078f313beec83892e57332b5a91f18b49c04a7134a44c146602222b5f7f6072a

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe
Size

378KB
MD5

160106d785f36589733d06dfa1ce14c0
SHA1

5ed196f86ee81ddaffd111e3d68b02ab6f1d664a
SHA256

078f313beec83892e57332b5a91f18b49c04a7134a44c146602222b5f7f6072a
SHA512

95069e0b3dd19a61c010288fbb36aacdcff2a354d10bed8c7fc9bd52e6ffe266a57a9f491ac3c578bf820c6e38753c2a034a8a47e96891b7287c47990a068fbc
SSDEEP

6144:MNRBH1oprtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAMR4/5V0lLn+Q:IBmRMsEat9pG4l+0K7WHT91M52vVAMqa

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe

Malware Dropper & Backdoor - Berbew 40 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000700000002328e-7.dat	family_berbew
behavioral2/files/0x00080000000233f9-15.dat	family_berbew
behavioral2/files/0x00070000000233fb-23.dat	family_berbew
behavioral2/files/0x00070000000233fd-31.dat	family_berbew
behavioral2/files/0x00070000000233ff-40.dat	family_berbew
behavioral2/files/0x0007000000023401-47.dat	family_berbew
behavioral2/files/0x0007000000023403-56.dat	family_berbew
behavioral2/files/0x0007000000023405-64.dat	family_berbew
behavioral2/files/0x0007000000023407-71.dat	family_berbew
behavioral2/files/0x0007000000023409-78.dat	family_berbew
behavioral2/files/0x0007000000023411-106.dat	family_berbew
behavioral2/files/0x0007000000023415-120.dat	family_berbew
behavioral2/files/0x0007000000023419-134.dat	family_berbew
behavioral2/files/0x0007000000023423-169.dat	family_berbew
behavioral2/files/0x0007000000023427-183.dat	family_berbew
behavioral2/files/0x000700000002342d-204.dat	family_berbew
behavioral2/files/0x0007000000023435-232.dat	family_berbew
behavioral2/files/0x0007000000023433-225.dat	family_berbew
behavioral2/files/0x0007000000023431-218.dat	family_berbew
behavioral2/files/0x000700000002342f-211.dat	family_berbew
behavioral2/files/0x000700000002342b-197.dat	family_berbew
behavioral2/files/0x0007000000023429-190.dat	family_berbew
behavioral2/files/0x0007000000023425-176.dat	family_berbew
behavioral2/files/0x0007000000023421-162.dat	family_berbew
behavioral2/files/0x000700000002341f-155.dat	family_berbew
behavioral2/files/0x000700000002341d-148.dat	family_berbew
behavioral2/files/0x000700000002341b-141.dat	family_berbew
behavioral2/files/0x0007000000023417-127.dat	family_berbew
behavioral2/files/0x0007000000023413-113.dat	family_berbew
behavioral2/files/0x000700000002340f-99.dat	family_berbew
behavioral2/files/0x000700000002340d-92.dat	family_berbew
behavioral2/files/0x000700000002340b-85.dat	family_berbew
behavioral2/files/0x00070000000234ec-804.dat	family_berbew
behavioral2/files/0x00070000000234f2-822.dat	family_berbew
behavioral2/files/0x0007000000023500-864.dat	family_berbew
behavioral2/files/0x0007000000023508-888.dat	family_berbew
behavioral2/files/0x000800000002350d-906.dat	family_berbew
behavioral2/files/0x0007000000023519-936.dat	family_berbew
behavioral2/files/0x0007000000023536-1026.dat	family_berbew
behavioral2/files/0x0007000000023540-1056.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1388	Gqdbiofi.exe
1416	Gfqjafdq.exe
1996	Goiojk32.exe
740	Gjocgdkg.exe
1504	Gmmocpjk.exe
4340	Gqikdn32.exe
4692	Gbjhlfhb.exe
2612	Gfedle32.exe
2104	Gidphq32.exe
2968	Gmoliohh.exe
2260	Gqkhjn32.exe
3176	Gcidfi32.exe
2568	Gbldaffp.exe
3328	Gfhqbe32.exe
1612	Gjclbc32.exe
3992	Gmaioo32.exe
1692	Gameonno.exe
2548	Gppekj32.exe
3204	Hboagf32.exe
3616	Hfjmgdlf.exe
3136	Hjfihc32.exe
1456	Hihicplj.exe
4856	Hapaemll.exe
3876	Hpbaqj32.exe
2948	Hcnnaikp.exe
1032	Hbanme32.exe
3628	Hjhfnccl.exe
2976	Hikfip32.exe
3292	Hmfbjnbp.exe
2584	Habnjm32.exe
3780	Hpenfjad.exe
3724	Hbckbepg.exe
2276	Hjjbcbqj.exe
4776	Himcoo32.exe
2624	Hmioonpn.exe
1108	Hadkpm32.exe
1780	Hpgkkioa.exe
2924	Hbeghene.exe
2796	Hfachc32.exe
4556	Hjmoibog.exe
1888	Hmklen32.exe
1648	Haggelfd.exe
4100	Hpihai32.exe
1204	Hcedaheh.exe
1064	Hfcpncdk.exe
3964	Hjolnb32.exe
2952	Hibljoco.exe
932	Hmmhjm32.exe
2348	Haidklda.exe
3016	Ipldfi32.exe
1704	Ibjqcd32.exe
3000	Iffmccbi.exe
4504	Ijaida32.exe
5068	Iidipnal.exe
3604	Iakaql32.exe
3580	Ipnalhii.exe
4336	Icjmmg32.exe
2144	Ibmmhdhm.exe
1724	Ijdeiaio.exe
2692	Iiffen32.exe
3264	Imbaemhc.exe
2636	Ipqnahgf.exe
2176	Icljbg32.exe
3620	Ifjfnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6156	4240	WerFault.exe	249

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1388	872	160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe	81
PID 872 wrote to memory of 1388	872	160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe	81
PID 872 wrote to memory of 1388	872	160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe	81
PID 1388 wrote to memory of 1416	1388	Gqdbiofi.exe	82
PID 1388 wrote to memory of 1416	1388	Gqdbiofi.exe	82
PID 1388 wrote to memory of 1416	1388	Gqdbiofi.exe	82
PID 1416 wrote to memory of 1996	1416	Gfqjafdq.exe	84
PID 1416 wrote to memory of 1996	1416	Gfqjafdq.exe	84
PID 1416 wrote to memory of 1996	1416	Gfqjafdq.exe	84
PID 1996 wrote to memory of 740	1996	Goiojk32.exe	86
PID 1996 wrote to memory of 740	1996	Goiojk32.exe	86
PID 1996 wrote to memory of 740	1996	Goiojk32.exe	86
PID 740 wrote to memory of 1504	740	Gjocgdkg.exe	87
PID 740 wrote to memory of 1504	740	Gjocgdkg.exe	87
PID 740 wrote to memory of 1504	740	Gjocgdkg.exe	87
PID 1504 wrote to memory of 4340	1504	Gmmocpjk.exe	88
PID 1504 wrote to memory of 4340	1504	Gmmocpjk.exe	88
PID 1504 wrote to memory of 4340	1504	Gmmocpjk.exe	88
PID 4340 wrote to memory of 4692	4340	Gqikdn32.exe	89
PID 4340 wrote to memory of 4692	4340	Gqikdn32.exe	89
PID 4340 wrote to memory of 4692	4340	Gqikdn32.exe	89
PID 4692 wrote to memory of 2612	4692	Gbjhlfhb.exe	90
PID 4692 wrote to memory of 2612	4692	Gbjhlfhb.exe	90
PID 4692 wrote to memory of 2612	4692	Gbjhlfhb.exe	90
PID 2612 wrote to memory of 2104	2612	Gfedle32.exe	91
PID 2612 wrote to memory of 2104	2612	Gfedle32.exe	91
PID 2612 wrote to memory of 2104	2612	Gfedle32.exe	91
PID 2104 wrote to memory of 2968	2104	Gidphq32.exe	92
PID 2104 wrote to memory of 2968	2104	Gidphq32.exe	92
PID 2104 wrote to memory of 2968	2104	Gidphq32.exe	92
PID 2968 wrote to memory of 2260	2968	Gmoliohh.exe	93
PID 2968 wrote to memory of 2260	2968	Gmoliohh.exe	93
PID 2968 wrote to memory of 2260	2968	Gmoliohh.exe	93
PID 2260 wrote to memory of 3176	2260	Gqkhjn32.exe	94
PID 2260 wrote to memory of 3176	2260	Gqkhjn32.exe	94
PID 2260 wrote to memory of 3176	2260	Gqkhjn32.exe	94
PID 3176 wrote to memory of 2568	3176	Gcidfi32.exe	95
PID 3176 wrote to memory of 2568	3176	Gcidfi32.exe	95
PID 3176 wrote to memory of 2568	3176	Gcidfi32.exe	95
PID 2568 wrote to memory of 3328	2568	Gbldaffp.exe	96
PID 2568 wrote to memory of 3328	2568	Gbldaffp.exe	96
PID 2568 wrote to memory of 3328	2568	Gbldaffp.exe	96
PID 3328 wrote to memory of 1612	3328	Gfhqbe32.exe	97
PID 3328 wrote to memory of 1612	3328	Gfhqbe32.exe	97
PID 3328 wrote to memory of 1612	3328	Gfhqbe32.exe	97
PID 1612 wrote to memory of 3992	1612	Gjclbc32.exe	98
PID 1612 wrote to memory of 3992	1612	Gjclbc32.exe	98
PID 1612 wrote to memory of 3992	1612	Gjclbc32.exe	98
PID 3992 wrote to memory of 1692	3992	Gmaioo32.exe	99
PID 3992 wrote to memory of 1692	3992	Gmaioo32.exe	99
PID 3992 wrote to memory of 1692	3992	Gmaioo32.exe	99
PID 1692 wrote to memory of 2548	1692	Gameonno.exe	100
PID 1692 wrote to memory of 2548	1692	Gameonno.exe	100
PID 1692 wrote to memory of 2548	1692	Gameonno.exe	100
PID 2548 wrote to memory of 3204	2548	Gppekj32.exe	101
PID 2548 wrote to memory of 3204	2548	Gppekj32.exe	101
PID 2548 wrote to memory of 3204	2548	Gppekj32.exe	101
PID 3204 wrote to memory of 3616	3204	Hboagf32.exe	102
PID 3204 wrote to memory of 3616	3204	Hboagf32.exe	102
PID 3204 wrote to memory of 3616	3204	Hboagf32.exe	102
PID 3616 wrote to memory of 3136	3616	Hfjmgdlf.exe	103
PID 3616 wrote to memory of 3136	3616	Hfjmgdlf.exe	103
PID 3616 wrote to memory of 3136	3616	Hfjmgdlf.exe	103
PID 3136 wrote to memory of 1456	3136	Hjfihc32.exe	104

C:\Users\Admin\AppData\Local\Temp\160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\160106d785f36589733d06dfa1ce14c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\Gqdbiofi.exe
  C:\Windows\system32\Gqdbiofi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\Gfqjafdq.exe
    C:\Windows\system32\Gfqjafdq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\Goiojk32.exe
      C:\Windows\system32\Goiojk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        28⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        31⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        35⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        38⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        49⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        50⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        54⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        55⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        56⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        66⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        67⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3432
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        69⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1448
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        71⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        73⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        74⤵
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1004
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4500
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        79⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        80⤵
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        81⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        83⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:620
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        87⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        89⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        91⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        92⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        93⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        96⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        97⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        101⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        103⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        105⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        107⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        108⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        109⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        110⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4732
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        114⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        115⤵
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        116⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        117⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        119⤵
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        120⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3840
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        122⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        123⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        124⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        125⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        126⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        128⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        129⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        130⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        132⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        134⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1524
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        137⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        138⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        140⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        141⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        142⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        143⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        144⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        145⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        146⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        147⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1276
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        151⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        153⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        154⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        155⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        159⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        160⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        162⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        164⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        165⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        166⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        167⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 400
        168⤵
        Program crash
        
        PID:6156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240
1⤵
PID:5272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
378KB

MD5
24fb48c28e40f2ff7cf30847c966cd7c

SHA1
e66523fb19b632d70ab48feed4670608e4c836da

SHA256
1535d35d5f04d7fa65bc4fd69a9b07080c127f830cb12b2eadce34c22b913b5d

SHA512
9073e6538811b1545db5d3f5e4838d90fd8cfa6e794ea7155a493d26427ada78098401fcd7db6ec7e56e721aef64eba115f12ccf224210e9266e626ccf5195a7

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
378KB

MD5
637701869e2b46563df507202cee6c17

SHA1
fd3acac6cff3a6d162de4a6582f2c1b73c19c8e4

SHA256
c53b64d81ff5a377fa76721ce95afc076005d3b384b97cd389687c2d9e2a27e2

SHA512
b81dab3f8b545974ce58cd03c3f2d91444740e26075a1d2377c8d77112b8f35df4be84e640d4485840cc3c8a9ec7d89c2454a9b4913288b4ae785d1564c7b9ce

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
378KB

MD5
3a6f70c78df084faa00012abb17df43a

SHA1
23e86b9fb220e517540916e1729b26416f292fc7

SHA256
fef6012be1b5c74968794467b4b0b4ab8fb1a789fe8d5b077c1e9138483a703c

SHA512
469a6c184dd165ba07f7f2692bae98b88e776ce2a7e927da7b42c5154a2b6096d529af8a0d195b1e5713e2429bde32a7c4882f2f07df308c375f848283d7780d

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
378KB

MD5
a8fe142619cafa1cbdbab7b4cd819bb9

SHA1
d8c3901cac388fdae2dc76606fef9319d13ef25a

SHA256
228740f8232b0b08c054b6dced96f5386b3ab1bf0790679eecac3c113dca87da

SHA512
b439df8bf67bee95495fec43ed9359416b08e54974c52d356d8bc335548fb9ea0e3f2736166670ef1c9b5faa94459cec8ae65c8bf5aad7723687e11878708ff7

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
378KB

MD5
0c0c8fea00c4ec3787d8f89d9c6570f7

SHA1
23b89312022a1a6742526893322f845a5e076668

SHA256
34fd5446475498c9b860b7a41debba7d93f3914834dcbb454c6e1dfd0f3f3513

SHA512
3b19a6210dcaf66fa960556c00a54baf5e634179017cda99d384a6b02d84932344109bc15222a899744d08f6103812943b7ea7b1cb189594672d29b777846a37

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
378KB

MD5
74de55ef24371aee955cabd72a9ea8e5

SHA1
bfc034f0f6c3e697cce5e47e169f6d325aaae3dd

SHA256
e2dcb1c32b43ff29df6e45fed20cdfd01731c866f1374b12019504eda29fd0cc

SHA512
7aedbe3c7a508a1163504f40bff246a186360f96644492fc35fd86fcc68add77efd32225161d8642f43e89d25cf4d3f1beb8230b48ed917d05f68385b596d5ab

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
378KB

MD5
3d6d17f50b6361120d4d908cf0e740e3

SHA1
07ea6cca828c49caf1c173a24014928455040967

SHA256
8695aeecb85c4ee83def2c79d8104a6468d6568672cc65775315dc7a40cd955d

SHA512
948680a910e40579024d2e10cc587deca5798468062e2fc3bdbfb9b48da93bf97ff087f573b9cf95252cbbef68e3fec13bca1115129affe1ee9271d8f9edd153

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
378KB

MD5
3ad6973ffd99009c62d7d0db9ee87b52

SHA1
2cb81cb1042cc6a9581bee3d7d5007342dd40a55

SHA256
5be38090f22de8aebbd0811096556476db99651dae6eba581785c3d89f9c403b

SHA512
5f57c5d71fc9c8396479c38cbe6e88e6398608e795d94f163c945c550e761568012193891c93bde2ab39843c9293649fc7c3e98d791af0120cffefe252360d04

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
378KB

MD5
b29f442fcbdee3e77414f60297fdabb4

SHA1
ce546102471f154173ae448315b8fe4789935621

SHA256
326bdd47a4f5ba39b6d3c66e6bf2f87ada18fa5889374b646f865fbe12b73465

SHA512
f0bec781f80d076807afa96e7a33eb650a202cb000f11a68b7952f5cca02227bd349e3460bcab9aedda14758b5d22ca2792aca2daa43956f032e430e326d2f4b

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
378KB

MD5
6de1281e98ade183736625e411231236

SHA1
f49540bacb372c76ef2ed7f2ff740981f21f85eb

SHA256
ca04797f84d2c2bbe478f27167933ff5777b8893d3e3d7f780bf4a3cc8b977f2

SHA512
86cc8f65605ef6077d91e036b7388a929e28d788e2bd961c71be584aeb539927224591a85eb580e4fda8eca823e8970695556f2a86a1ed9ff8d849d236a065bc

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
378KB

MD5
2221c05135812505a35f9cb2c607fdf9

SHA1
b175343856b99e1e90e6a425f320bc6d24bce019

SHA256
c539846359465d5e7ad0a27efe01bea283ec1f9ee26a4b11acf45e7c93324209

SHA512
882b18c999368602b196155a5f8f2e3075c9c49fa69284623ea9138bfa642158256fe230a264d06da599dffe0c47905b99d4654bcf672bac04872254c2cccb9d

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
378KB

MD5
5cbe06e67d2ae38f88a6ee8711ec4402

SHA1
5be09d54fb9d82c82a5d2af056300612592416b1

SHA256
8a2b5ef036907c0766ba3b946030e6fc959c16f44301bdfad8d01e8b3e8056ca

SHA512
3e7877a510939fc889bddacddeb9b0981dd6590924fefcec4daa61c43a96a6d20ec2337d83fc9110cbad0fdc44ff501378efc82c640bbdf78ec5f12ed09e3955

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
378KB

MD5
faa055dc1c21349933f9a9da2d4612c6

SHA1
5d2618b708bad5e5260b608ab4a502c08a59b8d0

SHA256
4802fd50928ce7ef498a1881862d593143b1e27ef0f2ae9a1980bd7a964e9cc9

SHA512
512e64501a3846536ca08ae1d5cd8cb6d78cdaec2d036f770015587da2f5a741a168699847266bae91d0e65e4136714e51877d0c4b40370d8a4cc9689e0eea3d

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
378KB

MD5
26c6b98ef5809c63a8c6bec959d38228

SHA1
1c6e169c49ab956ea701f41936232bcd5575f09b

SHA256
d6eea8df7d0b2c1b5c35518e72f17452ad847995d4d5d5611a14d835401a0c89

SHA512
8f25f61a8d1b138d16ecc61f80109a46818dd35bd35db72b6a3cfdf6eb4275beefa15214ec99e7a57f55b3b1dc556e6a83ad17b7fcab50a95ba6c84fc2e742fa

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
378KB

MD5
d176d2293cd615b579d0c60a7367e333

SHA1
ff14ee0e0b31c20d3270b3ab97044e3e3459e0ed

SHA256
988c2c04e5f2d4e565f40debd2f4b7a1bd2ddcdf57f429e682c613b28f10f5e7

SHA512
5a49d9e4b1b7ef698988c423ce2f0c9a19a5f43555092446df24a83b628d4f9f68fa6d946e01adb2f19144843106e3707509c3a399ef84745c4b273fceb97400

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
378KB

MD5
4ec7892dce545d403138de79ecea8f92

SHA1
0777ab91d67b71d773949cf4b53281250a358cfd

SHA256
26f3506460f6337cdb0d0d01a9fa2638735fdc32c427351953436e6583320ae3

SHA512
c023760d076e4e2f35757e310855a49b935e7300565916f2db39289fae4b5bdf1737796fc806551d8d2fde86fc914236a701f1c9e2efc8dd9b48e805fa3cda13

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
378KB

MD5
34555ac880c8eb154545b35ad466b49b

SHA1
3556354244a59027f55227d0ae51bb0b27f2b7a5

SHA256
0350d34e3da5ff5cf07f5ae28719a505a0abf735f02373ed6352394d8bddfbd3

SHA512
75ce3c77207ac92420f0cd43d21010e6a6998ae4b897067811a1f51efb83b337cf616dff455198fc260925cf3fce299dae709546fe27189ba15e02a2cecdc280

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
378KB

MD5
77b22fba187d968d8a24fa02d7f8d96f

SHA1
57cec89573dd22678edfd07f3534c1982fc58409

SHA256
4710ee95f908fbf9e67eb65a97c337e20dd503a7fc4bbb73f8337b00ac415e9f

SHA512
7b114146ee5ca068e14f28fd041226f68aa235d498db071e4eb03a5eb887ea4ebe77147127fbc9063d43496e196ecac18892275c465e910d445d06fdb26e5d96

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
378KB

MD5
aa999c5873f007327255f63061d35686

SHA1
3dfbf04eecc3852ed681936a2eb1927de709522f

SHA256
d143a521527d3a12840730b55675e5a651ad1c77b30c209d680526ab55b66761

SHA512
ea947a6485921df3e72c66ba6db443be9f44e2eb861289e8f6da4ab94db024c554d08664380201c420d89d84b1ca1a6fc74504f7d833dd093a50944e284d64ba

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
378KB

MD5
e04fd776a42f62f97f58ffacd2768b27

SHA1
4cd783d402dc3235b514cfbaa934e12a06f08966

SHA256
a2fe24bc2e1a92493723031814a72b15bf29afc19e08d1265ed9c84f92a6899f

SHA512
197f67c7c89c7cab6a4ca40b30003d7391736d39a124c3c4d072201775c781915e6d854f9a3a3cc4311dd63853370fe414e06f464d21190498d069d9ed2730de

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
378KB

MD5
7a12d5dd1a0e862778862dbaa7b47e93

SHA1
e09a3bf14573e65cdae4dd4530666ec599a931d2

SHA256
a4a92742c51e9e1109f2f4771a7da1b5fc618857590b6e114baa2e1b124aae26

SHA512
109886f16b57605400e3007fbf061cafc288e6535b4654fceb10834c9f38acde5ac83c1388a4c64d3447e3e3932d1942d4dd2e06417b96a6ea8ca87f4442d275

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
378KB

MD5
77e1cfc799c7d49b513135a4072cb885

SHA1
f5da1ceb3c14511a193b29854a5ad744200cc477

SHA256
d6455a74998aae5b27b3b9d286b9e0e6b4e5b749e4a106e7560ea4993bedfc5d

SHA512
5fda5d37839153866527690963cbd8f913f7cd57b8361f3185e3467bc56b0a3ede2385a7b92367782c9e79d1a92a1ce27eb6ac2c65b545da4c04a7ec9051d906

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
378KB

MD5
0ecebb7eb1a6fa1e51ae07cae0e08858

SHA1
f8477aa5a9aeb77c10a3361ad864383457bb213a

SHA256
4ea25cd1cf354faad5c04270970b68d6674482af1e9a7c5d95a6e1b4cd982fe4

SHA512
e90719c05772312e98cf6efff89c3c26722670f2b748050c267c8e636f64c29e6dd222db443f1f8d3fb7511acdf22590c163bdb9e3b68c50fc4f8f8fbcbab8b0

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
378KB

MD5
b5321b5b9f2223fe59249aca114305aa

SHA1
47d849db60f574efabdb398bbf2223f477936c71

SHA256
31be172c1f25718094675310bdc7d1d6f2fd8eafeae37bf66f7728b87362f2f5

SHA512
11eff7098f249c9b1fd6c9f90700b73ae7fbba7c064f36b0aedea3e8d058e251d0c0d5b72a0930d5844b3dfd8df7e48b9cfea6416893f7681aabd7c0d3ed5b53

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
378KB

MD5
8610c9c5bcf8a4029cfe33dc8f91a299

SHA1
56f9a438ec58728174a8f7aeb8b367437e2eff9b

SHA256
4f19964a87973aee316c90437c23d3cd687ec882e0591251b3d2c8189fba7123

SHA512
3d1a9a610a13550fba62185175250722b796601d09f720b0eb46f8e1d091138910478439c5bb98d16f30faf46839ed2f40746d624148dcc2b931d13392aa9787

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
378KB

MD5
c9828c60ad6001d6685c22bb76379137

SHA1
7ad9ee04a18a679a77c09b194e5222148e4f417b

SHA256
ec19c188ba786d212b042096fa753b82c53e32132d5f544ea1ce8c6906c87940

SHA512
fcbc64f546873dd2c7f53c715d0ab4344f0f7cdee96c2237f615f29e83e55ebac04bb50507e0dd785d5e9b9bc4a06aabc78a49174e04cdf5e8f110a5fed343bc

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
378KB

MD5
f5018deacce5ac1289422098a987ace3

SHA1
3e34cb003c21950af812ad4cd01269eddd14acc5

SHA256
558cb11d1e2dd266b41379f8927adbe31487d1dd7a5c19521390ec1066a817b0

SHA512
c9ba80c07a6905342c1619c7112d81054b2b50b24ae1a22acf5d5cf34c3a47ab3cd0c3966c22e5cdf19b59b81cae776edc165a961b695e2b1e0b2e12200d5047

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
378KB

MD5
f8861caec3e83037b5112432faaf2b13

SHA1
b70cf6a88985ef939ed8fce043f4097bd5515177

SHA256
e00fe11ebeb1f9deeba0eacc2f7b2d6f0702e04ec6965562be591f6e391aa7d7

SHA512
dd24b90640a03fb86201f11ca8cce86a59740e6f268ede87225720d9b6bb3c59e6fb34e28dc3f7c9bda2e7e85de8cd452a5e28cb03302f65f5126b19a6afbf42

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
378KB

MD5
4a2471d5bcb85ed490ae1713e107f343

SHA1
fc0ff619977e8929c55df334cca67e22c845d567

SHA256
c9deba2de4a28d7dcdb06d1e33120f8a120e354b10a02f1bca33c882ac75c24f

SHA512
9a103ffdd090c33b608cfbb065f872371997e15e0bae5de45d8d252757726fd707dc93e2d6f787b3e5cba1508f9fd877ac1546cf88f246959d1d29440852b660

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
378KB

MD5
92f10da39c986a19f2b04658b41aefdb

SHA1
ed577414f5e18b9df102da9697a2508801cc5918

SHA256
40ecebb323fed152040a1d7f2dd18df04bdb22f91ef4508ce24bad7ae897c332

SHA512
037c25cbdde2ea08a834b403dc5bcd03237e1c8e6fdde98a7ed40a235ae356e858d233d3184d0878cfb23e9bd289df4f9afed3087735678d6f1569171bf3d7b0

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
378KB

MD5
eb7259b47e4b23fb350264134eada20b

SHA1
16cd91d98ad3d03e4e2031e393e895da0a6bc14b

SHA256
db82f605af81e1c628cd55fdb9d25a634a652d0b1b0f00ceacd84486afcb6d28

SHA512
0e3f9c274ea47f2d9303718956161d4c53ee4f9a3050dad92afcfe75e384a861b9de20a8c74d1b94e1c5175aa0b95c29e9a831fd85b6be29c0f7a36d6a96caa3

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
378KB

MD5
bbbb05f6683825d174181e959eb94e68

SHA1
184479d23ceaee539ebd04a4b47d0b182adfa75c

SHA256
8a4a468611d3a0e92dea68e9f773e585621c9025d1964f0dd681cfa8a3f0abbb

SHA512
fe244966358bd3a30c9868377e69e736fa63faeeedba5521a5fea156c01006eb237d13b4ca2153715381773e7117e79207b7f26f0b1c2ad1969ea41ee2e8f537

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
378KB

MD5
45705c46ec716b09af19364ec310bcf3

SHA1
4bea6827ed53f997bf9e071c0be29f1cc52a375d

SHA256
4c9989234a0854d7809f0c03cfcaf41534bf076f43834b5bcf44fae9695d712c

SHA512
a56a4189b56a3c33616c51f22953d2f35cb5c8eb53a3126030c19823b4d30bf0113d4bb705f2bf122cd4c56eb9c77599cae1d9b8643b02b2e2a0baa66c952a69

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
378KB

MD5
c29ba8a41b886857906781200344874e

SHA1
c22fee24738a3d67e5dda1cee5beb4b4bc6e9822

SHA256
0f5bf9a939f45846679252e1c5d94e645c38ef89116ee059576f653cb9628445

SHA512
7aa6044f56937f9bd3e5c585e45e9fe5af5b5f6a03ad4949043cc7d9be58812794410452b5557851d83a8e88cd86ebb0d43e59f1a4242f4d948b330fe323064b

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
378KB

MD5
d7af1c1dd31efd3b01979f37daa0026e

SHA1
eeb79ca68b6148779cbf9522fb7dea8519c5bdb6

SHA256
333864a864ef45207f37c18e4fd5f448c0187761548184e5d6956b163b1797c8

SHA512
438d603052a5cba938f5dd130528a0ac0d1b6598f05803923f8ead5118b149031ebd656ae3a08d38e345e3077e86e6ee575044ab355684985c1c286462564fad

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
378KB

MD5
494c8a85a8032ee9ac3b87a4211f3839

SHA1
6bc8f518e41c28c08ef3ba01059d150f6cb3fbfc

SHA256
8794f90bd9edc95f994801101ea17a06cdd14144137cee3b71fa8f7f99a50403

SHA512
5713fa78d2a01c60817118f4b286309610f87b61a74240e17c1e139e2ee4693ef28a93b30242c8db050a9f1703ca9e37ef86f767edbd1c27ba0990b7dc132068

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
378KB

MD5
06836202a5066fba6d2c8aca5234dbef

SHA1
900e55eddd63cc37e82c694ec8fef467770faad8

SHA256
d5bded7b7a0cd755f4e16aa5b29a08dd2f6cb9f151f20d04ca856597d69b85a3

SHA512
60f50e067df007f61bd721e942a2603db7f227f85da9544a2c198698c41bd2deec5e0c849692eacda21abc36787424fe9fef09f622c3a039410c42c087775a2d

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
378KB

MD5
8d28c626576694bd746c7ac08e123c01

SHA1
1a4841cd759d82df00fe75df791c0be26760a826

SHA256
29bb0127014083a10cdcd97af9916b707c6a32d226559ab1ce6a43cd4b076af9

SHA512
a31958b5c3e4b49966495353ea1ec493ece9b1cfddb89bcd0a99b94fe6c16c636fd35e8c7e1c222ae9842cddedaf73f0c493c7ab840997ed6bf5a928faf87847

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
64KB

MD5
b09ee5e24cc7d18e795696eff4b6826e

SHA1
16a270802cc9b663a7c18aa6e113d74ea015c2f7

SHA256
b7cfcc49159f75bfc683c2ec96b57c7c9e74fe8564767ddd88d90ae7b3e28865

SHA512
9b186c3643301f10d511237af81009f0e9b84b43e5bf90ddc50c89f618ee2b2c636f72abf56efcdcc81e43b8281e43ea0a6c95e223254155c15d35348ad35a6d

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
378KB

MD5
ce37bc353efcaf929eb30de3a2417f1d

SHA1
444cfae7765c4932deb1f791452e300d1831793d

SHA256
3f7c9ac19ac3d45e98445856bffa17ff90a64a6485974247ad2667d4e3b3ce80

SHA512
b76a3a971b670e5f01a627ef3bf5231221cffa7335a4ea6f8e83304aa20b67a102ff19972b7579062dbd2ee81ab3a6e3939c0babd6a24cc2cc34ffc696b270f4

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
378KB

MD5
e14d5dbb87ce386ee285ffe3a4fab58e

SHA1
a26eabed13c0bad832dac86d92dfc2e506c40ca9

SHA256
b718250b61b817f149bfcc2f79173ef6ac3ae06fc7e9c22f8a81d6fd13b0bcec

SHA512
0c8cb9437e80579d58844ed19ab5f93661ff8cd8ed944045b84afb2a4d7690c88f965bb7faea8732a454471881c29a7bfb2c8f127dddd2b9a87c1b601f1019c4

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
64KB

MD5
ac2f74fa5b85bc4ec038eeb5c7a1ef7b

SHA1
e4d0819133dddeacb19cec195027e4808c5c5bee

SHA256
59df9467e6c22a0f962db2dc341de1a7369d9e393f5fe3fecb8596956e714dfb

SHA512
a86d820cf98325bef3f55768a7058d991a67335003c323dcc0916713f8689e45e030a7165f638c55b3c158cdcb378bfadf343c2fe71affbfd03a2c23432be7e3

Download Submit
memory/620-637-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-632-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-629-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/932-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-623-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-638-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-624-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-633-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-634-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-631-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-626-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-613-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-618-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-617-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-615-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-636-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-616-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-622-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-610-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-609-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-619-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-635-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-625-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-621-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-611-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-630-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-627-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-608-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-639-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5176-640-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-641-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5248-642-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5292-643-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-644-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-645-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5456-647-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5488-648-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5528-649-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads