168f0813b7a239a784b0de2bfad1f1c8a81381189636fcd487dab347eaab3b72

Analysis

max time kernel
143s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe
Size

1.6MB
MD5

e5559285692840111ae99c84458bd1b0
SHA1

10d6354140034d524664a4f674eaba536cc163c4
SHA256

168f0813b7a239a784b0de2bfad1f1c8a81381189636fcd487dab347eaab3b72
SHA512

27683ed8c0c0e9e02472d644caaf06dffce6bcc1e7084e084e595456fa037828c2ce99184265d0b85f98fe659e39660be73f54881e367c5b6e4cc5038f9257c4
SSDEEP

12288:KcS6xR1kGbSwwL2bWGRdA6sQhPbWGRdA6sQx4HCXwpnsKvNA+XTvZHWuEo3oWB+:EgSwwL2vepsKv2EvZHp3oWB+

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mljmhflh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpffeaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiicf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alpbecod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlobkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glhimp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffqhcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feenjgfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkconn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckiihok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbhgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glhimp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inqbclob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hplicjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbjoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iciaqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbldphde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qamago32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe

Malware Dropper & Backdoor - Berbew 48 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0009000000023260-7.dat	family_berbew
behavioral2/files/0x0008000000023266-15.dat	family_berbew
behavioral2/files/0x0007000000023268-23.dat	family_berbew
behavioral2/files/0x000700000002326b-31.dat	family_berbew
behavioral2/files/0x000700000002326d-41.dat	family_berbew
behavioral2/files/0x0007000000023272-50.dat	family_berbew
behavioral2/files/0x0007000000023272-56.dat	family_berbew
behavioral2/files/0x0007000000023274-64.dat	family_berbew
behavioral2/files/0x0007000000023276-73.dat	family_berbew
behavioral2/files/0x0007000000023278-80.dat	family_berbew
behavioral2/files/0x000700000002327a-87.dat	family_berbew
behavioral2/files/0x000700000002327c-95.dat	family_berbew
behavioral2/files/0x000700000002327e-103.dat	family_berbew
behavioral2/files/0x0007000000023280-111.dat	family_berbew
behavioral2/files/0x0007000000023282-121.dat	family_berbew
behavioral2/files/0x0007000000023284-128.dat	family_berbew
behavioral2/files/0x0007000000023286-135.dat	family_berbew
behavioral2/files/0x0007000000023288-144.dat	family_berbew
behavioral2/files/0x000700000002328a-151.dat	family_berbew
behavioral2/files/0x000700000002328c-161.dat	family_berbew
behavioral2/files/0x000700000002328e-167.dat	family_berbew
behavioral2/files/0x0007000000023290-176.dat	family_berbew
behavioral2/files/0x0007000000023292-183.dat	family_berbew
behavioral2/files/0x000200000001e32b-200.dat	family_berbew
behavioral2/files/0x0007000000023298-207.dat	family_berbew
behavioral2/files/0x000700000002329b-215.dat	family_berbew
behavioral2/files/0x000700000002329f-231.dat	family_berbew
behavioral2/files/0x00070000000232a1-240.dat	family_berbew
behavioral2/files/0x00070000000232a5-251.dat	family_berbew
behavioral2/files/0x00070000000232a3-247.dat	family_berbew
behavioral2/files/0x000700000002329d-224.dat	family_berbew
behavioral2/files/0x00070000000232ab-270.dat	family_berbew
behavioral2/files/0x00070000000232af-282.dat	family_berbew
behavioral2/files/0x00070000000232bb-313.dat	family_berbew
behavioral2/files/0x00070000000232bd-320.dat	family_berbew
behavioral2/files/0x00070000000232c7-349.dat	family_berbew
behavioral2/files/0x00070000000232db-409.dat	family_berbew
behavioral2/files/0x00070000000232e3-433.dat	family_berbew
behavioral2/files/0x0007000000023306-530.dat	family_berbew
behavioral2/files/0x000700000002330f-556.dat	family_berbew
behavioral2/files/0x0007000000023314-570.dat	family_berbew
behavioral2/files/0x0007000000023318-584.dat	family_berbew
behavioral2/files/0x000700000002332c-653.dat	family_berbew
behavioral2/files/0x00070000000232f9-493.dat	family_berbew
behavioral2/files/0x0007000000023337-689.dat	family_berbew
behavioral2/files/0x0007000000023354-760.dat	family_berbew
behavioral2/files/0x0007000000023352-752.dat	family_berbew
behavioral2/files/0x000700000002335a-781.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
744	Hplicjok.exe
1120	Iciaqc32.exe
844	Inqbclob.exe
2684	Jcphab32.exe
5004	Jnjejjgh.exe
4748	Jlobkg32.exe
3684	Kkconn32.exe
4872	Kkgiimng.exe
3336	Lgccinoe.exe
1852	Lmbhgd32.exe
2004	Mnmdme32.exe
944	Nlkgmh32.exe
3904	Ahbjoe32.exe
4224	Alpbecod.exe
3696	Cfpffeaj.exe
4460	Dheibpje.exe
2916	Eecphp32.exe
4520	Epmmqheb.exe
4228	Fmcjpl32.exe
2120	Ffqhcq32.exe
868	Gehbjm32.exe
1132	Gppcmeem.exe
4044	Gpbpbecj.exe
4316	Hoobdp32.exe
3012	Hoclopne.exe
544	Jiiicf32.exe
2020	Kodnmkap.exe
3448	Lpfgmnfp.exe
4984	Llmhaold.exe
4368	Lgdidgjg.exe
972	Lckiihok.exe
228	Lflbkcll.exe
2568	Mokmdh32.exe
2312	Npbceggm.exe
1764	Ocjoadei.exe
4280	Ogjdmbil.exe
3720	Pccahbmn.exe
3648	Pfiddm32.exe
3860	Qjfmkk32.exe
1432	Qodeajbg.exe
3944	Aaenbd32.exe
3556	Aoioli32.exe
4464	Agdcpkll.exe
2520	Amqhbe32.exe
2980	Akdilipp.exe
2972	Bdmmeo32.exe
4428	Bpdnjple.exe
1556	Boenhgdd.exe
540	Bdagpnbk.exe
4864	Baegibae.exe
3640	Bpkdjofm.exe
4512	Bajqda32.exe
3352	Cggimh32.exe
3872	Cponen32.exe
3924	Coqncejg.exe
4216	Cnfkdb32.exe
3668	Cnhgjaml.exe
4892	Ehndnh32.exe
4056	Fohfbpgi.exe
2740	Feenjgfq.exe
880	Glhimp32.exe
3956	Geanfelc.exe
2320	Hpfbcn32.exe
2292	Hioflcbj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ahbjoe32.exe	Nlkgmh32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfgmnfp.exe	Kodnmkap.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Bdmmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Glhimp32.exe	Feenjgfq.exe
File opened for modification	C:\Windows\SysWOW64\Hehdfdek.exe	Hhdcmp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpnjah32.exe	Keifdpif.exe
File opened for modification	C:\Windows\SysWOW64\Kifojnol.exe	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Lmbhgd32.exe	Lgccinoe.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlaldg.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Anlkecaj.dll	Nmhijd32.exe
File opened for modification	C:\Windows\SysWOW64\Mbibfm32.exe	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Fmcjpl32.exe	Epmmqheb.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Agdcpkll.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Jpgdai32.exe
File created	C:\Windows\SysWOW64\Nbnlaldg.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Moehgcil.dll	Ahbjoe32.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Ilibdmgp.exe	Iacngdgj.exe
File opened for modification	C:\Windows\SysWOW64\Jnjejjgh.exe	Jcphab32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bdagpnbk.exe
File opened for modification	C:\Windows\SysWOW64\Kiikpnmj.exe	Kifojnol.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Opkpck32.dll	e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cnnbme32.dll	Gppcmeem.exe
File created	C:\Windows\SysWOW64\Bpdnjple.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Mljmhflh.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Fbihneaj.dll	Jlobkg32.exe
File created	C:\Windows\SysWOW64\Lgdidgjg.exe	Llmhaold.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Geanfelc.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Hbldphde.exe	Hehdfdek.exe
File created	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Ipdbmgdb.dll	Lhenai32.exe
File created	C:\Windows\SysWOW64\Olqjha32.dll	Qamago32.exe
File created	C:\Windows\SysWOW64\Gppcmeem.exe	Gehbjm32.exe
File created	C:\Windows\SysWOW64\Ffqhcq32.exe	Fmcjpl32.exe
File opened for modification	C:\Windows\SysWOW64\Npbceggm.exe	Mokmdh32.exe
File created	C:\Windows\SysWOW64\Mfkkqmiq.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Amnebo32.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Ebcneqod.dll	Epmmqheb.exe
File created	C:\Windows\SysWOW64\Lflbkcll.exe	Lckiihok.exe
File created	C:\Windows\SysWOW64\Jafdcbge.exe	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Mleggmck.dll	Kiikpnmj.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mbdiknlb.exe
File opened for modification	C:\Windows\SysWOW64\Ahbjoe32.exe	Nlkgmh32.exe
File opened for modification	C:\Windows\SysWOW64\Nblolm32.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Imffkelf.dll	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Hbldphde.exe	Hehdfdek.exe
File created	C:\Windows\SysWOW64\Deocpk32.dll	Iacngdgj.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Cnocia32.dll	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Lpfgmnfp.exe	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Lckiihok.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lindkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kkconn32.exe	Jlobkg32.exe
File created	C:\Windows\SysWOW64\Akcoajfm.dll	Gpbpbecj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2460	5620	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imffkelf.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Adepji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll"	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbmgdb.dll"	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll"	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoclopne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgccinoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll"	Alpbecod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll"	Hbldphde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojfj32.dll"	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deocpk32.dll"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hplicjok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmmqheb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfkp32.dll"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moehgcil.dll"	Ahbjoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famkjfqd.dll"	Lgdidgjg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 744	2640	e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe	91
PID 2640 wrote to memory of 744	2640	e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe	91
PID 2640 wrote to memory of 744	2640	e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe	91
PID 744 wrote to memory of 1120	744	Hplicjok.exe	92
PID 744 wrote to memory of 1120	744	Hplicjok.exe	92
PID 744 wrote to memory of 1120	744	Hplicjok.exe	92
PID 1120 wrote to memory of 844	1120	Iciaqc32.exe	93
PID 1120 wrote to memory of 844	1120	Iciaqc32.exe	93
PID 1120 wrote to memory of 844	1120	Iciaqc32.exe	93
PID 844 wrote to memory of 2684	844	Inqbclob.exe	94
PID 844 wrote to memory of 2684	844	Inqbclob.exe	94
PID 844 wrote to memory of 2684	844	Inqbclob.exe	94
PID 2684 wrote to memory of 5004	2684	Jcphab32.exe	95
PID 2684 wrote to memory of 5004	2684	Jcphab32.exe	95
PID 2684 wrote to memory of 5004	2684	Jcphab32.exe	95
PID 5004 wrote to memory of 4748	5004	Jnjejjgh.exe	96
PID 5004 wrote to memory of 4748	5004	Jnjejjgh.exe	96
PID 5004 wrote to memory of 4748	5004	Jnjejjgh.exe	96
PID 4748 wrote to memory of 3684	4748	Jlobkg32.exe	97
PID 4748 wrote to memory of 3684	4748	Jlobkg32.exe	97
PID 4748 wrote to memory of 3684	4748	Jlobkg32.exe	97
PID 3684 wrote to memory of 4872	3684	Kkconn32.exe	98
PID 3684 wrote to memory of 4872	3684	Kkconn32.exe	98
PID 3684 wrote to memory of 4872	3684	Kkconn32.exe	98
PID 4872 wrote to memory of 3336	4872	Kkgiimng.exe	99
PID 4872 wrote to memory of 3336	4872	Kkgiimng.exe	99
PID 4872 wrote to memory of 3336	4872	Kkgiimng.exe	99
PID 3336 wrote to memory of 1852	3336	Lgccinoe.exe	100
PID 3336 wrote to memory of 1852	3336	Lgccinoe.exe	100
PID 3336 wrote to memory of 1852	3336	Lgccinoe.exe	100
PID 1852 wrote to memory of 2004	1852	Lmbhgd32.exe	101
PID 1852 wrote to memory of 2004	1852	Lmbhgd32.exe	101
PID 1852 wrote to memory of 2004	1852	Lmbhgd32.exe	101
PID 2004 wrote to memory of 944	2004	Mnmdme32.exe	102
PID 2004 wrote to memory of 944	2004	Mnmdme32.exe	102
PID 2004 wrote to memory of 944	2004	Mnmdme32.exe	102
PID 944 wrote to memory of 3904	944	Nlkgmh32.exe	103
PID 944 wrote to memory of 3904	944	Nlkgmh32.exe	103
PID 944 wrote to memory of 3904	944	Nlkgmh32.exe	103
PID 3904 wrote to memory of 4224	3904	Ahbjoe32.exe	104
PID 3904 wrote to memory of 4224	3904	Ahbjoe32.exe	104
PID 3904 wrote to memory of 4224	3904	Ahbjoe32.exe	104
PID 4224 wrote to memory of 3696	4224	Alpbecod.exe	105
PID 4224 wrote to memory of 3696	4224	Alpbecod.exe	105
PID 4224 wrote to memory of 3696	4224	Alpbecod.exe	105
PID 3696 wrote to memory of 4460	3696	Cfpffeaj.exe	106
PID 3696 wrote to memory of 4460	3696	Cfpffeaj.exe	106
PID 3696 wrote to memory of 4460	3696	Cfpffeaj.exe	106
PID 4460 wrote to memory of 2916	4460	Dheibpje.exe	107
PID 4460 wrote to memory of 2916	4460	Dheibpje.exe	107
PID 4460 wrote to memory of 2916	4460	Dheibpje.exe	107
PID 2916 wrote to memory of 4520	2916	Eecphp32.exe	108
PID 2916 wrote to memory of 4520	2916	Eecphp32.exe	108
PID 2916 wrote to memory of 4520	2916	Eecphp32.exe	108
PID 4520 wrote to memory of 4228	4520	Epmmqheb.exe	109
PID 4520 wrote to memory of 4228	4520	Epmmqheb.exe	109
PID 4520 wrote to memory of 4228	4520	Epmmqheb.exe	109
PID 4228 wrote to memory of 2120	4228	Fmcjpl32.exe	110
PID 4228 wrote to memory of 2120	4228	Fmcjpl32.exe	110
PID 4228 wrote to memory of 2120	4228	Fmcjpl32.exe	110
PID 2120 wrote to memory of 868	2120	Ffqhcq32.exe	111
PID 2120 wrote to memory of 868	2120	Ffqhcq32.exe	111
PID 2120 wrote to memory of 868	2120	Ffqhcq32.exe	111
PID 868 wrote to memory of 1132	868	Gehbjm32.exe	112

C:\Users\Admin\AppData\Local\Temp\e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e5559285692840111ae99c84458bd1b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\Hplicjok.exe
  C:\Windows\system32\Hplicjok.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\Iciaqc32.exe
    C:\Windows\system32\Iciaqc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\Inqbclob.exe
      C:\Windows\system32\Inqbclob.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\SysWOW64\Jcphab32.exe
        
        C:\Windows\system32\Jcphab32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\Jnjejjgh.exe
        
        C:\Windows\system32\Jnjejjgh.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Jlobkg32.exe
        
        C:\Windows\system32\Jlobkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Kkgiimng.exe
        
        C:\Windows\system32\Kkgiimng.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Lgccinoe.exe
        
        C:\Windows\system32\Lgccinoe.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Lmbhgd32.exe
        
        C:\Windows\system32\Lmbhgd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        29⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        35⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        36⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        39⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        43⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        44⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        52⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        56⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        60⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        64⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        72⤵
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        79⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        81⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        89⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        94⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        97⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        99⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        103⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        104⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        105⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        107⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        112⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        116⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 400
        117⤵
        Program crash
        
        PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5620 -ip 5620
1⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
64KB

MD5
b435f789312d3ca7073748f5a60a561c

SHA1
12ac53c6210f93be26cfe4966faf3fe08a2a962b

SHA256
aec67b84dd67bc8a2337c6b9ff2bf8049370015a12d22d7049b98a7572f1b467

SHA512
49e344f57150a6e01b57495702b410063d92dca19d1c5e394778c05111f23a826699071f638fc1e645a5b4e3faad60e29e2bf611ec26f0fa705a60590e5a3d9b

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
1.6MB

MD5
a038f2c76eb54a2fa33e648c81cd23b2

SHA1
f1e89124ddfafea7db1ea2f090b7f33a05bd0749

SHA256
5d049c429bd4ca34485391be6f9e0418023fe19d93dfd0c13ea420f2f9549da9

SHA512
a4a79c6e7a99f5219f887ea34cf13ae42d8b4eec85463a03959e54e41fbe2ee84a0b563c78ea032391f3c377ca1a06f47f98a7a375e9c703560dd08aded6d28e

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
1.6MB

MD5
337910e2aa22e65434284ed732aed176

SHA1
93898d76ea2b8881cf62114955072868183680b0

SHA256
12e5840ee637c618292826e6098e281c3a119a7f598b1095d3de9057e1ae3937

SHA512
583187649c3ecfc38d75b117e3213267623baa276b5e7fadbd45307761c1775d95382d671bbe2fddfc3bf9220c5d4936aa42fc951e60973db0535803701da6c0

Download Submit
C:\Windows\SysWOW64\Alpbecod.exe

Filesize
1.6MB

MD5
6ad74127fd464159fab7700628a5901e

SHA1
6d980c6f71a69ccb05c3774d01ad5d82e8e64609

SHA256
dee150096efb9b64e3b9751f0feef1c947e8291695f717e8919c5f546c7cf3ef

SHA512
cf19baa25e7d0011bb6e211f2232d99ab0f38f828a977dd8eb1aae9f3ef2085eb7e361d4d51fc94fde241c52d8dbc5149ff6916dfe24c257f5588102735f3220

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
1.6MB

MD5
ac1ff0c1e33a3263a0eda2df42d6771f

SHA1
dd154a56702b3cfb447f5fa3ab05f334fe247790

SHA256
3b8d5e7d314174fd738e2a907e19e005da63958b7dc34b2b4a4d837dd4159cd2

SHA512
9f70e954c2aa6593c8c3e286a3f0717313ac86f25396613b02c458c7ce0c04262a2281fe6e473c20e465bb8f96ea95a8c10eddff7913bcd700ac92842626380e

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
1.6MB

MD5
e4aedbf914982e726fba8a7c7acd7d3f

SHA1
e577a94d91b0954bcc0f369709c1671423cf9e0b

SHA256
5ddaca4e46742b374ab6749264b52451eecd2d011f929c8e2ab1003cf88ec1b4

SHA512
5583aef9f4c228d4b85b5ec4ccf73f90a8b4547b17a18704bfa862c62a5693ece1f622efc436b3d4a0429dc3a735030b0202607524a40bdd17b543b3a1253e0b

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
1.6MB

MD5
ae4c44f184adf3d6166066b782fb075e

SHA1
54a7cc04bdb046f3171d879b898a45155cd1e90a

SHA256
7bb67009e8bd0405b0e59ae065a449f591a63a8fda6c3bd19a0a13ba3d4852dc

SHA512
6f9d477e507557bb57296210426679f398e8cd1387f044db35e70ba03f0ed718eca2aa513c002d7352fd3c4906ffa9e905f8ea2240a827078beeb84b6a873328

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
1.4MB

MD5
d656f07d000e962849c2e9329b9af74f

SHA1
060f2e66a072ca4878218e17a3aaf9b5bbcbff88

SHA256
ed4ca589946b208f5cff18fa8c186b1847ee019376a91ccc2151188842177400

SHA512
4c2eb4d583a396bc04e4f708336b68b8fe5e1fb4d9581b52bcc5a851207cb8103a6de202a13ef87c4fd7c16a3e7f5d9f8908bd1c953db02db7ca2cd74419adf1

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
1.6MB

MD5
1ed1d48605e9ca9f48a2da912e65cd2b

SHA1
4856451fc9e0e301ecf6b04940898dfea9769a70

SHA256
f4cb6fb9e4e097f9bde1cd2a49c9a5fcebb93fb02e71a474ef18bb8e670e3ac0

SHA512
60c4ee1167e7c9bdad1bef3ff8f3c10a3f03e46dd356f8f0c3e3950188720948274e9248cffe5314208528e36682dd76f0db6b85c02a5193aac97324798c2094

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
1.6MB

MD5
23f59d7d4b0804b659361f50df9551c9

SHA1
be6c6c28aa305e73364ebfc31d9bfef99ea30669

SHA256
d05991b2a37520cb4ff49c0fcff70b972b629b4fe056922c50cbf5fad682aadc

SHA512
1526c74d72e58112abfb3608f2f8378fc6240867c5bc325822dfe813a621b33ddacd4cf497ffe27664e6e967c59fd3c8f152f438b3842a2861b2b638bb30e19d

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
1.6MB

MD5
39828a44eec48e5823e6dbf7f01b73e6

SHA1
17523ecb616fba27637a360096744485a4df0278

SHA256
20364647ba24043c7f972a344bda4c00ca5f7d463944bfcb2c8a12c418901088

SHA512
f943407742515f55d806c6ccaea8ab180da646d75a3c25ef54a26033c1fa9e529b85eae5a032db507cc184c764e497a40e0ee8ce4bda4eeb2078947246d1d7a3

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
1.6MB

MD5
8f6764e90458b17b2e55335d6d69df06

SHA1
de9bbb9e40ac0a94f50c9db43858fa7780f58c37

SHA256
cd42e613d03da0b6ff333d19aaa611af5e030a0dad2fa03fb86d2e9f64ee67ba

SHA512
b1cc0ef9c558217a6a3f09d958d43b5922ab1f6eb9259bb5b1e77aa224f53eb526c24f1ecc4218e1276d343558bba68155e6ddff9dfa22ec7c39d18531e228cb

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
1.6MB

MD5
85871e1e40f97bd5c4707759641e0feb

SHA1
df1b8dc00db99db6bf9444e184f9c687b01c5338

SHA256
dc80a71d6b46d1f70f010178a6308a7e687da1b339ad4c2f05463adf49947a58

SHA512
8ac42202640faf8c407ffbb06afc9c143b52855548af8fd9ed9d42611f87b98badd27c48632cbafe87a983387cf9e8a832e4731d7ceda7b069c5c0bb7d9c0554

Download Submit
C:\Windows\SysWOW64\Ehndnh32.exe

Filesize
1.6MB

MD5
6598e9737cb3ab437636d22d86e48641

SHA1
7781386f366525602a4de14a35135e5143fccf5c

SHA256
a797cd1735a4e7393f2d38567c970cd3e2de414866e3b59120b38855c81a7e09

SHA512
d624b97ab9aa709be0aa388fcd092482e09e447d9ea6f5d199a74700e13f9f1ca8848193dbeb872f3144c5c81dca5c658d38c352b8f04342392ae8d93dda712d

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
1.6MB

MD5
e2babf4e55afb990bfd3f760c5a32307

SHA1
3df2bad336e5a28679ac7ec5afa67374426e5d63

SHA256
f9587acc04ea3df794c36fb3aad8beeeab2d669547c8c5617da70651cc70ed4b

SHA512
b953b0b86fc137e254e1129054fc7ed178dc35515e981df26978f2e04adbeb7f0ec7f11fd0610361e529ff824be5518a5aa71f719991b2840418860da3f78b4f

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
1.6MB

MD5
470d32dafee4e8de72af0a0bc0b48c6c

SHA1
505dc39c40adf51dd4387094126e256b1895a412

SHA256
feac5170135e53f3454635863315400e80f681ba0778e30494b26ba41b522691

SHA512
97290cc10e6eb81b369f3766cfe3f3b97de6cc86fefaca19cd1fb17b85c947077c79c3161c095a6dad5abad364f609987b739aea20fbe17ad1041ae1c5a02080

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
1.6MB

MD5
e5c92105a0f9fcbcdec65279ba426d09

SHA1
0e748d3e11cae254d38b3cd20ebab5fa8d618724

SHA256
0ecf7b2846122154afc35414022411e697e43e8a34e33a26ad8ef7140c79e4e8

SHA512
0222a1a414fa3b763374785894b755c9cb63e8a91597beb3c4d3f16de4eb264e7c6013d59e859d52eb42a5e0786522c4d4b714a80f2b9a216a26caf6052a5339

Download Submit
C:\Windows\SysWOW64\Geanfelc.exe

Filesize
1.6MB

MD5
655dbf7e5c4873e9c436c9608eba10f9

SHA1
4eb4a8b2b3f9e16b750e43cd752a442463195e1a

SHA256
4af1c446830a9fc58932591bc35d518df347b326dec067fa83af37f6a0fca4b8

SHA512
7f10e2747dbebfc5f277a6711d4ce6a419d4ea7ed0adb50c9746c5e70484523dc89a060417ec65f28b9c2e6f7d2a2cadb74cdcf919dec5100e97ca612d24f21c

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
1.6MB

MD5
c17e2c52097f6bb2b12d4f1a7af77983

SHA1
c9821bb986d9b6b86c28ad7b6cccab495cf86c95

SHA256
435e109f2a5f7b3e73671e9e203b7a7f59225460fb668dbf5240db5c35e9ba40

SHA512
d00ea68b7d22f35d79befcc2bdd9eab989b7e991f8b6ac1f3b68f0b50ddf5f490162c82aab8d095077577d6b25a933dc9a38478a6f0352a346fe54ab30709cbc

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
1.2MB

MD5
f23c773e2530d98d2b58150ffafb115d

SHA1
ffb0553204a1a0cd89b56b7970de9955eb4685e6

SHA256
45cf0dfe5f98f6e860d88f3c6404ed8ee022f2f7dfb233e5ce1e5703d87b00e7

SHA512
bbd04f306418197f22d1b99625f41b9118156843e69ed1c0dedc1af3caca4cc28d8748d8d4d4cf6d5e44a6ffc843914d31c536203fa7eec554fc5974a73e6ce9

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
1.6MB

MD5
fcda5ad38e13b705be0db34d3fa459ea

SHA1
83211f2dbad65d812d12fd57d1cfd592929e9eec

SHA256
a0eebccdc0e80a4bd7eeb38be0ef22906a6b0ad51f2e2ce7a029b782a3e771cf

SHA512
c714fdf57a3297b40f677a239a59b65cb589a9985ad67326c27166fe73831f1c78a2d88bf3ae135464d1e7c9b696b89326f2fc111579cb142e1226ccf0eb5702

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
1.6MB

MD5
9fbc9787cd9a2d45fe74a9cb74e7060d

SHA1
e9546800dd4cb4b02be5227931400dc5ce045d12

SHA256
4f6c0bc760d5b2e807069664d4071008c3c06eb83dccde6b8201a34e582884ba

SHA512
07f684ad6dba1c31d98376ad56f0f8b15a4a3df54177fb2a6fca48054ca15ca911774d9294be31864f6d6eb89c43f341f9667a5325e4ee1df28182eda8845bb2

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
1.3MB

MD5
3706f71b2468210dab31a3a01d0337ea

SHA1
b88cc16a258db462741fa46691c712dc5dabb114

SHA256
803c9f9bfb9bd8efb39d02bb1d45145f970975fa9293ebc3f1af4771d832f46f

SHA512
177d8104617ad42886d78cd4f78c9d205bb28904d384ef4c0bb20153d094ece9cf9c804370f67a761e79715fce0ba0b60b43ed7286b4285a178e229079580c9c

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
1.6MB

MD5
076eecfbcaa8b0eb482726d5218c20d7

SHA1
f7d4a921533d81d554d95976e691d2cb6365252e

SHA256
ff73eebb4973d05084b4dfa22fa809ce4959bd1c542c68192e6aab1033eca854

SHA512
398ecd67dc174cd0852ea5d63f3cfcd0dc5d466910d4e0ef1c2eb0233953dc97063c703409134844bd9335c23823b3c677350e6be43e07a22010cc4a4ed03c51

Download Submit
C:\Windows\SysWOW64\Hoobdp32.exe

Filesize
1.2MB

MD5
3b20a90a5d7c4628e45ce0152e5b27c1

SHA1
0213eb79143b16dbe0ca28a5d821d8a26846ed90

SHA256
d86218a9f3105b5582386ab45bada2678ec27a53dfce6ecb4aa7c4eec5425d87

SHA512
75d0a2f935f61bbe5088bee90604ebfb520bfc62e0a9e15ea2079c5e8b0d26cbb96846acd804c72546cd71303ff3352418aa0c7de00677830d4b4181a0e4c844

Download Submit
C:\Windows\SysWOW64\Hoobdp32.exe

Filesize
1.2MB

MD5
4e224a6f43841528a3f0be26d785fe4c

SHA1
34a1c4992f3f5d6446690001cea0c88ed6e70021

SHA256
2fab202f720ac8504ba68450e3cb7115fbef538d04e9ddaadb24c18bb9342534

SHA512
71350556552d1212efc56aee0731bf445b920562139444832ccb1710dea12899d7076b85f7ea86d24bd10f7f73b5375e6fa254e506dbe8ecfb9737891e3a0d67

Download Submit
C:\Windows\SysWOW64\Hplicjok.exe

Filesize
1.6MB

MD5
51b178b6b9c5a40c91228a1c5c28c59b

SHA1
1b3b6cb1a6e588ef08ec8d0346215c8ec3a67c1f

SHA256
eb6eae1a31efdfe8b3bfb73f9f388618e9975ab9b9888f598a24e58fd76dcc99

SHA512
1a05ce82906d161877cdd6d0bc491e243ec62301f4bb36806dfe8a057efb3c8d32dabc269ef15eb32fca28ea6702db4bf2e249d78064fd6c9ac6ae7515c34d44

Download Submit
C:\Windows\SysWOW64\Iciaqc32.exe

Filesize
1.6MB

MD5
72445ba12f2ba406b3ae1d2a72f3acfe

SHA1
7ded6f7b23a230aee6f81ba53686edd726146744

SHA256
a904fe086c4b42227dacc5f0f8f918a77911b319a4e69b5828d97f504177299b

SHA512
502e8f1ea8d9a7227fb5e90040dbb7c0654190b2b28e231b0b2ecf02f90e5a2c61e1e5928047d480a60ebf711d1ec1e6b86dd719c7e61db8d735d5188dc569ab

Download Submit
C:\Windows\SysWOW64\Inqbclob.exe

Filesize
1.6MB

MD5
4106182c354312ccfd6a766438fb2a2a

SHA1
6a439d224a6f1c2e5aad17d9d8b1fba74b76ff2a

SHA256
4f3c9926de5ef9aa5a38a5cf636a7959f816c958a224d49d3f3881ebaa057cc6

SHA512
2d0007792fa51501f5438718dcbe9dedf80fbf23c1123aa68676c97c1b72694daec98e88ca3d27e14a93bbc1b1a9c9e574609ac57d7ebd599f6935d9d825878e

Download Submit
C:\Windows\SysWOW64\Jcphab32.exe

Filesize
1.6MB

MD5
f825c4f75dd71981d6928aa66968a6b1

SHA1
8cd3141dc35d32de33f5b6463eaeb442012bbd21

SHA256
a06cafd0009c77fb292ed3a3f33d1017b93a497192e9ec52fc7130e092f85e47

SHA512
0ed07efa07c8d90465615e654b934452bfd3da66a868063802baf1b8cd41744071275c79512dbee7020be9d0ae92355c036312decb0da38fdefdcf6aae32fb08

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
1.6MB

MD5
630116758d1f11688cf114579bbb4c19

SHA1
6d449a1efa8b342a6b4a7ad190e36c6f82269d27

SHA256
168782bdf41bcef9b9484ec765a9253d5f9b649e58e9a58586e38a74bf03ef27

SHA512
b490c966992387c09baea84a21a550153bcbcb880a99f5eacfddd37e74c6be9e4f24738eefbfa4e88eca9024f192c2c4ba934122603de870d35efc16198951d3

Download Submit
C:\Windows\SysWOW64\Jnjejjgh.exe

Filesize
1.6MB

MD5
e8e1afadff45098660fadb147a9102c8

SHA1
9fe267a61c0c335cd1c74b73c2642626c1f7913b

SHA256
98e4f9f840162e78e2998ed507dd57e4df86fe471afa309bb572dcbd8ba9392b

SHA512
cb790197ed6d344e3a84d7e5edb0a90d942d49db991f5ed1d0155b94e15dc000d2c3b9a1b48245b697a66a8c39b7fd3943307036adf13358ed3d0020464b359d

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
1.6MB

MD5
cbb9d11cb02e2f5c122b6f28f80e936c

SHA1
07c7254428d076022a38c6d7133d1fe786365973

SHA256
663511e3bf730f494be1e57855cbea1416794f88a50e5544e8eca575321e6068

SHA512
2f805f4a51d4903a03669ac66495d5231829be54a209ecc61ed00d49003e03838d0d5ce1c87b184f4d097afbce0890c67963acc9b350d2bed69e49b0b36edd39

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
1.6MB

MD5
7b1e9e1d5054775166998614522b63da

SHA1
d140520957d3e0f52e85bbb26952cbfeb66c413c

SHA256
a0db6732bed606a29cadb0efe0e32377c23121959c695b5f08553081ba311246

SHA512
08eb9dc0f2a742494e0932694fa341e7eaa356630acef304f5379f7462dc788ae1c225b7edd78e032924e3a360bbcf2cf0471e1b3171230bc1011b149ca2c95d

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
1.6MB

MD5
1baeb93f74274a27a5fb6eabc1c370c5

SHA1
b80345d27bece7269a828d38c2db1bac1d94cda1

SHA256
ba5774d21d3013c490abb4b275bd4377be066712c58a027630a9d56dc06acc58

SHA512
c629d62efc142bf2a2a64a02ee18571b3027e275ab620f9075b89224c74e47f4841d5708207a27107b014a757580f2e6fe133d576a9b57d8c98700b1297ce696

Download Submit
C:\Windows\SysWOW64\Kkconn32.exe

Filesize
1.6MB

MD5
39849f189b217562d6a3914860540a05

SHA1
a70c8b0da0a7c8637eb9042714b12f833c056017

SHA256
ce5dcc785f15eea5e1c891222fa9420a25066e5c1a359114bec9cf36ec886c83

SHA512
799bec059d669d1637f5224eead6873061f6abd3e42dcdb6769c6322138ccfd279984bd1cedc414b01368fb7a9aec9e2a99a9ec2db75200e4c669dd0e714d6f2

Download Submit
C:\Windows\SysWOW64\Kkconn32.exe

Filesize
1.5MB

MD5
404e5a216cd8db1d7a5b60237fb0ab88

SHA1
a29b7eedb0af9955dbd0d3195f0e54f8e597f945

SHA256
68a610d0f16feda586c4438ea44f356515804bfdd246141006156fd39b1d0179

SHA512
31820eeadb1dde1e7a96af22285f42431dbdb0f756c2b250bde6296b2d979b112b0ed8497f8f5f15ddf80201ce13515d3dd629b143c34bb678378da28d3c39b8

Download Submit
C:\Windows\SysWOW64\Kkconn32.exe

Filesize
1.6MB

MD5
5404cdc16d65f1529c5da831f96b997d

SHA1
fdfa567da29a214b6209710e0f6b12a0c2ae7a44

SHA256
2600f7d1f3865dca25e25e5003a6839466b814d78422b78336368cff497546ea

SHA512
4b5214a7688e097b51c4d1049811c6c99825cfad968c4d93ded1097b7e87da635dcf1576f8b489e3d5aa139126833b2768d807e76d349f195ffb2328bd2632a2

Download Submit
C:\Windows\SysWOW64\Kkgiimng.exe

Filesize
1.6MB

MD5
a6619e3db19d092100a7d162be89da3e

SHA1
fd649b03249e1ee0b7d37ff4af840a7b712a670f

SHA256
fabfd7aaae67200c920ae727754dea702885a341c7a1019c54bd1c191a84e77f

SHA512
40b80e9783765b944354c801a91dcff2974173098dd9d330126853c6642960d531100a768cc0e9ad2d987c96098be3d732e229ba2fdb744183b9931ebf1095fd

Download Submit
C:\Windows\SysWOW64\Kodnmkap.exe

Filesize
1.6MB

MD5
7d2b74476ce3b9fb4b5f1d79a99949f5

SHA1
aa8409483416dcf6b7b287e5538fc9ec42b01da1

SHA256
a8a2c719c2f5b3535bfa51c13ad7c3c1e6a2171ee34dd126986ea06c28bc702e

SHA512
ad5cb8aae02b8fc9ceae084d20ef9076574a80e98b110f6dcec3811c5a5ff2d5c52c1954db3a5ac06841651f5e503ac7ff501770e754785d936eaee72c563fa6

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
1.6MB

MD5
9b7efbad4d2874827a21166759d47044

SHA1
d3962a877570a45d264e5e7a2ec7b4cf2afd2f88

SHA256
60406d8b3b9044d84f47e7873f71afa19829a133f547e2ebc9b4a093a3f26902

SHA512
b8eb8e12ab940d6731d250cc6ef2f1721ef9f602870f1843077d6339389e4fedbbc20d234db4b34140d6200928c6c3c76ddd17bd5dc25a9396eabeffd6ef471c

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
1.6MB

MD5
60ddc459ed9dc3435beb273b49fb347e

SHA1
3cc67874aeedbb0a5590f04e3c2dd34781a3d3a6

SHA256
a07007413867c50d2877a8525b8869bbd2b1ce04a2f35e55efe55037212a90fc

SHA512
a0290d4c4195e65d7994a1d94797fc15db113bb3b8b50ab34c6398dbf9f4af3246aff2d29097b3f3ce16e3d1d0445fa3dcbbd39f6c9cecbbbeef38c45a8c620f

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
1.1MB

MD5
2c3c5dacfab7e0c90c670841d168ed77

SHA1
2e9b7640d292f344dc13b6b427df9c28eb628008

SHA256
b1b6d193bc63bdc8dd86ceb7e18e327e56cb2eb131f8e6e1aad32ae8316e0c2c

SHA512
d5519a8783780004eb53ee6b394b45f670ef153f84e93ae0a132d018763c4e5188cc048be4b309d2294f15e852dab60144b49c7d2288a9153370573a1401261d

Download Submit
C:\Windows\SysWOW64\Lflbkcll.exe

Filesize
1.6MB

MD5
caf2f02efaffdd6532c99076d929c779

SHA1
716dfffa35c3e2815fcdc01c2542ef42b2f5285b

SHA256
98a839ecec169f047eb153b4cfbffc05fe3c1f232cb926a7e335062bb654f023

SHA512
3745ae5c39564c9147e4317b927c3d13284e64b294d4274371253dd28ec8fab8ac4ef4dcd0e8a4cbf353834a6e31311a51ba48e7607dfe9306d6d0d801a9f6f7

Download Submit
C:\Windows\SysWOW64\Lgccinoe.exe

Filesize
1.3MB

MD5
b5c2a89d6efc01f8ba94fc12de2a47f7

SHA1
890e9822209e28a64ed371e48f92f40be7b5ce9d

SHA256
4c2df24ce35bb6eb0821d5d119148e75f2a271865bf692e11381a054c984eed8

SHA512
340171f47cec36530b2083d546b196b1f3401d1d14e52665a9881a3657d2fe14fe4ba9e7472bf23c8a9c38982ef7dbe27b977036bc2fd3cdf131a0b6b82c7a68

Download Submit
C:\Windows\SysWOW64\Lgccinoe.exe

Filesize
1.6MB

MD5
ffd3b475c59c943b7e2eb16bdf3fdff9

SHA1
2ced1cf6f60049363f2e0ad940477f8fdad439f3

SHA256
7f847fe64a2ee3208492ca92e4975182a53bd0469603d537e1dd6408ca3bfcc4

SHA512
c3a85eb285a95d6c3fa151e1fff1ad9b1b169974d26d406e4bee092b4e9762e38191f632fb27d1b4af45fe4d0a9cbc5cd4acef0e3e0e0fcaf5bdda46df5e726a

Download Submit
C:\Windows\SysWOW64\Lgdidgjg.exe

Filesize
1.6MB

MD5
73d8cb6ea725d52d9f18c54e42731a2b

SHA1
240fd40fed17f36436156b28f762ab20b94eaaed

SHA256
03704cd2c4c18a8606d8b76c5ceeaf35f0a28a719e3cd1c322668efe60fbf6a6

SHA512
571be7927c8abc1bec0afb9734dc348ea8c1a6dae212ba144462f31c63a2a2656abb576a81313040a1b54fe29f1092ed0fde866aab6e8c521c6252ce88863234

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
1.6MB

MD5
7ef97cc9932e3aa2b34eaea8908d5e7b

SHA1
28b0d0b22887f8bc44b295476635a5ef3018406a

SHA256
185329e27d16fd86d884f386cfb310623d03b07d5373f2742d2af9db8544abc2

SHA512
6cd9ad38f7493adb989cd33da2eb1ca8b5f50659565f5d8efb69eae6ce085210b4a55c3a77cc908df4d0c4ea857ed6a069a515d15c95680e15050034079ae35e

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
1.6MB

MD5
151265df9b3643886d4ccbbe7de24f11

SHA1
4a135859ab392d2db1506a0f84eccc83647acb56

SHA256
6c0dc6a00831d4aba50f2370c00e4007df8b564e9c78319ab0a6892e673f74e9

SHA512
d184b5ddbb64cb29f793392a03134e53d3ba571bcb5ee48f90ebd7cfe3c884aecd7f62651f56f4a2c7cab31702e9ff9fb0cf481fd7d617a967c855393fd29ec6

Download Submit
C:\Windows\SysWOW64\Lmbhgd32.exe

Filesize
1.6MB

MD5
eaaeef0b0dcb2976f108c56afcb9ba14

SHA1
1a445bf7a9a8ef8459af5e96dc62dd8b0502eadd

SHA256
df4f5a941b3186ac921f79c7405604e10d523d2da0acfdc4f4af785cfa8d1c3d

SHA512
00c9be709911cb6a03f1500a253347bd940d176bd81c211fa5e580550a26d87b152d324fd67ebbcb518026e75d428f8ccd98e980017b2078cd43b95d384c96c3

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
1.6MB

MD5
21422babfb975576a6cf21dba22d360e

SHA1
d1755d603649d6abe9cedc27deae2c892f64dbfa

SHA256
9d2927e9ef5b41a361f2fb669a6f4b95435bc7af10db5f2e9f6beba8aa3af14e

SHA512
26a1b5452431b09bb4efce71c432b967ca086027cc7e254b07dbba0fdd175595e6fd9e6cccea1dca6a25b6ae0db291136fdd7b2555b9c885b4bbba395adab258

Download Submit
C:\Windows\SysWOW64\Mlhqcgnk.exe

Filesize
448KB

MD5
a9eb1cf4090734ac6b993fafdc7ef50e

SHA1
c7d5991f478f2e5ae7cd5c13f7e389300a5b8e87

SHA256
1c41a622a5d87de9c72d6e44653f78278ee0d52607c691e5bf627bf8fb6d50f7

SHA512
48002c91a857f42630b3c0638df36fb3f4548480cfcb8552776790dc0ac49682f629f24c26dea7b81d5af684822c3f3aad5fff0d8371c8f7e1dfee2c873e9815

Download Submit
C:\Windows\SysWOW64\Mnmdme32.exe

Filesize
1.6MB

MD5
f8e8c9bce737cb983364262c6492b6d3

SHA1
063ae123489a8b4501c084fe31b5653d08270f34

SHA256
be4e5bc2544f8bbb557e93c26853ce1feabf64d515d291d449dfe1ae2c1534c9

SHA512
b70bc8e99bc0854b0b4c6e16c99c4ef36963c8fc3aed48cfc9fddd74b47837aca55f2626493ffe7166ccff4a2069203c4441f95083cc1812245d2e9ebc3618da

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
1.6MB

MD5
5b012e2adf4679dc454a2b8abcfe1c30

SHA1
bdb39345861ed79176c785d85918527f1bc79447

SHA256
eef5730de06fc531ae26dc3b34fd7f1fe63297200511f00a0371614f00b68dfa

SHA512
d97d6e2c55a36747c13628c60e7f979993f050f38df27b491b5da255ec2ad878e8bbe8376f0638914a6700caac82b25ef07b8ba0cb9524bb001c5d250f00d6a6

Download Submit
C:\Windows\SysWOW64\Nlkgmh32.exe

Filesize
1.6MB

MD5
d6ccb7a9f051eef129b6ea7444887aab

SHA1
6b21cde75b125bd040d87487749fb51c4f2b3d67

SHA256
b61dae66301573f4f5b684ccfbea3dd82d5a3888ca2da6e4c94d19801c5654df

SHA512
b964e8aea22382c35c2c12da17edbd506265b3328bb4db4596d28447d71659f72d65f76fd1ac4e4ebed9b5ebea1ed1a9ed59c5ab2a2691d8643a37f968790d21

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
1.6MB

MD5
28affda6eb5409a5e2892772979869ea

SHA1
68923634e18d4db686b412a480148cd6c96b52f3

SHA256
74262d0eaf0eee9577a77fde8199de0cdbdfb74cbea90ead91a80426610e4759

SHA512
ef5ad52dd5cbb6062a91e0a60e735a01edbebbdf26dfa33238485fe051b20bf5be85ac5c3ea5b3df9964a9abff71379e1c528dbac8f52fd6b23fd9949bae8a86

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
1.6MB

MD5
332b6f267b0f3d81f32a1ec31ac65e2f

SHA1
db0d134d9b8d48857312494c62bed139d60c2b79

SHA256
45a162b255f915ea8c7b0f7d7cc1796511038684510bb1cb38bc6fcb9b803dba

SHA512
74d1b9099df6d7cf324c4afc0beadb2be32060fb456b426d0d44d13391053fbfb77fb0d2ff3c99d30668e7b290d078e8c1829296bf905a0509c1be3234259a11

Download Submit
C:\Windows\SysWOW64\Pfccogfc.exe

Filesize
1.6MB

MD5
accf818cb91fdc9d1b3aa02c1d6a3120

SHA1
107ba5f25c64265eae280f71e57cdd3851d34970

SHA256
f7c0fc15dadcae166043646a67f237c4115aa8069ec8204a52eec3133a84f769

SHA512
3f0cb05e40a5a66314e3cbf690243e677e91ea000b4c28dfe9e6fff0d2731de4c90fd2c12bd665a28379ad29bfbd527e041437b16e077bf64cbd9f782612b9fc

Download Submit
memory/228-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/544-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-547-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-561-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-791-0x0000000077620000-0x000000007769B000-memory.dmp

Filesize
492KB

Download
memory/868-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/944-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-554-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1132-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-498-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1432-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1764-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-462-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2020-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-474-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-528-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2684-568-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3336-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3352-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3356-456-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3448-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3556-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-486-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3648-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-408-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-589-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3696-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3720-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3860-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3872-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3904-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3924-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4044-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4056-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4216-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4228-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4316-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4428-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4512-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4872-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4892-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4948-492-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4984-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5148-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5196-510-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5292-516-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5372-522-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5416-529-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5472-535-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5512-541-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5552-548-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5600-555-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5652-562-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5700-569-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5748-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5792-583-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads