
392451b8f7f4e5fdb050f2beab3e1a4a2f66c3a0

SHA256
bc41e381487cb557ea8f8b4ecee14ebef1d3ed93b3f7661783b7153068221c6d

SHA512
5b3c4ef4f402e11e44361dbf565232208a691114714e9d66cfc66ad0fcb8a3b79c6b0331e38cda2e144eb4e5669731b54c9a74f4bcdb6fc30c10345c6eab2a21

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
96KB

MD5
ba2c233dd9da5b856ad8677af83f7870

SHA1
ca36f4cbfceeaba4265bdd155bb5394e5410fb67

SHA256
01575be155cdf2a49e71b12e99001f5803b4099da1afcb9046b2e0fc6b591f04

SHA512
b8c0b461e5aec2924f1668c933e07a6cb5be25deb7e2c832661244a72696eedba24dc2cfc242059cae449caa584ddc0738d8f2ed648d274062321c39db111478

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
96KB

MD5
74a79d3714eca9a558d20ba1e52226e0

SHA1
b114747647611bf00c8e1a09808e279c2ffd8044

SHA256
1926c3bda9b53c00a5fca9376b77b05192df872db59848b990c0f25f06594d62

SHA512
b42937ae54f9ae49cccd7822d130b40bf65ab3e7a1c70441817144dad1ef7ef9614cc1044e7f5504160c116388d8ff28f2dbcf73b3e8fb20049d580fe6cc1569

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
96KB

MD5
6f4a33c8e6ebe8e656fddcb3d3f9e29d

SHA1
b9dc9ece1801978d063ad07eaa98cb3243e979cd

SHA256
0e2a350f2968360743606d2945d9a8cd18c1f940bd14eec3bb4df42c75c5623c

SHA512
8af5bb69aba86291e6e3d6cb9f51af34447093b6dbd0f4f03f5c77f6b6c548b80a22be2643f23cd37e269c2f64f2b464f33b657ccf461b0becaa72812abe007a

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
96KB

MD5
ebcb4c9907b0859f91ffbc59f5290f98

SHA1
3ac01e7cc8605c914c6fc6d2c495872b19c5be8b

SHA256
76e53d68106788a6c6518f0bc222d08d43dde9ed52f5f90f632ac206db8689f4

SHA512
b4ea8f33d12c7f6e7657fad42d5d8678e49b83a08017adf1a4fb37c0ed00aadc0db721b17fd098f53f6733ef8729764df1009dd8b8cc3757662fc3a738220ada

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
96KB

MD5
30b3a9422c61eaec3b217e572c89eaa2

SHA1
aa1daa8ab0634f6c309d0b45b4add3ed7abc7f61

SHA256
11ba716e1a44f4d365352c46fb06a1f8ee833b5d8c225189d639b067dda7aa84

SHA512
c6e0db006abde4b693e1ebba5e112c7365b2e7746e7bfb700496e1f43e728f133c610a6ab8351ad99e2a8f0b2d668b48d7f15ec75570741891405badf4c345f1

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
96KB

MD5
9bffb8dfc2ae0b6195e393b431394299

SHA1
3ca3da3ec7cba3cb89e0d1f821c10da48c462c03

SHA256
4b54c7841dbc49a7b37d9b6cf772edd5f1df6ec934fcc70c2b80df0892093315

SHA512
a44d9be57581773b4925271be226263896d826731614c774d2daa7b0f3cf5ac2bc25ad829f6b25e32ab0dd2ea456d54898b47d1ba843e95a66eebf49ae346030

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
96KB

MD5
e9b005f3d56b86e8f0ce9673c5524080

SHA1
d60a59147b99a921d15d8ad65cd82fb891e8d2ef

SHA256
a7f4a7206fe768785470d9e71165f8ed371c9f0cff964b1a7c56c4994f480f9c

SHA512
e609a266a9f71d38da101064fcfcb9cf37ac6969462d103c214023766532f3790f5fbc07ad08d8001ffc6f817f92cca2fc042f7066e3be79723f86b0b260ee78

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
96KB

MD5
6d210949d60f885f544833592fb7452c

SHA1
58dae094356953c9f88353a49d772430ccbee668

SHA256
08d60e4a5fcb86bce52527473f3fb13356370c689a1e58b7d1583c385fccbd28

SHA512
c60552bbbd200556d2f15bd34827a2f71621cc7bbf4bd58a6476b1434539929cc30635446b66b602b197482132463e65a129e371b2d31d0247e6fd6b4581dcbf

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
96KB

MD5
92a1692c98b4135fc5861bf27e396447

SHA1
039c6b5521ec3c43c7b211467f6bab633967649d

SHA256
6d66f5b7735f466e1c935c98045e330ff776417a5cc97c9da7c780007bf13bc9

SHA512
04096d9f2fffcc56da8b95f483eaa754b1c6f681a3d49852cc4b584b914896659772b895497ab8caeaf929238da834948add66a921a34f879c5c12542a7c16a4

Download Submit
C:\Windows\SysWOW64\Pgbafl32.exe

Filesize
96KB

MD5
bef7beca763ed6b3a5c9f647c59f9dcd

SHA1
c5c47ec4ab99a08b556405c22097d583b7111009

SHA256
7b2cbba2858063f2b5cf97909b2c506bef339e06871fdd4d045c66e7aed814a9

SHA512
25e2c9ed6c598761effdb34ad22ab012b7ebcadd53f767a84cde482da6ad5a5a6335aa1c26f011235677e46ae3ecebd96eae7e07797c062706d0e58080e12a94

Download Submit
C:\Windows\SysWOW64\Pgpeal32.exe

Filesize
96KB

MD5
56c9db75f0efacf286574d996cc4cb5c

SHA1
4ec70b078f102b73cc4d8bd71519012b555c0961

SHA256
5f2c5c27546a2bceeaeaa0d21cc66faf43f7f84e44b691876568055be024e2df

SHA512
2f6f5292e0ade7684133389d9f7a75008990cb1e12bcc88e142e7709c1d9e9496fc33266432fad88d27e40e0ee31464fb831f73e92857d806123e6fe3f2c13ae

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
96KB

MD5
d1a919df8cbfdcd79874353194f5e0cd

SHA1
ffd65c381d18ba0cad71b7490698c08468a1394e

SHA256
1121801e2d01b4603f4e3bdb71adf8bc21afcad4ae7235c9a0046f7b45c75fb9

SHA512
720296c17492463b368f820d512d2a6c812791257c94f4714ddd4800305e4c0236bbde407b6a191073e6204119d3f8d99090b36e346dddeddaabe1f62abb61d0

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
96KB

MD5
7f111a716475cb09a6ab5991c0d0ca3a

SHA1
fa33b96e40ff726c4c99d104783d88ef176b0592

SHA256
14f1aa60fc7abe72a0cd268aea19e449719710ee34db2e3a1aa452533c0f6076

SHA512
2cca37e8ed70c5c69d636bdeb54c9ffa4bb3dbc286062c26421594e8a03450ae99401144ddfde5b56b9d210e8620de47a87a73a484e8a711a114f6911e66a118

Download Submit
C:\Windows\SysWOW64\Pkidlk32.exe

Filesize
96KB

MD5
1eff0a54cd6bfbd71e5f414537a5ae7e

SHA1
27f171471f05d36bfca95298ba6b31a5538fd33c

SHA256
2aec4dae01b66d98c276969aa5d143a6a1b0d68adfc0fff791a2a23d45a31dd4

SHA512
857f666034b71729ef26a4adf259b28dce2687a352025943478c581af6721a216fad899d2e0a5a55ce1f993769fbf6b80ae21597a4e53e3c036d6b4dee68c3c8

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
96KB

MD5
9fce1ebf16ca162b4efa02fe6b162036

SHA1
5b321cbbfd5f48a4f32e12873a4852fef8837164

SHA256
11b3d40a269d9eaeb97b02679547d99d945fabca718e4fb75ae52647315c4ef0

SHA512
c254149e56bf886e16dfa95762b036950c7fde351ba099a20b6b74f778f2dbcb34a4f4415d62184e8929886d4544da531d610fec88c6e0aae5eeb8d9b374a9bc

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
96KB

MD5
59d7ccbb1ec5ad0fc8c5d9108a5ea9fc

SHA1
5fc55fa983082375a66f3d42ebd3e1984359a779

SHA256
f052d7d1489556f0dfeff5f442f5a9b3f0cdfd0f67b559dd664544efbb533aca

SHA512
3d0ce54de1ceaa42c70f35d326d6c57ecbaa098b5614c94a1d97e32e9318cb7e5ad0e75a5ca91335d6cebb7588c9b6b8f146454a1c1bb5a2741bf5d92ad21c84

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
96KB

MD5
a76e5a4ddef2aa273efa8be3888c3ffd

SHA1
e883c09457540095268b5875c024d2e148f96f80

SHA256
e9554309b84562146c96ae5a6078fb5b8d2682a8de697dec4f4b0a0f2b8ad2ea

SHA512
6820b9e2775f385ca23cb11d248993f9ff36d2bb8cff83fe3e56d56cfabd4aa15747df0e738c0468c07470e11e5285f9b804856bf9c27c7aaa3203b84cd13812

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
96KB

MD5
e772fa9b65c6465e6dc470e00972be12

SHA1
2c5de4ccd4f995fe629e67db3bfe8d86327c92fb

SHA256
41e91e3679d54fb305327d96571fb41585e4d4080efabad8ddd353770202bb52

SHA512
f69d286a9188627536075c3b10586dae7a64c159b371b5c92c51c870acb908794d67b0fff0a2c0c3194a2a12241a1f894a707e87631564c06c0df6a325577f97

Download Submit
\Windows\SysWOW64\Lfbpag32.exe

Filesize
96KB

MD5
cd5d0457c6771380cef7f0d3b8e068f1

SHA1
9d11a2de86fb1c0e88e1f292fdc006758a513cae

SHA256
364ca92bdbdeac7bad9204db1d3e149a9982e2926951e5308a4d91f3d298cf67

SHA512
7759a78358d60344276d937600517bfef97c8122382957a9329598404e4784d88effdbef2b02738b3a0681ff6202d92dd8772b8dd70b6a727470c9c0305db571

Download Submit
\Windows\SysWOW64\Libicbma.exe

Filesize
96KB

MD5
1a3aa78135a722c1c4989590230e51c6

SHA1
68109e3dc03c327d08e8c88b6caf8348def882ce

SHA256
f80f16492efff634376d9c63a5175cbee1b84c608b2df213f372351117b4f94d

SHA512
c64e522e8cd8e9555d4754870bb2d5361565115a773b7ceadfee130e2c9104db4b95083c0d2e12218a4e143f0b6dcd33b9f067a6bd1fa9e90bfa3df075b6c9c5

Download Submit
\Windows\SysWOW64\Mdacop32.exe

Filesize
96KB

MD5
b754967328bf37a824026a413779b09a

SHA1
dcbf67aa1b2dd22cceb665b82bed8b51be192ddd

SHA256
2867c7123ce76bb4697fc2bf381a7144ec4636a06158e08d500b3d09aced872e

SHA512
b4b8b848925d7fa334a8d156e0a2562609b65ddffb59aa986c2d6bb0bf53796ed3db6587ed4124a80d23675344debf717fb992f520541ee24c28756d850333f8

Download Submit
\Windows\SysWOW64\Mhjbjopf.exe

Filesize
96KB

MD5
17c987db4b41323e1c41f1c795816429

SHA1
df35097b2582beffe0b36f79daf34eef96283d58

SHA256
ddfaa33f0bb3b93b438c0c122360378ae420d48a5a2ae19d335172022e0b4bcf

SHA512
4784aba0f9e85da904c2545177cdd39adcf4da4df0263064d4c73136af7c3f5df3e85a373eeb2c92fbe0a60b259a5d46ce860cd24411339abd199f8d37429568

Download Submit
\Windows\SysWOW64\Mieeibkn.exe

Filesize
96KB

MD5
310c0d75f85590a7a7a18078464ec86a

SHA1
fb9e01d858fe6b0ebd1dfdf06fd5a7d300bb3a93

SHA256
3bc22ce98b4ca3aef9a1925f266a1ba724ffe1484e31a30dfe06f3c687df7aee

SHA512
5e5eb20932d5f4543cc07fc624c3891f6dd6ef3da739fcafded938487220443a283e0ceba2765838dbf4336c41cfc929f5dcfdcdb9bd090a6b1feca757fd54da

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
96KB

MD5
2b0842328565d27a0edc09d095fa288b

SHA1
9047034a77b48df4c5f9bfa8a2547ca8476306e2

SHA256
add46e627428d1ecf4ef64016230766f5db64b401ee7291675a2bbaa73c9d4ec

SHA512
b27f7e40b40037945c6c698b2f5388d16bd239b3937cd2cba6da52a0a437928341ba7822b20aa2901134807109fcbf57ec1dfce616a47598bb55306b420ea13b

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
96KB

MD5
0dba3e5cfcb2579f72ee451b4c29285e

SHA1
39deabec05bbea6942b9525cb35d7beb5453e35b

SHA256
277cecc6d92fb9b4a54d0b9cc9a90a13a3a36b0b00b8aef9bc67d38afe1116f0

SHA512
56d0455dc698fd70414d381e8404df24debc4737fbb8bf1ccc63864143b303735058f8b278494b42c43c174c419ff202a5e20cd2f4419acaefdc4d8d456cc9c8

Download Submit
\Windows\SysWOW64\Ndjfeo32.exe

Filesize
96KB

MD5
bb451e482afe0c5c9c35fee4fe0215f1

SHA1
662a4beebfb6b8f764e2c29f377eb9dd22519004

SHA256
fe423be49f5e99dd3bfd695affc02ff549c36c2acc099b8706acbaf24ea1a597

SHA512
29b2acdca0fb279ace78567fdf806e5d7b2687afcc81acc67e5d0d288253ad72015adfc1caba0f883441dbcd9f292754d25989c6466ea772d3ed0cd3273efa0c

Download Submit
\Windows\SysWOW64\Nmnace32.exe

Filesize
96KB

MD5
bf607d3f73e3bda343634c7b3610c6d4

SHA1
b223485ea3d478ef4209ecd1048a5e5d68f8ca0d

SHA256
8c300d6c8e57812600c57944da5cb47f36fd1d69afa1ff28432fcf46cb5a57d1

SHA512
a7f6b5f13f9f0f0255936c64a14cf656b8c07b90925e9a80fa797c4f1e193be15e7678ef1d2c78ed4e4240ef32c51523d2da51b5b9f6629bf8d74b98cfb302f2

Download Submit
\Windows\SysWOW64\Npccpo32.exe

Filesize
96KB

MD5
dec51b3a1445a3d6893b8b39ad48634e

SHA1
7bb74eb402e10a536bc6e7a6ee65e459160dbec7

SHA256
73f7a2650acc3812aaef77f531fe3780cca01bddf9cd236680826158abc2cee4

SHA512
d1e2f40e163c612c877e685bb5bae35966bdcd55ab6ac1bb20e292bb9db306b543f905b9e0d8dd41040323c1587ce254512a4a4fcbb82fc89d7732da11a611cf

Download Submit
\Windows\SysWOW64\Odhfob32.exe

Filesize
96KB

MD5
5b020fcb3c7b413d59720e972bbc3158

SHA1
153bbe99e0fa97e36e5f551392da39552d542f46

SHA256
300c7ddb213cce157ac633c89f16fad39cc6ccfbee97551395aa00ec8bbbea00

SHA512
e9b53dea1787406b848d1c73a7bbbec937d8e5d27a0a898ee29cc0ae00c953ef3df0b8297de13690d29c5823cb2b01fa1a0991025853f693327df1328c4060b8

Download Submit
\Windows\SysWOW64\Okanklik.exe

Filesize
96KB

MD5
c96b6c9a354886a508352c7ff04402f9

SHA1
72ce21dc5c6c7b19634a113754f7359b2b7caadc

SHA256
add1464658e89c34b8b576c5d9739d259bb5ad9bc153e7cf48dde008898a8c00

SHA512
c24b077f76d245c75bb54c8a6b47824c39ff3ca5d25a975479dda4f7a4351a14eb474d59e158ac611fa22193b361f6bd7003a864e976e35e95f4c74c7c5cb208

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
96KB

MD5
1856b4ba947fd46249a05d36a250b4fd

SHA1
7b4de6f8ab7210ba8baba835616676f49f536369

SHA256
953169f9476194fce050e8724c1c65a99783c239e3766dc23d02c1782d395e35

SHA512
944781b2d782990e8a11a7be1ac500ee8dc336100ed1b60cc96923266502e276429061e7db8af396db2e09e11c7dd5462d10b098921f31014f21cfe9fc9fbbb8

Download Submit
\Windows\SysWOW64\Oohqqlei.exe

Filesize
96KB

MD5
d5b1ea5449b71c9485f5c5ac9738bdbd

SHA1
a32d30fd8ebd521a22c97a4869e9937f256c2a07

SHA256
cf7f30165a40c205b3f63c7480a039c0eb3a0a9bbc8e7a765abc4f6ba73d59a0

SHA512
1cf3cd581b13af9c68e78e668fd6ecced1a32d2d72b8e77372afbcbefd6308fe09f9085cf3da2b5f6056f03f2a905859289fd4383605261488258c48ee60a0a0

Download Submit
memory/264-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/272-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/272-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-280-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/852-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-371-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/876-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-370-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/888-293-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/888-294-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/888-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-316-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1012-315-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1044-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-334-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1388-335-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1388-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-241-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1428-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-197-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/1516-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-142-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1608-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-268-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1724-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-269-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1768-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-418-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1768-6-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1768-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-337-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1972-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-338-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1980-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-305-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2168-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-301-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2292-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-24-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2292-25-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2480-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-392-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2480-393-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2484-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-174-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2532-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-404-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2544-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-400-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2560-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-188-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2580-382-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2580-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-381-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2592-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-414-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2592-415-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2612-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-39-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2620-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-360-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2696-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-359-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2820-66-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2820-69-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2820-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-357-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2892-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-356-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3000-96-0x0000000001B60000-0x0000000001B94000-memory.dmp

Filesize
208KB

Download
memory/3000-90-0x0000000001B60000-0x0000000001B94000-memory.dmp

Filesize
208KB

Download
memory/3000-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads