8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
Size

88KB
MD5

e0bfb73eee274666092fea51c3c44910
SHA1

cae9d8070bdc874603a1de8bca66cebd6dc82060
SHA256

8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0
SHA512

150f5457cb9a7ad2ced5428ef18218653ea0e629e6e534c2999eb61087dfda250ecc9658aec856bf3b38914aea071a0940659c0dea201829a077468cb52f079b
SSDEEP

1536:wHRQzEFEE/jvZNVo2fmtrWDbyxU8JwqVDggtECglsOnouy8L:wmzEFEs7TVdfWrWv8Umwq5ZaCglxoutL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qclmck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heegad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidehpea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halhfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klggli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foapaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidehpea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heegad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joqafgni.exe

Executes dropped EXE 52 IoCs

pid	Process
1832	Bgkiaj32.exe
4576	Bpkdjofm.exe
3164	Chdialdl.exe
1868	Cgnomg32.exe
3928	Dkndie32.exe
4492	Doojec32.exe
2976	Dkekjdck.exe
3380	Dglkoeio.exe
2112	Egohdegl.exe
5048	Eklajcmc.exe
1212	Ebifmm32.exe
628	Eomffaag.exe
2892	Fnbcgn32.exe
4560	Foapaa32.exe
2344	Fofilp32.exe
3688	Fajbjh32.exe
3524	Heegad32.exe
3436	Halhfe32.exe
1232	Ibqnkh32.exe
4896	Joqafgni.exe
3512	Jihbip32.exe
792	Jhnojl32.exe
4584	Jafdcbge.exe
3016	Klndfj32.exe
224	Klbnajqc.exe
4360	Klggli32.exe
1836	Lindkm32.exe
460	Lhgkgijg.exe
2076	Mfpell32.exe
392	Nmcpoedn.exe
3792	Nfnamjhk.exe
4044	Oiagde32.exe
4952	Opbean32.exe
2348	Pimfpc32.exe
1984	Paihlpfi.exe
4756	Qclmck32.exe
1728	Qpbnhl32.exe
4852	Aiplmq32.exe
640	Aidehpea.exe
2516	Bfkbfd32.exe
4040	Bbaclegm.exe
3428	Cgfbbb32.exe
3616	Cancekeo.exe
2576	Ckidcpjl.exe
796	Dmjmekgn.exe
3796	Dajbaika.exe
3960	Egkddo32.exe
4372	Ejccgi32.exe
4440	Fjeplijj.exe
4540	Fgiaemic.exe
3048	Fqfojblo.exe
2012	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Likage32.dll	Oiagde32.exe
File created	C:\Windows\SysWOW64\Aiplmq32.exe	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Gpkehj32.dll	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Aidehpea.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Npdhdlin.dll	Egohdegl.exe
File created	C:\Windows\SysWOW64\Ebifmm32.exe	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Jcoiaikp.dll	Ibqnkh32.exe
File opened for modification	C:\Windows\SysWOW64\Aidehpea.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Ebifmm32.exe	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Jihbip32.exe
File opened for modification	C:\Windows\SysWOW64\Klbnajqc.exe	Klndfj32.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Cfkeihph.dll	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Qhjgbbnj.dll	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Egkddo32.exe
File created	C:\Windows\SysWOW64\Doojec32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Ibqnkh32.exe	Halhfe32.exe
File created	C:\Windows\SysWOW64\Knnele32.dll	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Jafdcbge.exe
File opened for modification	C:\Windows\SysWOW64\Lhgkgijg.exe	Lindkm32.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dkekjdck.exe	Doojec32.exe
File created	C:\Windows\SysWOW64\Jhkilook.dll	Dglkoeio.exe
File created	C:\Windows\SysWOW64\Ghehjh32.dll	Eomffaag.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Ibepke32.dll	Klndfj32.exe
File opened for modification	C:\Windows\SysWOW64\Pimfpc32.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Halhfe32.exe	Heegad32.exe
File created	C:\Windows\SysWOW64\Pjhfcm32.dll	Qclmck32.exe
File created	C:\Windows\SysWOW64\Dmjmekgn.exe	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Eomffaag.exe	Ebifmm32.exe
File opened for modification	C:\Windows\SysWOW64\Foapaa32.exe	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Ghfedh32.dll	Foapaa32.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Eklajcmc.exe	Egohdegl.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Doojec32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Helbbkkj.dll	Fnbcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Jhnojl32.exe	Jihbip32.exe
File created	C:\Windows\SysWOW64\Mfpell32.exe	Lhgkgijg.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Eklajcmc.exe	Egohdegl.exe
File opened for modification	C:\Windows\SysWOW64\Bfkbfd32.exe	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Dglkoeio.exe	Dkekjdck.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Aidehpea.exe	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Fjeplijj.exe	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Mjhjimfo.dll	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Dglkoeio.exe	Dkekjdck.exe
File created	C:\Windows\SysWOW64\Pimfpc32.exe	Opbean32.exe
File opened for modification	C:\Windows\SysWOW64\Paihlpfi.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Bbaclegm.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Egohdegl.exe	Dglkoeio.exe
File created	C:\Windows\SysWOW64\Lhgkgijg.exe	Lindkm32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4164	2012	WerFault.exe	141
4280	2012	WerFault.exe	141

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkeihph.dll"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhcmpgk.dll"	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkekjdck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaqbf32.dll"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdhdlin.dll"	Egohdegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkekjdck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkehj32.dll"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll"	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll"	Qclmck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egohdegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klggli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Helbbkkj.dll"	Fnbcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleggmck.dll"	Klggli32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1832	4248	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe	90
PID 4248 wrote to memory of 1832	4248	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe	90
PID 4248 wrote to memory of 1832	4248	8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe	90
PID 1832 wrote to memory of 4576	1832	Bgkiaj32.exe	91
PID 1832 wrote to memory of 4576	1832	Bgkiaj32.exe	91
PID 1832 wrote to memory of 4576	1832	Bgkiaj32.exe	91
PID 4576 wrote to memory of 3164	4576	Bpkdjofm.exe	92
PID 4576 wrote to memory of 3164	4576	Bpkdjofm.exe	92
PID 4576 wrote to memory of 3164	4576	Bpkdjofm.exe	92
PID 3164 wrote to memory of 1868	3164	Chdialdl.exe	93
PID 3164 wrote to memory of 1868	3164	Chdialdl.exe	93
PID 3164 wrote to memory of 1868	3164	Chdialdl.exe	93
PID 1868 wrote to memory of 3928	1868	Cgnomg32.exe	94
PID 1868 wrote to memory of 3928	1868	Cgnomg32.exe	94
PID 1868 wrote to memory of 3928	1868	Cgnomg32.exe	94
PID 3928 wrote to memory of 4492	3928	Dkndie32.exe	95
PID 3928 wrote to memory of 4492	3928	Dkndie32.exe	95
PID 3928 wrote to memory of 4492	3928	Dkndie32.exe	95
PID 4492 wrote to memory of 2976	4492	Doojec32.exe	96
PID 4492 wrote to memory of 2976	4492	Doojec32.exe	96
PID 4492 wrote to memory of 2976	4492	Doojec32.exe	96
PID 2976 wrote to memory of 3380	2976	Dkekjdck.exe	97
PID 2976 wrote to memory of 3380	2976	Dkekjdck.exe	97
PID 2976 wrote to memory of 3380	2976	Dkekjdck.exe	97
PID 3380 wrote to memory of 2112	3380	Dglkoeio.exe	98
PID 3380 wrote to memory of 2112	3380	Dglkoeio.exe	98
PID 3380 wrote to memory of 2112	3380	Dglkoeio.exe	98
PID 2112 wrote to memory of 5048	2112	Egohdegl.exe	99
PID 2112 wrote to memory of 5048	2112	Egohdegl.exe	99
PID 2112 wrote to memory of 5048	2112	Egohdegl.exe	99
PID 5048 wrote to memory of 1212	5048	Eklajcmc.exe	100
PID 5048 wrote to memory of 1212	5048	Eklajcmc.exe	100
PID 5048 wrote to memory of 1212	5048	Eklajcmc.exe	100
PID 1212 wrote to memory of 628	1212	Ebifmm32.exe	101
PID 1212 wrote to memory of 628	1212	Ebifmm32.exe	101
PID 1212 wrote to memory of 628	1212	Ebifmm32.exe	101
PID 628 wrote to memory of 2892	628	Eomffaag.exe	102
PID 628 wrote to memory of 2892	628	Eomffaag.exe	102
PID 628 wrote to memory of 2892	628	Eomffaag.exe	102
PID 2892 wrote to memory of 4560	2892	Fnbcgn32.exe	103
PID 2892 wrote to memory of 4560	2892	Fnbcgn32.exe	103
PID 2892 wrote to memory of 4560	2892	Fnbcgn32.exe	103
PID 4560 wrote to memory of 2344	4560	Foapaa32.exe	104
PID 4560 wrote to memory of 2344	4560	Foapaa32.exe	104
PID 4560 wrote to memory of 2344	4560	Foapaa32.exe	104
PID 2344 wrote to memory of 3688	2344	Fofilp32.exe	105
PID 2344 wrote to memory of 3688	2344	Fofilp32.exe	105
PID 2344 wrote to memory of 3688	2344	Fofilp32.exe	105
PID 3688 wrote to memory of 3524	3688	Fajbjh32.exe	106
PID 3688 wrote to memory of 3524	3688	Fajbjh32.exe	106
PID 3688 wrote to memory of 3524	3688	Fajbjh32.exe	106
PID 3524 wrote to memory of 3436	3524	Heegad32.exe	107
PID 3524 wrote to memory of 3436	3524	Heegad32.exe	107
PID 3524 wrote to memory of 3436	3524	Heegad32.exe	107
PID 3436 wrote to memory of 1232	3436	Halhfe32.exe	108
PID 3436 wrote to memory of 1232	3436	Halhfe32.exe	108
PID 3436 wrote to memory of 1232	3436	Halhfe32.exe	108
PID 1232 wrote to memory of 4896	1232	Ibqnkh32.exe	109
PID 1232 wrote to memory of 4896	1232	Ibqnkh32.exe	109
PID 1232 wrote to memory of 4896	1232	Ibqnkh32.exe	109
PID 4896 wrote to memory of 3512	4896	Joqafgni.exe	110
PID 4896 wrote to memory of 3512	4896	Joqafgni.exe	110
PID 4896 wrote to memory of 3512	4896	Joqafgni.exe	110
PID 3512 wrote to memory of 792	3512	Jihbip32.exe	111

C:\Users\Admin\AppData\Local\Temp\8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e4c2813280a6f7e666b1c12b9c01475c269493de4237fd2c797aa8e7bc998f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\Bgkiaj32.exe
  C:\Windows\system32\Bgkiaj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\Bpkdjofm.exe
    C:\Windows\system32\Bpkdjofm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\Chdialdl.exe
      C:\Windows\system32\Chdialdl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        53⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 420
        54⤵
        Program crash
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 420
        54⤵
        Program crash
        
        PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2012 -ip 2012
1⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
88KB

MD5
b25b84120bf668a2ad9ce27941a55546

SHA1
5e11e52f05ac7dbcea0b756cba2fb31f21001b73

SHA256
5029b03c4c08410992582a623d968762b69686e7784b625d3a8d2c5600bb501c

SHA512
30861c63e5ae7cad0cf21610f4c76d1e7d990ef6123864bf22f46cb89c389049f47c3e195b6f8dfd2fda437075956f95435e823ed07440a04da1884d80448db5

Download Submit
C:\Windows\SysWOW64\Bpkdjofm.exe

Filesize
88KB

MD5
6d54a248ab95c3f7fce15f1496d00ba9

SHA1
c62951463ea2f320278188d5bf8ac337abddaf7d

SHA256
15bc1cd50dc17dbe5dd5b7db0662d688ded8ce3c37ce52f73658236270431778

SHA512
6ed0a49d726f4ad8d057551cf78dfc2c799a5aedcbfa93f326ff16fe575dd67e60f7c4aaafb074339733ea878da6019323451d6ba8dcacc1289a610fceba678f

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
88KB

MD5
5cfd104809b096279c6774fd0a8dc398

SHA1
a2ccc16d50f3ea3f5054dfaef0b53e4f6a5e448c

SHA256
97e625fe0645d768254a3197cb75af7b4d9f4c47a7dcab9bc23f6ccbf2d3b736

SHA512
8d89238aed7cfe17bdbd5147695433acf459f7adf053dca22d9dd782c8383eaa7a6abe37eeb9f72c6825388fc5667209dc214647737502a15a3b778db332ec65

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
88KB

MD5
e11e96317b31050611af850f4d5ebee8

SHA1
90a82ba9a7e8697a083e248429587fd38a807f6f

SHA256
8a9505657d9e69dc90a2e227fb9aed339c9e0ac6849b1fd8109b51544df279ef

SHA512
1e31b9f6c772ce32b6a37c7e5518f15bf19feb6499759d87b5c0083ad97f01ac502a4fcd8d89a6c2c3d58ce2e035975eee41455631f16a7473755c6e9d07dfc3

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
88KB

MD5
3abc8f832172ae1fa905477e587fc8bb

SHA1
624e266fe5ea018480202921ee865d10e6a37e47

SHA256
ef116ea3094cc7fe9c2701121016c95edecb29eaf67f83944cf424a9ba2cd0e2

SHA512
b37a9ed7ed7aaee8826bd69e099623d2736cb406d48c206d364f7b5e0cfb889fda790199eb1fc4e246b93c919f05de6c6239c24f83aed301fe19086b6c9d93f7

Download Submit
C:\Windows\SysWOW64\Dglkoeio.exe

Filesize
88KB

MD5
7d4125f9ffe2f8a9b07dabb5a4a61842

SHA1
97bfd48a03e5afc599201f97949862708fd1c6b2

SHA256
23dd0e7234d959135d17f4b3ebec1f036046d609b3da9a96c78cf0ee25d6c684

SHA512
cf4425d2f83d2244aca9dfc02b8d445eb0448285eaaa9c89f7ab450694f2629bd776c88008fea82b5d5ac6f425ce34b5a018b50e0d91141ad083025a15fae07a

Download Submit
C:\Windows\SysWOW64\Dkekjdck.exe

Filesize
88KB

MD5
9af578e9e1484d1b725c6ac64912f1c0

SHA1
37c4ee9e632bd25c4208324a68f207825e75f933

SHA256
e7d2bede36f76d68fed9f163396f8c9f316d5343162d3b4dc587d604e7a1687b

SHA512
d065d069a39afa9191c1f002215d66d1ac0c768181cf09073988aa2ce8d8a7e13d1aa2a77e6f59500ffdbb5145c9b99cf3d949f37fba5edda625e2572c38e9b9

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
88KB

MD5
2824358f8b07be4ea253616750d5320f

SHA1
de8038e5090e4c65c49b13bdc85e529991b3887f

SHA256
e4a109625ba0fbc84af2dafcdb9ec2ab9e3a4864f27c1a1b7b6c03de18d88bf0

SHA512
06125df405631e539d4b4eb2aab6eabd0aaa8aa06dfb078998eeaeb2ea6ae221a6a0fe2ead02e60ee8317c1a994c4e6c85f91726c11c9b94535f1b4750b1b42f

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
88KB

MD5
1c6905871e009427e8e47bdfd5c1600b

SHA1
d222a8f7610ad1c7ed6070b98fa8c323f53bb1e8

SHA256
62c839379c1220c60e7ad105787365d2aee8be45ba69e5b3040c4934883357cd

SHA512
63ede26cd8814a65cc499a31d8f545cca5f8588de9a2197a5826a8df5da9d4dad15278c7411d4e5f8c556218364b2882e4cc5f0365500e4a2ab3adf9673348b6

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
88KB

MD5
dc9124e4976f162138bc6de2ca18ffa0

SHA1
47b3411d581fa32539dd871fb3944a7fcca3a103

SHA256
0db5e8948d61c4b44f84f6866608fcecd95bf0403929009f5bca86a8f28d2e04

SHA512
096933631f59d0ca0a75942c8ec9831b4489d8ce2aa8d46356d4aa2c1383839948a61864dee08e8d89b217bb39bdcf81828d88ca6d4a6314fbfa44f67909f7e1

Download Submit
C:\Windows\SysWOW64\Egohdegl.exe

Filesize
88KB

MD5
74c0cca7b06280f3f94a74a0a500647e

SHA1
97200622519f7d360b65ac0dad4fb54f1acee6bf

SHA256
6c30be27134ce331bf5378ea5bbd892a4564c14f790cf5cb268cb6969e3ab80c

SHA512
d563cd66880c67b79aef66145ed887629d10173dcc29b718b805a1c3e5047a804b205b722d7d13b1a44dbe0d11cbcf0448e8ce897d602a646ada3a2053334ba9

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
88KB

MD5
a241cf4d90605be643b203d4acd26424

SHA1
294646f7fb04a7ca7c8c109b4e8137135f0a4e71

SHA256
b057458dd7f2f265957c90b52b11225ca49da05714665c65dd93cd2b47176aae

SHA512
23b3697fa0784939aa9a3bb753609c44d6f822dbf47a27dff8315c8860664ee2c61d8564db16b34e60eba13eb37869f13696a82e1f12c0a018ce1878606a9d74

Download Submit
C:\Windows\SysWOW64\Eomffaag.exe

Filesize
88KB

MD5
45ae10662b359608f94345b7b317dbab

SHA1
0cd98f63b8fbad8ddfec4eaa9ce0639c5f89b02b

SHA256
9d2d5f0ea97419c54e36fde2e62543f6477ee1e3cef67fc42bbefaf14b190cc4

SHA512
7ab977c626c532f3e93a44f659f5681a17b56094e3a693b5ddf4f5ef3caa75b2143cb3473647e831b9a77fd68810e838e3b5c9b623dd02c1086b856bb12d1184

Download Submit
C:\Windows\SysWOW64\Fajbjh32.exe

Filesize
88KB

MD5
ceab3cd22230c049a7946950d9995197

SHA1
c671187e4287fad58085883f751981e8bf5727ab

SHA256
46f6813ac290a2e2592516b7c38123ef21c3d0a7ab2a010321a6586bcffeaaf1

SHA512
f51b9f8f78e600e159765e865424d1257c9270fe9157d5a3be6e5bbbb0cb431e467627dd92391be88c87a1b2c0199a5b58bf477f613f20f372725bdef84c369c

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe

Filesize
88KB

MD5
388f7ca29e736a712c6ad81ad93ed635

SHA1
51fdcc4acac114435b6cb337be1397fc6de6e3ad

SHA256
55f2bb13dd1de9524edc40d46e7994e1f191acb0e8a3503be8678c1b7d4d9445

SHA512
1c66f29443fdf7858efd63d66bdd7d324a3d8cd1a4033430ca8679826526401a5e6e51c1a06175bebbd5b433815045ec8d4cdcd6cdf9ae547fde943955e9befb

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
88KB

MD5
fbd3280c9b1d405eaac172cd53cf46e4

SHA1
696827cd512e8e529f11174293f8cf80e6ed8d30

SHA256
4a29c8af46739aacd9ad64fd8ae87de31359c4ec8acfdb0639e21d8e9a7835e1

SHA512
8e515b1f9c8024d95ec8105b66000bd56a6d68558650769a7fa1a7749fcbbc7c79c67cc2cfceb4c18905d2246c77ffcf2eb7b2d3bbb930e25610b8f84294d241

Download Submit
C:\Windows\SysWOW64\Foapaa32.exe

Filesize
88KB

MD5
849b3c33e82f89d7a4cb8f826e08c875

SHA1
02373b2efd13b8650c266750442169d8f612446d

SHA256
f717988dc8294d89b1deacf3b2a7136e3534ed28978ca8cfec1f1849aa7823ad

SHA512
8eff81ff5f1dc1c0850c1210f356d348aa6c24261666c87477cc55fe250e65869238a3b3e27c006013fcd208a7950dbad15c7ba7234066f3ebe295b7398affa2

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
88KB

MD5
795d87d587031611b1340218ae05da65

SHA1
dce2e0f6f447e63d142d7d7b8dc69a0c66360aca

SHA256
4815f37726aa64602640b183a318d9ba5fb3da96e30437f2c328a28c3b41c626

SHA512
fa7074c618254ca39e3759d0be14ebe75b913eeb17c7406d34b86895c56f20513f3c3ad11ba0740e08dae6607ef6dba2e25372a44432169afa45c3b9a1e622da

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
88KB

MD5
e1be8b99b2d6c963dbc8869a1d60fe29

SHA1
75739117e5e16bcd1c0c43755286a83a90cbfe52

SHA256
c5bdd650c48ea40b9dfe5872b7d938d981be83ff77e9830fc7100c3d8d5c5079

SHA512
564ed91f8012c8e9c087e284630c2b82b717ec0ecc7f981c682c9aec6b1ecf1145ff44f3c04522b759020c0288894f6f1ccbad479d9623ddf52f269ced31f4de

Download Submit
C:\Windows\SysWOW64\Halhfe32.exe

Filesize
88KB

MD5
c647a8a94f564948254074dca838fc69

SHA1
2186066aa729f43c92a9d41c86b72d0045f7d1f4

SHA256
f97f7a3b817fa29c16767ade2a6f79912bd04ec76be4825aeeba2425765cf78e

SHA512
b7a613208eee3734c2e5080a3d96220aa8e63ae3a81c04da0bd9aca4dc6bce131a996edff10f2bf213026074aacdd6ba60a817b7dc83220c43cffd40f7f7dbc8

Download Submit
C:\Windows\SysWOW64\Heegad32.exe

Filesize
88KB

MD5
f4510761d34a9d998813a9bfbc829214

SHA1
abed0f9bb29a7a542bf8863eeb6c36448cc24ac6

SHA256
b47117852907d6cf022c6c192d5ea230d388015a03965a9038088d9f1b695731

SHA512
3fec0f73ca2066ba02204802822f43f0533536d0d6d913fb1f34a863fc9dbb5530f0623ecbf557a08cf41a33ccb60faf5ed2f7f5a9eab68b15f5fbebeeea1690

Download Submit
C:\Windows\SysWOW64\Ibqnkh32.exe

Filesize
88KB

MD5
8dbda6b59e4ce76f6d344e714d335b4e

SHA1
1660521e39c7531e248b4cf23ce697cfd21f81a2

SHA256
e9c200ee6a891be6fadbc07ec81a176f31ef9b818fdc382ee7a082cad0441e9e

SHA512
3ee7c350b1a4e62442c7572bb6a1892aa12cc00b60f77c45713747201e472d3636b1a882a392a009eb2b32196a762ff87d240992f349417d03856ba1698c7551

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
88KB

MD5
625b8cdbface0ff5e52aa84f073125f3

SHA1
b9f8e5545313a575942089d598c32d12b9885919

SHA256
4b2f785304e62e587fd306c34f1cfef8e91c81ae981a72251b726136fb3d71ae

SHA512
1836a5e312fa71990b802ebb8b02412b9c1910864bd73af6f283bd4f2ebe4752b774d07da9db68064c553cd1655e3b5ce088e67fbeef44a91c534662674c0eda

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
88KB

MD5
cdded279d082e3b4ddf718c27e14551a

SHA1
8bb6cc02176f00c3801481cfd6791ba537b99c5e

SHA256
30fccc9afaff46e0a0ebcc9070cd66464488bc09db8ab831d23dde904fa21c49

SHA512
61a08a65929333df0707da09ee3017716cda13b05ff342b9932760ad36f5190ab1e867b7a9baafbd2e6fd3b19e0b3d214a355aa3c7ccb5a24cc3ba1da2fa22bf

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
88KB

MD5
1c8c484625cb3c399dda8e9be291cd6d

SHA1
07b4ac824d6fc566444dbe86a7607aef5a82b78a

SHA256
a4e1adb300d2aa72c62e4bfb8c02ae9d7dc5dac020a78c7e5eeb4755abfa5e44

SHA512
07cb93943c34c9a06dd9496bbf386b2a06c2448e44ba3bef35c995b3c68baf32c0539cff37d8504ed3f7f0d5a159ed03d32aa36d8d6d2a64d2a27d36bb8115b5

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
88KB

MD5
fb0458c370ea3559d65cd07c4841e3c6

SHA1
1a1b40b63dd69ffd9ac76b85b8e3a651a628577a

SHA256
d9eeb8186546ee88559eb2a2298e34a4b8cdcd40eff8b073a838f403504f9026

SHA512
b4b77461305b9033ec7e077a4d26a12ea4b5e4e332b09f7c9bfa2892ae82ef4bc5c4385d46bd6f76adb0d1d819a7dfae186b75dbb9d21a388e1498b304a5218f

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
88KB

MD5
39d50ffb768aca30e76a9ee72d6fd38a

SHA1
4f07fe677f6cd712ac52b87a146ba5cd869b68aa

SHA256
fa4978bf284e7060c22fad86f399949490750f51391965456657f7068a584e1d

SHA512
c8aec6841a125914fa5ad924f23c0c8ff8b85723f8fdb3bc99f0c19d1e22d6b53359eeee21491ffda849f4670638c1cf6e560b3da7347848fd6640a48a5415b8

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
88KB

MD5
6dfb4466a2a49aea701cd708aaaacb4b

SHA1
68d26468d7940411f6c1040dc54c4f922fc0280b

SHA256
95cccd8ba789fff40fcc946b77de151e30753e9258da127fd1e23cdb0c9f1c83

SHA512
722996ccc70c75a017d1333d477ce6deac4b58621678e9f2489b99dfe7a6b6188af8e597d1e6416c0a5acb077022a32149d2f6cff06f119f2e67f9ca7a3705de

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
88KB

MD5
6651c86dc4da4ea796808e99e020865d

SHA1
b2d48145608fe0655371773868610d9000909838

SHA256
ec758e9e83867edcdabbc3fa03cf0385378018036874670c1bfb59a8291dfd51

SHA512
557475e5b1ecb912f29fbb9791a7498ac37931455188fc0fb0731f5c3e63b75ddcee49e69e0007010fbbbfad455a8166b51fdd67f121a10b8ed1f498f3c704a0

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
88KB

MD5
5254f492fe4d928efd6adc470f047d92

SHA1
85c966da3687dcbf0e7956c45ec3a87b37bbead6

SHA256
57317d795b7f0b8ec76ba9c26730d1268211afd5510a1ef59f2e2efb8b2904ec

SHA512
3943f3e510999bdf0e43b4638f5dd9805ae430121a0338077a155970755f01590a53023c623748ede93fa4119acd7de6d7807a04359e0beb350235521b830e7c

Download Submit
C:\Windows\SysWOW64\Lindkm32.exe

Filesize
88KB

MD5
1b4d79e5d969da0cc2ca904dea471d39

SHA1
193bbb258bd370d7c7cef4a8d93e3abebe0d2c98

SHA256
820132f617f67a00e04e043845f2159065544cb63c0e91f6663ab1d20536713f

SHA512
59e4acfa453530f86c3ced3087c5fea630618361bca947a65d573bb179a566be19efb1239d588683459932c67a42d06434fab02f7124ca29aaa6f469d14f2768

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
88KB

MD5
cba5b4e4212199f9ef28dbccb4e0b0bd

SHA1
a72008128855fb6f7625bdc64c22e1877f9a851a

SHA256
581e3dbc30134eb580b6dc78049b56874ee5d3a2f06d102f886b539a7b97f957

SHA512
23992bc69493ec0b6b15f44d0c78c718fa1d2113265dbaf903f0b7e7c4594bd40cff077ba3d3eba405172b011c4c373da1c85fc73ac3cb8b9faa210b9c6c1a8d

Download Submit
C:\Windows\SysWOW64\Mnpofk32.dll

Filesize
7KB

MD5
fd256fdd55647f046ecfefd28f103d53

SHA1
7cf0b6d772c6e9a0a09663de385a50aa295c36b0

SHA256
465016ffde3f34ffaaaa1b74cab1808f3ad38aab2042e11dba50f51d0000b314

SHA512
ba056c5ac6017b7b03602b249876f75526d3bb4eee7b0a86613a298e3165211874f991544d9e0b825b9ee492e70045f67d4fe8e1f861955450131a412f063c4a

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
88KB

MD5
3e61022178c618b6c21a3d08fa1aebd3

SHA1
cba5c6546a1683d99be4da5d815a595964b40611

SHA256
e14dd1dd383e9da66b6144c62510d8780a42f1f6ddb94a8931fd3e4e1e95e535

SHA512
825dfe15d0062a85ac8e002f911bb46fa5e552896e8e45afe65b3a3fbe734addf10ddb17b715453f5944ab45f80ac7823b6372f71b1a19238ab0efd39cd8f4cb

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
88KB

MD5
afb603772956d3c0da2a085a946165ab

SHA1
01b961a4c65bc71eaa2166d2d08b22eb47d50621

SHA256
dad7804fb8f78f1a1f37b5b2c3d6adfcbf1f2f6e282eb3f6d9bfd26c8f959021

SHA512
c40294da0329f0d525a1c2ccae5b8cc26d17e2060926edaaa2d4408c164e4215e0ffbaf9dc7061c28e7cfa363aa6aa3378667702b7bb97a9f360f8fe5ac1cb61

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
88KB

MD5
f19956457025894161c1215ed3f76f77

SHA1
c6d1975ed5574cddc9e9f948d34d54f4bc3648da

SHA256
45ea003783a00cff5a94c54f1e33763e4c2664a99ad460f5a96dc1d04910894d

SHA512
6305af1bd444a358bce032b37131c0505381dd063f509fa916a6a6abebd15144970fd589d9e6afeacfeb10d70835904935d107c448b112f5808c31c183391bb2

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
88KB

MD5
02da9f95c6b8a335d41bc49aca118169

SHA1
727c5746877f15b1c80bb2aca89921d68800475e

SHA256
f91fdf7ff53d8c66865425dca07c358cea1880ccc717e08b2e5f2009471ec95a

SHA512
8330cd7164740f82fb240c00c4a43acec7be5d75dcbc78e16ec58a8d3cd25ebee01328b5aa990d2f944b44688ae1f38c61c15771776fc356be13ce43c8052fd0

Download Submit
memory/224-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads