29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
Size

576KB
MD5

05048e3b9dda7a6e0204d665d063f520
SHA1

4dc3a10b893f42c872c08fcd06357a9f71424a4f
SHA256

29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756
SHA512

17b3d219fcc8b499bcb17765a56970a4943e58bc8eebea240f18befbe85ff1a712f4eb2361ad89d234be91107ff3e371b1068bd08196285e48bec82b14b17331
SSDEEP

12288:aWxXGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:3lGyXsGG1ws5ipX6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedlip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inebjihf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedlip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Damfao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Johggfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Damfao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mledmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddklbd32.exe

Executes dropped EXE 42 IoCs

pid	Process
3384	Damfao32.exe
3168	Gacepg32.exe
3448	Giljfddl.exe
1720	Hbldphde.exe
3532	Inebjihf.exe
1716	Ipdndloi.exe
2228	Ihdldn32.exe
3772	Jhkbdmbg.exe
940	Johggfha.exe
1156	Kedlip32.exe
2596	Koonge32.exe
2336	Khiofk32.exe
2552	Kadpdp32.exe
4732	Lhnhajba.exe
1956	Ljpaqmgb.exe
3664	Loofnccf.exe
444	Mledmg32.exe
2492	Mbdiknlb.exe
3776	Mbgeqmjp.exe
3716	Nfldgk32.exe
3444	Ommceclc.exe
4868	Ppgomnai.exe
3864	Pjaleemj.exe
2052	Qppaclio.exe
1496	Afappe32.exe
4404	Aplaoj32.exe
2916	Ajdbac32.exe
1612	Bbfmgd32.exe
3816	Cibain32.exe
4724	Cdolgfbp.exe
2160	Ddfbgelh.exe
2252	Ddklbd32.exe
3912	Edoencdm.exe
4264	Epffbd32.exe
4592	Eddnic32.exe
3676	Eqmlccdi.exe
1664	Fgiaemic.exe
3004	Fcbnpnme.exe
716	Fnjocf32.exe
1728	Gbhhieao.exe
3504	Gqnejaff.exe
3984	Gbmadd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kedlip32.exe	Johggfha.exe
File opened for modification	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mbdiknlb.exe
File opened for modification	C:\Windows\SysWOW64\Gqnejaff.exe	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Ckfaapfi.dll	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Ahfmjddg.dll	Khiofk32.exe
File created	C:\Windows\SysWOW64\Afjpan32.dll	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Epffbd32.exe	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbac32.exe	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Bbfmgd32.exe	Ajdbac32.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Gacepg32.exe	Damfao32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Inebjihf.exe
File created	C:\Windows\SysWOW64\Koonge32.exe	Kedlip32.exe
File opened for modification	C:\Windows\SysWOW64\Mledmg32.exe	Loofnccf.exe
File opened for modification	C:\Windows\SysWOW64\Loofnccf.exe	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Mbdiknlb.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Epffbd32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Gqnejaff.exe	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Damfao32.exe	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Nfldgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	Aplaoj32.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Johggfha.exe	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Afappe32.exe	Qppaclio.exe
File created	C:\Windows\SysWOW64\Eddnic32.exe	Epffbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bbfmgd32.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Eddnic32.exe
File created	C:\Windows\SysWOW64\Kadpdp32.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Aplaoj32.exe	Afappe32.exe
File created	C:\Windows\SysWOW64\Gbhhieao.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbhhieao.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Njlmnj32.dll	Hbldphde.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Ohlemeao.dll	Ihdldn32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Obhmcdfq.dll	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Ddklbd32.exe
File opened for modification	C:\Windows\SysWOW64\Qppaclio.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Epffbd32.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Gacepg32.exe	Damfao32.exe
File opened for modification	C:\Windows\SysWOW64\Jhkbdmbg.exe	Ihdldn32.exe
File created	C:\Windows\SysWOW64\Mledmg32.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Kpbgeaba.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Hbldphde.exe	Giljfddl.exe
File created	C:\Windows\SysWOW64\Johggfha.exe	Jhkbdmbg.exe
File opened for modification	C:\Windows\SysWOW64\Koonge32.exe	Kedlip32.exe
File created	C:\Windows\SysWOW64\Lhnhajba.exe	Kadpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Epffbd32.exe
File created	C:\Windows\SysWOW64\Ihdldn32.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Ddfbgelh.exe	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Giljfddl.exe	Gacepg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Mgpilmfi.dll	Gacepg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1168	3984	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Johggfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll"	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ommceclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll"	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll"	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll"	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gacepg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giljfddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfmbd32.dll"	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll"	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibmbgdm.dll"	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemghi32.dll"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmkcc32.dll"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afappe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3384	452	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe	91
PID 452 wrote to memory of 3384	452	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe	91
PID 452 wrote to memory of 3384	452	29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe	91
PID 3384 wrote to memory of 3168	3384	Damfao32.exe	92
PID 3384 wrote to memory of 3168	3384	Damfao32.exe	92
PID 3384 wrote to memory of 3168	3384	Damfao32.exe	92
PID 3168 wrote to memory of 3448	3168	Gacepg32.exe	93
PID 3168 wrote to memory of 3448	3168	Gacepg32.exe	93
PID 3168 wrote to memory of 3448	3168	Gacepg32.exe	93
PID 3448 wrote to memory of 1720	3448	Giljfddl.exe	94
PID 3448 wrote to memory of 1720	3448	Giljfddl.exe	94
PID 3448 wrote to memory of 1720	3448	Giljfddl.exe	94
PID 1720 wrote to memory of 3532	1720	Hbldphde.exe	95
PID 1720 wrote to memory of 3532	1720	Hbldphde.exe	95
PID 1720 wrote to memory of 3532	1720	Hbldphde.exe	95
PID 3532 wrote to memory of 1716	3532	Inebjihf.exe	96
PID 3532 wrote to memory of 1716	3532	Inebjihf.exe	96
PID 3532 wrote to memory of 1716	3532	Inebjihf.exe	96
PID 1716 wrote to memory of 2228	1716	Ipdndloi.exe	97
PID 1716 wrote to memory of 2228	1716	Ipdndloi.exe	97
PID 1716 wrote to memory of 2228	1716	Ipdndloi.exe	97
PID 2228 wrote to memory of 3772	2228	Ihdldn32.exe	98
PID 2228 wrote to memory of 3772	2228	Ihdldn32.exe	98
PID 2228 wrote to memory of 3772	2228	Ihdldn32.exe	98
PID 3772 wrote to memory of 940	3772	Jhkbdmbg.exe	99
PID 3772 wrote to memory of 940	3772	Jhkbdmbg.exe	99
PID 3772 wrote to memory of 940	3772	Jhkbdmbg.exe	99
PID 940 wrote to memory of 1156	940	Johggfha.exe	100
PID 940 wrote to memory of 1156	940	Johggfha.exe	100
PID 940 wrote to memory of 1156	940	Johggfha.exe	100
PID 1156 wrote to memory of 2596	1156	Kedlip32.exe	101
PID 1156 wrote to memory of 2596	1156	Kedlip32.exe	101
PID 1156 wrote to memory of 2596	1156	Kedlip32.exe	101
PID 2596 wrote to memory of 2336	2596	Koonge32.exe	102
PID 2596 wrote to memory of 2336	2596	Koonge32.exe	102
PID 2596 wrote to memory of 2336	2596	Koonge32.exe	102
PID 2336 wrote to memory of 2552	2336	Khiofk32.exe	103
PID 2336 wrote to memory of 2552	2336	Khiofk32.exe	103
PID 2336 wrote to memory of 2552	2336	Khiofk32.exe	103
PID 2552 wrote to memory of 4732	2552	Kadpdp32.exe	104
PID 2552 wrote to memory of 4732	2552	Kadpdp32.exe	104
PID 2552 wrote to memory of 4732	2552	Kadpdp32.exe	104
PID 4732 wrote to memory of 1956	4732	Lhnhajba.exe	105
PID 4732 wrote to memory of 1956	4732	Lhnhajba.exe	105
PID 4732 wrote to memory of 1956	4732	Lhnhajba.exe	105
PID 1956 wrote to memory of 3664	1956	Ljpaqmgb.exe	106
PID 1956 wrote to memory of 3664	1956	Ljpaqmgb.exe	106
PID 1956 wrote to memory of 3664	1956	Ljpaqmgb.exe	106
PID 3664 wrote to memory of 444	3664	Loofnccf.exe	107
PID 3664 wrote to memory of 444	3664	Loofnccf.exe	107
PID 3664 wrote to memory of 444	3664	Loofnccf.exe	107
PID 444 wrote to memory of 2492	444	Mledmg32.exe	108
PID 444 wrote to memory of 2492	444	Mledmg32.exe	108
PID 444 wrote to memory of 2492	444	Mledmg32.exe	108
PID 2492 wrote to memory of 3776	2492	Mbdiknlb.exe	109
PID 2492 wrote to memory of 3776	2492	Mbdiknlb.exe	109
PID 2492 wrote to memory of 3776	2492	Mbdiknlb.exe	109
PID 3776 wrote to memory of 3716	3776	Mbgeqmjp.exe	110
PID 3776 wrote to memory of 3716	3776	Mbgeqmjp.exe	110
PID 3776 wrote to memory of 3716	3776	Mbgeqmjp.exe	110
PID 3716 wrote to memory of 3444	3716	Nfldgk32.exe	111
PID 3716 wrote to memory of 3444	3716	Nfldgk32.exe	111
PID 3716 wrote to memory of 3444	3716	Nfldgk32.exe	111
PID 3444 wrote to memory of 4868	3444	Ommceclc.exe	112

C:\Users\Admin\AppData\Local\Temp\29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29eb1571a11a710317ebfd64641b1432699eff72121f6c2289869313dcbec756_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\Damfao32.exe
  C:\Windows\system32\Damfao32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\Gacepg32.exe
    C:\Windows\system32\Gacepg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\Giljfddl.exe
      C:\Windows\system32\Giljfddl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        43⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 412
        44⤵
        Program crash
        
        PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3984 -ip 3984
1⤵
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afappe32.exe

Filesize
576KB

MD5
80379b346b9d17d2b16dff220699921b

SHA1
8c3e4b015f77f184d92c1ab5803f624119e689c3

SHA256
71752b514a264b8f2e09076353c40e00c235d06921502c86c81c2aa5b2918fff

SHA512
4738dc92b173845ee2ac359e41bf4d2e4dcf93f1e5c26674045006f962aac946f72c6bb8ab8cab9069112395155b523ac9e3fb18e4517468ba12ec9b6bf52ef5

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
576KB

MD5
02d6b68b2414ebc326b90a5e7028ce86

SHA1
57b56f2c0c9295c85143d141006f04ca49aa378f

SHA256
6eef7fb8d2adcd639c34bd346f6db1f49fd2fa7895873631c46b84018a835f79

SHA512
9334d3ebdca20bf1a17f18076367a37320886ce60af78722701d0f2098d330b2588a102fb594bd9e46c89b70fa093e75ad312bcdfe19ee4003693405e572ce64

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
576KB

MD5
ca3df17bd689590c3351e04afd1910c5

SHA1
1e0d57fdcf61dd075694c59544f253db30f22d73

SHA256
970b78f061fb2c7d38ce902886ce158b63ab0c44bc6ad79d3e13d7c7a184c56b

SHA512
86b8be8610d009dfaa4e38ebfcde850b4faca8cac10032fbb55144499e655e3b77878755193875175008e0317e2628fb42edaa3806a4aab130ed6ee28962264f

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
576KB

MD5
b2f2424efedda5a518d9ae1338d17024

SHA1
316bb1b961ffa89360b520caa442c94fdd581700

SHA256
20d313d4b152e4a7a074a0577026ba913b44fc7bac7184aa3827a13319e97cba

SHA512
8de1c731597873cbad1f030318bac1c376972e1fc2780b1e66d8c4e72a34f12130df66e574fe44551120906cc5b89e90ff1d2790a456616143441475898800f9

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
576KB

MD5
ff3fe343e38b72228d4a7074d166b501

SHA1
7b2a55fd0125cca2f51ce871a8b77d9527caab37

SHA256
01812157db08dcad352137454e2075373916e0ff0e874f2aa396e4a1f51575dd

SHA512
f6420a377eb94ecb63b1a639434aa19e821842baf7d523d80e277e57ae40acdd577a737e5d3554e3476c02171cd2619fe6e8dd05ff6e7ffd96601fa92bd90e71

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
576KB

MD5
f426399f5fff09d35bcc18418e874170

SHA1
6b2e0d7e3e0bcf3e42d3953f125d26c40d8959b9

SHA256
3029f03bbcb62a4a66c7f281bcb7794e918031b927d1b35c1a1e5ac0440755ba

SHA512
9b36db86e3d4c78fd9e51828595fcd09092ba5a5a82a608c8104815a0997343d2f2aedd15d4ae5b522da183d69b19a7b94cb4ac70ff4398f2947fbc971c8a1ad

Download Submit
C:\Windows\SysWOW64\Damfao32.exe

Filesize
576KB

MD5
662106330b4ec155105e13da80e7bfde

SHA1
ae065cd7353ac3eaebeed15ca6f74a3a01ce0c78

SHA256
4659ea8975dcf48f6e5e41b30aff4c0d549d9867faaa62cd95509a7a70b96225

SHA512
772b352cb5dced1841abad5f9e62cf390383edd766c0f92fc62be9e623b402b40e177b834dfb3710264cf8766394e0ddb26e54db10efd569d60dc09fd6f10e08

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
512KB

MD5
0df8c825e23bba5e25e812b52feec9ae

SHA1
82ec79c4a08ea37279752527d6c197eb95caf970

SHA256
02c2d6a1f4fb8400c374b5bf16976284dba082a21da47c89275284124a3bb0be

SHA512
63ba0b58011ebada9314ee0c75485feafed1504410d72ab2789a550e4dd911e6de3f175b7208d7177af527e40c7e5563ad46bed474eebb7c6e1d2008b8fc794f

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
576KB

MD5
b588df1a374f6394de98660436c47945

SHA1
0687a8c9732650695ac65e46e2275fb8d7cb1f5e

SHA256
dd94f0686306409a5bcfe8815c2aebccf96adea105bbd23b4c90c85e4dec5f04

SHA512
c3b8d31450ae51f5a2afaf2684b0cedd99d25453a95a9a2b53944ea503598fc03b2f49c071c4cdbf64ff468cc2c55f89f7b3a844bc0195de87ba2450d9b47657

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
576KB

MD5
36a2930760368ac1d46a3757acb1959d

SHA1
70aedfec65381f44d74cf3ab979fba4e49567626

SHA256
800ac5ae388a357a847aa5fa45400c8fc2d583e6ff7c451add1aa60d0317cb42

SHA512
eb1a5a5a42fa45808bcb8291540fe181c585d21669b533eb4a3961d1752ab6f6d3bea608609c5ac7466b31b7b10d872ac0716bf3d02f82c2e12b9fd7edcf29d2

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
576KB

MD5
e1525ccf65f7637e7851d1050e9411a5

SHA1
7a2ab56d616e7e18ebff8afae58805066688056d

SHA256
810e0c94c478f2ba98c76fc9249cc15bf24220f34851b67472c6ed8088e2c62c

SHA512
ef87a0c7aed55d04f66f49984ceffd5f689500ae9c392cb1dd41704e98895a6d623cd369fd8611449202b90a5564bf63ed59b30d02868e25ffb1a03f15df5aa0

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
576KB

MD5
a51704b0fb4546c222f34f5f7319412d

SHA1
486aff4515b8191c2e2808e753606772725cb872

SHA256
f5377e4be002d2ef7966740f058ea977d29cefb797da343c2c257a3a8cbace71

SHA512
ec224e4169de18928ca4068382b375ff55d18b5fd2079e10301e87e515b020cdc35729f1738719f58fbf39257ad80a45c4403a9781be3de9a6d5d80f7c5b9069

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
576KB

MD5
7a18f8e6cf102078d3ef864bb910cf04

SHA1
89851e9ba16b0610ecb0942bf19ddd8c8672fce1

SHA256
0f4e902139c25fb30c27d0092e6fc598874e0d518acf94ab69546efe9928fbe9

SHA512
3fa9199a774ce92253639b4a2367fc8b4f675cc0bd8d4c48e232fd9dec0af9e7ef4d01d3c59c45fb7a7a6fff54441549a57fc8e825edd5fc5a85020f43aa5b64

Download Submit
C:\Windows\SysWOW64\Giljfddl.exe

Filesize
576KB

MD5
d587727254ee526e686c7b9bb3c659b7

SHA1
98717798d7ef0ae803956205875c4141cced7277

SHA256
7c1776e875c342a3714e479199a06785ededf2aa5e623987ca5dbac40e4718e3

SHA512
60dd1ced08bc9589c88d319be82b8d54ecb70866ad498fca47d8cf631349541ebc8d02862cb4d9e3012bff87142f0425e4733ec592458d7fc430f21c0fe57b80

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
576KB

MD5
10d253fdc95155a5bb51a66906846d43

SHA1
56cda172a9e6f515bd6aa3c88db7350af8731b2a

SHA256
c093d365d585f726534a117dbcfcc98a1f04f8baf17c62d06ee089f052b82041

SHA512
17debbbe357581381a8f2ee4b86f270b1923d9d9c415b8a5298ce755750b720152dbe320680435b547e0af43891dc55dbeda4cd92b83416e6e7dd4f448f6d29d

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
576KB

MD5
3ccf67eaa954ef93d235b7f239858ebc

SHA1
7b191499d451ccb336e1705a08a4c5e2001bcd22

SHA256
e53162a5455c1bc149ff8324242fa92fb9fd7c05046cdb6089e5351bd16004ca

SHA512
cbf3b231711ecc2cfd3f514f4e9cab550f3b833939d1d1db16e654a5e2430703e987eecce45b5ef6751b5022a97fc1c88f9286ce32582153760b5de4f584dd72

Download Submit
C:\Windows\SysWOW64\Inebjihf.exe

Filesize
576KB

MD5
c1a6be771f6ef9a37b41f2ec99f3b2e8

SHA1
42f700836232818044721839560d93f65e585f17

SHA256
6143bf44702c609bce2cc52d7e7f9b1410495b8c3444e0330479238e79a3c066

SHA512
4af713a69e0eadc117b02ff5dcad38abf0f14c6e2f7820b430ab6bade3558ecddee1b40453939e4462cbd4e23a4ce6d0a000a9c114b6846f705ecd25adba5a38

Download Submit
C:\Windows\SysWOW64\Ipdndloi.exe

Filesize
576KB

MD5
4aa9de1cdc2cc47a80923666014c034c

SHA1
e5943ba1dc0e01aa9f58b71613afee7acf90956a

SHA256
0fddc3492243f180307e1f796255b4ddda234b831f8e2399c4ef6e0a355c17bd

SHA512
84ffce32938df88c552353e56db5a85108433a374545cb800896e91e98e66a62475572a0dc73d79c0da54ba03d824af3698a671309a6b77a26d0a69a170ec047

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
576KB

MD5
9ff039420b436c0882eba1c15ba3b9f3

SHA1
bcc51a0fd7111f4087d9cdba3e3048c73fae0755

SHA256
d2ae046ec1b3ced3b55cfe9dcdf9d6364d015449ca006e6f66ac42bf5f0d3eed

SHA512
5a7274088f9523ab0e6cc596395f5d06f72ee70b51b7af75e731f2e80fef620eb87dd1dd1b23aa929ecbdccfaa9d4d28ce061ba4c7f90f68b36a6ae542adf449

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
576KB

MD5
c543f1b92bfae2d2996ec159032300b7

SHA1
344cad21c8f5fa98b969d5947761e1e685f1b614

SHA256
41784f7e61d84c9707650ca050169128a31af885047f042845405c3b57a232c5

SHA512
802e09388889b84c85c1211590955582ef3db32f6ebb92ede7b9dedeae2bbf5cbc22a4550772b68f38d8f660149e756a0e4158492632fd1e42061aa4adc706da

Download Submit
C:\Windows\SysWOW64\Kadpdp32.exe

Filesize
576KB

MD5
4d3795583921c54b0070d7306e43808a

SHA1
bb25030f7def5acbcb38fa419783302c5c9992b3

SHA256
783d6507bfdf22990a76209bda970b017937fbf72bfb2f1a114bfabfda3f608b

SHA512
eb20592980132c0a68830bf4454474d1af42889c9f86a7b8451c3e9914707c33f236e5b0d2d165c3392802f15f94d21f1bb10cf1a0b700b8d17908f52ccf77ab

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
576KB

MD5
a450be84153b31eb44afdef0590547d7

SHA1
84fd86fa27a5ad1645d27485a1ba62922bceab4c

SHA256
85c41f029173bf063afd0eca1c84a2720b8fe6c81ff5a90db5854ec576692074

SHA512
1077e2c861a7c14422d60951a03577ae3a57bbde0b46e11b9c3282a2c5081f739115f9e3702fd9129beb5e9a46831816d1d688c4e7c23157b1d06c7bba8d05df

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
576KB

MD5
37cd9afe94bae436bdbd18de56712392

SHA1
ad0e796cb4dd5810a2c6892376abdf6c5082085e

SHA256
85e46dc1a76f5f641e2a69ee16faa72955088a283bd42ac55d3778abf3f5f0b8

SHA512
8138dc82f6382e0032f142512223f5c9b4506679b0ed0f17b4c97d98e402b4bd29343480b1720b2be44420cf7cb7b3027c1cadb0e6340cc4acfc30aaa757e287

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
576KB

MD5
c395bd6a209efb88e11f7faac687ce16

SHA1
5366a1241d83de85d9606cc91c8ff35a7a346248

SHA256
dcc615fe9337385dbc1399edff2e2e5f2f263c5a721526080a662c1a1bc870e2

SHA512
f7f0ed86536e28ccf1657df92cd4791211a2a3c2c2c8e17cb33d40203f2cc4468a971afbce2015371ecfe510fffbbe3521404ea2cffefa587b48382c35ffd0ad

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
576KB

MD5
4c7bff9ee22981883c0db0c0caef25f3

SHA1
901cf07f5e443df3c63590fa02bcbecfc88e7ee8

SHA256
2c70884741b6993d677ff40b5814b0551676a0c1f554da2d52264e47ee1b6ec9

SHA512
b0fe38a4fa5bbe18b09a303c367c93a00e9575fdb3fce280bb92c977eef9cf49843c0bc51180c63e1f2cd0d09b7ea0a79e46e3771576d6371da84e36f6d79648

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
576KB

MD5
d2a3a062aec4c9420a49b991db82f21b

SHA1
9dafd93df2a0345feeab3e2dcca0f55a7c0de1c0

SHA256
73187a5841dd5b44ae7e719ed2eb20edf5f93c5836bc20f71b21a22a88a2ad7e

SHA512
817aceecf630c8603998c72a3cf87d1827cdfe0d62c73ac4d8ff244b57fdc655d06b151c5430aad340d0239ea53bad5c38d225b296f557e0bfe111c8e01125c1

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
576KB

MD5
59f9d8d9a1e878ababe0a69c89ca2e51

SHA1
30bde6607108d1f21b0b79644d7737785f21cf24

SHA256
2624dead011454a0d6e19f25dc12838e28fa07275964307f27603c5cd950f654

SHA512
817dfd10763250482a5d143d9dd083cad6c8e7d7aaa459b2747097988c453e9a3d9f31f1a341fa96adc8151e226408a8a9734d967bbc05f31d871d1cf48cd292

Download Submit
C:\Windows\SysWOW64\Mbdiknlb.exe

Filesize
576KB

MD5
7688d26a7ca8e8d107781caea08a9503

SHA1
5417eab2e9ed26dc45c3790d6f8059ab41e8533e

SHA256
26f3541fc2b7b453b6e002a4adbf905f688d1118f5ad72434a4fb42abc048e2d

SHA512
f5d1fcca132fe85edb04d887ac754dab9d14ae7a87b3d6ee7b5883310c4776d4dc15c172446c9fab3eeeb3f869dd6ec6859f77bdc5207ded063055d7c3daca96

Download Submit
C:\Windows\SysWOW64\Mbgeqmjp.exe

Filesize
576KB

MD5
cbc655267fcd5855fb7072b54652921c

SHA1
0e64026c3fea52fe20a41119c3538741c76bd28e

SHA256
5ad7c97f007bbbd00d0cfef4636b9b379f5175e7661fb73ea3528e5e51b3122a

SHA512
389fbf757cff3bd91e77cddaedb0f626df835dee8d82eb5f213ee656305d8a2e2b0fbc497afa6e8a228392ce24d49543c19c11551c5e6e709e967a651dbfca98

Download Submit
C:\Windows\SysWOW64\Mledmg32.exe

Filesize
576KB

MD5
3bb770fcc1d178003f21f6bdd90097d5

SHA1
d7faf1ac7efe4c4c7f5d5f2ba96500aaa730cd90

SHA256
b017849fec6719a2233115755913e3834fcdd2463fa6f750a16c46667932f185

SHA512
ec7261e80d5a66ade45022d86b59cef713aabf08cb8f0c14fc4df3eb7712cd4728baf846408a5393f2edbca2950d3c0049b75bd242a73ea7fe168e2a6cc7f469

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
576KB

MD5
9b71fb0b48f6574fa333a328fa12ccb8

SHA1
5379814f1bc31e25ba83053dd7d581efd691c16b

SHA256
2ef7840c3c87a9d020b2dab6c333d1b3956622f699bc431a794c0f335da55228

SHA512
fe919344ab20d09f7747b61efb1493155bbd354a12e795a69295ad8681669d18f569b094bc5d3ff1a2792956b44b8ef8b5a72e77450f67872dacd660e10c954f

Download Submit
C:\Windows\SysWOW64\Njlmnj32.dll

Filesize
7KB

MD5
5d776c9886755524b4f181197736c3a9

SHA1
3e4b21f3ac9e190d5f2aeabc917690c4d50a477a

SHA256
3a078088eab78fcdf8e392e4ab8acd384eae311658ab7af10f98041927d6b961

SHA512
0d5ab62583c8e8bdba492158d8a68e339d7362d073dd8ff276bd20aa7182df15ad6217c8b6707f7e973e7cd3173d8fd8fb7627371325e5a7d4ac3f50b6a6b320

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
576KB

MD5
7d031c2a0d89cedf7877b7a86833f37f

SHA1
88a0846bf542fd2c1ac966b261142a26c862b1fe

SHA256
60fcbcf0b3ecd8c2b7971443c03b97bf6631321c5d2de6f4ebf23eee14c94e6e

SHA512
991bccb3f4775466e1c5bb6f3d6a46c76a4d6a074bf5f922aaff386faf342487903db97d2d4f4ee87e653c7db8c52dc3d6cdc3adb04682c57b416ce6fdb8257b

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
576KB

MD5
e0b14988fc8e10292606d8bf1c287403

SHA1
5736f0189097f62a6d837100b20a25ef6865d951

SHA256
7a410b9c0e1ddc81111247f28f3718795bc86fc7965c642e9970851bde7d1e42

SHA512
f3644c5ae53dfe250de25bf4260cd5e1ca31ba3ec10d73000c9afa80981a7c2490364c24858cc49ff0bbbc2cda364b12344fdde238817ad9783f139e25f312fb

Download Submit
C:\Windows\SysWOW64\Ppgomnai.exe

Filesize
576KB

MD5
c04f58a007c9e4108d79219ab2253057

SHA1
b4b51b5670eb40c2d1cabf0936d55db2b18dad61

SHA256
810a6611b078a78b8915f232b60d4d43a10b6fa7fe8b9b8a5699e939cba1d84d

SHA512
b0c56954477426d330599110351a37e5e00a201825f84ff8a894a634fd28d5d8fedff366a2dc389b81b5e19319e197f926b74bd25023010efcbd9515b82f811a

Download Submit
C:\Windows\SysWOW64\Qppaclio.exe

Filesize
576KB

MD5
db4c5137893dadd7cb1245020bdf7558

SHA1
e12978b7a689a7d54de2ec2c80a208d2ca3a24e2

SHA256
cc83d6cc62cfc2076111bc2b3401a11a1752134dcdb51371cc0aaa457492aa4f

SHA512
39536cead6efdb3539750d11826b305d288b1085c2c554b97264a4d9bbca1901b76651a7591dfd8620e5fd66e9d7bdf60f5e1d05674c922c83402b5ba8f4f5b2

Download Submit
memory/444-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads