e13b252629a5d69022e976a18fd3eb576de0efee7038a17874fbab05f0808400

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe
Size

362KB
MD5

1f3bacf4be682d7cecedb594439b0190
SHA1

1cac074eb3a2ae79f0f167af191f23f5c7395228
SHA256

e13b252629a5d69022e976a18fd3eb576de0efee7038a17874fbab05f0808400
SHA512

74952d7f77c0be184c64ae127735d4a6e8405661ece57458a8884e791b31d03a72a019a7077e9a672f52e32884289431b7b5cf9689234ab9592f582535b04574
SSDEEP

6144:oHX6V9Emsm8tGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuZxF:o36yttmuMtrQ07nGWxWSsmiMyh95r5Oa

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hplbickp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccmhdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eojiqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Figgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Heegad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inebjihf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eiekog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnnccl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejqldci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiipmhmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpioin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpelhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojiqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gaebef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiopca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhfpbpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doagjc32.exe

Malware Dropper & Backdoor - Berbew 45 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000023256-5.dat	family_berbew
behavioral2/files/0x000800000002325a-14.dat	family_berbew
behavioral2/files/0x000800000002325e-17.dat	family_berbew
behavioral2/files/0x0007000000023260-30.dat	family_berbew
behavioral2/files/0x0007000000023262-38.dat	family_berbew
behavioral2/files/0x0007000000023264-46.dat	family_berbew
behavioral2/files/0x0007000000023266-54.dat	family_berbew
behavioral2/files/0x0007000000023269-62.dat	family_berbew
behavioral2/files/0x000700000002326b-70.dat	family_berbew
behavioral2/files/0x000700000002326d-78.dat	family_berbew
behavioral2/files/0x000700000002326f-82.dat	family_berbew
behavioral2/files/0x0007000000023271-94.dat	family_berbew
behavioral2/files/0x0007000000023273-102.dat	family_berbew
behavioral2/files/0x0007000000023275-110.dat	family_berbew
behavioral2/files/0x0007000000023277-118.dat	family_berbew
behavioral2/files/0x0007000000023279-126.dat	family_berbew
behavioral2/files/0x000700000002327b-134.dat	family_berbew
behavioral2/files/0x000700000002327d-142.dat	family_berbew
behavioral2/files/0x000700000002327f-150.dat	family_berbew
behavioral2/files/0x0007000000023282-158.dat	family_berbew
behavioral2/files/0x0007000000023284-166.dat	family_berbew
behavioral2/files/0x0007000000023286-174.dat	family_berbew
behavioral2/files/0x0007000000023288-182.dat	family_berbew
behavioral2/files/0x000700000002328a-190.dat	family_berbew
behavioral2/files/0x000700000002328c-198.dat	family_berbew
behavioral2/files/0x000700000002328e-206.dat	family_berbew
behavioral2/files/0x0007000000023290-214.dat	family_berbew
behavioral2/files/0x0007000000023292-222.dat	family_berbew
behavioral2/files/0x0007000000023294-229.dat	family_berbew
behavioral2/files/0x0007000000023296-238.dat	family_berbew
behavioral2/files/0x0007000000023298-246.dat	family_berbew
behavioral2/files/0x000700000002329a-254.dat	family_berbew
behavioral2/files/0x00070000000232a0-269.dat	family_berbew
behavioral2/files/0x00070000000232a8-293.dat	family_berbew
behavioral2/files/0x00070000000232ab-305.dat	family_berbew
behavioral2/files/0x00070000000232ad-312.dat	family_berbew
behavioral2/files/0x00070000000232b5-335.dat	family_berbew
behavioral2/files/0x00070000000232b9-347.dat	family_berbew
behavioral2/files/0x00070000000232c7-389.dat	family_berbew
behavioral2/files/0x00070000000232d9-443.dat	family_berbew
behavioral2/files/0x00070000000232e1-467.dat	family_berbew
behavioral2/files/0x00070000000232e5-479.dat	family_berbew
behavioral2/files/0x00070000000232f1-515.dat	family_berbew
behavioral2/files/0x000700000002330a-595.dat	family_berbew
behavioral2/files/0x0007000000023314-630.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2892	Gehbjm32.exe
4468	Gpelhd32.exe
440	Gbeejp32.exe
2376	Hplbickp.exe
2352	Hekgfj32.exe
3896	Hiipmhmk.exe
1688	Ibcaknbi.exe
1636	Ilnbicff.exe
2620	Ioolkncg.exe
2540	Jmbhoeid.exe
760	Jngbjd32.exe
1596	Kgdpni32.exe
2528	Klcekpdo.exe
4472	Knenkbio.exe
4316	Lgpoihnl.exe
3104	Llodgnja.exe
2292	Lfjfecno.exe
4892	Mcpcdg32.exe
4068	Mcelpggq.exe
4560	Mqimikfj.exe
2288	Nnojho32.exe
2480	Ncnofeof.exe
4064	Njjdho32.exe
4968	Njmqnobn.exe
4420	Ojomcopk.exe
2524	Ojajin32.exe
4360	Oghghb32.exe
4652	Omgmeigd.exe
1132	Phonha32.exe
2612	Pplobcpp.exe
2136	Pdjgha32.exe
2936	Qpcecb32.exe
2928	Ahmjjoig.exe
2608	Afbgkl32.exe
1188	Aokkahlo.exe
788	Amqhbe32.exe
3360	Agimkk32.exe
2028	Apaadpng.exe
4676	Baannc32.exe
2924	Bogkmgba.exe
4684	Boihcf32.exe
4072	Chdialdl.exe
2304	Cncnob32.exe
3208	Cpdgqmnb.exe
2312	Doagjc32.exe
3288	Eqdpgk32.exe
5024	Eohmkb32.exe
4368	Eojiqb32.exe
4264	Enpfan32.exe
1668	Eiekog32.exe
2848	Figgdg32.exe
4900	Fgmdec32.exe
3876	Fgoakc32.exe
708	Fohfbpgi.exe
1988	Gnnccl32.exe
3312	Gbkkik32.exe
1892	Ggkqgaol.exe
2432	Gpdennml.exe
4984	Gaebef32.exe
3940	Hnibokbd.exe
560	Hioflcbj.exe
376	Hpioin32.exe
2004	Heegad32.exe
2680	Hhfpbpdo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ilnbicff.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Liabph32.dll	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Aepjgm32.dll	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Fgmdec32.exe	Figgdg32.exe
File opened for modification	C:\Windows\SysWOW64\Hihibbjo.exe	Hejqldci.exe
File opened for modification	C:\Windows\SysWOW64\Nbebbk32.exe	Nijqcf32.exe
File opened for modification	C:\Windows\SysWOW64\Omdieb32.exe	Omalpc32.exe
File opened for modification	C:\Windows\SysWOW64\Eqdpgk32.exe	Doagjc32.exe
File created	C:\Windows\SysWOW64\Omalpc32.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Lpcncmnn.dll	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Nkphhg32.dll	Ggkqgaol.exe
File created	C:\Windows\SysWOW64\Khnhommq.dll	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Fjohgj32.dll	Kidben32.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Bmgagk32.dll	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Mqimikfj.exe	Mcelpggq.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Inebjihf.exe	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Jppnpjel.exe	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Ioolkncg.exe	Ilnbicff.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Ojajin32.exe
File opened for modification	C:\Windows\SysWOW64\Figgdg32.exe	Eiekog32.exe
File created	C:\Windows\SysWOW64\Opnaqk32.dll	Gbkkik32.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Ihpcinld.exe
File created	C:\Windows\SysWOW64\Hekgfj32.exe	Hplbickp.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nnojho32.exe
File created	C:\Windows\SysWOW64\Bgemej32.dll	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Dhhmleng.dll	Oghghb32.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Hhlpmmgb.dll	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Kmfpdfnd.dll	Figgdg32.exe
File created	C:\Windows\SysWOW64\Cgkeml32.dll	Fgmdec32.exe
File opened for modification	C:\Windows\SysWOW64\Ggkqgaol.exe	Gbkkik32.exe
File created	C:\Windows\SysWOW64\Hiipmhmk.exe	Hekgfj32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcaknbi.exe	Hiipmhmk.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Ccegpn32.dll	Enpfan32.exe
File created	C:\Windows\SysWOW64\Hpioin32.exe	Hioflcbj.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Kplmliko.exe
File opened for modification	C:\Windows\SysWOW64\Lfjfecno.exe	Llodgnja.exe
File opened for modification	C:\Windows\SysWOW64\Hejqldci.exe	Hhfpbpdo.exe
File opened for modification	C:\Windows\SysWOW64\Kifojnol.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Ambfbo32.dll	1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pccopc32.dll	Hekgfj32.exe
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Heegad32.exe	Hpioin32.exe
File created	C:\Windows\SysWOW64\Eiacog32.dll	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Dognaofl.dll	Kplmliko.exe
File created	C:\Windows\SysWOW64\Gflonn32.dll	Omalpc32.exe
File opened for modification	C:\Windows\SysWOW64\Knenkbio.exe	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Gpkpbaea.dll	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Phonha32.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Dckahb32.dll	Jngbjd32.exe
File created	C:\Windows\SysWOW64\Baiinofi.dll	Njjdho32.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Oghghb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5140	6048	WerFault.exe	190

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll"	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eojiqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kplmliko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doagjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Figgdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgmdec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doagjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjohgj32.dll"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbkkik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiijfll.dll"	Inebjihf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enpfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbeejp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegcnaoo.dll"	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll"	Hiipmhmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnojho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbkkik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dognaofl.dll"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elckbhbj.dll"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eiekog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgmdec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjpkd32.dll"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnaqk32.dll"	Gbkkik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njjdho32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2892	1804	1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe	90
PID 1804 wrote to memory of 2892	1804	1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe	90
PID 1804 wrote to memory of 2892	1804	1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe	90
PID 2892 wrote to memory of 4468	2892	Gehbjm32.exe	91
PID 2892 wrote to memory of 4468	2892	Gehbjm32.exe	91
PID 2892 wrote to memory of 4468	2892	Gehbjm32.exe	91
PID 4468 wrote to memory of 440	4468	Gpelhd32.exe	92
PID 4468 wrote to memory of 440	4468	Gpelhd32.exe	92
PID 4468 wrote to memory of 440	4468	Gpelhd32.exe	92
PID 440 wrote to memory of 2376	440	Gbeejp32.exe	93
PID 440 wrote to memory of 2376	440	Gbeejp32.exe	93
PID 440 wrote to memory of 2376	440	Gbeejp32.exe	93
PID 2376 wrote to memory of 2352	2376	Hplbickp.exe	94
PID 2376 wrote to memory of 2352	2376	Hplbickp.exe	94
PID 2376 wrote to memory of 2352	2376	Hplbickp.exe	94
PID 2352 wrote to memory of 3896	2352	Hekgfj32.exe	95
PID 2352 wrote to memory of 3896	2352	Hekgfj32.exe	95
PID 2352 wrote to memory of 3896	2352	Hekgfj32.exe	95
PID 3896 wrote to memory of 1688	3896	Hiipmhmk.exe	96
PID 3896 wrote to memory of 1688	3896	Hiipmhmk.exe	96
PID 3896 wrote to memory of 1688	3896	Hiipmhmk.exe	96
PID 1688 wrote to memory of 1636	1688	Ibcaknbi.exe	97
PID 1688 wrote to memory of 1636	1688	Ibcaknbi.exe	97
PID 1688 wrote to memory of 1636	1688	Ibcaknbi.exe	97
PID 1636 wrote to memory of 2620	1636	Ilnbicff.exe	98
PID 1636 wrote to memory of 2620	1636	Ilnbicff.exe	98
PID 1636 wrote to memory of 2620	1636	Ilnbicff.exe	98
PID 2620 wrote to memory of 2540	2620	Ioolkncg.exe	99
PID 2620 wrote to memory of 2540	2620	Ioolkncg.exe	99
PID 2620 wrote to memory of 2540	2620	Ioolkncg.exe	99
PID 2540 wrote to memory of 760	2540	Jmbhoeid.exe	100
PID 2540 wrote to memory of 760	2540	Jmbhoeid.exe	100
PID 2540 wrote to memory of 760	2540	Jmbhoeid.exe	100
PID 760 wrote to memory of 1596	760	Jngbjd32.exe	101
PID 760 wrote to memory of 1596	760	Jngbjd32.exe	101
PID 760 wrote to memory of 1596	760	Jngbjd32.exe	101
PID 1596 wrote to memory of 2528	1596	Kgdpni32.exe	102
PID 1596 wrote to memory of 2528	1596	Kgdpni32.exe	102
PID 1596 wrote to memory of 2528	1596	Kgdpni32.exe	102
PID 2528 wrote to memory of 4472	2528	Klcekpdo.exe	103
PID 2528 wrote to memory of 4472	2528	Klcekpdo.exe	103
PID 2528 wrote to memory of 4472	2528	Klcekpdo.exe	103
PID 4472 wrote to memory of 4316	4472	Knenkbio.exe	104
PID 4472 wrote to memory of 4316	4472	Knenkbio.exe	104
PID 4472 wrote to memory of 4316	4472	Knenkbio.exe	104
PID 4316 wrote to memory of 3104	4316	Lgpoihnl.exe	105
PID 4316 wrote to memory of 3104	4316	Lgpoihnl.exe	105
PID 4316 wrote to memory of 3104	4316	Lgpoihnl.exe	105
PID 3104 wrote to memory of 2292	3104	Llodgnja.exe	106
PID 3104 wrote to memory of 2292	3104	Llodgnja.exe	106
PID 3104 wrote to memory of 2292	3104	Llodgnja.exe	106
PID 2292 wrote to memory of 4892	2292	Lfjfecno.exe	107
PID 2292 wrote to memory of 4892	2292	Lfjfecno.exe	107
PID 2292 wrote to memory of 4892	2292	Lfjfecno.exe	107
PID 4892 wrote to memory of 4068	4892	Mcpcdg32.exe	108
PID 4892 wrote to memory of 4068	4892	Mcpcdg32.exe	108
PID 4892 wrote to memory of 4068	4892	Mcpcdg32.exe	108
PID 4068 wrote to memory of 4560	4068	Mcelpggq.exe	109
PID 4068 wrote to memory of 4560	4068	Mcelpggq.exe	109
PID 4068 wrote to memory of 4560	4068	Mcelpggq.exe	109
PID 4560 wrote to memory of 2288	4560	Mqimikfj.exe	110
PID 4560 wrote to memory of 2288	4560	Mqimikfj.exe	110
PID 4560 wrote to memory of 2288	4560	Mqimikfj.exe	110
PID 2288 wrote to memory of 2480	2288	Nnojho32.exe	111

C:\Users\Admin\AppData\Local\Temp\1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f3bacf4be682d7cecedb594439b0190_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\Gehbjm32.exe
  C:\Windows\system32\Gehbjm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Gpelhd32.exe
    C:\Windows\system32\Gpelhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\Gbeejp32.exe
      C:\Windows\system32\Gbeejp32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        31⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        32⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        38⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        45⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        59⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        67⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4372
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        73⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        74⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        75⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        78⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        79⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        81⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        82⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        91⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        94⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        97⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 412
        98⤵
        Program crash
        
        PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6048 -ip 6048
1⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
362KB

MD5
38a9d128144e8e44c68de7b601e4cb99

SHA1
14482e40ce34732bd56f01f4f31d60d1b3be2f3c

SHA256
4df44b6d8a749b1d267dd38fdd871abf38ea6cd6e7fd3f03041331a405512675

SHA512
bdc6aac1a3186d448ac0898ead8c191eaeb39c92c9aa2152aad5860dcd7ad077efa951c810f1b3648d79eb90fbc60419041e579ef3a28693a42e640c4bce3721

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
362KB

MD5
2e9d679a973de5a7694c2305578ab9d4

SHA1
9e46b5dd73ac698ff61e34e8aa3866e9e4e7c0e9

SHA256
254c74ab048cf21609b048895c91bd1296b31a17c021194816130be66ac74039

SHA512
cc4b4ef25f2bb2e5194edc7ae61e860b376d913b25811f46c3fa07963bef3c7a324e6c29768b738a75cae917ff656f478568c067a4a2983b18e3fced715e74bd

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
362KB

MD5
38fa0e2b0891501023ca3b4dd26001dd

SHA1
af922f66c60a7ffadf9c34a4087486a3bb7d859a

SHA256
f8f926d873225d87fb11fac5188aa39ba80c960ea48ae8b2fdbe135a955597d3

SHA512
ea92a0b873135f46a9e153375ca5b6a6f256813a3ddf7c80ced343b94ee5771917e2a14e744a9008ce83e4394468f01ea0f6f1cc1a8bef1b2b2712e5be975f20

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
362KB

MD5
585fbb5abb47cd0091a84d29d7d2d150

SHA1
b4a4f1a8c95dbb7019ff43cd26f3394d276eda65

SHA256
08371b4b5556ed2840c1fe6fe2870584da85d9f38fe165e2f39c4d2f5eb58460

SHA512
d45519fd382f54d951346a49b849c62925e36863c50d20e177c23008d0d2a6691f209ef701a131679809889b7238acba0e2d6082c402c1c4ca8e3f1b832491ec

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
362KB

MD5
a77a5a4d0cc74516a9ae2cfec1f995e1

SHA1
fc724014128b3e563c87490e55aa6a57498d253d

SHA256
c633496d1aba97371ab901b0a5226c9e055c4c8020f341a0076e931a2d2744b6

SHA512
e1fdf1f69b70d76375d7056bfb6626fe6c65e0b3cc9e91fd41b80dd2ab8afcd62ffe11013265a56436fd2e8d4a74732f48903706f32c2324136ce29baba39636

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
362KB

MD5
ef6b569e4a77be8b0ce2c767556f4213

SHA1
369a3bc18cbb164384ef1c672c501a3b959d5e0b

SHA256
87da53b0681c2ff5fc93503f4dd555d0ae4fa6e128e6d3b92ae15ffc644bdf5e

SHA512
f77dec21a98eab2100cff0a68221267f569181f9284997faa1ebe99805e8d738b5ea788e92dc68fcfbeb033a6aec16bbbcfdcc0e567a5e311e4d34e48523e73e

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
362KB

MD5
105c8e5b5cc83e7b0bc70d1ec15711ab

SHA1
0b522d08b5e7cd7984b0a9c1e0c04ac6bc2656cd

SHA256
dee04788e391554a1509546b842ed0a3d289e5b4760f896af8256ee8c2f6c891

SHA512
50765900bf3c97d86f390588a17463819873ddf2d235c103417acbd053dd0e449edd1baa3d0878930370553bc450998a0bde53876952d3259c7b48dc135ab429

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
362KB

MD5
94ee4e9429e8323440808a42c26875b1

SHA1
c1386d3bcfa1801d8969941172a71e436b713ee9

SHA256
a010e54bc58fdcf7ae461b549af270781cae3319030f79b10e2bf48488411834

SHA512
38d35010d99a7fc2f594d41121badcf2811107f35564ec0b0877eeb53bae70dd393ca2b7142610fa45675f2145c0754c9c631223d5db6ce93b980364f8e3f92d

Download Submit
C:\Windows\SysWOW64\Gnnccl32.exe

Filesize
256KB

MD5
d53bedc4bb24105ba480e50f67365519

SHA1
7efd85f4a42d377d33b872babeb75c53e9a66770

SHA256
66cfb85db36ca44ad65b69a7065554c224e04e498b6ba3b077cfa3d45c8da21b

SHA512
17267737daaf569a82627ae0f39aeaed2dae77407dbba854a34697252b9b7b8c7ea42de85bbae9a4d7621e215e4b9ffb68c87635a7ec7951b91a07d6062e6eb4

Download Submit
C:\Windows\SysWOW64\Gpelhd32.exe

Filesize
362KB

MD5
9a6c91f1b5f11276148646ced3906036

SHA1
83d46220f6f277bfbecb7ea080873f94ef1b7037

SHA256
6d89db4b30f55a9f33ef23a2d7da029914ad64e8f3682e53beed1f5a93d75280

SHA512
2d32da8aef70556308576edb4598adfe871b1cfe685001fe359431bec0027e8325648fc4cb6bc8d36bad9f4d2850688699959b9a8394552b530c6e1560e90683

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
362KB

MD5
119b038be9bc8309932593a6d8f62a98

SHA1
56694f8a86766ce8b361bbda04dc427b6688c1a5

SHA256
f32c1b67ef7455885252770ce59079f818d8ae5d0c13a926ce13defa042fd6d2

SHA512
f7cbfd53dc7088a0569f9eb30221d0a2e1f516710997573f3f5c0d441d869cea7835c848845ab1d0ddb6a588c1dc9886f214c632fd67a9b4fe3e6867319052e5

Download Submit
C:\Windows\SysWOW64\Hhfpbpdo.exe

Filesize
362KB

MD5
3c25750f46a96bb2ed50faabb6b322f8

SHA1
e6981f57c88fb534ccb4029d660426b754d4e32e

SHA256
13f8343f32b6f3be9468c29257301b2eec4ea7c9d8dbc2a49200a4b3bb859222

SHA512
7376ca8f7e057e8ef03a9ff3dfc9aefd2ad054b333df88741bcab1a9957f5f09ab8e9d48ba7d3411fd62cc9cc02c1743e425368ac4631822fe209adb2a7a539d

Download Submit
C:\Windows\SysWOW64\Hhjhdagb.dll

Filesize
7KB

MD5
21fc3025020606ea1f96ebe010779e4f

SHA1
454b5066e1182dc572d29dc0244c212c788ffd19

SHA256
dfef53d86b36696e88afe60b3f1672f2cb973e83014f7168f92f8f7b664a1695

SHA512
97390edc4c28925fc31d128509dfaa995a5958c4d4762cad3aa08e88d944ead4af93639454bb8f6f5a972c8c8271c9174c22a7e197aecb71173117b8129b647c

Download Submit
C:\Windows\SysWOW64\Hiipmhmk.exe

Filesize
362KB

MD5
eb2d81676badef8d3d43cc44d0320bab

SHA1
19eb45ebc50842a9770a5e4ae50fb525bb64caab

SHA256
1cd2ad996304e2397cd53518b6d711c8af78378efedcea590534b637f14978dd

SHA512
f0d3daa9575e62f1084e88b410e3be547bfcc7caa679c0d873b9a491cb81fad5e045259dd1e44c59903da514eaf96fae000ea8554cc5fa1a4426f419d6a321ec

Download Submit
C:\Windows\SysWOW64\Hplbickp.exe

Filesize
362KB

MD5
6fb492e972e76b7aba7daf6ce3e1a9bc

SHA1
dac0009fb6712d0a3dc70227f546554bbf497a1e

SHA256
f8dfca6c508f0207249823cbb12c46b100d398fac6e71cfa8a8cecb7ea79411e

SHA512
9f04a9d047fcfdb9b27ec2e11d9d6142d0cede23f3647e12013b55567d1fbd690d26fce2e28bbe72b708de2842dfb3500db871d684c1f5dc2bd39bcfc1125258

Download Submit
C:\Windows\SysWOW64\Iamamcop.exe

Filesize
362KB

MD5
4555e20128ee343e6b882d9e44fe3885

SHA1
44396d0a574024b1339e0999d21a56696961d6d9

SHA256
15c5986663c5e41c35d092696499348f93ce004d560048973940e83a730c2a5b

SHA512
c173563cc1df1d37ddc4acced66dadf5b6750479440d6f1479e99e0504498139536e34f99ef3d5e4187fd52cb3902a957bc07cb2affc6b0ffe30e26d338d0b88

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
362KB

MD5
9e6f76decb245a42f0fde00f146d1a39

SHA1
e89f7945f7da5a62a92cf64fbce760107fc56d4b

SHA256
36b24b510bbedf84752244dcf4a7cc8db8e825215f30b8d6a065f98a4737173c

SHA512
a1127056ba3103412a7f319130feecf09c00bf3dd64f89c7030b5b99cf5be61ceac0eea4dd90ad2c352fb76652c4a86eadbdeefae0c6198529ccc8fad9b03bd0

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
362KB

MD5
4b8d7edd49827636bef6e199c5ef9f57

SHA1
d61cd2d52e3517787d7a77346ff06e8e479ef121

SHA256
b1a33dc7afd872e488e4f836af11249dde919f436fd64ec5110b33bc6719a751

SHA512
a0b0161484900cabeffcd13da029a7347efb88deffa0e2b2233c2ff813df59c45cc5e8b53cf34012383b1da9f2398d0b828da69ea56f41ba409e3ffaf1fa0d4d

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
362KB

MD5
839faae1912bb70457bb4a04cd2bdfa1

SHA1
2bf5d473a3573730fa43af0706ea1a825146bb2c

SHA256
d34f7c1bc6fa5a526e80541edd1ea7c2043a7230d0f9f31ef4cbc5bb849adbab

SHA512
2c98120c5d827eb207a231d75862f432d8f795651a584940d9e62afd3e66ad45bddc7033956d6fa0940412ce820a24a0dd7b0af6c1231f756f92a0609ec95735

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
362KB

MD5
7017d0e80acb25e751632d0f05fed0f9

SHA1
d674d9672c10798b52b04fd2941c5dd01e886e11

SHA256
114294bc7a73d6891487f6c512f7476f6dec9e1933363663d3d78a82481d4beb

SHA512
683b0fb91bb3065cc210173169c5601979d5bd7a2b2a7cabd12c85444545c690d37af63a013f72eab4d99ec6dc2e68b43b95e7e1b5fad9c7b397b26a56e56dc3

Download Submit
C:\Windows\SysWOW64\Jmbhoeid.exe

Filesize
362KB

MD5
c8ea0b1fc6c897276cc2b745da92c823

SHA1
07bfc140c50496909c2b204cdeed712b1a85fcb5

SHA256
3b6bc4df1ce31422c8e6fa1542f0bf3b838d14dcdf1c91e04850d90a89cc5e51

SHA512
60b7915b09886a422fe12599349049851eb6e5843997e374e440613099d6d4baa9cc16d9697515f91527b385304e2341da2af718989f1a6676d2bf9da8745782

Download Submit
C:\Windows\SysWOW64\Jngbjd32.exe

Filesize
362KB

MD5
4cffa7f8d7abb0d323be89a2ac840132

SHA1
b487e9f7a7d4c81f7b3d98651d2ddc33377c7169

SHA256
e492529052b0e7c479c2306e8baf8a7e58c3ceb5955072b037acc1f469b3cc28

SHA512
93674370446aa275c7eececdba80083a7c051b523278bd4bc0f1a42f1639a8c321897fcc7e4c5d49a9870177d9c325bd6d906b14265f8bebb311e7ace1b5d23f

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
362KB

MD5
5a57fe8673e561787f414c0acb0ca424

SHA1
79b1275b0e12086728214e20981183c08144cb28

SHA256
afb3d6f47a419750e2f2f7285fa94b3e2f8682bc76300a7c6bcbfaafa1c26fc7

SHA512
e49477094050fa886e4fad9fb50c17b2aa2dffa5a7ab015f6949fd46e6b7286e8239b5c863c221adbbce9142ba2db18f76bacf4a4be833352267630436429f7b

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
362KB

MD5
521f247149a46181a5c9a8b2127bc4e7

SHA1
ab1a429181c2725759f902427b3719c24505263a

SHA256
785d20fae9b5318a63111c82203ed916322b1b521e3b54b566fcdbaf1276f061

SHA512
be5dd5bd8ded5bacbb76945aec6d832ebddeac82efe5f1d78af792ca574a01f156495b8773dfb148dbcb3f5de247c9092193b9886bd3abfd93d3692d536f46f9

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
362KB

MD5
54385cf970b373fa117899cf62c85958

SHA1
4ae016d585f1d69538f5b2ad7c553def9a0236ad

SHA256
c76437a713c73308c4e7afdc4810bc646974e7591c3c632528f66828aac4638c

SHA512
44ee3d86f333fa7fec4312e74bf30e9a2856d1bf3f156a9fa53d1810b1cc9a926bd1fa6c7c720c783ea5b9d6ead8d3cafb907e817e0ef6282023e074c98a1209

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
362KB

MD5
bcdfeb4d2a34a56f7f8c8a53e9c7c89d

SHA1
6e96f34654f2b2594c6a679c8d577dbf39538090

SHA256
ef36f9c44686fb9e904849d2345d1ca4e4055987e5283498302b65e90de644c6

SHA512
c6494597f5eb4ab121a84b670c1fe419f8464e44e676e5684304cbaec01488b7160b074a75d37bc4194c4bc70b626f7a1b3a137fe1616bd4c74ffc19631b858c

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
362KB

MD5
eab410e0387f12abb85136ba1c3aa7ce

SHA1
e463d6b55d303751cfda1856a831bcfa780418b6

SHA256
ee4773a026cfcec7811b7ce065a7836f44ded936c78934b78a5cb77e6111319a

SHA512
38c4e1f788448bda260360fb71c88385e336e9b83a52974f19fb80a02e2befd467f2f199958a2ecf7e7157a85b6ee45201e5092a351c05c96c3760d35cafe72e

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
362KB

MD5
6a0853af14463a38d12daa610ea1bdcf

SHA1
d4f34822ed252c3be5ca3b61c65c58036c1adf30

SHA256
68b79c824aa29eb37eefed151220cf5539691a061b4d856d08b15113e2722d70

SHA512
13e694b3131cc0650667cf5925b45691d8f08d22305bf05764deaab09109e51e942ec12382be5ed83eba44992ae514455c3026502ae6329b7b438dd273421d66

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
362KB

MD5
7658efc4ab646f2680422a8a9c9de29c

SHA1
e1c68b71848e37c9f25cd5b705c33d0d4bb8a892

SHA256
4d12a1578e87caa6cfc78a17470ca12fd3586c0202f76e51cc92c7cdfc1bec76

SHA512
93f1f97d89dcbf1b1ef308ebcba9de7e1fde5110e6f43d77a830b01bd53ce848bee9b0d9197d02a4a69bfd61dbe741eef9809d9d62c17c08dd915d79a44a08b3

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
362KB

MD5
342dd50ba00f665be0327ea6c832db72

SHA1
6568c13ab237cf84bd0b161b0bc0346e388036ec

SHA256
9cc06e96f6cbdfbdac33488e013c25ec376079dc9518a78f6e883fd5e91b5862

SHA512
60a2203880d569fd2aa59ebf875fd678fa0c983094e4519d538aefc846dde6083db2130e1d298223199e33cbea808d1d1a089325966658e99f000776c43fa9fb

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
362KB

MD5
e52599d5e62a51c946300cb303eeb610

SHA1
5bb82af5bef5a2d3cbbb241479a927725c55ddad

SHA256
1d119b2c89de3244a8e1e564bf46dd892d35a94b1029240f2acbded67f266dad

SHA512
af0c912f0216df21196c901cbb16ffeaebffda5f754d4921d20a9f035508586cbf92a8d7e5712e917aa2774f8ad93f7d1f93acc16095c52c51be9443ccc1d566

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
362KB

MD5
a71c29ea91f149c78f85f9fe12138ba2

SHA1
56954e087e26689f9183c8fc05222017c58ccb05

SHA256
0c855cd842634aae16ae7697860f9cf44e7e581cfd93031bfc12c488995414ae

SHA512
a68faa8199a53dc539297c0feed085e182150e96a5c44a98a23c855928c182c64820811ac11a6173db4061c6e4b88663b4aa2b4f9a19bbdc6a5e45e7cd41ac8b

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
362KB

MD5
a59be864b2641fe62f4dacdf476daa9f

SHA1
2748a8abce98e1e66bbb0791e58ef7d1ffe977e3

SHA256
21bb8060e55c072a66264606f8f447bf113b874bb1fa13554526738c7696e4c1

SHA512
f2aaa8676d07ec726d67692474406b5043c27f2147b93f1319156651dcc5dab35a19fa53753ac4c5b32a9d1910328d9ced75078238781eef10f93c7383f9c575

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
362KB

MD5
878cc4c490d575cdad007cb1340326e9

SHA1
6ec023185dfdb2b3452c3ab8685575f1f4fa9a83

SHA256
9b28e69eeed29931ea6a7b81b1f5b72d7ab50017c011f0359040f0a789e045a7

SHA512
da92ada8453138a2a0a159b30b03dacbbffb4d2b2a40e076187c968a580d30919cedee6950332abc29b8481a4f8a1773640cb40745fb1bd4c948c5f3792c94c9

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
362KB

MD5
ed2ab94e9ba2ee6c9083c0c13fc09a91

SHA1
42183505f69b16861b72e71375d9ae11d52d5719

SHA256
57b528c734fe78e4ab604f879dca2fd4b93c38b745d55d35ccadce5bedd9d1a9

SHA512
53e2c9d23ac503fe91a60e61cb0c595994439e4ac7446b137e1addde4be32d5676fe8f85b68bc1d3645f9a5d168722e4382e48055dc6c0619a29488692e2fd1c

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
362KB

MD5
b63f5860b3b099d44c60735b2c3c68ce

SHA1
6bb5bb0bfc95794823151b7fb1d7b1401a4339a4

SHA256
5cc2607924f464f169fb09d9ccf9305ff3887e955e3677d5daf2bc32c39d1f8f

SHA512
efc6c56fc282989dcefce836e559469a539e49047f27159b9be6fa783ff0c70bc942b561253a6b987b9dbbd441a52acc2103b3457a6e36485713f32623e91d08

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
362KB

MD5
d6c829319c741c47c041229570378756

SHA1
8b947cfa98e0b355abf606871d3fc693acd669af

SHA256
a22d28a86243b8daf2054a3117ab3d08ca45669237d03f04b38977a68469b530

SHA512
8bba38fefc637db93c40de2566dcc4b4c95412da76efbf5b69f4025d8ab1a0f82d348cb11ab853aab9c73fc2f35a92f9b5ac40ce7bdb4322b4ce387e4f3dcdbb

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
362KB

MD5
6381304b8a1b53b03e28f90566957091

SHA1
c3e2dae41bee187b0dbdf989e60b48bfec85d6f2

SHA256
1efe1e9d0fd71a55914faa984c79e4a3a798fee5d15569086e3787068a17628e

SHA512
61354907920c2f549dd0ffe31949fbfe2650b14e9a0d28833f652d02e3353b1122bbe6b6708434ab41478ebda7655651e0db47afbf6017de77e22a42f5a001d9

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
362KB

MD5
909dcf54e595175cf005bdf817ef9412

SHA1
061111b0d5c3b7149f3bba13e027ab4d6387256c

SHA256
8c091971cdc515c9baaa63e7f43c0cc3071e2ac0c5924305fd5d07c714668051

SHA512
52e4d75910df9e1acb51c54c5523bfde22e392c578d12b72b170c75f53aa5a571f99552b5b523e7d07b9cbcbf781a2f943e1cc9b7371989834a9334246907be0

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
362KB

MD5
bc3a498a8eaf9b319f16221530ec3a2d

SHA1
1517f3355000d7066843a5d8bc9976e58ea3d68c

SHA256
338fda7c99114bc1d56ff0df3fc600eb25c164bef92edef151280f84a433839d

SHA512
05eb8ece9b209972f0e2f719da266c59785861ca00bdf1b4f71200a37d193a896468e4427c4909ea4a5892bc4b3529408cd0e31f691249a233a4ad0552d49bf3

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
362KB

MD5
33ed6483e55b914d3de7fffe6183ba76

SHA1
05972f1873eb75acb5214c5f33314fef020704e4

SHA256
935db4b069a53b122ff0f6af9b030bc40960d53a0a778a2b221837951a53bc25

SHA512
0ef663c123386c20fd4e1842d908b3550381f5871fe7f6a2fe177e0c9fa37ef3a8eadc9217508aec8e894b6512a56d16986a13c2abd43e920cfdad66bd4a752b

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
362KB

MD5
4a71fc24a279bcee4b5401f1f03eee34

SHA1
865018f9906c591c1e0c89a20eb146ba32b65181

SHA256
030920aae53fbe8547f1fbaa7628c3767119d8fb9ddf9dd2efec6d077e6270b7

SHA512
f06dbb8920a1e787e0a046145a38a259b65ecfa3c1782e5f2fb7758d1ab9886742ffcb047dcbdb1778e73e3cb78d4d827ff055d56c33e3cd2c884b0de9033eae

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
362KB

MD5
f2d4777974dc9b70cf4f6fc361b782e4

SHA1
54e158032ee38d5fadb492d5fa2c4d082e1af014

SHA256
91a7f5eb889c02f996988654a97bca2df1e5dddfade02b571e11053ec40f4b06

SHA512
7dfb55e39f8c50b5b0df89a351165721185c918b332a03cd7cac3b37847f9d84e94f9de526e21fbaf7a969c5b4bfd4143da4ea968fe0c65a795b9c3b40ad5a6f

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
362KB

MD5
78233e3290441793b515b83ab18ef796

SHA1
cdd2c8b7418fc1af4e0fdad9f7df57331d24303b

SHA256
4dc031f1abba11e28f4c5e5598ee630ca1b23acb59e38f6b62cab8e533c3bd2e

SHA512
78a5dbf6139011476a340b8f3ee8dcc3da2b82e32298d03a4a8b202f8172764e4dd9588e472d54d762c2712e9b1a5675a688f4020e6d26f9ca6ec80e3d645422

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
362KB

MD5
40268318acd15d69286f2e12ba63c410

SHA1
71c68818723798c71d2f862aa81909c4e1513cf0

SHA256
7602ffd7aeec89b7f988e441e23fbef324414c2d826d79524f2787d2cbd8e93a

SHA512
578b019fb64020cb9076f91314abdf9f2bb3fb74406f9803537e29e3c8da949361c6d83fc8d3bccca6a45637eb01eb4db263cdd231de2a6824b0677b24d7db3b

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
362KB

MD5
5ce8bac5626f04911a78e81688c27ada

SHA1
05b746822fd6ee2cdf99b9c143487b7e9f4fdb67

SHA256
b971ea7bc3c56d54387f0ee6944ba3d06bff26a114650082914b4af7d6339dfd

SHA512
1e6287445ac1da7024d6e4f797d8004b00ff78aa84b6165a9b12c50714f8f5f41e19c8e00fc3a74ca2d1f921c9607877fb1b80b306ba65383b60ae28ff06b788

Download Submit
memory/376-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/468-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/560-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/684-524-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/708-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/788-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1188-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1804-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1804-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1860-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-500-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2352-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2352-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2540-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2620-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2644-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2848-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3360-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4064-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4372-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4412-513-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4636-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5132-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5204-547-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5248-554-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5304-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5420-570-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5472-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5516-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5568-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5620-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads