c13139e26a5d2805e3552900bf54287209600f2b9410f3abd813d751c3a84b65

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7d7f721e531ab6e118882e907293530_NeikiAnalytics.exe
Size

482KB
MD5

d7d7f721e531ab6e118882e907293530
SHA1

a43f49a714558f9c5625c46fb6fc266434298b7e
SHA256

c13139e26a5d2805e3552900bf54287209600f2b9410f3abd813d751c3a84b65
SHA512

c105d5f214d0e2564844ce036db2a27f041c0afa720f1b7bd970ad3e94328e7c6808e5028a5d9a0c70329f2d0b1c790059f1dee309d4c64937764c4acecef759
SSDEEP

12288:JgXJSLrpV6yYP4rbpV6yYPg058KpV6yYP8OThj:JgXJSLrW4XWleKW8OThj

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gimjhafg.exe

Malware Dropper & Backdoor - Berbew 52 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0007000000023278-8.dat	family_berbew
behavioral2/files/0x00080000000233b9-14.dat	family_berbew
behavioral2/files/0x00070000000233bb-22.dat	family_berbew
behavioral2/files/0x00070000000233bd-30.dat	family_berbew
behavioral2/files/0x00070000000233bf-39.dat	family_berbew
behavioral2/files/0x00070000000233c1-41.dat	family_berbew
behavioral2/files/0x00070000000233c1-46.dat	family_berbew
behavioral2/files/0x00070000000233c3-54.dat	family_berbew
behavioral2/files/0x00070000000233c5-63.dat	family_berbew
behavioral2/files/0x00070000000233c7-70.dat	family_berbew
behavioral2/files/0x00070000000233c9-78.dat	family_berbew
behavioral2/files/0x00070000000233cb-87.dat	family_berbew
behavioral2/files/0x00070000000233cd-97.dat	family_berbew
behavioral2/files/0x00070000000233cf-99.dat	family_berbew
behavioral2/files/0x00070000000233cf-104.dat	family_berbew
behavioral2/files/0x00070000000233d1-113.dat	family_berbew
behavioral2/files/0x00080000000233b7-122.dat	family_berbew
behavioral2/files/0x00070000000233d4-126.dat	family_berbew
behavioral2/files/0x00070000000233d4-131.dat	family_berbew
behavioral2/files/0x00070000000233d6-140.dat	family_berbew
behavioral2/files/0x00070000000233d8-149.dat	family_berbew
behavioral2/files/0x00070000000233da-158.dat	family_berbew
behavioral2/files/0x00070000000233dc-167.dat	family_berbew
behavioral2/files/0x00070000000233de-176.dat	family_berbew
behavioral2/files/0x000b00000002332a-184.dat	family_berbew
behavioral2/files/0x000900000002332d-194.dat	family_berbew
behavioral2/files/0x00080000000233e2-203.dat	family_berbew
behavioral2/files/0x00070000000233e5-211.dat	family_berbew
behavioral2/files/0x0008000000023328-220.dat	family_berbew
behavioral2/files/0x00070000000233e8-229.dat	family_berbew
behavioral2/files/0x00070000000233ea-237.dat	family_berbew
behavioral2/files/0x00070000000233ec-245.dat	family_berbew
behavioral2/files/0x00070000000233ee-256.dat	family_berbew
behavioral2/files/0x00070000000233f0-257.dat	family_berbew
behavioral2/files/0x00070000000233f0-264.dat	family_berbew
behavioral2/files/0x00070000000233f2-273.dat	family_berbew
behavioral2/files/0x00080000000233f8-290.dat	family_berbew
behavioral2/files/0x000c000000023344-358.dat	family_berbew
behavioral2/files/0x0009000000023349-364.dat	family_berbew
behavioral2/files/0x000700000002340d-393.dat	family_berbew
behavioral2/files/0x0007000000023414-414.dat	family_berbew
behavioral2/files/0x0007000000023416-422.dat	family_berbew
behavioral2/files/0x0007000000023420-454.dat	family_berbew
behavioral2/files/0x000900000002333f-503.dat	family_berbew
behavioral2/files/0x0007000000023444-579.dat	family_berbew
behavioral2/files/0x0007000000023448-591.dat	family_berbew
behavioral2/files/0x0007000000023453-638.dat	family_berbew
behavioral2/files/0x000700000002345d-673.dat	family_berbew
behavioral2/files/0x0007000000023483-802.dat	family_berbew
behavioral2/files/0x0007000000023489-822.dat	family_berbew
behavioral2/files/0x0007000000023491-848.dat	family_berbew
behavioral2/files/0x0007000000023493-856.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
5060	Eqfeha32.exe
1948	Ecdbdl32.exe
4628	Ffbnph32.exe
2516	Fjnjqfij.exe
2064	Fomonm32.exe
220	Fjcclf32.exe
868	Fjepaecb.exe
3996	Fqohnp32.exe
4132	Fflaff32.exe
5040	Fodeolof.exe
2564	Gimjhafg.exe
4508	Gmhfhp32.exe
2760	Gmkbnp32.exe
2832	Gbgkfg32.exe
4488	Gmmocpjk.exe
3828	Gbjhlfhb.exe
636	Gcidfi32.exe
1048	Gppekj32.exe
1240	Hapaemll.exe
1440	Hbanme32.exe
1472	Hcqjfh32.exe
3452	Hfofbd32.exe
3708	Hfachc32.exe
2704	Hmklen32.exe
4812	Hcedaheh.exe
2364	Iidipnal.exe
3700	Ipnalhii.exe
3612	Imbaemhc.exe
4292	Icljbg32.exe
3984	Ifjfnb32.exe
3080	Ijhodq32.exe
2680	Iabgaklg.exe
1340	Jaedgjjd.exe
1488	Jjmhppqd.exe
4760	Jmkdlkph.exe
4988	Jbhmdbnp.exe
2224	Jibeql32.exe
1940	Jaimbj32.exe
4476	Jdhine32.exe
2320	Jbkjjblm.exe
3536	Jidbflcj.exe
3256	Jmpngk32.exe
1624	Jdjfcecp.exe
4380	Jfhbppbc.exe
3976	Jmbklj32.exe
4984	Jbocea32.exe
1152	Kmegbjgn.exe
316	Kpccnefa.exe
5000	Kgmlkp32.exe
1612	Kilhgk32.exe
4328	Kacphh32.exe
4904	Kbdmpqcb.exe
3640	Kmjqmi32.exe
4964	Kdcijcke.exe
2164	Kknafn32.exe
4452	Kagichjo.exe
2620	Kcifkp32.exe
2508	Kgdbkohf.exe
2640	Kkpnlm32.exe
2708	Kmnjhioc.exe
3208	Kpmfddnf.exe
2548	Kckbqpnj.exe
1264	Kkbkamnl.exe
1056	Lpocjdld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gmhfhp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5416	5272	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 5060	3180	d7d7f721e531ab6e118882e907293530_NeikiAnalytics.exe	80
PID 3180 wrote to memory of 5060	3180	d7d7f721e531ab6e118882e907293530_NeikiAnalytics.exe	80
PID 3180 wrote to memory of 5060	3180	d7d7f721e531ab6e118882e907293530_NeikiAnalytics.exe	80
PID 5060 wrote to memory of 1948	5060	Eqfeha32.exe	81
PID 5060 wrote to memory of 1948	5060	Eqfeha32.exe	81
PID 5060 wrote to memory of 1948	5060	Eqfeha32.exe	81
PID 1948 wrote to memory of 4628	1948	Ecdbdl32.exe	82
PID 1948 wrote to memory of 4628	1948	Ecdbdl32.exe	82
PID 1948 wrote to memory of 4628	1948	Ecdbdl32.exe	82
PID 4628 wrote to memory of 2516	4628	Ffbnph32.exe	83
PID 4628 wrote to memory of 2516	4628	Ffbnph32.exe	83
PID 4628 wrote to memory of 2516	4628	Ffbnph32.exe	83
PID 2516 wrote to memory of 2064	2516	Fjnjqfij.exe	84
PID 2516 wrote to memory of 2064	2516	Fjnjqfij.exe	84
PID 2516 wrote to memory of 2064	2516	Fjnjqfij.exe	84
PID 2064 wrote to memory of 220	2064	Fomonm32.exe	86
PID 2064 wrote to memory of 220	2064	Fomonm32.exe	86
PID 2064 wrote to memory of 220	2064	Fomonm32.exe	86
PID 220 wrote to memory of 868	220	Fjcclf32.exe	89
PID 220 wrote to memory of 868	220	Fjcclf32.exe	89
PID 220 wrote to memory of 868	220	Fjcclf32.exe	89
PID 868 wrote to memory of 3996	868	Fjepaecb.exe	90
PID 868 wrote to memory of 3996	868	Fjepaecb.exe	90
PID 868 wrote to memory of 3996	868	Fjepaecb.exe	90
PID 3996 wrote to memory of 4132	3996	Fqohnp32.exe	91
PID 3996 wrote to memory of 4132	3996	Fqohnp32.exe	91
PID 3996 wrote to memory of 4132	3996	Fqohnp32.exe	91
PID 4132 wrote to memory of 5040	4132	Fflaff32.exe	92
PID 4132 wrote to memory of 5040	4132	Fflaff32.exe	92
PID 4132 wrote to memory of 5040	4132	Fflaff32.exe	92
PID 5040 wrote to memory of 2564	5040	Fodeolof.exe	93
PID 5040 wrote to memory of 2564	5040	Fodeolof.exe	93
PID 5040 wrote to memory of 2564	5040	Fodeolof.exe	93
PID 2564 wrote to memory of 4508	2564	Gimjhafg.exe	94
PID 2564 wrote to memory of 4508	2564	Gimjhafg.exe	94
PID 2564 wrote to memory of 4508	2564	Gimjhafg.exe	94
PID 4508 wrote to memory of 2760	4508	Gmhfhp32.exe	95
PID 4508 wrote to memory of 2760	4508	Gmhfhp32.exe	95
PID 4508 wrote to memory of 2760	4508	Gmhfhp32.exe	95
PID 2760 wrote to memory of 2832	2760	Gmkbnp32.exe	96
PID 2760 wrote to memory of 2832	2760	Gmkbnp32.exe	96
PID 2760 wrote to memory of 2832	2760	Gmkbnp32.exe	96
PID 2832 wrote to memory of 4488	2832	Gbgkfg32.exe	97
PID 2832 wrote to memory of 4488	2832	Gbgkfg32.exe	97
PID 2832 wrote to memory of 4488	2832	Gbgkfg32.exe	97
PID 4488 wrote to memory of 3828	4488	Gmmocpjk.exe	98
PID 4488 wrote to memory of 3828	4488	Gmmocpjk.exe	98
PID 4488 wrote to memory of 3828	4488	Gmmocpjk.exe	98
PID 3828 wrote to memory of 636	3828	Gbjhlfhb.exe	99
PID 3828 wrote to memory of 636	3828	Gbjhlfhb.exe	99
PID 3828 wrote to memory of 636	3828	Gbjhlfhb.exe	99
PID 636 wrote to memory of 1048	636	Gcidfi32.exe	100
PID 636 wrote to memory of 1048	636	Gcidfi32.exe	100
PID 636 wrote to memory of 1048	636	Gcidfi32.exe	100
PID 1048 wrote to memory of 1240	1048	Gppekj32.exe	101
PID 1048 wrote to memory of 1240	1048	Gppekj32.exe	101
PID 1048 wrote to memory of 1240	1048	Gppekj32.exe	101
PID 1240 wrote to memory of 1440	1240	Hapaemll.exe	102
PID 1240 wrote to memory of 1440	1240	Hapaemll.exe	102
PID 1240 wrote to memory of 1440	1240	Hapaemll.exe	102
PID 1440 wrote to memory of 1472	1440	Hbanme32.exe	103
PID 1440 wrote to memory of 1472	1440	Hbanme32.exe	103
PID 1440 wrote to memory of 1472	1440	Hbanme32.exe	103
PID 1472 wrote to memory of 3452	1472	Hcqjfh32.exe	104

C:\Users\Admin\AppData\Local\Temp\d7d7f721e531ab6e118882e907293530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d7d7f721e531ab6e118882e907293530_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\Eqfeha32.exe
  C:\Windows\system32\Eqfeha32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\Ecdbdl32.exe
    C:\Windows\system32\Ecdbdl32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\Ffbnph32.exe
      C:\Windows\system32\Ffbnph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        24⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        31⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        40⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        44⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        45⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        53⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        66⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        70⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        71⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        72⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        74⤵
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        79⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        81⤵
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        82⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        84⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        88⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3344
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3980
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2756
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        95⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        96⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        98⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        102⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        104⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        105⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        107⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        109⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        110⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        111⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        112⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        113⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        114⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        116⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        119⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        120⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 420
        121⤵
        Program crash
        
        PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5272 -ip 5272
1⤵
PID:5388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
482KB

MD5
61b125daa4dfff750fc1f716205b94fe

SHA1
240f040f7844f5a4c967950fbdb1651826032cf5

SHA256
f311e02492c04c8cc2c91e56955e0faaf851ccbaadb57d5e9fe11e72434130a9

SHA512
d7dcfe21456dd9dd752cb0ef8cb426ae9c9ce957697426742c16271af8011063aa7722e4e8f89256bc0810b818663f0d1e10f6c39ffa849dbc1f4cd4274ba71c

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
482KB

MD5
b04a9d00e78c08b6a9c2cc78de5716a5

SHA1
2b822dc021f5fa81146bd9ca8b3eee7eb873ad4b

SHA256
402d3b6611aa7e3422cce3a4060f5d16fd8ed65a7cd16ffcbba5352da1926a37

SHA512
2825b2db315a5dd06064654314bfc8519b0fd82b5096310818ce79c334fc9c093e26bbdba91d5bb89962f3f90ec066579d88b34877b2c943cc5a09821daecdbc

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
482KB

MD5
28b2e940a44ed6bf318b686b2d028eb0

SHA1
9d226bccec9d92aec612354863896010f89c65f6

SHA256
e8260494c4b5828c65d8203abbf07e5605499049d85e70081446234a073563fe

SHA512
a52a8ffcb88fa019dd61a74d32d950b9e73a5a2670e2147b3324c0207c5e752ebc769e6d9b7ee8be32f257de4784654f02e54d57447ea9d2b25bb2be3f0106f1

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
482KB

MD5
f6f483ae509cf41712696d9ae523a8c1

SHA1
21f077393b40229f550d243874efcfcfe5b61251

SHA256
5d7f3a120a0541b4f86a2ff91deac1908736142e6d6bcda2367b02a1d89d8c05

SHA512
e44c746c1cd522981fe80a362161be24e857e7b297b451f0fa2bae19c5607c735c90c6ad1a88d242ebbe7df1db97ecdb45c5ca124f7edcdbc04d647868bd888a

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
482KB

MD5
d1d6cfce3fd042d7a005976bb783a46f

SHA1
a26b01a26bb9210d01f8f544b082ecaf2cbdc230

SHA256
0defc9cf88e7302dff1bbd509ddafdfb3dad1599e8d52710c3e868a323a079f2

SHA512
939f55fdb5db1f578618e0dd6cbeed8c8a51df45d21bbad9e8ad2a15b5aa20adf86bf9ea10eee503770cd92aa5d1bd126dabb83c35a5abc1e1d5e38b31bcdd9a

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
482KB

MD5
b38fca9aee8c892ac8f25d5e10fd1ed8

SHA1
6dc4bf5d2473ad993c4a16ec49b6abdbfe142c4f

SHA256
ad21b7ea0e3ee0fd0890cbdac115fa6f2b471a13a9f66d0ef4de9e7ebad98bd2

SHA512
727a3151bb84a0977b481838b26034ddadf2931eb3acb47f5d5119087d3e471d1dd33c3a71c19cfcec7032ca27b4ad7e1858ce021596d6161a86816de2f72aaa

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
482KB

MD5
de095413d79b6d7ac5b5034b73445226

SHA1
8923be4f2e636d016fec57c3fcc8941d969c4db3

SHA256
ef5929e9f4d98099bfee31fbae1fb6a7b001d81a90ecc5f10efc2ce474406495

SHA512
aaecda3935a12a0ba11c2e54b4eac4a15e5d4beddd1ba46c850dec8c49b9172eb199440ee41a634eb969bb5fa51e3f60677782c85bf29055e1b2d95446a65e6c

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
482KB

MD5
6a1040d5aa23ade1ec20b85ef521dc1d

SHA1
cf04ae76b9e4061dc5e7f48490f8b6a2163ea43d

SHA256
4183bf878cf45a8a922ed3dfdd503f5aee8530e842a35744811f193fd2322927

SHA512
ed2d846be9b791402ffb2303d0d7885485be357958c8669dfd519948492471db95a306302e3f5c41ba50567e23d3b1b50e551c8a7f99366f339173cec5df2c5d

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
482KB

MD5
2bed08eaecc3f10ca9a45046e2d474be

SHA1
5a4bb4e13e0c861c492dc419782f5dec465a5626

SHA256
a2ee560e27fb30df08da3fb5d5ae795c7c875dc4f0810b6b5135991b96768411

SHA512
601ba1f061c8faf480377dde2216c5655ca1ae28045e6bcd4ef8b0f6cdd7f4c7885cee6880aba404c470a3ccfb338fbf6b81a3ac1f69fa6f8fda153362c47fa0

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
482KB

MD5
e25beacbeac7a1527d18d570f9fd773e

SHA1
8f0bf229d508176525c51b88a881898f9990f8b6

SHA256
5a705f4bcedab415b69c3fde183dd4f863d4e886c14e3539dc470fecd8c50c0a

SHA512
e2a4e1aef1d3f4d036797db400743aaea1f78744ffef8a20ea5d81f329bd52d426065a6c5151a6d8f6f9185e03ac7708e11d3eb57de66d4a32401fa958fde67e

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
482KB

MD5
ad86c3778c17ff7e95bed20e4c9ee50b

SHA1
0f4e880cad05fea88ea542e42ba82f440816ba5d

SHA256
8249e06488f46e948e4c27f10d1bf2ecfa0f3bcaed1f0034a362fe12d0d380f1

SHA512
555c941c8ff0ec94392736df8202c7f7e5c0a6107850343d2b233aaeca1e00a96817d2899307e8e17da264997e607975891b852312ac0d9829ceaceaab97e40a

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
482KB

MD5
dee03202a74217c70b514b1f774489f9

SHA1
bc309a3e9a8b7fa6e5acdc8ad1ac00732d86f05e

SHA256
f199ba45c1f57701d626ef6e6854c097f21fcdd0f9fb00bd2077bc6708da4587

SHA512
e3ea14f0438c72ddf0f8ff6db0ceb2fd130d2c8274fe663babc30772dcffefa6532e6a054a2f50d1a48bd5489203a0b85adaca6f8238f2513359cd62245772cf

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
482KB

MD5
055ac9913e5278f717a183881fe0d12d

SHA1
6910e65fe16fbd72db09520a49ce4dd2d13b95bb

SHA256
9eaff21cae0d201718c9eccf9999bc32ea5afb042e02950d0ab1c472faeb7e7a

SHA512
15aad7ddd2282ae879b09e95e2a1398741ea106a6cca04e5fa3c3dce918523497e8a79a63c9f0184e25ed725744216719355328c8c2ee8c4e6f3c31388e7e90d

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
482KB

MD5
154929bd0d30e423fc2cbc8637e16bd2

SHA1
c30a861e7dec3ba88a34fb9bf8f23eb46cd4cc55

SHA256
8328b61d3867edc18207fd1ccb712a6282fce136a419e3da2629397805fb2908

SHA512
5b594e8a1f34f3dd8fd579aea5e8ad1e3507bc773cfbb19f853b17804cddc8776839cb17f017d24a12894466999d577e3c534e9b19eee75e2ad7071a9c7b29a5

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
482KB

MD5
6e6a1b1f14d21e335008d4a43fb9e11f

SHA1
73837d5267f5d3c19b03c67eb57fcc39eecf529f

SHA256
e64e4d6d73b5279a80a08d6c352f50fb1f7762c02a7d608c71a97f5c6e208686

SHA512
c74c3b45d3367e2af98adc22eb03bb01a2f61f64a064c39c7649bee78daff70ac86092239c272bd1e11302d79a82d35b5c5d103200cfb8ff1605463668240429

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
482KB

MD5
5943fb0545fcbcc7fb15e815ede392f7

SHA1
289383352919f2d1b04c4608741e50d04d5d0ec0

SHA256
b7451ac2fbd808e3b02a0dc44ae63ca5cca985a7fec9f6c53ffb57c097d7e5fd

SHA512
b9a90acb32fd8a2354d303c9ecb5924e3d9c62e082d196272a97c2c9a37bf6b047d71600d6b433279c7f701ec993300bf506ddd9cb3595981e2208e097746c3f

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
482KB

MD5
695aa1180c38356908dd71f43c84fe53

SHA1
1fda4453e3b1b841726e7b818f911e8b95f2b534

SHA256
9665c6842619f7e3bcbd300815a0f52a372dfee235088e265d644296d41e9d60

SHA512
751aad22d2f547cbcdfa455bbbbcd81ad88edbce296b593e9c9a9545a8fb3f8ee8d3d5241520bf5b153983d5067da2e5a3c39ea982baf859e38ad5bd9fd33bd2

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
482KB

MD5
0da060a422dafe17e76d9c00c05f10c5

SHA1
88f1b9bd0ca3893ca7c8526a18e5c86547154583

SHA256
dc34012c8958748afb259723ea86b3d537fbd2a0d32cdbd6dea50e23b5081e58

SHA512
5585a4b1e4be763bdf75ae8640d9023f29eaa6ceeba010af33746cc591808e8b631f146a6e4b1c5af53c7c71422f9c98f085f67c6f9b0f6225dddad1316f31e8

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
482KB

MD5
c1d7af34577128fef5e1293a08244222

SHA1
0497617ab429dd34571994527a7daf5d0dcce77a

SHA256
2bbc8f25f8a05827005d29a1515a5050ac99ac2870dc570be4df2caa5faacc0e

SHA512
88af034c1089295fe5acb36393c74840629a75d892cf5c882192cc2371d2d505337379d1603c1af123e85df49008d3d7fcca36595eea938288ae1477431b08cf

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
482KB

MD5
42826dff7b8df9a984584a40e96ef837

SHA1
833d5682b4d0d3ff073bc1a814ba1ca1dbe11ed2

SHA256
295ccd2522785a4877421662b9a498a7197023d247ed747264803142149a4e02

SHA512
713b42b0baf17d1ad3e707fc8899d982e0e25c15f88b5eb1c1a62b879812859f96b336ba2e0f156c8eb0649e85b1b69811db6952bab55c5afd78fea3dc6c2f53

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
482KB

MD5
29f563e390c071ddc8d5910f81f81b49

SHA1
4adf535e667faf2a6db998f940358baefaf83810

SHA256
c6cd68c6358f7e0ad6b1e294acbc17c3a0bf1d001556b37c9178a7b8834b1274

SHA512
978018f5937caefcc51558fb983e62ff59094a3ff7fd1e409be3216e23c32115ea2976260df8939759e104537c96ab7db091c87c57067ee02234e21f9a02fbf3

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
482KB

MD5
c8ced8e7469597842787e4c048ed67e7

SHA1
d070fef83b5bb86972c6a53c3cae4945219eb2fd

SHA256
f63a7462b46b6bf7ece4787e52118cb196d27601a2e4c2d8a9fae3809a348455

SHA512
103f9685dc73230ea6d20e71615061d8569efc23cb98fb57f12501b10d6e5404b1ef0793b446206f06cced22434ea0e9c8dc6450a9c156dc58270b849f02c8fe

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
482KB

MD5
a148a2536591b2c2cf70a81500990efd

SHA1
c245f468accd67b66a2ff7a2aa09aa7629574209

SHA256
212f3ec73063e5e648087292484b693a6ccacaa0fb61ef8d79d159e517d6f1b2

SHA512
6f47b35e9fa71d6df6f3e1cb27e70ae4ce8bc3485fde17b33c9fcfc8aac682aeceaf665a1e4c56747f7a07a1d3d282cd18a0f6935cc539822d9c97ffd5a06bb1

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
482KB

MD5
0624b9a1c6e504a81cd9ae67e59797c5

SHA1
6d355b6cc97a2ad0e78d3c046f1e83add6d43103

SHA256
0e7a73ba0e01ebad28a9fd9cc1606c50ef21b288e1ca9fa49edaa76a373d26b0

SHA512
96d94f0a08be1c6f797f76e3537eebef6b9a8e41de6cdfa8f1aed4e31fde35fd5831770a132638dd3b2f38966f2155f9b5d7b736d7eb62a83e69318837835e7e

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
482KB

MD5
2689e00a5439a18c91a1eaf282d04ec3

SHA1
53055cc30941c18fbec9ed6561ef027cbd33becf

SHA256
fbbc6205280741d1e80d659d8fa0297fae067e80eec64a8213ee5671d8c2c1ba

SHA512
4b9731cd79821301063e4ee3c05fdbb8f2578e8d655d4ce663717d77651349417d88bf4e65030eddc297e396f563a4a27246b234a00a92ed6893f818d8dafb48

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
482KB

MD5
c4a647aac5c16cedb740708d3e18085e

SHA1
1f916613a56d25dac1fa597ddcd17697bd57c1a0

SHA256
4ac4a927dd85727ec2b87ccac78e4399c69710d6f899716f9d2b15be8e89d960

SHA512
dc1811aaf80e7501f0c7d7825ecb790a5e10c46257904f29bd5d23bdc79f7cb4859e9142d70540b00a148f1b7913d6ea20b69a370d4fdbeb98fc3d8a63bbce67

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
482KB

MD5
23ec8b2357892d5fff37fc5d7b972795

SHA1
8aacccb918a228a4ccdb5f4f34f3131226a0e668

SHA256
c910263bf1068228fb41abdbb7fdfbc97311d83b110127f55bb95141202f0630

SHA512
3e199860d1b6d05f57867636c624bb1590cee5341ac2b19fb157613622fe00fb318b99737cdfb8e0c5d7818972c8c3a255c769b8edababb5fc080454f5cf72a8

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
482KB

MD5
7b943de137692c12c3f832ce1b01ed9f

SHA1
73e514023e535f14f81295b5a1238c1ef71483af

SHA256
040e3b9c07a9673623d9404bc7353491604f4054ade296a054a5ec560fc5a957

SHA512
9f10799304bd637fa2a41c5eb30ebdb63ced573aae958bc510ad9996135a7175e2d32d2cb36b2933d6fffa642d8c67c4512323ff7690a4df46a5c0e84bc1e613

Download Submit
C:\Windows\SysWOW64\Hndnbj32.dll

Filesize
7KB

MD5
b359ecc323e564708660703832d318b2

SHA1
643c5d132b24188c7fd1a044ae3ee20959199d24

SHA256
08027bdeb7f0bded7fc18eb84d70e1c210af5042f64cc2ecf2574792d33d218a

SHA512
49872d3eef19ff32aee145951f309d1e3af6e74d81efc4b57085c2c45a63dae3094ea677df8658babd629efdbb5a52ac95f36ab21423ed40b3ea824f9f48ba94

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
482KB

MD5
437616771b2aff154b766face10c5641

SHA1
644106e95aa5ff1d9db1b5dac89564d8dcafccb7

SHA256
c33a2ffc050431d1a3f46abfe674a77240321368aaf935ed0ad0eedc765e1455

SHA512
5a61e3ef4474ab7af157599564d63266d2e57cc68a750790dfac14116904561ca072078d361e9d25a8410e286fe08e3f763a374becd03518535e8d9dc7dc53a5

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
482KB

MD5
d2833287bc0c31c9a9f627dc1e07bbf4

SHA1
d4defe27fe2cd1202d4683b0e8f00aa1f2b7aaef

SHA256
37f31046e8092d5757dd42339a9cba66ed449b22be94e71a7c868912be76e2b5

SHA512
3575740b8dbec178c2a12171acca52f69a935384019efc46dbda08233eb1784e2b30891677b219c5f5e155da23363a2a38f366b792f10080758eb564a26b72e4

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
482KB

MD5
cc7c6f1b2d0831a17008dc6a53a52d34

SHA1
e12fc21a2e499178eb6350f46967f12d031dcdbe

SHA256
165a7b671152ef1a2c1f0c22032662fd3bf3b40016f1a31cb5f0ee5374236d62

SHA512
9429f85cb894e2ec23d7fe4b74632cb50ff0c4d602650616132118b44ab93ab468b1b2b7af3311ab511d80dcb0e3db28051cdcaba4bc2c13c6f158465ce5b184

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
482KB

MD5
3213b141daf33581aae5e00f6143d125

SHA1
1d993d8eef64c1e0030218a3385b78b71bb32954

SHA256
d763b25b21e3d1e8cd200ebe5afc7bf7b9290634310987510b6c76fd8d8caa17

SHA512
02c32c293bd885733b51e65ffbcccec1916f8f00e7f5ce8ebe368fbf1d3fb3b0fca910c033b433ecb3db140d2d3edd19bd8617aca2d64835f40755a20693e79a

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
482KB

MD5
dc2e78155842443e9479e641c39842c1

SHA1
b5e5364f8e228718a76e58bedb65cf704fb127ec

SHA256
bfc7c635f89823b858743f1c10ee7d09b58105352aa3f9d9ec3b4eadbde9e69d

SHA512
8d5316f0a59c49c7757ccd34fb15d7d0739288a1585e15ce7a617c61b36fe9b10928b9c4222b771936e895323856cccfcc541f0ae7c30a06709b0fec37296aee

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
482KB

MD5
e1b7d16ece72e00aa608fb612743c653

SHA1
12163d7619f161b36f8c5a4a71d6033bcfb522fb

SHA256
8d255572b3f9f4367d52450a783c11e7a03aa25009f9dc4b380946ab544ae118

SHA512
ccf8e81a1df09e3777dc2a9d137d351e5a0fbf7f83e84cbed8216c6588f532839da08dbdbbd977d0dd7287847ddbc79afe569ec739e63cfb6f5ca3af9ec6b3ef

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
482KB

MD5
52a67c27726a23979f521c033c44eb96

SHA1
f40f97e06fd8022e68e5a632226b8d56127d1e8c

SHA256
643de8f0562327bc5b2aa72e4c1168b06945f1991c34f036da9ac5c577cbc705

SHA512
33466bac38f784375b6c8e64dc06bd406d2a94a1e06b5b407bc512612c619b1e7c6c63d948b05275f116817d164095efe7c9d8b8ea1b0e227854290d28f2cf07

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
482KB

MD5
c3c2f9aa0b54add0b08be8f8e87b096e

SHA1
e2e8714dcce522564d48ea94845f1ab550727d8b

SHA256
38c3461a68d0b868c55a34691741a98b6453bc6d082a45c153e0f5d51a737b59

SHA512
4074931633b4dfa3efc29296c68be8a01c06ba98b9111846cc35dd28f9df3eff289c0a48a07fc8149069763d7a3b04b98bd8e3f7d5c7ef4ea928e72e5327e30e

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
482KB

MD5
d87addac808c9cd19a6a85d84d0fdde0

SHA1
137be3889f6ef2a2146c4d7fb192d658d22c9d9d

SHA256
6d42db05bf47735f9eb5b27e1e6c3093efc17c012e21e564245688bf2edef2bd

SHA512
8e46b4df6d1a4fe2ace686d0044c7e69e46ef0bf001f485b1cdb7b00186d8248edc7cc8101932c26d8fc24522759d1942a9c903827c35ed00a80ae8be2d4ffc1

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
482KB

MD5
63aa3fd4f0f381bf23e3b0a18e660745

SHA1
036c21f415cc779745511de42fc3e06dcbb24399

SHA256
4204cc6c9af6f35c05eba29f963a73974be71d4b84ec6396b7b98cddfc197fae

SHA512
d618039c8fb8c6c56c85fb943195306afc2b7ce6300858a73280febfbf99a2e0105c7e7c117c8ec1ec4b5061517ccf77a975d679b5c60f4ec928707ba4c31f61

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
482KB

MD5
18a3a379cf42e491595c2823223cfe2b

SHA1
44020130c29000f4ad508d19c96f41ab877831d1

SHA256
f220fcef3561c3748810bf9dc17e98434cfe206efa262f248923d9cd6a0f8993

SHA512
4e68d59a7b6a8147b8b903ec746a482d3ab432d289610e40cecbdef6ca93cd977bb1e0911da46d18dacefd8402ff61b8b309cc7e0293b728f87cfa1ac551ebf3

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
482KB

MD5
de1834e20c5fdc82c286d59a3424c036

SHA1
bbd5f715085abe9cf1a2a3eb284ccd552ea04744

SHA256
150598bbd4ba5b332c59808393cc4cb6804b430e14b98610cee98cda967d4bf5

SHA512
26b6b625baada5ecaeb39db4169794f50a89298a9ef34be64d2e118f204cf7e6c85bceec321fea5b177920cb80912926b1a3c19c790e425b103a738b871cf0ee

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
482KB

MD5
c5599a4289530dc6e0f5589bf73cb0f8

SHA1
27310d6efcc9c6eab7739229b1215b3b55a539a2

SHA256
068898b3c46d822a4195e845742203e0aced27aaad51d324c80dc1e8fc952187

SHA512
a676e44b8834eb081385303f960f0e91b0640a4a731d3b4e702e407ec3d4bab5d05de9cbff3c0219d8f57b450f806e00a82aeff72aae86513fe08295afdda891

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
482KB

MD5
835c37e8fffac55cabfebb0f8837fc0b

SHA1
f956ca28ea251955734f3586b4d15b981b990b16

SHA256
78019bc59537e3e4e0b3f5487f86f5836bce416cc9aca733e6c6651378edc5da

SHA512
bb706635146fd6e4e9e82493774afab7e08e51af27a03266b6780505be6ebbc47d4c5e1c5219274684506fd85411e5ed0c6b2d876eba56e8073055919f50f1c6

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
482KB

MD5
87205494741bc203736ea60e388d55d9

SHA1
f0404d1d7d2a808ca067f8fe9d1e518d7617f3f0

SHA256
750c69d5c516a342c1f4a73b1eca97a67d8166eb601d4b3acf8acfa5f43ed8cd

SHA512
07a87e43b81359f2b41ab88695d29a715a23f145c72b3d5fa1078e07909bf1b93765f277601b45919b2e2c34523a3aacff8b1bb0524346203501bf73a62ce3ee

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
482KB

MD5
d8c2eff3556a004f20bfad89a53d965b

SHA1
1d4fd0ba09b3c7609beaaaa3c26791faab58fa97

SHA256
dc7e8491d2a19a9a9da150c85f95069e234786158c1c227d9ddf1170d0f80ce4

SHA512
5c086356f60ceac5b54f97fa981b3aa7aa0635b8225c66fd169d4cfefb5d742d033fa561dd5b555ad981999d6e1666d95a3872c7ac2095023637f2c68dbaad46

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
482KB

MD5
c9dfb7ceb61c0174c76130d66dfdcbe7

SHA1
44a27c9a5bb32dd103a0469aa7c7b46682dec228

SHA256
3d74b803b726847bfb4e7a3f4aa5922d527c5f68328eba1b9441058b2b828a7f

SHA512
970468660ab30369ed0157f57dad0f20fbe2a1c07d6b498f8ae741e74f95a96a2097fa8e3949665f1e47cbcef89dec92bcb37df0d98bcebd490248332006f60c

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
482KB

MD5
3074f05b1ad9969fcea5361f385f7f21

SHA1
1241b5b1737f937a29430d4ce0f3b109130eaa0e

SHA256
2cef07f23fa88d86e9de66d74fb38e659f8922e52fbd6a6c6c8e3415a162b329

SHA512
2a3155ee7bd9eb36a4eaf49898de8924eaf822ec751baae9f4668a81145135335d204acf6ae9b843c91d14aadd104f62625986a977ba7ce36722a0d193d11201

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
482KB

MD5
75a39b4d32e854a15eec7c3c58bcd44c

SHA1
2eda664f5d3438069611b90b19fbaf20e1597759

SHA256
06f97002da3fe8f201ef00c437d72486fa15a2c7291b96ae324019776132db87

SHA512
647bd91b659b72a456cc2334ef0ba9dad4e4cae957f8ae79724ae664a248ec148b2837647e8af1804c478e4b784e333e79d46f784f5c6f8eaa9319c251da5e4e

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
482KB

MD5
f4bc8a3e555ff99c4e6af8b41482127d

SHA1
60e3e2c60f6b933e6e7e7eaebb21f279829db034

SHA256
2ef3b8d8b6373236c34bb9ab1c45ffcdb5afe1623fe5acc4018a125684c61d3f

SHA512
2e6d13d522535749979025a805efefc7f61136e5f19c7d4890311fe1cc820b374b316dbe121843d86fd464665f51c6d4d2e6b5ff286c6aad51c2115e0707e3df

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
482KB

MD5
a1d5fedc9ba231d587562614ad33165a

SHA1
d918d3020c6958b7dcadb436d957bc16c083e591

SHA256
0bf4e8baaae78ede64b7e78bf1c09cfa3d3f3f71c33a8e77a765acd289f87d82

SHA512
b0debd049ac1c81f90af40bd89dcf85cf98314cf062222d27f7995259f3dbd2873b2265f550211f270c4f85843f24e8957f4c3c4b5088240b7a91922e64aebfa

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
482KB

MD5
713da9f9ecde8d7b6a21f94f8320aaf6

SHA1
407375ed73f5031b44e8aa8c0eaf78e10a8f6de4

SHA256
2d19af273d407824435735d4e89f12b02eee0ec89ecba7323b8b8fd0afabfe2d

SHA512
28a5b1108e84a4c8007e88e77f57e2537a921a3593b1617d9cae8ea87b3473ef1488f3e5dc9b6b779768dfb14f244e6aa1bbbe7002c168b0dd4595c9d4fec3f9

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
482KB

MD5
d48dce9e4598af410a53ccb5a6f4923e

SHA1
09ee5bbca0313a2eedb9939d70ff583a368e49b8

SHA256
99ca5369a2c8db9efd7e1a95d803c771dad58e0c3ab22e9facd80914ffb02d75

SHA512
1a30cfcb6ee10733c1de030947487a5d37abc8289df448ccb8a4b3992411521757a5473c91936defeadcfa8b889d01c669de4ff7b419c6e3b70284f514d87a5b

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
482KB

MD5
cec4afc37c50bbb20ed2e08fe0009f04

SHA1
553c3699397c366ef564a5f842e7db8840ad3e61

SHA256
e85e074c1676df68852a4443ad00b7c15c8b51eaface52d0d16de19f6e372b71

SHA512
674afb0eb7e9dd8d63437d917aa6720c053aa1a56d3372ecf1141728805d44fb327107bcc09c2977a3b4cfe48c011dce9d9816d64e120c9a5b8a2f30d3cb3442

Download Submit
memory/220-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/220-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/316-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/636-243-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/636-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/868-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/868-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1048-249-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1048-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1340-283-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1340-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1440-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1440-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1472-185-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1612-399-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-384-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2064-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2064-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-433-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-398-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-329-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-182-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2680-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2680-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2704-213-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2760-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2760-195-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-212-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-267-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3180-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3180-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3256-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3256-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-187-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3536-338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3536-409-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3612-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3640-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3700-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3700-309-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3708-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3708-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3828-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3976-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3984-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3996-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3996-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4132-159-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4132-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-253-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4328-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4380-426-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4380-357-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-391-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-186-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-105-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4760-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4760-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4812-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4812-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4904-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4964-427-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4984-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4984-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-303-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5000-392-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5060-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5060-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads