00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe
Size

302KB
MD5

e2678948f02526195d4a4ec5777df970
SHA1

10bf4ac31349d7b058b58639c5d220a41c59a7ab
SHA256

00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc
SHA512

50eaa365feba7c4bb4789c376d68388614e7c19d2d3a7f5aa4758efa8763a85da8b46660b604e3bb1dc2cb5895c2a815274f5ac1e02fd584077cf438efd9100b
SSDEEP

6144:upPlo3jL7GNlighD4lTjZXvEQo9dfEORRAgnIlY1:2oTv8lXhuT9XvEhdfEmwlY1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnphoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johggfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampaho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilibdmgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamamcop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acccdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppaclio.exe

Executes dropped EXE 48 IoCs

pid	Process
3080	Gbpedjnb.exe
2672	Hnlodjpa.exe
4856	Hhdcmp32.exe
960	Hnphoj32.exe
1912	Hbnaeh32.exe
4736	Ilibdmgp.exe
2308	Ipgkjlmg.exe
1172	Ibgdlg32.exe
876	Iamamcop.exe
3092	Jekjcaef.exe
3968	Jaajhb32.exe
2744	Johggfha.exe
1288	Kheekkjl.exe
3880	Kcmfnd32.exe
3200	Kemooo32.exe
3532	Lljdai32.exe
4904	Lcfidb32.exe
4368	Legben32.exe
5044	Lfiokmkc.exe
3312	Mohidbkl.exe
3144	Mlofcf32.exe
1696	Nhegig32.exe
3508	Nqaiecjd.exe
912	Nbebbk32.exe
624	Objkmkjj.exe
4396	Obnehj32.exe
2496	Omfekbdh.exe
1368	Ppikbm32.exe
2800	Pfepdg32.exe
1028	Qppaclio.exe
1128	Qjhbfd32.exe
3976	Acccdj32.exe
4468	Adepji32.exe
4144	Adgmoigj.exe
1416	Ampaho32.exe
1900	Biiobo32.exe
4768	Bpcgpihi.exe
2688	Biklho32.exe
812	Bbdpad32.exe
1440	Bdcmkgmm.exe
4792	Bdeiqgkj.exe
4252	Cajjjk32.exe
1420	Ccmcgcmp.exe
4788	Cancekeo.exe
3244	Cmedjl32.exe
4404	Cmgqpkip.exe
1104	Dphiaffa.exe
2544	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gpdbcaok.dll	Johggfha.exe
File opened for modification	C:\Windows\SysWOW64\Objkmkjj.exe	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Qjhbfd32.exe	Qppaclio.exe
File opened for modification	C:\Windows\SysWOW64\Adgmoigj.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Elekoe32.dll	Biiobo32.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Eccphn32.dll	Gbpedjnb.exe
File opened for modification	C:\Windows\SysWOW64\Jekjcaef.exe	Iamamcop.exe
File created	C:\Windows\SysWOW64\Gbhhqamj.dll	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Cbqfhb32.dll	Lljdai32.exe
File opened for modification	C:\Windows\SysWOW64\Legben32.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Ibgdlg32.exe
File opened for modification	C:\Windows\SysWOW64\Lfiokmkc.exe	Legben32.exe
File opened for modification	C:\Windows\SysWOW64\Adepji32.exe	Acccdj32.exe
File opened for modification	C:\Windows\SysWOW64\Ampaho32.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Deocpk32.dll	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Iamamcop.exe	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Jgbfjmkq.dll	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Fhcbhh32.dll	Qppaclio.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Jggocdgo.dll	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Lcfidb32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Idknpoad.dll	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Gohlkq32.dll	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Hnlodjpa.exe	Gbpedjnb.exe
File created	C:\Windows\SysWOW64\Hbnaeh32.exe	Hnphoj32.exe
File created	C:\Windows\SysWOW64\Jekjcaef.exe	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Kcmfnd32.exe	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Ampaho32.exe
File opened for modification	C:\Windows\SysWOW64\Hnphoj32.exe	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Ilibdmgp.exe	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Aanfno32.dll	Ibgdlg32.exe
File opened for modification	C:\Windows\SysWOW64\Lcfidb32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jaajhb32.exe
File created	C:\Windows\SysWOW64\Lljdai32.exe	Kemooo32.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Bbdpad32.exe	Biklho32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgqpkip.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Egopbhnc.dll	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Pfepdg32.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Mhbacd32.dll	Kemooo32.exe
File created	C:\Windows\SysWOW64\Fldeljei.dll	Lfiokmkc.exe
File created	C:\Windows\SysWOW64\Ampaho32.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Hnphoj32.exe	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Biepfnpi.dll	Ipgkjlmg.exe
File opened for modification	C:\Windows\SysWOW64\Jaajhb32.exe	Jekjcaef.exe
File created	C:\Windows\SysWOW64\Kemooo32.exe	Kcmfnd32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Inclga32.dll	Hnlodjpa.exe
File created	C:\Windows\SysWOW64\Iaejqcdo.dll	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Nqaiecjd.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Cmgqpkip.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4560	2544	WerFault.exe	138

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaodd32.dll"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deocpk32.dll"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Johggfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Legben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilibdmgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilcjbag.dll"	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll"	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejqcdo.dll"	Iamamcop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfiokmkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnphoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbpedjnb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3080	4076	00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 3080	4076	00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 3080	4076	00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe	91
PID 3080 wrote to memory of 2672	3080	Gbpedjnb.exe	92
PID 3080 wrote to memory of 2672	3080	Gbpedjnb.exe	92
PID 3080 wrote to memory of 2672	3080	Gbpedjnb.exe	92
PID 2672 wrote to memory of 4856	2672	Hnlodjpa.exe	93
PID 2672 wrote to memory of 4856	2672	Hnlodjpa.exe	93
PID 2672 wrote to memory of 4856	2672	Hnlodjpa.exe	93
PID 4856 wrote to memory of 960	4856	Hhdcmp32.exe	94
PID 4856 wrote to memory of 960	4856	Hhdcmp32.exe	94
PID 4856 wrote to memory of 960	4856	Hhdcmp32.exe	94
PID 960 wrote to memory of 1912	960	Hnphoj32.exe	95
PID 960 wrote to memory of 1912	960	Hnphoj32.exe	95
PID 960 wrote to memory of 1912	960	Hnphoj32.exe	95
PID 1912 wrote to memory of 4736	1912	Hbnaeh32.exe	96
PID 1912 wrote to memory of 4736	1912	Hbnaeh32.exe	96
PID 1912 wrote to memory of 4736	1912	Hbnaeh32.exe	96
PID 4736 wrote to memory of 2308	4736	Ilibdmgp.exe	97
PID 4736 wrote to memory of 2308	4736	Ilibdmgp.exe	97
PID 4736 wrote to memory of 2308	4736	Ilibdmgp.exe	97
PID 2308 wrote to memory of 1172	2308	Ipgkjlmg.exe	98
PID 2308 wrote to memory of 1172	2308	Ipgkjlmg.exe	98
PID 2308 wrote to memory of 1172	2308	Ipgkjlmg.exe	98
PID 1172 wrote to memory of 876	1172	Ibgdlg32.exe	99
PID 1172 wrote to memory of 876	1172	Ibgdlg32.exe	99
PID 1172 wrote to memory of 876	1172	Ibgdlg32.exe	99
PID 876 wrote to memory of 3092	876	Iamamcop.exe	100
PID 876 wrote to memory of 3092	876	Iamamcop.exe	100
PID 876 wrote to memory of 3092	876	Iamamcop.exe	100
PID 3092 wrote to memory of 3968	3092	Jekjcaef.exe	101
PID 3092 wrote to memory of 3968	3092	Jekjcaef.exe	101
PID 3092 wrote to memory of 3968	3092	Jekjcaef.exe	101
PID 3968 wrote to memory of 2744	3968	Jaajhb32.exe	102
PID 3968 wrote to memory of 2744	3968	Jaajhb32.exe	102
PID 3968 wrote to memory of 2744	3968	Jaajhb32.exe	102
PID 2744 wrote to memory of 1288	2744	Johggfha.exe	103
PID 2744 wrote to memory of 1288	2744	Johggfha.exe	103
PID 2744 wrote to memory of 1288	2744	Johggfha.exe	103
PID 1288 wrote to memory of 3880	1288	Kheekkjl.exe	104
PID 1288 wrote to memory of 3880	1288	Kheekkjl.exe	104
PID 1288 wrote to memory of 3880	1288	Kheekkjl.exe	104
PID 3880 wrote to memory of 3200	3880	Kcmfnd32.exe	105
PID 3880 wrote to memory of 3200	3880	Kcmfnd32.exe	105
PID 3880 wrote to memory of 3200	3880	Kcmfnd32.exe	105
PID 3200 wrote to memory of 3532	3200	Kemooo32.exe	106
PID 3200 wrote to memory of 3532	3200	Kemooo32.exe	106
PID 3200 wrote to memory of 3532	3200	Kemooo32.exe	106
PID 3532 wrote to memory of 4904	3532	Lljdai32.exe	107
PID 3532 wrote to memory of 4904	3532	Lljdai32.exe	107
PID 3532 wrote to memory of 4904	3532	Lljdai32.exe	107
PID 4904 wrote to memory of 4368	4904	Lcfidb32.exe	108
PID 4904 wrote to memory of 4368	4904	Lcfidb32.exe	108
PID 4904 wrote to memory of 4368	4904	Lcfidb32.exe	108
PID 4368 wrote to memory of 5044	4368	Legben32.exe	109
PID 4368 wrote to memory of 5044	4368	Legben32.exe	109
PID 4368 wrote to memory of 5044	4368	Legben32.exe	109
PID 5044 wrote to memory of 3312	5044	Lfiokmkc.exe	110
PID 5044 wrote to memory of 3312	5044	Lfiokmkc.exe	110
PID 5044 wrote to memory of 3312	5044	Lfiokmkc.exe	110
PID 3312 wrote to memory of 3144	3312	Mohidbkl.exe	111
PID 3312 wrote to memory of 3144	3312	Mohidbkl.exe	111
PID 3312 wrote to memory of 3144	3312	Mohidbkl.exe	111
PID 3144 wrote to memory of 1696	3144	Mlofcf32.exe	112

C:\Users\Admin\AppData\Local\Temp\00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a980120b15de23dba5305cd2f1e81b52fca98da6a8495de132c0b4ab39abcc_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\Gbpedjnb.exe
  C:\Windows\system32\Gbpedjnb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\Hnlodjpa.exe
    C:\Windows\system32\Hnlodjpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Hhdcmp32.exe
      C:\Windows\system32\Hhdcmp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        49⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 412
        50⤵
        Program crash
        
        PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544
1⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acccdj32.exe

Filesize
302KB

MD5
28539139974fe1620ae06554da9c772e

SHA1
d64e3e59be4c94a50cd5eafc385a26ebcf8c88a8

SHA256
88a25a9a4f236af24e12d4fd32800dc6ce648ebfd03c1e105e1f73162aecde1b

SHA512
b6dd721a88714b9c4e2437cb95712baf4c7ee034c269492961442429b60472a6634349abe907510e9ee15263b3c45a8fad8146e05fc595618df22df4b7d1b787

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
302KB

MD5
503bdae80b417e0b4b4571ca49724f1b

SHA1
d4e29b3973f29ec5fcbf784c739b45108dc36570

SHA256
068ea07c70d61ffec03f48523f24f0d15cf57ac17d7e01ba80c41182ca80219d

SHA512
66b5241d8fd4e74c2f7aee70e874198b67a1b70666113867f648b2c8c68067f79026f059b57c0c395a7fb3743740c63aeab08d0bde4b55604c4cc11715df08a2

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
302KB

MD5
6f9a4d539e3d7522175a0c318cef1c38

SHA1
d6ad1629d484ff226552ab70cb2cf96213af1004

SHA256
8bf2e7dcccc6f469b8ecf1a9034c9779d68a8d7116aed721ad93f53fbfa8694c

SHA512
2d0b981ea43b3cc77a4ac854e523ae400971fe456e1c189954cfc1470c93606bd7f2e0d5283eaf25049692828be3e9867f0d972d541c5943bf68cb92821af114

Download Submit
C:\Windows\SysWOW64\Gbpedjnb.exe

Filesize
302KB

MD5
661533dc497e94af846cf93d83affe3c

SHA1
65f0fd0066dd0d42fb2bd4dcc08c6a7723047fe4

SHA256
fd4c1c819f4be508817700fb8500fcea09a7b93d181467cb855cf5cb50f1f683

SHA512
47f4a6302b4315659d42ee296a4a17b7c4e0d399f0446bf1794b14e2a737c67a45e5ff622f9b54b584136111c4d58fb9fa941fffd14b98d0dca21eb546a38741

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
302KB

MD5
9dc77ef088b296c7477b13908a9196a0

SHA1
af56580d8b1464700623387f7cd53d4a6cb5c0c7

SHA256
c04c0b9d30dc2fb9ad1ae797c1d953c10c2b131e2721f9fc209b93246ca04e2a

SHA512
29d34e5f4aef33c4540ac7bfafe028110aad49a3cd6edad19bcf3d1646d302f19c081d335af6137c925255b5eb090654f19b8e556ba42012913ece518d876913

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
302KB

MD5
e2bf7cb4462182e602ca7e947503f792

SHA1
db52a83a6fe3349fba1de0a096cfe299bf982144

SHA256
408f74ae33d342baa4ff885d722504f28c339e3562d11e8cadb073e8b81a35bf

SHA512
79a1fd6eec31c543278ccab8400c7361ab2cad0f20e14ca97d67f1294fff91376eab03e9b1936e3b3d6a5209cac82367d58659cfc1be7a93303119933b7d3a33

Download Submit
C:\Windows\SysWOW64\Hnlodjpa.exe

Filesize
302KB

MD5
ae6b2dba2e4957fef0064c2f805ef45d

SHA1
b922e9c4ccbb89cc0197e4f9d134c8eca3d90882

SHA256
7df0593f1a038148bc0b61dc296a282bb8be62065d77e5e8aad82769506fba37

SHA512
fc4d69e2f4d4baf3ae15273b16e6f4a02cd3375333a63ff45e90d488ff12c789157ac27be51d228fae7c5a6eb5033db535ab020cf639cb178605f0f49c3ede75

Download Submit
C:\Windows\SysWOW64\Hnphoj32.exe

Filesize
302KB

MD5
1bbaf02eae7a5f4f50a3384af149e7a3

SHA1
f9f84154b59f256fa5c5d964083fbf21c5bda8bc

SHA256
2de3e8431d074fc98cc4dbb9f1451ecb9b50f4fc1a41041c25c72feb2f0cb09c

SHA512
696719265f62374732375de67117a32f5d5a2d75ff01aac3b241404a2096d3d56c30033339b0f2fa78c5fa127869ebd1158e86608fa14018866f405e925b80ce

Download Submit
C:\Windows\SysWOW64\Iamamcop.exe

Filesize
302KB

MD5
f04cc16aff48a2c4f298e5dcef0be5a9

SHA1
d4be9d8330e1918cdaf47204b4f0dd8acd4b3657

SHA256
afd7e2e90a82a9d3b41a6c69db3ea01113a594a19b84850573f98918052d8c69

SHA512
4295df1f9216236fc11f4009e768ba6462dccceb682ccf7d73de6dad71efe3e9bc58ac5ebf89a39542c7bdf130609473ae78de927e8f1434d231e6405c01c1c3

Download Submit
C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
302KB

MD5
5fa4cca0feae030c85eaef5e0593b253

SHA1
d23e09ac3420f69f560be5df6d6352124a82fd3c

SHA256
4cc93b207beccf35d4a1d5cff1afa481ca21a03065d8287c9dc0433a6e7317f3

SHA512
3ee17d339f01cb3ee000da96e32ee68828f7773918b25db0ff45c4deb6213957b2f1154ac9875de0ae4f3d18d4ee6dc9912ab737037ceb9a38c9b1494753677d

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
302KB

MD5
66988fa6e6a3106818b4b1f9460ba822

SHA1
ec98e9d150313367a8d6396a047e8878e1adf7f8

SHA256
65dda2b1b8b142361af6ad31a97cbe5e27ec3ef5adacd1013be495f1c33bee66

SHA512
63a66c9b2ce746f97d6b95d1ed7cb4fda6906925b92b482f64c14d32d05e8d6a8de3ec1681a521a22b49a898702a5b345dc8111cc5c54c8d34291e9bc7c1d5c0

Download Submit
C:\Windows\SysWOW64\Ipgkjlmg.exe

Filesize
302KB

MD5
0856dc7b5e8c175c86c226ed5b565285

SHA1
e1ee3f4bce3c87b31d7b4dfd949f06fc29619d34

SHA256
b64ce02a1136b9e7d6c2dae5221c5b8f8a47a3315706cc3efb314b55294b8ae1

SHA512
cc639b25ad6aa393fd75a22cf0dcc4b7a54a6342599c3f764450e2ac56cc46ddf6c2aba5d8a5ed4d34cc32dd1761502ba488127ec487926777c129665e7b0548

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
302KB

MD5
611dd252c7a3d5adfd14113ad7259db9

SHA1
d3b67cbfa8a637e59e1924804404ae6e2a0a5fcf

SHA256
bf8689d7778567e570ca3fbb2ab7da123c122e5a08363a5de221665fafbc8786

SHA512
2ffb78499716de2c5fce7df82eec5ec994aee322c6daad9f96376769ce518ff53bb2d66bb1e1f6f7486e019f1060f2d3eafbf49d444827891f2a818bc582acde

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
302KB

MD5
ed6ef888857cc0ead89f8d2f486f2c5d

SHA1
cea3ceb019eab533606c7976862077476705ef9d

SHA256
f7a9c86bf854bba1edaf8cd0faaac8c28cd9bfc834a2707b8762b5ecd0151bee

SHA512
e2becdd52e0d1ebd35cc442b72c27c91a98eb8a0615f9956d53b335db30143a09814646ffc56ce46571f310ca6f4cbb1c2fee66d27385817b0d035fbb7e0af03

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
302KB

MD5
06e9a14b94e75f6b3f212b4409f1f52b

SHA1
8909cd1c2fcd45a35627ced9b1680d4aae133dc5

SHA256
f8909abb5ff26e6b4a15026b856f5a1f8181452cd2761be17629fbc85debf4ce

SHA512
1abd629006ab5c3416041e17451b292f89befd535ce5cf2fa8ca43fdfd7aac3d0a789bcfb8854e625f00d9a1ee960c62a029b12318d7ef67803a85e94dafad0a

Download Submit
C:\Windows\SysWOW64\Kcmfnd32.exe

Filesize
302KB

MD5
83bd9b67d8bd5ec2f47989331f9776a4

SHA1
4ea9e0a188686b447c617eede23faab727ab254c

SHA256
c1725137248b609a0a58d3a649a6c7853fdc9261dd3ed2d51a9f316c1860cfbd

SHA512
ebefc5d3ef0618e0380c9f72ccbfd861319a0b03db01af9aca626d4c3f2e2bd2464254df321b0853763c3c733a7b95748edc5bde30bcb986e008d02d5777062f

Download Submit
C:\Windows\SysWOW64\Kemooo32.exe

Filesize
302KB

MD5
af4a33b6d64479bed9ba65b87452e526

SHA1
391e169909061378261a8d0546a67b78b5a13329

SHA256
53f0af017611c5cab3c1fa71d80e68a451d376be918497f1c0adb0f3bbdc1941

SHA512
d9b1e729fa4d5500d34e8bbdf7f923b9f6098d303125d2bf7710d81b26f40285d9bdd3e15d37f2f4f2df45d45faeed3bad2375570209884aa9f4d423835bb64c

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
302KB

MD5
fb0812ef05e0b87409f41f88efd44423

SHA1
ca02aa45aa0eb3c16c1ad4f1dc541d09691616e4

SHA256
da4ca9896551851be291f79935b08a11800b8dda7faab0ff6735a6dd0eb83da6

SHA512
30eb2ea83598622ebba03b56cb3ba8f9e5a39d946cdbb057298e957b278839883be563f3ea9fc4a845229ee6e4d8b15e93d046c726c2304efead4b617a634755

Download Submit
C:\Windows\SysWOW64\Lcfidb32.exe

Filesize
302KB

MD5
3305173d3cdb4327c5d76515701c59c1

SHA1
d0be08ba27e005724fe53eaf2f0932e6b9373f4e

SHA256
26f0e53a0a61806c39ad955d39b20a7d81ea15ef1f44b788cffafb34cb990bd5

SHA512
3adb038fee8623830743266c4621fc1556f868930474d7e89f2bd3bfe8351de3d58fb0a8bdde5fee62e3f79e80c7d7452505724d7580bac0f5220b8cd9edc596

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
302KB

MD5
aaef36a8403dc03ca4237d119d28578b

SHA1
d6836afe821d7600d50084d239a365d67af384ca

SHA256
76f5eb036c9fed9f3b2892140e3a0616652d62236e1bc90a16b097a86313a61e

SHA512
d3fafbbf80da8d7099f23dff2cd5262a2e7701a7e42807370ccacded83edda47b9a7c35f4c0f039864170d5d7e33a1e8dce4eff2dab4ce719c40812b11f4b098

Download Submit
C:\Windows\SysWOW64\Lfiokmkc.exe

Filesize
302KB

MD5
859e6b930143b5c9b8002b6d8fb4d6c7

SHA1
2db2bc49ba3a341eb43ea7af5afd17556c4689ea

SHA256
c3e66cc4e9f3d1657f98696850badaf81df9ad8f6a24d5aac89901385fa0c7e4

SHA512
8e4a17a6f8efcb0c8ce1ac95ffdf4bd4113b9e5cae4616afb3b14c083cdf7f861d7a22f16d5d64b808c3da7233b884183c7ec6c3f36c9b3edb32e6d08feb7ee1

Download Submit
C:\Windows\SysWOW64\Lljdai32.exe

Filesize
302KB

MD5
a342e4227b8dd661b97f55d72e4cc0cf

SHA1
0fad6131be0fd8b942e1bef6bbb92ea0176bab17

SHA256
b170d3884eb998ab2b9f8c6c46dcba48abfd3cd8776c1985b1da49f061ef53c8

SHA512
9657dcfba28aeda20fd30d52ba2061c07fa45868627faca57abce737d25367a2049091aae3fb2bd6bdbb4048d2765808b69e54c6f64403e6075e3332bdc738b6

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
302KB

MD5
5bc0d23a97b8f9aae1656ef939b617e6

SHA1
2ff2ccd87319236eed9c90db606045d22c785926

SHA256
0505a54e6ba2ad3b4970265736ac5b442210857cfa180eb732c10fe3a63af14c

SHA512
4502d7edf9731bc1a6da174edbd49954810738ef0e5e2412f80b3aa26b8439e3e3ee6d9114e36a169e6cf0ce0cbd3aacc7bbe0c9bb6d4f5bd6d4399b4c79bc9d

Download Submit
C:\Windows\SysWOW64\Mohidbkl.exe

Filesize
302KB

MD5
b982d9a3b4d635da1d65f715ca7897b0

SHA1
831cf71d1f33090c05f0eef384d205c5acfe7087

SHA256
1b737cb7aa8b320f39ab62885c3cf6218b921af73c881020e417443e6ce9f77a

SHA512
b4fbc21274d624eeb0a11038cb8d31240cc68fa412ceb8eaedc5eb523a2add7a62597712d9236b0d03a55fda0266a5c8e8339a4c88fddf786c7036f4ad626301

Download Submit
C:\Windows\SysWOW64\Nbebbk32.exe

Filesize
302KB

MD5
93de7e12cdac68dcd3348d34a805b6ef

SHA1
df5d6ceeeb53268f4d3cd502ed6fc7581e9b7d3c

SHA256
c1e8dd5843b54549c9b9f05f0e83f02995e96e848aa5e66d8a8ff1b421d1d166

SHA512
4bf7691f5722e6a3b1ba3e476dfb12e02483f05a42c904d5a3c1183ab2c8154b1df2168c9f061ea14908408b10de039cf5cd7e233c6f046b77559e4ddc6025ca

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
302KB

MD5
cc9a2e655302368fddcc6844dd5b6638

SHA1
1032e48ae44ee0a18dd2a449ca950a955e8ed5ba

SHA256
5e5a09757e9535e03fb36d211201d9a55fe4a24baac3be14605449c47c0a0346

SHA512
6774e75cf2e2eebf29888cccc3f73dbb36895401c9379863ad49348337282a99867304dc30cbd27049690129d040fde4a02d41d9c8506cdaf57067a87e289f5c

Download Submit
C:\Windows\SysWOW64\Nqaiecjd.exe

Filesize
302KB

MD5
643b2b99da58f1f92c7c5334e493d440

SHA1
b5ccfa377d0c302e6f89f85fceb48fbf0ace2808

SHA256
9377f825696d6a23ad0be9412f87ac6fa041b845cf2d364c6010feaa915a3a21

SHA512
365953e66fd735c41f278884bfe9a7aa2322f701fd4c0920232ce2aa98977193b26b89611449e1ca516f2274fd42b2cd56985453f105665248a8122b9da2f94c

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
302KB

MD5
4194009fbcc0665f5ed795ebfa1187f2

SHA1
b8d40859be5311158e54de7d58c5a3a838614c5b

SHA256
b0ea0b9de15b2952237a347b5974a29277ed128a8b50259e0c705b46adc0c48c

SHA512
f30a5d6fb374e11add1c59128f832612bb0f15ee65f378a008ff8a25f5c81f248d3a08c8a93a71328bc3760c6447033fa7eb01b80af42ec6482ce08a0617cf09

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
302KB

MD5
83aab16e298d6d6cb1771b1637750a81

SHA1
445ff534a20a8cf80c821cc1435b897f5225a793

SHA256
034a4f476273af52a9445a6f7b10c0dd6de4872b0dbf68cebc21d22e2db75982

SHA512
bca267ae3e03b855ebbb4b3534e53fd039f40bedb2073426158d6c7de0a69cb690585b7cf6a39950e33c67ac00832ecae2dc70b0cfe9d32b5fe6dad3e0ff46af

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
302KB

MD5
6c37a746699d71d6bb55f9a4c5194e7a

SHA1
8cb6c96a62c2a7cebcc5a89384e538ce657ffbef

SHA256
1774a294ab0938e95123d4e9ffcb0e4be92fc5d1eeffa0b842fe43d717fe9ab9

SHA512
16f604e927bca8c34cd6b47571ba36c3f2a008ff286d3549e4d5b0143710e57bf76fd7de1878e07749f2e6b5748e1733011710267ed63cfe7f2f12477d8dd904

Download Submit
C:\Windows\SysWOW64\Panlem32.dll

Filesize
7KB

MD5
165eeebfcaac866f5f1aaf11483f9580

SHA1
cc3417f8e881efa41b00bd7fcc00519903de50bf

SHA256
35671409d57b75302919194586337cc8583d2e84d0a0d366864d6eb50aa8e2b0

SHA512
954efc27d30891f80beae3247051ec3392acdc8edb39e04fc844b710806ff33b6289d5eb08dc6ab2ec2c272f4f87484c698b4a25684a10faccb48cc5859319a0

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
302KB

MD5
34e04c427e92899dc79df36fc20e75d0

SHA1
6e3830ab2d81315fed71d36ab3c8e5a742f0f922

SHA256
2f5e58b9b5b065e8daed2eede1ef54362d5bb51c5e9c8824ecc3672608a25750

SHA512
3b6b6b0a33dd58a06b9f7be3c86331a2c9820a353f0dcb5b4a78ff8545003ee70b9095c33be2e63733e9a85a51d5b0501333665364b087cdfcee1921d714817d

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
302KB

MD5
530090febcc222dca7fc7228aeee37ef

SHA1
f04ba07c527f1bf791b9f08c5b3eab07db167a4f

SHA256
315327d08db79da4153c7dee242f57480900f349ebeb69795f014564fef8ca8e

SHA512
6b80b22afcd945fa21d1a922dd5087ea5fc4822dfe05b80c2b7a32895afdc2caab77cf2555551392ae826889d41377621288b13b0eff38f38d0068e06ce8933c

Download Submit
C:\Windows\SysWOW64\Qjhbfd32.exe

Filesize
302KB

MD5
d7239ff173451d7a80ba117275389b0c

SHA1
67428c6c3a1431679f83948b7ac38ea82a94db59

SHA256
657646c855e1b0917dc296f2d075e1c304725a7d740a1a97e084a5e024c16933

SHA512
7432500e73b1a2225bbd8848ed23f85fc04bbd7e6d8ae8a007420da1e6778251de628413933dfd16bf4c184a73bfd17cf874f6a79262254a980976c1ce89f6aa

Download Submit
C:\Windows\SysWOW64\Qppaclio.exe

Filesize
302KB

MD5
f24863fa817a6271040a22dd0512aaee

SHA1
868c79aaaff39b5b11f1c1a3ab7962028db7e29a

SHA256
17aca3e68db3a05f73fba23f88bfa568dfabf4c582c3172df93faf176d588097

SHA512
379d6f584acfe3e75a804a56d24be5811c549ff2fbe22cef1459a19e5a18da685eeec665a5e9c424227165a72e7fc400afeede360dde9bc4d407341901a33e2f

Download Submit
memory/624-373-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/624-200-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/812-360-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/812-300-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/876-388-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/876-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/912-374-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/912-191-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/960-31-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/960-393-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1028-240-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1028-367-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1104-350-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1128-247-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1128-366-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1172-389-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1172-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1288-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1288-384-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1368-224-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1368-369-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1416-370-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1416-274-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1420-357-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1420-322-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1440-359-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1440-304-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1696-376-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1696-175-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1900-280-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1900-363-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1912-392-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1912-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2308-390-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2308-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2496-371-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2496-215-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2544-354-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2544-352-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2672-395-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2672-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2688-292-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2688-362-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2744-385-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2744-95-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2800-368-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2800-231-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3080-396-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3080-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3092-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3092-387-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3144-172-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3200-382-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3200-119-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3244-334-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3244-355-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3312-159-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3312-377-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3508-375-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3508-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-381-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-127-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3880-383-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3880-111-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3968-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3968-386-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3976-255-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3976-365-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4076-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4076-397-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4144-273-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4252-358-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4252-316-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4368-379-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4368-144-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4396-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4396-372-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4404-353-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4404-340-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4468-262-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4468-364-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4736-391-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4736-47-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4768-290-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4788-328-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4788-356-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4792-310-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4792-361-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4856-394-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4856-23-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4904-380-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4904-135-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5044-378-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5044-152-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads