78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a

Analysis

max time kernel
139s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Size

275KB
MD5

ece550966133138854a4b24679844c60
SHA1

293bf606cacb8486e48a82c936adfbc1ff09e4c4
SHA256

78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a
SHA512

964e17ca5cb2f2b61066dc7390d93aa481927c108597c2676800375950641db4e33380fcd09fb16c8765b8049240f8b8b87a25275bf845a96394917e26c98744
SSDEEP

6144:tkuliPEgzL2V4cpC0L4AY7YWT63cpC0L4f:tJliZL2/p9i7drp9S

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqlfhjig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccmhdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdnhih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Galoohke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdnhih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hldiinke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmmlamj.exe

Executes dropped EXE 64 IoCs

pid	Process
1264	Dggbcf32.exe
892	Eqlfhjig.exe
1404	Fooclapd.exe
4004	Fdnhih32.exe
4976	Foclgq32.exe
1460	Fkmjaa32.exe
1772	Galoohke.exe
4352	Ganldgib.exe
4404	Gnblnlhl.exe
3496	Gacepg32.exe
2556	Ggmmlamj.exe
1652	Hajkqfoe.exe
4948	Halhfe32.exe
3456	Haodle32.exe
1728	Hldiinke.exe
4564	Ibgdlg32.exe
1332	Ihdldn32.exe
3976	Jidinqpb.exe
4264	Jbojlfdp.exe
1732	Jikoopij.exe
4860	Jafdcbge.exe
2328	Jbepme32.exe
1880	Klndfj32.exe
2424	Kidben32.exe
1920	Koajmepf.exe
4392	Kabcopmg.exe
3900	Kpccmhdg.exe
1640	Lpgmhg32.exe
4120	Ledepn32.exe
2000	Lomjicei.exe
4788	Lplfcf32.exe
2088	Llcghg32.exe
552	Mfkkqmiq.exe
1004	Mpclce32.exe
2032	Mjlalkmd.exe
732	Mcdeeq32.exe
1104	Mqhfoebo.exe
2624	Mbibfm32.exe
4904	Mlofcf32.exe
5048	Nblolm32.exe
3856	Noblkqca.exe
4440	Nijqcf32.exe
4908	Nfnamjhk.exe
3464	Nqcejcha.exe
4820	Nfqnbjfi.exe
4428	Ooibkpmi.exe
3288	Ojnfihmo.exe
3180	Ojqcnhkl.exe
1976	Oonlfo32.exe
3752	Ofjqihnn.exe
2384	Oqoefand.exe
5056	Obqanjdb.exe
912	Pcpnhl32.exe
3568	Pjjfdfbb.exe
3892	Pcbkml32.exe
4548	Pfagighf.exe
2320	Pmkofa32.exe
5044	Pcegclgp.exe
608	Pjoppf32.exe
1012	Paihlpfi.exe
2112	Pfepdg32.exe
4980	Pmphaaln.exe
4988	Pciqnk32.exe
4588	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Lomjicei.exe
File created	C:\Windows\SysWOW64\Nqcejcha.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Epoaed32.dll	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hajkqfoe.exe	Ggmmlamj.exe
File created	C:\Windows\SysWOW64\Mldjbclh.dll	Halhfe32.exe
File created	C:\Windows\SysWOW64\Dognaofl.dll	Klndfj32.exe
File created	C:\Windows\SysWOW64\Lpgmhg32.exe	Kpccmhdg.exe
File opened for modification	C:\Windows\SysWOW64\Dggbcf32.exe	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fooclapd.exe	Eqlfhjig.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Jbepme32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnamjhk.exe	Nijqcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Hldiinke.exe	Haodle32.exe
File opened for modification	C:\Windows\SysWOW64\Jikoopij.exe	Jbojlfdp.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Obqanjdb.exe	Oqoefand.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Mpclce32.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Mcdeeq32.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Fbbnpn32.dll	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Nblolm32.exe	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Paihlpfi.exe	Pjoppf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Obqanjdb.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Foclgq32.exe	Fdnhih32.exe
File opened for modification	C:\Windows\SysWOW64\Haodle32.exe	Halhfe32.exe
File created	C:\Windows\SysWOW64\Dbkqqe32.dll	Jidinqpb.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Jbepme32.exe
File created	C:\Windows\SysWOW64\Nijqcf32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Pciqnk32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqlfhjig.exe	Dggbcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ggmmlamj.exe	Gacepg32.exe
File opened for modification	C:\Windows\SysWOW64\Jbepme32.exe	Jafdcbge.exe
File opened for modification	C:\Windows\SysWOW64\Koajmepf.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Pjoppf32.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Pjoppf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Dggbcf32.exe	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mpaqbf32.dll	Hajkqfoe.exe
File created	C:\Windows\SysWOW64\Ibgdlg32.exe	Hldiinke.exe
File created	C:\Windows\SysWOW64\Jafdcbge.exe	Jikoopij.exe
File opened for modification	C:\Windows\SysWOW64\Mpclce32.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Dkjfaikb.dll	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Pfagighf.exe
File created	C:\Windows\SysWOW64\Mlmadjhb.dll	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Fdnhih32.exe	Fooclapd.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Klndfj32.exe
File created	C:\Windows\SysWOW64\Cnokmj32.dll	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Nfqnbjfi.exe	Nqcejcha.exe
File opened for modification	C:\Windows\SysWOW64\Ooibkpmi.exe	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Hajkqfoe.exe	Ggmmlamj.exe
File opened for modification	C:\Windows\SysWOW64\Jbojlfdp.exe	Jidinqpb.exe
File created	C:\Windows\SysWOW64\Llgdkbfj.dll	Noblkqca.exe
File opened for modification	C:\Windows\SysWOW64\Oonlfo32.exe	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Hodlgn32.dll	Fkmjaa32.exe
File opened for modification	C:\Windows\SysWOW64\Ganldgib.exe	Galoohke.exe
File created	C:\Windows\SysWOW64\Hiplgm32.dll	Ggmmlamj.exe
File opened for modification	C:\Windows\SysWOW64\Jafdcbge.exe	Jikoopij.exe
File created	C:\Windows\SysWOW64\Ljgmjm32.dll	Oqoefand.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	4588	WerFault.exe	152

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdnhih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhmnagf.dll"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nblolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll"	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nblolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffaen32.dll"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ganldgib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onnnbnbp.dll"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akeodedd.dll"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcilohid.dll"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkmjaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgdkbfj.dll"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdding32.dll"	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoaed32.dll"	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll"	Lpgmhg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1264	3364	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe	89
PID 3364 wrote to memory of 1264	3364	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe	89
PID 3364 wrote to memory of 1264	3364	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe	89
PID 1264 wrote to memory of 892	1264	Dggbcf32.exe	90
PID 1264 wrote to memory of 892	1264	Dggbcf32.exe	90
PID 1264 wrote to memory of 892	1264	Dggbcf32.exe	90
PID 892 wrote to memory of 1404	892	Eqlfhjig.exe	91
PID 892 wrote to memory of 1404	892	Eqlfhjig.exe	91
PID 892 wrote to memory of 1404	892	Eqlfhjig.exe	91
PID 1404 wrote to memory of 4004	1404	Fooclapd.exe	92
PID 1404 wrote to memory of 4004	1404	Fooclapd.exe	92
PID 1404 wrote to memory of 4004	1404	Fooclapd.exe	92
PID 4004 wrote to memory of 4976	4004	Fdnhih32.exe	93
PID 4004 wrote to memory of 4976	4004	Fdnhih32.exe	93
PID 4004 wrote to memory of 4976	4004	Fdnhih32.exe	93
PID 4976 wrote to memory of 1460	4976	Foclgq32.exe	94
PID 4976 wrote to memory of 1460	4976	Foclgq32.exe	94
PID 4976 wrote to memory of 1460	4976	Foclgq32.exe	94
PID 1460 wrote to memory of 1772	1460	Fkmjaa32.exe	95
PID 1460 wrote to memory of 1772	1460	Fkmjaa32.exe	95
PID 1460 wrote to memory of 1772	1460	Fkmjaa32.exe	95
PID 1772 wrote to memory of 4352	1772	Galoohke.exe	96
PID 1772 wrote to memory of 4352	1772	Galoohke.exe	96
PID 1772 wrote to memory of 4352	1772	Galoohke.exe	96
PID 4352 wrote to memory of 4404	4352	Ganldgib.exe	97
PID 4352 wrote to memory of 4404	4352	Ganldgib.exe	97
PID 4352 wrote to memory of 4404	4352	Ganldgib.exe	97
PID 4404 wrote to memory of 3496	4404	Gnblnlhl.exe	98
PID 4404 wrote to memory of 3496	4404	Gnblnlhl.exe	98
PID 4404 wrote to memory of 3496	4404	Gnblnlhl.exe	98
PID 3496 wrote to memory of 2556	3496	Gacepg32.exe	99
PID 3496 wrote to memory of 2556	3496	Gacepg32.exe	99
PID 3496 wrote to memory of 2556	3496	Gacepg32.exe	99
PID 2556 wrote to memory of 1652	2556	Ggmmlamj.exe	100
PID 2556 wrote to memory of 1652	2556	Ggmmlamj.exe	100
PID 2556 wrote to memory of 1652	2556	Ggmmlamj.exe	100
PID 1652 wrote to memory of 4948	1652	Hajkqfoe.exe	101
PID 1652 wrote to memory of 4948	1652	Hajkqfoe.exe	101
PID 1652 wrote to memory of 4948	1652	Hajkqfoe.exe	101
PID 4948 wrote to memory of 3456	4948	Halhfe32.exe	102
PID 4948 wrote to memory of 3456	4948	Halhfe32.exe	102
PID 4948 wrote to memory of 3456	4948	Halhfe32.exe	102
PID 3456 wrote to memory of 1728	3456	Haodle32.exe	103
PID 3456 wrote to memory of 1728	3456	Haodle32.exe	103
PID 3456 wrote to memory of 1728	3456	Haodle32.exe	103
PID 1728 wrote to memory of 4564	1728	Hldiinke.exe	104
PID 1728 wrote to memory of 4564	1728	Hldiinke.exe	104
PID 1728 wrote to memory of 4564	1728	Hldiinke.exe	104
PID 4564 wrote to memory of 1332	4564	Ibgdlg32.exe	105
PID 4564 wrote to memory of 1332	4564	Ibgdlg32.exe	105
PID 4564 wrote to memory of 1332	4564	Ibgdlg32.exe	105
PID 1332 wrote to memory of 3976	1332	Ihdldn32.exe	106
PID 1332 wrote to memory of 3976	1332	Ihdldn32.exe	106
PID 1332 wrote to memory of 3976	1332	Ihdldn32.exe	106
PID 3976 wrote to memory of 4264	3976	Jidinqpb.exe	107
PID 3976 wrote to memory of 4264	3976	Jidinqpb.exe	107
PID 3976 wrote to memory of 4264	3976	Jidinqpb.exe	107
PID 4264 wrote to memory of 1732	4264	Jbojlfdp.exe	108
PID 4264 wrote to memory of 1732	4264	Jbojlfdp.exe	108
PID 4264 wrote to memory of 1732	4264	Jbojlfdp.exe	108
PID 1732 wrote to memory of 4860	1732	Jikoopij.exe	109
PID 1732 wrote to memory of 4860	1732	Jikoopij.exe	109
PID 1732 wrote to memory of 4860	1732	Jikoopij.exe	109
PID 4860 wrote to memory of 2328	4860	Jafdcbge.exe	110

C:\Users\Admin\AppData\Local\Temp\78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\Dggbcf32.exe
  C:\Windows\system32\Dggbcf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\Eqlfhjig.exe
    C:\Windows\system32\Eqlfhjig.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\Fooclapd.exe
      C:\Windows\system32\Fooclapd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        65⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 400
        66⤵
        Program crash
        
        PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4588 -ip 4588
1⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dggbcf32.exe

Filesize
275KB

MD5
7350cb8060c8cbcc3f86de7b87f1ec80

SHA1
3a7fde163164c6bff5a3dcab66b101e054b2ba74

SHA256
9e0136232f26636d29803b0d2bd1cf99000fb929934381e06ba4f3148fd6f4e3

SHA512
6910f3565110296b5c881cadd23fa81b385f50b9920ee999d200257ce93be94f36820cd0be145d52a574f4f63d0ea064d31e5d7c0053d1aa7db219105d059738

Download Submit
C:\Windows\SysWOW64\Eqlfhjig.exe

Filesize
275KB

MD5
76de10788c2bfac0121849dc155727b3

SHA1
45b2cdef0f3e6322b8fc61da0cd4309cd2c36dd2

SHA256
e1192bae2e264ec7618e3c3b83170c348ab18a2608b2aa125c5b8a507b5ea2ba

SHA512
6f18980071f778a5df207a84d08c9992fd87eaaab03c2633762b0fc7f3ce457ab60db7cab9a8a772649f81777226e1a11abfad427fdb0a9a7d9afcb2f4f6a926

Download Submit
C:\Windows\SysWOW64\Fdnhih32.exe

Filesize
275KB

MD5
9ac97a0271ce6375d1d0c0d4621a4be3

SHA1
96a9ab2f2f219b787ad6f21f46337d85d2899315

SHA256
f2e7dd4dc08a00ce1e341a356769a6756b92b2c00e8016a540f1b89f25b064c0

SHA512
a717e7853464e0d7895221a3122f39007e337f144b3422d4e07d7c0ce08ceb534ee81f34a159cbb83d500cfacd428cc99b92ef59c8685e985e72f28196f5351c

Download Submit
C:\Windows\SysWOW64\Fkmjaa32.exe

Filesize
275KB

MD5
b9360e4e948dd183c77d4cbbec3fbb7f

SHA1
abf68513b1ccfa5f4bea9c25967cf26724a0ba8d

SHA256
38f57bb5b240d9d1441d51686ffc115851793eeaaaf5415f28188a32d609ba34

SHA512
2ad05c8bcb1aab99fc7013653a0c06bc75909b17bdc014bb525222b82dcd17ffcdb6c46caf0b2041521af4b170df4da9df3d32276b83706edb3a6a2e54036543

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
275KB

MD5
96025eff7597cc97d31fea0ad1592b0d

SHA1
fe25340799eabe496373c9156bd038b35a60aa63

SHA256
a40aacf2aa7723b57bf9c32e16c49582cfc190eec074addef01f9a8654b8e28a

SHA512
6eec679b58b37478ce87417bf0b9ad607f2858c5eab1d86a3f950fa3d7f5e2b5da1088b0c206d919b7c0c019e343bc7a75f5ffdf3f7a71fd2814677eb99d5421

Download Submit
C:\Windows\SysWOW64\Fooclapd.exe

Filesize
275KB

MD5
daf233d3ccb12b3a5fbb11ff0a47b863

SHA1
1505945ca21e2a3e4f10cc76ec1e27fb98fe3bc7

SHA256
5c66ef1f3271ef3fe689ebc29bfbfb8c76fc417851afb40051dac75caaf86f82

SHA512
7586ca9c55a96b1fc279982b3e4837f2e28bec26f273c6de8f7233e1c9806d2db1d7a4ea580881d3b664c07264fd011e71b1d8d0b7004b6667ea3447005a43c8

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
275KB

MD5
a887b34daa0342aa710272815539749d

SHA1
1b956a624966824ab12d689f26eeacb6dc915967

SHA256
eaf945538e3158107ac65f35962e69df14bff63d5d260374eca144a16fb645a6

SHA512
cd13692031eee92e9237281fd458d50e5c5d525dbbd28274cfa0c8d73433fa3fed0b570f97f75072b5920b8cdf2c62037488f3223c9c721ebe0b22ae517fa291

Download Submit
C:\Windows\SysWOW64\Galoohke.exe

Filesize
275KB

MD5
1aaad804fb6f65afa2905bed3f4492d2

SHA1
327186352b1308dedd7fd2d705c63e387d943b31

SHA256
14a702d1a5f57656787e838ff62ad69d7633dd0244c4e70c68a01cbc0fa23936

SHA512
1139b3c85b8ef7b5eef5d89101e8b7858e4c1b4ce01d918ec38ed0b7875a86ea65686b84e2392dd0dbe10faa9ceef2067a688940cc62c9a9be216defe073c6c4

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
275KB

MD5
95a1788a797514543efa8a1a69f6c96c

SHA1
34ad88e6bd3aca97aba20eae822ec81b910c62f2

SHA256
e6d85e8439b95372f1fe396cd7405fd747ad0c7a6b569861794838a66279fdc5

SHA512
07255b112b90d507e093b9c86e1cf9f5d4f203abdbd363056fb95cfe030fcc7070259dfb012ec7e549e0e583ea256f49a0d938419578bf4ea5ef9016394e8097

Download Submit
C:\Windows\SysWOW64\Ggmmlamj.exe

Filesize
275KB

MD5
b307c5f546d303fb965bd1fd631e9da3

SHA1
60ab2ea405343e86b3b88d5201839334a5d7b507

SHA256
46ec7d5a11321ca85914b37dd65e3b1abecd0adff91cfb41e99f51dc0ac545e4

SHA512
1899c5cdeb7968970451047f7de78fde2a2685ef1a17e4e33195bd32f0b572382148cc960ed4143f688cdd163beef3a54532a191e52cd816d2d152a5f9a72ae5

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe

Filesize
275KB

MD5
97c5e388cf9bf288a7db63cd6ac28ebe

SHA1
ffdc6148d96ec0019da02da3caf8a2d0b7823638

SHA256
5c6f25de11ab37fbe09b96d7874cbfff2097f667fc94b63046f043e1c418d144

SHA512
8a621f0cd0e1be95abbd9f97fbfdf4e167c8164f634f4fe219adb0347eae917fcbf4b548f620496d76d9bae3bc5079402a8e742a17e19e18167d14aa10ffcf78

Download Submit
C:\Windows\SysWOW64\Hajkqfoe.exe

Filesize
275KB

MD5
5b08ae33b9c0a9caeae018c5490d46b2

SHA1
133b7be29af04db4c59c5800306d866034170592

SHA256
ec4e7bba6b9567f59f31f1657bee4a36480b10e652ddd013a55ee68f7597b8b9

SHA512
33b381fa471db2b55fd422b20fca16857d2847794ae58927fb56938000eccc743ddf52310b27cf95fa589e966fa66f952d9b89619e85390031b6ce9508bc869a

Download Submit
C:\Windows\SysWOW64\Halhfe32.exe

Filesize
275KB

MD5
223159c1765d484725d60fb77c877d8f

SHA1
a27492e506dd7152d9cbd60e26e146f2304ebd70

SHA256
6416ec609adc9278e2e60d7d38b7106ca4c0ae2f5d427eaabc373dc22198e80f

SHA512
a6b90d730ac6dfa8b79a00a34d56d67477012c0acbd0f04b6c36e1939ae1ac42aa9da5b5e7ac693ba23ecd2dce01d885e6c7c769e4121d385940dd2ef64539eb

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
275KB

MD5
ef72dc98a2c4fa7f88b75e43dc1c5d80

SHA1
9db58aab604e7a1adbeb05b20a90a836cd0209d0

SHA256
da930edb7642d56dc3e97183031c38e3f8f2b949aa58a8bb64c4244fb4a7f242

SHA512
f0dbb88fe97b754bd97cd244648fd133a01b7d60ceb3a38cc5e9783f0569162497a07873519b8b6151cce3b863633c353f345a12c8dc36fb6ce1eba69ad0c3ae

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
275KB

MD5
ff4c9c882546cde6989c4c42a0795800

SHA1
7d267a2d83d42e4bf5dbd2c4ec099f4abe52d8aa

SHA256
a194913e7df21a12237b733817f425c3ede1257c23bc227ad256abb8af9c9a76

SHA512
a09f08e16114c68fe3d8d177ee2e37b16e01d596179b37771ceec4fd9b86e9d7aaee37d9defb46991752237af840308050f7110f3ed03ee20d99637edfdca6ed

Download Submit
C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
275KB

MD5
2e8f242dd975b9a8fbb9cb262de283ed

SHA1
a81a73bc6b8c338ba546d47c91e7cf9a371a1dde

SHA256
ece75a04393f6ef08688e8e4cef9f25a464a3997c94a3139e8d188a49ca382a8

SHA512
9811b01e5845efbd7d8b993732735eb2f274c0ebca9c5002888d00702a9b2b91b757b022fa56d32dc289a0b45fb728cd81e3c99dc0732078be0a7ddec215dfe1

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
275KB

MD5
3ff492e88e982bcb6ba06f487eedb180

SHA1
c662fde93b189c8b45f18ace429305579a64980b

SHA256
76c8482ce3ebfa5a227c49cf03780606180001eb68151ae64d0fa89d4e6b2169

SHA512
78093633f13fc8891d2a892b43ed6a3f04d591768f42ccdd88bc7f72146d8de4a1570f9193519f6af3ac141dc43ce2b449d3b5662d55c52a4ba15b54a649dbc7

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
275KB

MD5
e3bb850342f758cf0a5f6b3234a3a8cb

SHA1
57288258f07d4f38507993b68620d1055675aa4b

SHA256
6269148ba62e882f32e5de5e1970f36e5a1bb3401d68aaceca851ada4daf295c

SHA512
20938d34bac33aca87f964db8516db4650fcd55dcd76d7dc597922460b34ded167416d480f2e773e8bad658b6d9ddce9bd7cc8a451c0fcd94cfb8596b32c13ec

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
275KB

MD5
cb59dc177281932d277012ed5aba2560

SHA1
b030dfc4fc68fefd451672fe48c68a16e56a05a0

SHA256
41a7c733cc81fdb411573d76c92effa44a58a450ed45181c4f12cab835bb9612

SHA512
34ef27a9768a3a087c3e33a0236c950ea481b45f53b21409324555a9f913cf58323e4093101d06519ff2831aa444559b692bc0410534bca9fb099def1916d3b7

Download Submit
C:\Windows\SysWOW64\Jbojlfdp.exe

Filesize
275KB

MD5
61c5c9d78885943ece18700d603fd286

SHA1
aab0b209de52768fd0b89596f8f1f5755a462fe9

SHA256
f28b435a38b00dee214bbd9b4b750865910de0169e2100864e60f89cdef39d65

SHA512
c0539422782a693afef77f412cc6c10262b19aeefedfb908f1a37e662e2bf51de1ac003732dfd1aba994d112c36646a19cf5a731367ce9759ebdfaa62f06b056

Download Submit
C:\Windows\SysWOW64\Jidinqpb.exe

Filesize
275KB

MD5
a0e3e187ad64044a3188597ee5685316

SHA1
38870d1f57a9299c163856a4f266180809939d6a

SHA256
b969ca22c61c0929d9b73a4564f93a620e5aa538ae8b3e015918b5285e1bece6

SHA512
64661bff93f115275aa3650e47e56619a862fa91094a6c5a3c29f2392157cdb64b77869586c8cb8577d4894d6e7bf76cb0efbc5ddac2cd5db89a74666f8e7c96

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
275KB

MD5
471d1be3714b1110e8a5b2c4242ec061

SHA1
4ecb4e44c1cdeaeaadb816d91553cae225a30f7c

SHA256
0c440374c3714bf05b53ae75dbe9610bb977c61111c4d0168714ee72b88f5e9e

SHA512
7e87f5e8e1d01b759a763a7657fb4e27f0b621ccbd58aaafb39677ccac5f4ed6044d0cfb089653bec2d1d05f96fa5e279cb5e5f82ad0f6a54409f61e8a40e140

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
275KB

MD5
5e141464f1cc5ff281ed043d2a3e2ee1

SHA1
b286fa6973147753a8c54400a275239b81907658

SHA256
094402b03d8f11e7eadf401e166e32155c27a1cc8e5f5b633f925ab3ebfb715d

SHA512
ca1c8b5a43829fac87efcad20b0c6fa6af322bb29419abcbff974967851e82cba03069a45a8862551a26af0760e0447ee7d6b183c996ab2d1d9fa38ca20f130a

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
275KB

MD5
e8278c35eb8c351070d7360e65d82494

SHA1
75e49bbb0db52f01a0dae33b59bf6b348c21aaf2

SHA256
a93e7b4caf9bde85cb047a01cfe9e943269ad451ccc3f2cb83ca3f4f03a83393

SHA512
78c11d4fe2108ffbdb20a9931cf5c94ce8a09020f02f10c0391aac1fe4da55a40da608caeb32c1d105086e76892c7b14e612198d7c1c4324bb9adfc9e76d98f1

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
275KB

MD5
5c3e0d1ee5ce18127a86215292fd2951

SHA1
234e000acdbee7c41ca42a912b475103a904c3b2

SHA256
1bbc7487b7121a188fb1848bd9c65f5f381fa550b9218f0cb6ea524b4385b482

SHA512
c20198a9b98b718322b44e878726d5814d2f3df3e698da957568294d9268e8582ec89256d1e548496ef94f7129bbc3f2ce357fa514196b64dc6547990cc6039e

Download Submit
C:\Windows\SysWOW64\Koajmepf.exe

Filesize
275KB

MD5
e11b801d33e94daaa0de4958fb11909d

SHA1
774d3ccbf42ed086623986337d2bc1e44bb987e8

SHA256
8fd0f8370d3391578c95e438ead439a863dd65b871b27439703efd65b5588122

SHA512
7b925b83d6bfec26debbe3ae4e534f278be1d0fd18dfb0186c85019fc15bde336019611d01b57334ada12d2a009a0430975eab5169613eac3bec47b4a28ca536

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
275KB

MD5
7c94420ef71fd1c29958ce420051cb8d

SHA1
7d3cdc6793ee1d4a2fa1bce9e25b6f955c2f5956

SHA256
2c65345acc51dc4310d1d2ffa63e6c84fbd41499d45df2b7eae96558ca8374a1

SHA512
9d7bcec3b0fbbc619b1ebe9d7eb88eeb5f634c2755fb5d32c973e9e861e30e30d6f345f283456e0f8ceaef5df33ca56694c0b9c1d598b472ca7d78e4c4074777

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
275KB

MD5
a8159594ce42cb932513c58fd6110e0d

SHA1
381d1208592c2298c0de5f120a4bbb1203d35494

SHA256
407afe315da07dd41dd0049668db64d69b445eac1d617bf15af99e4ac24731e6

SHA512
98a602b0417112b6c0a26abaf3110e1c52ef1531fe540b193e633321efa9cd91c43cdb2c4ad8d33fe65e365aab5c7e5970e3cb7081a24d412a2573cf90296352

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe

Filesize
275KB

MD5
56e6288611f12a0ac23d052d173d3568

SHA1
56a04fb571a464407a683c8181c6f1fedb3992b8

SHA256
7d513c1e2c2c475ec063deda3ec3950b7354d024eadfedede60f25a580e64d02

SHA512
be73a7ed2a5f6d4420cb3a82c86593849881031bc56a3eedc412511467974171a511967e8cc228390117bf5f216e15d427524d4801cb5083de1ff772f7eefe59

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
275KB

MD5
e38b36e3a0a34974af121fa015048057

SHA1
310a37b2f04cf50d34f0759af0908e00cb31829b

SHA256
45832b22ade75d7a40bc8b39d88a33d2b135ac2a28225bb467a3518b4d28fbd8

SHA512
bda457cac4f3f07071faff977b6a52a5c0ab16bf7b0dad968962e16b60ed1c89829156f83c5ee902c819515ab8539d05ae3bcd80e6f6831ce27703e462f2145c

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
275KB

MD5
6aed427dbdde33e685a6e32eb160a696

SHA1
2c9295ec33cc8eaec99c2efbb1da33eabda8c532

SHA256
da3c53e99dd522e8dc9dbed9bda8d2a05917e9afae9799cff4a5f0ff2fdb2b04

SHA512
7782d8410e84532765727703556ddd0be7fdbcdfe93262fece27ad7265a67bb24592516044fb4c7c724f371c0ca77a25e58ea3b7ce657ff6e7ccf097fc24a3cc

Download Submit
C:\Windows\SysWOW64\Lplfcf32.exe

Filesize
275KB

MD5
fa98616ae7b881055fbb4f50f8a99feb

SHA1
8acc3fcf8ce2ee508e504ff59214e790be516be8

SHA256
3db5899c9931d86be9403e4279cdc9a89b25960f7ebaeb50d35e4dd2b3d76e23

SHA512
f00e364089b1df1c0c782da4bac647e12afc9d3d72804890042093f9d65e415b6e48817819f859e5088e9cc49013f2a5cdb9499dbba64b91fd205368b964ccec

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
275KB

MD5
43a6e3875c215ad8becf20b34f756e4a

SHA1
f1a76e70681c7fb4af5223232caffdcdd84cef9d

SHA256
e83891118d91e382d2c8f0c116744f5c913ae186cfc435833f71f7b8f7a872b8

SHA512
2eea2b16f89bb5c4bb4a95069841153c85e787aa931d12765d2c1b750f15dcc7eed5c5090331a35402574eb0a148635a1b9868b2e707a99733fb1310a655db65

Download Submit
C:\Windows\SysWOW64\Nijqcf32.exe

Filesize
275KB

MD5
9d8aba519e0a2767fb9bf910188a6a9b

SHA1
0bbcdfad02f7f3018250fbd60177836026595614

SHA256
234c8655ea7fab10fe09afd5225226939df494f88ed72fc682bcae2a7f6eae60

SHA512
a9143a90a57d50dcce832b40ae8616ea3d192cfeea1c2d076a0732e8fc0582c0742bff2406bd3fd396201d439857bdde37bfb7e74dc7469ebbe322fa55c305cd

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
275KB

MD5
91bab7aa07459f6e07dc94be56aba7cd

SHA1
857938e3dbe54f520fc63fd157aed243d8b3007b

SHA256
e51abd034d788a5212fcb7ef9144d9a8a337e26b502381dad3a3a15bec4f5c78

SHA512
29961352c3c57d8c3e33af19a66545b21c80e16f6fe35d006fd1aa3564a9ae4788c7a54c705270438599f4dec9181266ba5c8af3494e5ac6d932bd1a53d8d34c

Download Submit
C:\Windows\SysWOW64\Pfagighf.exe

Filesize
275KB

MD5
4615aae93501ab12a1b161cd5720f47a

SHA1
99cc379d121eef16b709ccfe4d0fca24be87b16f

SHA256
10b06fced9ba2dd5fb706aae57689d689eb28833955d12a786eba11cf6570467

SHA512
a30690dda609d4248bdc60b398d36537cd9addbe4902081ab2a610cf378a032b04a7dba1b217fa9da410c716553efca76153f40345a709bfabe490f52f8c0f56

Download Submit
memory/552-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/552-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/732-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/732-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1264-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1264-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2384-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3180-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3364-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3856-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3856-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3900-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3900-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads