67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Size

4.0MB
MD5

51fedca7f9cba2ef15333cb1841b8750
SHA1

3e8f83c1f8c7fa55f21b8db163a6c32551bfcb78
SHA256

67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da
SHA512

a7d7eab3e64ffcfdaf290b9ad41d6cb69239e7d71a000f506be6ea9f962dc7d4dc8e21d86ab31310f9acf125a171e126858c31617609fc00521ded913755baad
SSDEEP

98304:L6Gn9646r6HaSHFaZRBEYyqmS2DiHPKQgmZ0V:raSHFaZRBEYyqmS2DiHPKQg/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epffbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akepfpcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imiehfao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imiehfao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiicf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cleegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bafndi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdbhifj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicgpelg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqjbddpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe

Executes dropped EXE 40 IoCs

pid	Process
2504	Akepfpcl.exe
3192	Bafndi32.exe
1432	Cleegp32.exe
2032	Hfhgkmpj.exe
1204	Imiehfao.exe
4208	Jiiicf32.exe
4496	Jcfggkac.exe
4540	Nmdgikhi.exe
3904	Ofhknodl.exe
2672	Pdenmbkk.exe
3704	Afpjel32.exe
4040	Bmhocd32.exe
3804	Boihcf32.exe
2352	Cdpcal32.exe
3784	Dahmfpap.exe
4948	Dhdbhifj.exe
2340	Fbmohmoh.exe
4036	Gicgpelg.exe
4988	Hpfbcn32.exe
1968	Iijfhbhl.exe
4860	Jhifomdj.exe
3092	Kefiopki.exe
4420	Khlklj32.exe
3684	Lckboblp.exe
4328	Mfnhfm32.exe
716	Mqjbddpl.exe
4136	Nmcpoedn.exe
1436	Ocihgnam.exe
1456	Pjjfdfbb.exe
3872	Aplaoj32.exe
3768	Cpcpfg32.exe
700	Cpfmlghd.exe
2748	Dncpkjoc.exe
1104	Epffbd32.exe
2388	Eqkondfl.exe
3248	Fggdpnkf.exe
2496	Fkemfl32.exe
3260	Fkgillpj.exe
1316	Fdbkja32.exe
2512	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bafndi32.exe	Akepfpcl.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Nmdgikhi.exe
File created	C:\Windows\SysWOW64\Bepjbf32.dll	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Amcpgoem.dll	Khlklj32.exe
File created	C:\Windows\SysWOW64\Eqkondfl.exe	Epffbd32.exe
File opened for modification	C:\Windows\SysWOW64\Dncpkjoc.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Ckjooo32.dll	Cleegp32.exe
File created	C:\Windows\SysWOW64\Ibcbfe32.dll	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Gicgpelg.exe	Fbmohmoh.exe
File created	C:\Windows\SysWOW64\Hpfbcn32.exe	Gicgpelg.exe
File created	C:\Windows\SysWOW64\Imqpnq32.dll	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Jcfggkac.exe	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Pipeabep.dll	Boihcf32.exe
File created	C:\Windows\SysWOW64\Khlklj32.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Aplaoj32.exe
File opened for modification	C:\Windows\SysWOW64\Epffbd32.exe	Dncpkjoc.exe
File opened for modification	C:\Windows\SysWOW64\Nmdgikhi.exe	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Nmcpoedn.exe
File opened for modification	C:\Windows\SysWOW64\Aplaoj32.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Cleegp32.exe	Bafndi32.exe
File created	C:\Windows\SysWOW64\Jiiicf32.exe	Imiehfao.exe
File created	C:\Windows\SysWOW64\Dhdbhifj.exe	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Epffbd32.exe
File opened for modification	C:\Windows\SysWOW64\Akepfpcl.exe	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Imiehfao.exe	Hfhgkmpj.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Iijfhbhl.exe	Hpfbcn32.exe
File created	C:\Windows\SysWOW64\Hfibla32.dll	Iijfhbhl.exe
File created	C:\Windows\SysWOW64\Mqjbddpl.exe	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Fggdpnkf.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Ackekpfe.dll	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ehkaqc32.dll	Hfhgkmpj.exe
File opened for modification	C:\Windows\SysWOW64\Jiiicf32.exe	Imiehfao.exe
File opened for modification	C:\Windows\SysWOW64\Mfnhfm32.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Gicgpelg.exe	Fbmohmoh.exe
File created	C:\Windows\SysWOW64\Hfibjl32.dll	Gicgpelg.exe
File opened for modification	C:\Windows\SysWOW64\Jcfggkac.exe	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Focanl32.dll	Dhdbhifj.exe
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Bhkhop32.dll	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Pdenmbkk.exe	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Flpoofmk.dll	Fbmohmoh.exe
File opened for modification	C:\Windows\SysWOW64\Kefiopki.exe	Jhifomdj.exe
File opened for modification	C:\Windows\SysWOW64\Fggdpnkf.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Bhcmal32.dll	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Fbmohmoh.exe	Dhdbhifj.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Blghiiea.dll	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Hfhgkmpj.exe	Cleegp32.exe
File opened for modification	C:\Windows\SysWOW64\Imiehfao.exe	Hfhgkmpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4928	2512	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibknda32.dll"	Akepfpcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefiopki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focanl32.dll"	Dhdbhifj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll"	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bafndi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Mqjbddpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjkpjn.dll"	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cleegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcmal32.dll"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cleegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll"	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackekpfe.dll"	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiiicf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcbfe32.dll"	Jiiicf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imiehfao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpjel32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 2504	4544	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe	91
PID 4544 wrote to memory of 2504	4544	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe	91
PID 4544 wrote to memory of 2504	4544	67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe	91
PID 2504 wrote to memory of 3192	2504	Akepfpcl.exe	92
PID 2504 wrote to memory of 3192	2504	Akepfpcl.exe	92
PID 2504 wrote to memory of 3192	2504	Akepfpcl.exe	92
PID 3192 wrote to memory of 1432	3192	Bafndi32.exe	93
PID 3192 wrote to memory of 1432	3192	Bafndi32.exe	93
PID 3192 wrote to memory of 1432	3192	Bafndi32.exe	93
PID 1432 wrote to memory of 2032	1432	Cleegp32.exe	94
PID 1432 wrote to memory of 2032	1432	Cleegp32.exe	94
PID 1432 wrote to memory of 2032	1432	Cleegp32.exe	94
PID 2032 wrote to memory of 1204	2032	Hfhgkmpj.exe	95
PID 2032 wrote to memory of 1204	2032	Hfhgkmpj.exe	95
PID 2032 wrote to memory of 1204	2032	Hfhgkmpj.exe	95
PID 1204 wrote to memory of 4208	1204	Imiehfao.exe	96
PID 1204 wrote to memory of 4208	1204	Imiehfao.exe	96
PID 1204 wrote to memory of 4208	1204	Imiehfao.exe	96
PID 4208 wrote to memory of 4496	4208	Jiiicf32.exe	97
PID 4208 wrote to memory of 4496	4208	Jiiicf32.exe	97
PID 4208 wrote to memory of 4496	4208	Jiiicf32.exe	97
PID 4496 wrote to memory of 4540	4496	Jcfggkac.exe	98
PID 4496 wrote to memory of 4540	4496	Jcfggkac.exe	98
PID 4496 wrote to memory of 4540	4496	Jcfggkac.exe	98
PID 4540 wrote to memory of 3904	4540	Nmdgikhi.exe	99
PID 4540 wrote to memory of 3904	4540	Nmdgikhi.exe	99
PID 4540 wrote to memory of 3904	4540	Nmdgikhi.exe	99
PID 3904 wrote to memory of 2672	3904	Ofhknodl.exe	100
PID 3904 wrote to memory of 2672	3904	Ofhknodl.exe	100
PID 3904 wrote to memory of 2672	3904	Ofhknodl.exe	100
PID 2672 wrote to memory of 3704	2672	Pdenmbkk.exe	101
PID 2672 wrote to memory of 3704	2672	Pdenmbkk.exe	101
PID 2672 wrote to memory of 3704	2672	Pdenmbkk.exe	101
PID 3704 wrote to memory of 4040	3704	Afpjel32.exe	102
PID 3704 wrote to memory of 4040	3704	Afpjel32.exe	102
PID 3704 wrote to memory of 4040	3704	Afpjel32.exe	102
PID 4040 wrote to memory of 3804	4040	Bmhocd32.exe	103
PID 4040 wrote to memory of 3804	4040	Bmhocd32.exe	103
PID 4040 wrote to memory of 3804	4040	Bmhocd32.exe	103
PID 3804 wrote to memory of 2352	3804	Boihcf32.exe	104
PID 3804 wrote to memory of 2352	3804	Boihcf32.exe	104
PID 3804 wrote to memory of 2352	3804	Boihcf32.exe	104
PID 2352 wrote to memory of 3784	2352	Cdpcal32.exe	105
PID 2352 wrote to memory of 3784	2352	Cdpcal32.exe	105
PID 2352 wrote to memory of 3784	2352	Cdpcal32.exe	105
PID 3784 wrote to memory of 4948	3784	Dahmfpap.exe	106
PID 3784 wrote to memory of 4948	3784	Dahmfpap.exe	106
PID 3784 wrote to memory of 4948	3784	Dahmfpap.exe	106
PID 4948 wrote to memory of 2340	4948	Dhdbhifj.exe	107
PID 4948 wrote to memory of 2340	4948	Dhdbhifj.exe	107
PID 4948 wrote to memory of 2340	4948	Dhdbhifj.exe	107
PID 2340 wrote to memory of 4036	2340	Fbmohmoh.exe	108
PID 2340 wrote to memory of 4036	2340	Fbmohmoh.exe	108
PID 2340 wrote to memory of 4036	2340	Fbmohmoh.exe	108
PID 4036 wrote to memory of 4988	4036	Gicgpelg.exe	109
PID 4036 wrote to memory of 4988	4036	Gicgpelg.exe	109
PID 4036 wrote to memory of 4988	4036	Gicgpelg.exe	109
PID 4988 wrote to memory of 1968	4988	Hpfbcn32.exe	110
PID 4988 wrote to memory of 1968	4988	Hpfbcn32.exe	110
PID 4988 wrote to memory of 1968	4988	Hpfbcn32.exe	110
PID 1968 wrote to memory of 4860	1968	Iijfhbhl.exe	111
PID 1968 wrote to memory of 4860	1968	Iijfhbhl.exe	111
PID 1968 wrote to memory of 4860	1968	Iijfhbhl.exe	111
PID 4860 wrote to memory of 3092	4860	Jhifomdj.exe	112

C:\Users\Admin\AppData\Local\Temp\67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\67ef0ed05bfb058691d72b33214e5beae96040996b1c53b241a370e692af13da_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\Akepfpcl.exe
  C:\Windows\system32\Akepfpcl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\Bafndi32.exe
    C:\Windows\system32\Bafndi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\Cleegp32.exe
      C:\Windows\system32\Cleegp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        41⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 400
        42⤵
        Program crash
        
        PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2512 -ip 2512
1⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afpjel32.exe

Filesize
4.0MB

MD5
d47ca4af12b55806d6534f0c45a67899

SHA1
969d8d44e79388fd4b47f05fb56d1142e4dcdb2c

SHA256
45beaf1df105127d560cfad43db2db2baf61b653d2328bd1544b377fbbb5f860

SHA512
00a9697d57a8354aec614a97099db782f392aa55fc5e7222acaf477434cf9534dfe3fd710cc18447fabf3addda9b80db2b7d6674f5f541c943ad57ad62747d50

Download Submit
C:\Windows\SysWOW64\Akepfpcl.exe

Filesize
4.0MB

MD5
3619126b4d1c1b4753f3aa0479a2e193

SHA1
6056785d879d47c3d58f6324befccb75e3b3216b

SHA256
b31fac85587e47ff521aa6fc94b4f5826130a59285c4978a1b09a3626c647e92

SHA512
c3326e13df137414a9f38077ba39512ccfa4870aeaf8b86a40b13ac0d2b8101863718b6930f532ee96987fe8f1e70892923d976241b12f31eb59cf35c25b3db6

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
4.0MB

MD5
4825838f4c80207a821b83af4dce980a

SHA1
f3b44f89d58265f0dfd0f2eda3cd7f1355eb7602

SHA256
666fd02de28858c2b4ee3d2c3d73a7667e7440f70f2056f8881ea916429e04d8

SHA512
d2dc4765c77a669ecb5c3a35954f7dd35b33632095f979a4bfcb97ee34737b2e28505cbb7260f311d4f40cb3648d9ac92962e5f7c652ebf2cfb75812f2747579

Download Submit
C:\Windows\SysWOW64\Bafndi32.exe

Filesize
4.0MB

MD5
e8964e54523d5a6c11a4bbec988f7e81

SHA1
c5906b0b128128e3ff182d4ce7df88d5f0577dcf

SHA256
4d9b8d9965ac7c5b6c1d547eb654f44098239694d2073728522d0a314fc94272

SHA512
bfb2157175bfb66b023dc4fc55ad4fee1d2569bc125ad4681070340d97d77cda4c2735a95626182b0d8e195ddcfc4b821a9733985ec7584d0a85989c3f1b32a1

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
4.0MB

MD5
b8a3bb23c4712c44241964e14d5a4578

SHA1
a148be52e9a5cbe91beb8607116aad85fd6c1ae9

SHA256
437168c63e7b361a2aa540f13796b5168a750aecd969cd9014b213b5ddfd92d3

SHA512
a37e33e433ba28900d46d0bf9d93c15581134ada608be091b8338c56a92dcbedf73c5e159b6a34a5a33e60206ce8f43a9980c883da5e43076cc0703fddd7eb2f

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
4.0MB

MD5
56b85302af635aa29b38728947cd0409

SHA1
364c0cc50fddd33c3c7d5770a7f73b0844a68184

SHA256
9a05201ab0bad546a72bfec68f14dc98c9012a7f91d55be0b47a108f7abefa6a

SHA512
32f6b2f723650c359f3362590e0d27f0298d86f4ab577680c98b430fb7f3754ada863f7f397b2089725ce3c091c37bcdd98a6c0abed1e67e9b0c7aec5afb8d9c

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
4.0MB

MD5
ad4f848a3b9795cbcca666ad94d8978f

SHA1
920c9314e1eb3f68be35ce4892214b87b19993cc

SHA256
ef8f1cf1ef2bb628ad88e2bffa94ae8daf4a6f3fa3ff8cfdb5df66ac0e287775

SHA512
fe7b4100e6768b3a191243306a0f09cf2d7806ac16504cd109ac6faef2c5a32136fda96c02e717d5f5c86ec3fde366605d4054baa9b16fd585d9caa1e19c5086

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
4.0MB

MD5
86a157c0af97fc7bf488e908c946455e

SHA1
ed07ac25c6c7bf818a4c6c676235c12f1a28ec7b

SHA256
71982c3240ed7f7ec7c7f41bb01cb825e65c2b9243690c30c374068be3b6fb00

SHA512
2b85e64b417f3ce025f8d11e3a53ba0e204dfdcd782e1682f55024d4bf91eb1456f864498c67178f735c20a4d738e56befb76b3ca7eab115ccc5b84a114d3d17

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
4.0MB

MD5
1d8aef21b240c47a6010f3277f9d5c63

SHA1
825c65d13ba4475f31a63bdc6fcaf11ce4cdff37

SHA256
749379e4e3fdf92fb189f3b745ccd02ea45b09e2817a57b97ec0b32eef18cb4d

SHA512
8f439f3226821770f0adb7ca22b9b7e0a25a690db517f993b834c18d4e24c125e9660d08589573c03387b4f4af20cd9347790b865f1d1b546d38456dec6754d8

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
4.0MB

MD5
d6949c6cc967522eb4df39733dc8847b

SHA1
8b5da1615c6424536adfb688572b9d08f322f3cf

SHA256
3eb942b677412009406ec7a71cc410ddba257e8bc2232ec52259b747a05ceead

SHA512
e08940da7aa9f81a03a628bf4a86a956006e35769b26fe1dae79564323d1abfbf28e3a5fe9075f384085fcaed12d8df65f6949515eb9f86cae846b6831507eae

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
4.0MB

MD5
750c2d3cbc66e2c5c526574dccb2951d

SHA1
d949b7c86a2c653ac0af106b7ad636deaf8b7bc7

SHA256
394c527e19b8a74184165507fe54cc5942efdb4aafa2c56672a2cda334b489bd

SHA512
5bc185a5478d9ade1dc06af8cab24e86930c996cf6f0e830a5a55f4586fb9ba2edca9caac1c5f7a487d47dd036f96f9897c1181e16027d19dd0237f7f6b97e53

Download Submit
C:\Windows\SysWOW64\Dhdbhifj.exe

Filesize
4.0MB

MD5
4e46ebdc2d70b81a3e9cdae82f7829d6

SHA1
2893d5900001343b36d00fa121cef8207ae09a2e

SHA256
ae6d818bb08def79b5371791906de554a6235f9a29093d99ce323d714f4fe570

SHA512
ca25660cb035ed3225e2f5a3b57bcbb577a12c92a4456360c6502e4e881339aebb3211d225e82fab3841b6a0aad8ffd02621de02bed6ff9d751c5f52189a325e

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
4.0MB

MD5
1e6de8447b77ec5187f8f388a61dde83

SHA1
b0c29856a974f99c9f155008e9fff83bb7803daf

SHA256
4084bea2159b9d7b15cbcb910481e6c8d8b83caa83c967634886b4f6ef8d4986

SHA512
918fe25eecc64b7b9f8ab1eccf1ca9e0fd493a15ebe25f168bb7ba9e9c3d9c9124f748f057e751aeeb93b463b6261e5f1e0a56a1c1cd903a78850de45a126288

Download Submit
C:\Windows\SysWOW64\Fbmohmoh.exe

Filesize
4.0MB

MD5
013293f94a38c84eec36a0289eca69c4

SHA1
64b2c090bbaefbefd734c19502e57f45034a076a

SHA256
a71cab9d735822580fa6c7541787f2ee836f1999546df6859c1953c7b99c88f6

SHA512
0f0069cd0366eb70b03043981fca7f61498fbc035f51def84db6562bc05ec9809be888d5d38643be187bc3f3839d1c155005616b85375366255f1a4b77ac104b

Download Submit
C:\Windows\SysWOW64\Gicgpelg.exe

Filesize
4.0MB

MD5
c629cdcf542789081fb553646230a983

SHA1
c18b81ffba3b31dbdae15cab918edaa78d1c8be6

SHA256
469658585428fb03f5103b0d9058b2ae8dbc84b1907c970eec169928d99ed9f7

SHA512
3152e7ab5e916dbd3adba1853cc46fd87a494f5b3f0289021014b2f81d299bcbe8cbe135b7a77ed2b87b44e7f3c79620049a0cfc960e26912a4d322533299708

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
4.0MB

MD5
dbd2ceed1e82850fd545d4d3f618ba7a

SHA1
c9c4dade53ea13ea3b6ca7ea1b77bfd2691c13d2

SHA256
f3a545e98407f68b7fac4e375f0d1eedd30678fa93cd1d4edd4facad8cb5d5fd

SHA512
90d4e84f5db33f5dd85f66e8eb06073d6d20d0f43dfc3c5a56f7c78dfdb2d62dff61c7fe458c85958e17a050bd1cae96642276d517e86dfab9353626ea2ae836

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
4.0MB

MD5
98bdd78a9d56e904257288da047f86c4

SHA1
2c5001d9d38bf2014239c499ea6dfd4b3637cdca

SHA256
27338be3d4c244df0f67f59655c20e1c04e56581c154408236067f30a3937766

SHA512
989555804ea1039bcdaca6700fbf5856fd80df45c44c0f286fbb756b9ddb58208695dda7880bd259cdcf4856e5ed2060a47db74e9d3a0713b8202a440b119a25

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
4.0MB

MD5
5a7f393cb7971d7f26b836aed4d8db3c

SHA1
d0c610c983e64b5e7f4762144a480d73582b0139

SHA256
9327d0f638e2d42d6e620c58a812521dc38b0b18b582e1c91435237e65ecc702

SHA512
6e0e3d8ac44e3d44f0aba36b3c448941c072360184095bde3bd73454dacffaacbd92e82eea2e62a83f59659859728dcfea568381cb302b1aef748dfdc19e3876

Download Submit
C:\Windows\SysWOW64\Imiehfao.exe

Filesize
4.0MB

MD5
018c7e9a8f3d644b3c7eff0b30c02665

SHA1
4fdbf0c1fde4fafc8a5e8f94da088aff29ca41b6

SHA256
60b39e840b567db082ada4abe6bed7f5671f70a5ad4c30b7f8a62202221ae9d7

SHA512
08663db5693df7b71a0636c93d61277c514dda826b761d5eaacfc5ba9a431b415d5ccc5ac94af29eb208a15b38e9af7f4509273959ddc0e681675f31466e1cfa

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
4.0MB

MD5
6dd4b3ef6e9c8254f2ecd38e6ad14d42

SHA1
c1a972eaec180eba892477d3c7302d210ad02fa7

SHA256
68c50e2dcddccfa1055cb9455681deee3a2ead5dcd1c46e1e1ea165f5c02f8f5

SHA512
792eb8ce151fbd4a3f4b23cfd25f6e202e624528074ea5b7709cd64a72ab5599a7d753e2ad7ad47d96b079156ef730db2ec086e757fe12bcf364b1eed0107451

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
4.0MB

MD5
ad618d9f5b7732ec114b2ff3bc4ed250

SHA1
1d4a2e6d80ad68f72e6c73683f648cfee73c86e1

SHA256
60ceda63c145c4723f7d319831b1bb3876f32a11028b458bba40b171cc3d9c8f

SHA512
bfdce0ef9ff947d2e64f58222e9b40728485c17d6bc8d1538783fab663fcdbdbc3e26c30e4386faf1ce3134c5770898ddb502ac60e47e4d1de2dda55db21d5c9

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
4.0MB

MD5
10402a552c8687210b12f7dbc8ef7783

SHA1
45f95d87b78bfedba057b526df9fb82970d43cf7

SHA256
0949f8f564daa8173709920990cc3a1062c1bf5953fccad47e7cccc6d53b741b

SHA512
adb728d3a6b69290f08a92ea33d24f137d6f6da28d0b57811cfad2883f27a2991c9d0e8fd0fca39b0772f62daa38f9df211eff0bc2bb9010b44330c21d72aae1

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
4.0MB

MD5
e639e6c88b3e5817d31b505449673de7

SHA1
04ec47d2b3a908d1d486dbbf3f939f1410b7bdfa

SHA256
70b4c377b6cfd38fb519507d6e3c3f19b0f66145eec82ca7f4bab1961e2ff83f

SHA512
7d4ab0f668d88c15a608903e1e819b14576b8db1add678d631722eec92050617d382ec1b713bcb068d3ad086346ce170c5f2ec534df9aa42a108cb1e083726b5

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
4.0MB

MD5
95e41b82947e870f694b93dab91eef8c

SHA1
5ba22aa2b9343d357e8f8ce86c460e5d7a284e75

SHA256
69c85da9a89b9edc39df226131c2aa891e878e94db845b849b5e7de44fa92be6

SHA512
cb14a229f9b6c73f4a4b1e4844ed21fe50bae660c91e2ac2bd337d9d3f5a895d85017b5ffdd32f43936e348c9f8b2a29604fd6ee3913bac4a7ff6569bf7c4cf1

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
4.0MB

MD5
4da3c8be9a13b34b80ab7a629e50b711

SHA1
cbc709b912c6d4fc48116fee1b16c1225abc3acf

SHA256
23a5d114d6e784d1dda59af8ef8a6b461c4216a9512d5ca3be2a812d23ce2341

SHA512
f6ab9c5c7a49f6c0acd12e3cce7a4d23dfda2b09536bd0eebcff16f21f20ce81a5229b7ee3b4670723bfefbda4000368af211ae0b9debf3629a4189403d681af

Download Submit
C:\Windows\SysWOW64\Mfnhfm32.exe

Filesize
4.0MB

MD5
ccb63bb5b16dcc71c4abb24bbaff03dd

SHA1
615442e07785bc20c8d2502d0943c5117e5579bd

SHA256
ec144cdb5d5322f94cbcbaf539765f3ce949bbb6bd6f28c7fa872be95d3a2889

SHA512
27cca0f1142d8db5303003ccccd506c51bee7984e0d711fbae9c51135993b625c4392aab7f2962821a53692934fc2c82761e1fbf5bb9c3d2d79df1aa34c71ddb

Download Submit
C:\Windows\SysWOW64\Mqjbddpl.exe

Filesize
4.0MB

MD5
a8ed5f8142754b1d17b1a8695748572a

SHA1
d7645bf9ec8e6ca48d274e395fa04e2ddc4304cf

SHA256
43c0d2a22fbab6a72bd57fdf532b279fdd6a9d5ef1d1cecd72b31074e465f7b1

SHA512
1a5a09554a507cd32244522e6717c967577e3a5d69a993ec67c00d947453eebd387345de72ce966f2eab55653baa5bf3f33a4c4800c157e3f1dbd107d2134202

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
4.0MB

MD5
930d2f8e0bccf3d99c7ee40e0acbc406

SHA1
4958c8c9c1e991c44526c7dc52d3ef0a0b5954b0

SHA256
28f17d01432ef23838ac9d4f601a85684f268244d58c2086f4e6c24cb0b50818

SHA512
41d233cdcfef28da87334620c13ee78a527526983d78995dadc6d2e707fdc08b1bb2a0221b26f3aac60c8ab29e7e9cedcb4bb32e63a6dbbad6fb418bd96b1384

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
4.0MB

MD5
3c44bd387989bf4143ff2e1b1ec8954d

SHA1
eb653db178dca7040a72ea75dd0f2d7b9a92e3bc

SHA256
e033be882c5cde6c3ab944cf04db5c9aa63dffcb6ffa6682462e5de264ec2528

SHA512
70be976f0fc99e0c34bec90b44208e1bd63ea7e11254328b0732f8b936e7a3d7618c1866e2de8eee83f06fa2735525197010c5cd7ae2a0ddf2a35775b9a6bb77

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
4.0MB

MD5
2c6ceef0e660dc93062a9e11d6442515

SHA1
f5d00f0f98522c105f02730021084847196e18f6

SHA256
6f25ba47959e6004284ae109ddddf5eb39fd6a53921f35dcb1f0b53023c81393

SHA512
ab992c8d1e34ad7f4d0ad90f49b00bbae77a5efb1fcdfa3c66b600bc9be9352c068b5a5f590aa36c97d2c1260619be8af3627677f01106ec9949b7c943c933ae

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
4.0MB

MD5
34564c983ffc21bf4c39cc8be81322de

SHA1
7b48d329cef0c05655b904d623081d9fdfefa472

SHA256
1360db5d8b846e8e94b731dde3691c7719049686b50b15040a5d78e071bc95e5

SHA512
3fed931afcef84a2e6e9bd348554eb405a4e84ae337773f09481e42f46b2a9bd5cdb85da4925e7848a79f27ed0a1a5383c40f855d70f3912bd5b03445fd70fc8

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
4.0MB

MD5
bb983e3a7a6b0ef6e03cf4524ec84cd2

SHA1
197df502bb3e8f73b388280c0dc0f9c2ff194946

SHA256
2f32ba3845f90a6306e10904a4095aaa91d62ba090f790d488fbdf57d9605f5d

SHA512
fd03ed06d40fb6ca845a2a4e0c04de342916d717d86ea456caecb14390701afb93dff99b835e6f2189f66d17ed6fe833a8a35f5acf4a4b9492b8ae079208783e

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
4.0MB

MD5
eb9df6907f2c187cab4284891a7775ef

SHA1
7a4b225d30d45483fcebac436b4788b59624c6e0

SHA256
d5223d3ac15406de4a7742d0d113ab8cd14e096272a36c9dbf8315177cd2b8ba

SHA512
66bce1e3350027330dbf3533d95986ec9fa24b57b118e41e9060aca7b65d7c230fc88441a730d0610f7ff3666b1b964550175f128ef4b1c90c4174357a408637

Download Submit
memory/700-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/700-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/716-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1456-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1456-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3192-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3192-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3260-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3260-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3684-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3684-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3784-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3784-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3904-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3904-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4136-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4136-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4496-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4496-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4544-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads