aed8069d3004be456c9d5f31f4f597f14bc330db595d03df417f95ec5bc7126f

Analysis

max time kernel
143s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe
Size

346KB
MD5

3e39c808e6040f6ab71d02d2d8592580
SHA1

7db66d64aa1fccd915a34fb707e88e559b9dc807
SHA256

aed8069d3004be456c9d5f31f4f597f14bc330db595d03df417f95ec5bc7126f
SHA512

1b245860665d4d91094daac5c94163fbc2bfd107129c27224a0a4cae3f851222d88135de69c13fcd01fd40b6a6f87c804b8d230132804dc08b996e6236f189be
SSDEEP

6144:rDgtchdsFj5t13LJhrmMsFj5tzOvfFOM:PLhds15tFrls15tz4FT

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe

Malware Dropper & Backdoor - Berbew 41 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000700000002328e-6.dat	family_berbew
behavioral2/files/0x00070000000233fa-15.dat	family_berbew
behavioral2/files/0x00070000000233fe-30.dat	family_berbew
behavioral2/files/0x0007000000023400-38.dat	family_berbew
behavioral2/files/0x0007000000023403-47.dat	family_berbew
behavioral2/files/0x00070000000233fc-22.dat	family_berbew
behavioral2/files/0x0007000000023405-54.dat	family_berbew
behavioral2/files/0x0007000000023408-62.dat	family_berbew
behavioral2/files/0x000700000002340a-71.dat	family_berbew
behavioral2/files/0x000700000002340c-79.dat	family_berbew
behavioral2/files/0x000700000002340e-86.dat	family_berbew
behavioral2/files/0x0007000000023410-96.dat	family_berbew
behavioral2/files/0x0007000000023412-105.dat	family_berbew
behavioral2/files/0x0007000000023416-122.dat	family_berbew
behavioral2/files/0x0007000000023418-129.dat	family_berbew
behavioral2/files/0x000700000002341a-136.dat	family_berbew
behavioral2/files/0x000700000002341c-143.dat	family_berbew
behavioral2/files/0x000700000002341e-150.dat	family_berbew
behavioral2/files/0x0007000000023422-164.dat	family_berbew
behavioral2/files/0x0007000000023426-178.dat	family_berbew
behavioral2/files/0x000700000002342a-192.dat	family_berbew
behavioral2/files/0x000700000002342e-206.dat	family_berbew
behavioral2/files/0x0007000000023434-227.dat	family_berbew
behavioral2/files/0x0007000000023438-241.dat	family_berbew
behavioral2/files/0x0007000000023436-234.dat	family_berbew
behavioral2/files/0x0007000000023432-220.dat	family_berbew
behavioral2/files/0x0007000000023430-213.dat	family_berbew
behavioral2/files/0x000700000002342c-199.dat	family_berbew
behavioral2/files/0x0007000000023428-185.dat	family_berbew
behavioral2/files/0x0007000000023424-171.dat	family_berbew
behavioral2/files/0x0007000000023420-157.dat	family_berbew
behavioral2/files/0x0007000000023414-113.dat	family_berbew
behavioral2/files/0x0007000000023483-485.dat	family_berbew
behavioral2/files/0x000700000002348b-510.dat	family_berbew
behavioral2/files/0x00070000000234b9-664.dat	family_berbew
behavioral2/files/0x00070000000234cf-738.dat	family_berbew
behavioral2/files/0x00070000000234d1-745.dat	family_berbew
behavioral2/files/0x00070000000234d5-758.dat	family_berbew
behavioral2/files/0x00070000000234dc-777.dat	family_berbew
behavioral2/files/0x00070000000234e4-805.dat	family_berbew
behavioral2/files/0x0008000000023381-889.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4100	Gfqjafdq.exe
4104	Gbgkfg32.exe
4312	Gfcgge32.exe
2408	Giacca32.exe
1012	Gmmocpjk.exe
3324	Gpklpkio.exe
4296	Gbjhlfhb.exe
916	Gameonno.exe
1292	Hboagf32.exe
1876	Hjfihc32.exe
1396	Hmdedo32.exe
5072	Hpbaqj32.exe
868	Hmfbjnbp.exe
1644	Hpenfjad.exe
3824	Hbckbepg.exe
4444	Hjjbcbqj.exe
1624	Himcoo32.exe
2964	Hadkpm32.exe
912	Hpgkkioa.exe
1044	Hccglh32.exe
4684	Hbeghene.exe
1480	Hjmoibog.exe
1772	Hippdo32.exe
1856	Hmklen32.exe
3268	Hpihai32.exe
4284	Hcedaheh.exe
1720	Hbhdmd32.exe
2276	Hjolnb32.exe
3300	Hibljoco.exe
1952	Haidklda.exe
4628	Ipldfi32.exe
4436	Icgqggce.exe
1588	Iffmccbi.exe
4700	Ijaida32.exe
4260	Iidipnal.exe
1440	Ipnalhii.exe
3984	Icjmmg32.exe
4400	Ifhiib32.exe
4640	Ijdeiaio.exe
4200	Iiffen32.exe
2968	Imbaemhc.exe
2084	Ipqnahgf.exe
1688	Icljbg32.exe
2124	Ibojncfj.exe
3756	Ifjfnb32.exe
4648	Ijfboafl.exe
1596	Iiibkn32.exe
4504	Imdnklfp.exe
1252	Ipckgh32.exe
4604	Idofhfmm.exe
948	Ibagcc32.exe
1200	Ifmcdblq.exe
4968	Ijhodq32.exe
1768	Iikopmkd.exe
3716	Imgkql32.exe
4196	Ipegmg32.exe
3828	Idacmfkj.exe
4240	Ibccic32.exe
712	Ifopiajn.exe
3140	Iinlemia.exe
3212	Imihfl32.exe
1088	Jaedgjjd.exe
4012	Jpgdbg32.exe
3372	Jbfpobpb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Onkhkpho.dll	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5556	5500	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 4100	1436	3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe	83
PID 1436 wrote to memory of 4100	1436	3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe	83
PID 1436 wrote to memory of 4100	1436	3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe	83
PID 4100 wrote to memory of 4104	4100	Gfqjafdq.exe	84
PID 4100 wrote to memory of 4104	4100	Gfqjafdq.exe	84
PID 4100 wrote to memory of 4104	4100	Gfqjafdq.exe	84
PID 4104 wrote to memory of 4312	4104	Gbgkfg32.exe	85
PID 4104 wrote to memory of 4312	4104	Gbgkfg32.exe	85
PID 4104 wrote to memory of 4312	4104	Gbgkfg32.exe	85
PID 4312 wrote to memory of 2408	4312	Gfcgge32.exe	86
PID 4312 wrote to memory of 2408	4312	Gfcgge32.exe	86
PID 4312 wrote to memory of 2408	4312	Gfcgge32.exe	86
PID 2408 wrote to memory of 1012	2408	Giacca32.exe	87
PID 2408 wrote to memory of 1012	2408	Giacca32.exe	87
PID 2408 wrote to memory of 1012	2408	Giacca32.exe	87
PID 1012 wrote to memory of 3324	1012	Gmmocpjk.exe	88
PID 1012 wrote to memory of 3324	1012	Gmmocpjk.exe	88
PID 1012 wrote to memory of 3324	1012	Gmmocpjk.exe	88
PID 3324 wrote to memory of 4296	3324	Gpklpkio.exe	89
PID 3324 wrote to memory of 4296	3324	Gpklpkio.exe	89
PID 3324 wrote to memory of 4296	3324	Gpklpkio.exe	89
PID 4296 wrote to memory of 916	4296	Gbjhlfhb.exe	90
PID 4296 wrote to memory of 916	4296	Gbjhlfhb.exe	90
PID 4296 wrote to memory of 916	4296	Gbjhlfhb.exe	90
PID 916 wrote to memory of 1292	916	Gameonno.exe	91
PID 916 wrote to memory of 1292	916	Gameonno.exe	91
PID 916 wrote to memory of 1292	916	Gameonno.exe	91
PID 1292 wrote to memory of 1876	1292	Hboagf32.exe	92
PID 1292 wrote to memory of 1876	1292	Hboagf32.exe	92
PID 1292 wrote to memory of 1876	1292	Hboagf32.exe	92
PID 1876 wrote to memory of 1396	1876	Hjfihc32.exe	93
PID 1876 wrote to memory of 1396	1876	Hjfihc32.exe	93
PID 1876 wrote to memory of 1396	1876	Hjfihc32.exe	93
PID 1396 wrote to memory of 5072	1396	Hmdedo32.exe	94
PID 1396 wrote to memory of 5072	1396	Hmdedo32.exe	94
PID 1396 wrote to memory of 5072	1396	Hmdedo32.exe	94
PID 5072 wrote to memory of 868	5072	Hpbaqj32.exe	95
PID 5072 wrote to memory of 868	5072	Hpbaqj32.exe	95
PID 5072 wrote to memory of 868	5072	Hpbaqj32.exe	95
PID 868 wrote to memory of 1644	868	Hmfbjnbp.exe	96
PID 868 wrote to memory of 1644	868	Hmfbjnbp.exe	96
PID 868 wrote to memory of 1644	868	Hmfbjnbp.exe	96
PID 1644 wrote to memory of 3824	1644	Hpenfjad.exe	97
PID 1644 wrote to memory of 3824	1644	Hpenfjad.exe	97
PID 1644 wrote to memory of 3824	1644	Hpenfjad.exe	97
PID 3824 wrote to memory of 4444	3824	Hbckbepg.exe	98
PID 3824 wrote to memory of 4444	3824	Hbckbepg.exe	98
PID 3824 wrote to memory of 4444	3824	Hbckbepg.exe	98
PID 4444 wrote to memory of 1624	4444	Hjjbcbqj.exe	99
PID 4444 wrote to memory of 1624	4444	Hjjbcbqj.exe	99
PID 4444 wrote to memory of 1624	4444	Hjjbcbqj.exe	99
PID 1624 wrote to memory of 2964	1624	Himcoo32.exe	100
PID 1624 wrote to memory of 2964	1624	Himcoo32.exe	100
PID 1624 wrote to memory of 2964	1624	Himcoo32.exe	100
PID 2964 wrote to memory of 912	2964	Hadkpm32.exe	101
PID 2964 wrote to memory of 912	2964	Hadkpm32.exe	101
PID 2964 wrote to memory of 912	2964	Hadkpm32.exe	101
PID 912 wrote to memory of 1044	912	Hpgkkioa.exe	102
PID 912 wrote to memory of 1044	912	Hpgkkioa.exe	102
PID 912 wrote to memory of 1044	912	Hpgkkioa.exe	102
PID 1044 wrote to memory of 4684	1044	Hccglh32.exe	103
PID 1044 wrote to memory of 4684	1044	Hccglh32.exe	103
PID 1044 wrote to memory of 4684	1044	Hccglh32.exe	103
PID 4684 wrote to memory of 1480	4684	Hbeghene.exe	104

C:\Users\Admin\AppData\Local\Temp\3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e39c808e6040f6ab71d02d2d8592580_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\Gfqjafdq.exe
  C:\Windows\system32\Gfqjafdq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\Gbgkfg32.exe
    C:\Windows\system32\Gbgkfg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\Gfcgge32.exe
      C:\Windows\system32\Gfcgge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        24⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        42⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        44⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        45⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        49⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        57⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        61⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        62⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        66⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5060
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        68⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        69⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        70⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2424
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1788
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        74⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        76⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        77⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        78⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:232
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        81⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        83⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        87⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        88⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        90⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        91⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        94⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        97⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        98⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        99⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        100⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        104⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        109⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        111⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        114⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        115⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        116⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        117⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        120⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        121⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        122⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        125⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        126⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        127⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        129⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        131⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        136⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        137⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 400
        138⤵
        Program crash
        
        PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5500 -ip 5500
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
346KB

MD5
188a83b81fa7b51cc71df09c976ad920

SHA1
8cbaafdd607468b9457eb9f55006f1dcb7717b12

SHA256
413d3d26e989a676aa72ce4327876930a532b7a60afd226ee347dd845396748f

SHA512
edca210cc31da248c8711ac52db1d0b95f81eb191c029890dd337b1c16219b9f9c5de01e60a8e881c0378fafd6a516916dad2edd43764e04e40c1b1875dc6f42

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
346KB

MD5
9428ca3513f5c974093e9cfe1a493c26

SHA1
65eb475011620eaf93828300495038abfe5c84b4

SHA256
0432c922cfaa4abf3b8f6e18972f44003cb57c2a399d3dc0a8c2b120937d5e3c

SHA512
8e3941adfe06a7a95ce3197126694cb9968a2804750daf9a1a4a235aab3bedfd413da3f6e6e2a6f5f7dcc0ba03dce245d7e0999a1e004389acc6b080d8b0839a

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
346KB

MD5
042cdcea6f7b0b13df07ff6d39f04c15

SHA1
affbfeb10b81c693df8cf1f821d354e38f0aaa68

SHA256
76f0dc43f1b84e9d52561faead4e995c96789928ff5660627f8b19a8b4272f02

SHA512
6f019bd439c63b4e01c6d8d622f8f272a56a3a4711de26deceb0332e604ce3004bc1c67b2e827918cc750c83681252e1faadfd97c9ac14ad48793ff04a0ce14d

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
346KB

MD5
e1e12bb27783c23cd54a469a5180c006

SHA1
babc3a825b3f5480c21649232e0d3e1017065201

SHA256
595f9a99e1ccd0fe1fa8be6d31b136b8ef9f415b4c9aa495f4f6201b8b76dde0

SHA512
fbeffce99a357f0dbfa6969443b092fe6ff41c8e3e0c04bde238d14c71f136d800857baa6edc4b736cdd36e3ae1abefbb276d8be59ddb117d0fa3f7638dfc228

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
346KB

MD5
2ce54db1bf3e0d59b6f16197b3cad426

SHA1
e830899828352af0d7b647f009a88849f6c595a0

SHA256
74641159c9e022d07cca072d2cf1d7fd4ea044db623157d96563fcc198c87631

SHA512
a932c6cf0478433994d8fdf7a0c48f16e86300707cf692e9d4e8c7cb613c32d9fad2420baf6a754d242ad0fcea80eb181d3292df54326f181c8362aee7be8a04

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
346KB

MD5
52a8222ad75aeb0fe2993708b3ac4263

SHA1
08d2a7a6b591ddb51de532591b5cfbb8730bacd6

SHA256
35a9a7b1b80eaff938ac339acbc24bc6c90f15753beb3ec3e1b9a697b416b61c

SHA512
50ace503e39dfcec7c1b44a72f8c6f7621f719170c851f988d471fd928bd917f6720fc8bdd5ba3005750ce118222590e90e9cf8c342fc9443e581ada94050f4e

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
346KB

MD5
c332dcedb9d3b383843c5a258fc139bd

SHA1
7aa28f62d3f2a415d7c24e8123f8377862d5a8a8

SHA256
18571fcfc281fcd0a624b37272a45d1113e2df5fa5142d64594f7ff4533c6985

SHA512
4859e23c33a43b58b960612adcea8aaf65ff9291d7c7411d903cbfd0e855a665c5e8593c77b2f9ea6c215f45f7c3b48fed5aa62fbfa431cb57cb731f06b741fb

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
346KB

MD5
944360249d1b5b821ef6efea13f8cfb4

SHA1
11692ae883a469ad56ff42cbf700ee46067343bc

SHA256
f01ca1e29d9ab91b5151e4cba720fc80db1209c1bfca322efd98cbf1d65bd92b

SHA512
afa4e3dbc277542b2de0478011554555d48ffb3953442c01bdda957ee847f786680d8b527365f150824a0fa64323d3fc2a33c599d54122e758f2703426083558

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
346KB

MD5
872231aad92d4fe5648602cea4b1cbca

SHA1
d4a3a505aba4abd59326a0f60f6bc2431bd81734

SHA256
cd1ac7b7fa657f248d6bc59e51345d538a0e69deb50944e17c98a0dcaa0f1607

SHA512
ecaba90e309f200b72a07f58ce8ed59583fc122a6a4f2d4c6adb0332a59364629b0319ee8ca353cb8bed662c60edc8d096da67b87acd840fc51a42714796b838

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
346KB

MD5
5f976b2d882db8136fcfd1b24127bea8

SHA1
6df3f9b9f902d2c6ae906fd40f4d02e1e4a33717

SHA256
1e1b34ce34861347e7c1b39cb17378c40e30228d3cd017d588d931b91bd350c8

SHA512
5ac0843b9913d9a31cca71af6f808d5eabaa87aa148805aecf68d4d25dc8c6c0bfe2126c823ffb908ddb3ef66d14160b9dae32382bcca8a6e71cfabeafdea17b

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
346KB

MD5
d669679ed97f12682dcab34b37f9cd8c

SHA1
148b083f906a910762c5da7a0693c062432176b7

SHA256
da0a829a773550b6c2d04bdb6e40b0552cade4ca74a7bb2d4a74046a4279e28d

SHA512
c011efc653edb902310d499528ab0e4df341a3151913fd2c1cd50dae82fec893bac308519fe927f0c634c719ac9c67d794b5ff5121ac45e0e9849eae960db734

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
346KB

MD5
cb8758ef134a83d3fe9cdcc20927170a

SHA1
c368630b85ba358d8d70ce5eb886d6f74fd0ec23

SHA256
b0734a437b3993ef9f35fc9f0cc0affcec450476da2d26ac80b5bfda3ac3241f

SHA512
67aff54d158b9e9fb465c8ef1b7c86b785b8e27cdda2804d81d9b65b2bba86153042fa1472ad65de1a6fc3f9a8d6aa38b203fbaed1d3ea5bcc7235e05c4994b3

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
346KB

MD5
f56ebf99a80a85c212baa7a669cd3156

SHA1
361f3dda3da1c7c0bd0187993d2b789d3f67c164

SHA256
a474e35cf855ea10ab0c9373ece6446dabe98aa24b80c290a02f52ccc8822f3c

SHA512
cdbd46c5e55345e1b0ed2509d63a57647933cffbddeb7b6aa0383809e51839a8f8ce1c59f991b8e1b3c55f9931427b4394ec4f060d47c49a34dd18e129549a4e

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
346KB

MD5
2569ff8e2ceaa72f254ba48b3f72c4b6

SHA1
949e91e717f2e05c221a38ed1f8baa92933233bd

SHA256
d130571e0dfd7ffd45f7a6020bec27fa3e554e6f2ad0d6f18d855ce79bd391c5

SHA512
b1da9cb7a82e0c7033c9e34dddc44f0dd77ecced55f97eb8bf4b7c3914797facbbdfa38954facad87164b727cf70b5a168dbe19258424a4e2fae2e2eeae3d9af

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
346KB

MD5
dfb8823ffb271b27a0b884d88b3e4172

SHA1
726e60f264cafc846916bdeeb6fcdb5ad0a0b5d8

SHA256
496a36678ae3a6b533b528b8b4d89e8728dccde2870262ca00f288b328e2e9e5

SHA512
60934b2b343f4fdc52d056ad653dcd3fc310936d4f0fe60133af3c745357f4d134a4d8564b35eb75cc7fea543cc59d6847e95d6ef0dd940a1f543d0c8f2d577d

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
346KB

MD5
55959a27c2b9b599b8c17ed0d2be9e0e

SHA1
817b067c2f0acd01f401188d930b225aae0505aa

SHA256
8172d66f11c85801c62556dc23b820a22ea28d39c8940b8c4fd4ac1cd8a00125

SHA512
d9f6b7a9346d7085097a1fbfc8aa04ccf309aeb5db88ee4b416d87ac6bb87ba4330c42956eb030f710f3729993c44949767f1fbb1d6a6d712993737f40636bdd

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
346KB

MD5
85cabb8f23467eff4852ac9340ce9f13

SHA1
6e022f667ed94e7e7df389aededfee00230ae238

SHA256
afe46958da2b9eecb1991503a7de4c52e1c677b270a3f6962719a381599122b5

SHA512
6e7ab41fbd735264986b6e46dcf7c805f696ea7412a5c2c88ae331d4350575540035783ab0ea74ba57e3c0d3532fdf7b6deae32809ec0acf516b1d37dc0687ab

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
346KB

MD5
e260297bf65a00964230ab9eed190e9a

SHA1
514475d344191279521af485233612943efe0e92

SHA256
f76c95d1d68dbd4e80e171d11b7fa22fbf86dbcf70dc39fe6aab567c4abc9305

SHA512
db6f16e613dc03685b4de42f3420acca41d407ca9eef839b98427fabada645b9e87e115ce5f1f4b00c0a3f623eed1a1d386bb8f2ff4eda7649174d90a3e6b4c3

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
346KB

MD5
7891226eda3f7094ac07a6691cbf8add

SHA1
aab6ad62c84e9e55df8316d6cd56e59e4be36b5e

SHA256
efb57942ca683ae16a64943adf1cd36f415b0366244848a084510158da4e4346

SHA512
546ff33d35f5b6c6ffaadb78c6550a286eacfc39f96cc85779ae8443ad1ab8a06a0274a254769f8496065b7062ad7ad2809e890032bbbfa08e90d55b92458a10

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
346KB

MD5
129117efa87c58144b5fc8161aa16ad6

SHA1
5d21920b1250552b091b4abfe8de48780ce6a134

SHA256
d74be48bb98e3bdf531f3d484fc7df06914d1f993bd2b2b8d33cd68f7ae48cf1

SHA512
550a8b411bb0f8237b8220a3806f188517ed084c5b2b55f404c5027edc2d34c900e9931bda7efa4aa1ea4183e360d1e98407d7047866e2734651b4cf772342bd

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
346KB

MD5
130da7e497259d576967533ccfdbd60e

SHA1
5b72ce2e96fc62a671bb2ba3e77b509a9b731eab

SHA256
67e5f0fc03c352deda02398aa64961f38cb05020114fd3eba676923dd61793a3

SHA512
44761e6904dda377e9744979e7a1a56e3a1f891a5653f8b4a96b02e7e3f8cf9a642e194d0c1d3bbac37929a77c687a6ae221a9e36c4557a048eaf84b5c842bf2

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
346KB

MD5
447a20eb3094cf4a3d45dcc55d2113b8

SHA1
345637d917823439dedcd1c1176b4411e3af32c3

SHA256
2fc5313926cfbc3c20ddc481d029b0407b541bada07ed1e3cde959e9456729c0

SHA512
67bd63481e12381f11dfb8e84d5563ceb1eed76c540a204e5acb52542262c9315d4a1cbf2f405a9e81132ba6a431edc867eae152e5f7af47daa31b513a0e7903

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
346KB

MD5
15b6a1ffa05cced1f852c320554b9535

SHA1
f2c16b752529d1ffd1df668c523e2168fd84833e

SHA256
05232fb9000235822d6f5fc8ec22572072b0e48ff2388c69b1d079b886fea600

SHA512
1fc44396057a8c593b3817296eed6f3350b4d9bfe5d5cc3809773df19729404077a3f9cca60e7a5286beca5024234f2ec8a2f1f4e77e280340e68ce818623b92

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
346KB

MD5
384293a3a2f587a9e41bcae8b98bfd8a

SHA1
535d4b1d6b5a46d0b6f1e27afbf1a704c98347de

SHA256
897d48e82a013c279298dc935db4c500b4f3c9ab78018e633cd01300de85ad1d

SHA512
5e96b7ac1732ec846a38d891575a66a9cad61f7490236855d3fe80e27e9fbb85e46a8cf3c414c6e149d9de5ef907e785d887c17865fb391df21a8881574e7b11

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
346KB

MD5
6c92ec24244481c00da916a2c9bd28bf

SHA1
d841a1229e75602c30b36c6c3c4da038a62bb57c

SHA256
af063c5efde1899d0b283cba99ebc5968c193a72c9a52336342ce2f553960138

SHA512
9a42dbc436ce2db93be74144b1e439f0af32ce2a39aa74fa9198351af40f57457d80dc5a21c31f1ddf776a3a824d83075e609997bbcb204ad838489ee899183a

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
346KB

MD5
2a785e7f208e72af8ddf287701f4757d

SHA1
c4411fe213b2b007397d1141d64d6529babbdadb

SHA256
a61dcbb933d9d9b3b9211ec48b5de6d6e40f52aafadd36903b9c0f25f35d732c

SHA512
eb5cf90666b57d57d2be18521daafcb2a5191f9bdbf2a91c63ea8b5b6cbc3af4f8e0ca13f71331bb82b299015736b25a95b37c70a4b766f0486d39cc44cdb403

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
346KB

MD5
612858bec7bfcc3b402ba3ecbefce420

SHA1
806533c3636dd3ac172bc6d61732c4fdf0d7f9e1

SHA256
aa178d9737c211f8edf8e4acc1585ac3ae2294151eddf8365a87430b0095e2b0

SHA512
fd774a625eb5087d32b47019480888f49a95302b6585c6f21d66288b1e6a4d6b3e5516dc54971fe8072aa52a936291d70050b2da8a952c26974aee8046a08d9d

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
346KB

MD5
caa405c969833c611e5dd2a4c5924d3b

SHA1
325d9b9665fe3257a8f50d26d619a84aa206f596

SHA256
02c0e64a396df0f94c84df5a796f9febbb5b689f689f640dfadd6b85759917c9

SHA512
58df9d06328baba0e5c43299fa4fb5d4b44431e017e7a89d6afd30295ed49c1c1254a788be2730daf1c5245d2b1f94594de9494209f4c2c8b289af959989c57b

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
346KB

MD5
c60a523adf47ebc0a6a6f223cb7e81c6

SHA1
48cef8dafd2410c299d8a0d7c0144bf9d417db6e

SHA256
a5739870a1322d048ae1dd12f622e7885799d71ddbdb58f5adbabe87ca3764b3

SHA512
0b0fa84fc6f16402734de84a1b7bd133d2a375bd9cb5810835b9a6772c321d64978f6d815f4bbf1e56558a0662cd44697d1a9be4ca5ef84b1aaeae43cd88c269

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
346KB

MD5
e2bdbaedf1b3ab01e699f2b612c07a68

SHA1
1679b7f821938d6bad712b226dbdb9dbf6fabcd4

SHA256
36b13c65119e44c5610530245164d26db418d7c72989fd6f97c10b4813b44cab

SHA512
8ec6823e5277cd884d7c203f01584deaa3c1fadf60a45e65de61f42a08ebdb13ff0bc7c71382f48f553b0a6bd645eb01107243232f0b0bc69bbd9422fecb5ba8

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
346KB

MD5
230177f88b1686db3ae0679140f201ad

SHA1
847bce479a4cb354faa11869d263f60d93be0b56

SHA256
0e1a35ca0d83fb308bf47bbe62ac7d3afc549dfc80009cfa1ca30b36b9379fa0

SHA512
850ce4c825e60a44f8d41787a5b3bdd6c420608525f3611ef9e15529a8b827e394658a43c8cfa768ee9d92ce97f9fdabd40d0de1738961c1a67c2eebdc8fe9a8

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
346KB

MD5
f92ab945a32d6cb1471a1b5e97c18dd4

SHA1
0ebdc598260d128a5be687c0f2bf92e0b01b2e06

SHA256
9845be33f494201e1b9c3afbae2db8764bb8db5552ee43858f08871901d6dacc

SHA512
65d96fff728492e0a06d89520e9646f900d6c26584e2b61f7e5f01724c567c835d353677eaf4562e252453270ad7f40c32f1a88839e65b3e1e9d0e723e9c6307

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
346KB

MD5
39312e9e623511080ce8f939a979c1a5

SHA1
bd7bb632d970e6fdec4606e62b8922de96847c9c

SHA256
04d9f4844e5811bd86686c63d55eddf94e3bcb290244b0458d630955293ff33d

SHA512
8225254857d0d38f6f14b96e11f1063a053d9f4b6362d4177f412e19bc4d7d315c27da4c3983721f25d7d54cd687f2bb05997d249f77f879d8038eb350d43684

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
346KB

MD5
165001d512231c7c2b1092843a844f4b

SHA1
b2b7489f6b6a5948721c5af77cd098a46ae2f467

SHA256
f237843711230fe32a849fbbd762c05ca410547bfd917c3825b8f373868fce83

SHA512
e4b1e779e5782947aaf2722fcf7ee769876472f1e2251970b2ba06ff170c2c08303449ff18eceb4b1ee2e1b6824364c70ee4b6bb3e3f8a62dd9e2f4a505d2c28

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
346KB

MD5
9b857ae3fe0fc47d1d34cfa2564e550c

SHA1
eb12f1cb93690578a392bf7487fdb55ebc8e7259

SHA256
4422adc4ee9d6ecbc2d291c5c3b721b341bb97d85f9842bb6fa836252abe2d93

SHA512
4cbdc0bfd987986a68288cb6258539b14a0b78c996384818a19fcc1e5d68724cf2628f9515b7bc2810a596bde18979410ecc355f5377cd94e86e1eee3b30f597

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
346KB

MD5
901b5089d8b0ad7053fd39e39afc4de4

SHA1
639d3f5029ab6f9251c2efabad0db63b8df4af88

SHA256
de4d688862833597e984133421f1e3e934cb1614554e1c4f19e5a7f31310eb87

SHA512
9ba2007613ab5d88a8bdaded93161f5b29a53f682a963d0d3ccd8588da2c0d69dabe2ed11925defbb9193f01f6bada949ea64f286268de14e687f678258b2482

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
346KB

MD5
d9e86318a00521f2c7f4dac76901cd00

SHA1
050d94177cc21aff51d8f9ac64a43966b99f015f

SHA256
adbc2889f31ad26041b05d687d06d4530a49ba4a222cade3e8ce45173d6322ed

SHA512
a56db0dbd34aaf182245b8a799ea7bce984999518bf7f7d4b43f7785d8ab86e0d61d6234615907376b9461354765271ab3059da81deb01c02169ba2b5771dbc5

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
346KB

MD5
b943d6435e4558552af1526c213d72d5

SHA1
1bacfbd47c38363fd1bd0813005019562c93919b

SHA256
879a740fc0c6cf90bd7bcff43a44e7c5d99f4522694f0f1c78c15868de2d39cd

SHA512
1f8c96add9c8bfe28bd7eed65edf6115a4704d9d025b900813e3464700d0737e71082c36c1d156c110206de67eadaeb2e7da99ca952a07526548d3877442d345

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
346KB

MD5
13ccad575cedb84d7a54fca9a795b6ea

SHA1
61cae1e636a8969c9011d195aeb1d219882cae3d

SHA256
6458400dd4f88886365017343c832f2f0a6716a1d98bbcff5f96cfa490d0e269

SHA512
1804e9e471c92950ed6e6aa975aa5cb2bdfeea8ecf1ea06e6ac3e7daa782a90cc572b7e5d5f332da2531cc6eba291552109b5f0abe7e7420edb443fa7d26a99e

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
346KB

MD5
c468e7977f730350ee2876a100dfdbd5

SHA1
69e358e5a1fdd5e7479f719d8f1955f01e308712

SHA256
3844957f5e93013f37b44acb2feeca5cc61e0785b1296c3ec64a8e7fb0c5aeb4

SHA512
cdb779156e6f7ac03966f76b48e9a61e609ea7ad11667d4d78216852588abb1843816af2ea9d5f802da2311c2052689a3e5c65fd1ddb05486bce1dc10ac15b59

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
346KB

MD5
04e1edcaaf9624d69f708a029f693e4a

SHA1
896b2c18659731908853bbdf53eaef1dd428ed59

SHA256
9f8866d5442b36d557ad64d4b9f1c9c03a01570c4b8bcbf91fca1270c08dc62f

SHA512
3af05c8a31422a58dc12fd6f9dab48cc4b8f1d8f0bd292909ba1ca45ab18a040db7101ad6bdc8374ce2fd458ab443373759a76043561244eca615a0921c875f4

Download Submit
memory/232-547-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/400-533-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/868-110-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-477-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1012-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1044-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1088-463-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-444-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1252-441-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1292-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1396-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-526-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1436-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1436-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-435-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1704-579-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1704-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-476-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1772-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-503-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-567-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1816-539-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1816-482-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1856-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-490-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1908-540-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1960-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-527-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-561-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-495-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2968-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3140-461-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-462-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3300-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-465-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3372-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-568-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-560-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-497-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-452-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3756-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3828-458-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3984-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-464-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4100-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4100-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4104-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-457-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4200-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4208-515-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-459-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-474-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4400-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-440-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4640-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4648-438-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4700-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-445-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5004-554-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-468-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-546-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads