bd4994af9b526356bc5860e968c7fd213d9cfbdd5d37691d44f6175532f9ecfe

Analysis

max time kernel
140s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Size

121KB
MD5

b1331de1f06acee423dcb568555d7390
SHA1

88270bf9135f36bc5cb51978a3e7031c8e26dfe8
SHA256

bd4994af9b526356bc5860e968c7fd213d9cfbdd5d37691d44f6175532f9ecfe
SHA512

2718f3db0e25fe5e5ecd59bf6cee57bc2b3152b8d24513f4ef9d26522550d26ffc72ae6dbca92065abf27483ecd97f748e0cc60df1594f31699a738107aacf02
SSDEEP

3072:NviwFZZSTKW2nfUiBLRi8t4rqCHjZIDWZnHcHvR6ijwhwDCRM2O7AJnD5tvv:R+qBLRi80GW3VJRM2Oarvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giecfejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampaho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieeimlep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiopca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giljfddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halaloif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khabke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbiockdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbiockdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbkkik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggjjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkoplk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajjokd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkkik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbgfc32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/1436-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000800000002324f-6.dat	family_berbew
behavioral2/memory/4992-8-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0009000000023255-14.dat	family_berbew
behavioral2/memory/4764-15-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023257-22.dat	family_berbew
behavioral2/memory/4700-28-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023259-30.dat	family_berbew
behavioral2/memory/3432-31-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002325b-38.dat	family_berbew
behavioral2/memory/212-44-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002325d-46.dat	family_berbew
behavioral2/memory/4420-47-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002325f-54.dat	family_berbew
behavioral2/memory/5032-55-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023262-62.dat	family_berbew
behavioral2/memory/1656-63-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023264-70.dat	family_berbew
behavioral2/memory/4876-71-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023266-78.dat	family_berbew
behavioral2/memory/2544-79-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023268-86.dat	family_berbew
behavioral2/memory/436-87-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/4568-95-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002326a-94.dat	family_berbew
behavioral2/files/0x000700000002326c-97.dat	family_berbew
behavioral2/memory/2344-104-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002326e-110.dat	family_berbew
behavioral2/memory/3632-111-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023270-118.dat	family_berbew
behavioral2/memory/2384-120-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023272-126.dat	family_berbew
behavioral2/memory/764-128-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023274-134.dat	family_berbew
behavioral2/memory/4860-136-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023276-142.dat	family_berbew
behavioral2/memory/4708-143-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023278-150.dat	family_berbew
behavioral2/memory/400-152-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002327a-153.dat	family_berbew
behavioral2/files/0x000700000002327a-158.dat	family_berbew
behavioral2/memory/948-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002327c-166.dat	family_berbew
behavioral2/memory/3724-168-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002327e-174.dat	family_berbew
behavioral2/memory/4960-176-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023280-182.dat	family_berbew
behavioral2/memory/8-184-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023282-190.dat	family_berbew
behavioral2/memory/3788-192-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023284-198.dat	family_berbew
behavioral2/memory/1820-200-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023286-206.dat	family_berbew
behavioral2/memory/1384-208-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023289-214.dat	family_berbew
behavioral2/memory/1932-216-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002328b-222.dat	family_berbew
behavioral2/memory/4984-223-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/4916-232-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002328d-231.dat	family_berbew
behavioral2/memory/432-239-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002328f-238.dat	family_berbew
behavioral2/files/0x0007000000023291-246.dat	family_berbew
behavioral2/memory/1548-247-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4992	Fofilp32.exe
4764	Gbiockdj.exe
4700	Gbkkik32.exe
3432	Giecfejd.exe
212	Gndick32.exe
4420	Giljfddl.exe
5032	Hnnljj32.exe
1656	Hbnaeh32.exe
4876	Ilibdmgp.exe
2544	Iiopca32.exe
436	Kiphjo32.exe
4568	Kcjjhdjb.exe
2344	Kifojnol.exe
3632	Kadpdp32.exe
2384	Lllagh32.exe
764	Lcmodajm.exe
4860	Mhoahh32.exe
4708	Mqjbddpl.exe
400	Nijqcf32.exe
948	Ojqcnhkl.exe
3724	Ockdmmoj.exe
4960	Ocnabm32.exe
8	Pqbala32.exe
3788	Ppgomnai.exe
1820	Pafkgphl.exe
1384	Pfepdg32.exe
1932	Qjffpe32.exe
4984	Qfmfefni.exe
4916	Ajjokd32.exe
432	Ajmladbl.exe
1548	Ajohfcpj.exe
1524	Ampaho32.exe
3720	Bigbmpco.exe
4628	Biiobo32.exe
1576	Bpcgpihi.exe
5100	Binhnomg.exe
2584	Bipecnkd.exe
1532	Cienon32.exe
2764	Ccppmc32.exe
4488	Cildom32.exe
1104	Cdaile32.exe
4480	Dcffnbee.exe
4464	Dnljkk32.exe
4396	Dggkipii.exe
4944	Dpopbepi.exe
4644	Dncpkjoc.exe
2520	Ejjaqk32.exe
744	Ejlnfjbd.exe
5064	Edaaccbj.exe
4548	Ephbhd32.exe
3528	Ekngemhd.exe
456	Ecikjoep.exe
792	Eqmlccdi.exe
2348	Fcbnpnme.exe
2300	Fqikob32.exe
1340	Gkoplk32.exe
860	Gdgdeppb.exe
1828	Gqnejaff.exe
2152	Gkcigjel.exe
1176	Ggjjlk32.exe
2260	Gcqjal32.exe
4208	Hgocgjgk.exe
3732	Hcedmkmp.exe
3668	Hjolie32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mhoahh32.exe	Lcmodajm.exe
File created	C:\Windows\SysWOW64\Nijqcf32.exe	Mqjbddpl.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Nndbpeal.dll	Giecfejd.exe
File created	C:\Windows\SysWOW64\Iiopca32.exe	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Kadpdp32.exe	Kifojnol.exe
File opened for modification	C:\Windows\SysWOW64\Hbnaeh32.exe	Hnnljj32.exe
File opened for modification	C:\Windows\SysWOW64\Gkoplk32.exe	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Gkoplk32.exe
File created	C:\Windows\SysWOW64\Khabke32.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Ilibdmgp.exe	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Fjohgj32.dll	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Hjfbjdnd.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Iaedanal.exe	Iabglnco.exe
File opened for modification	C:\Windows\SysWOW64\Hjolie32.exe	Hcedmkmp.exe
File opened for modification	C:\Windows\SysWOW64\Hbknebqi.exe	Halaloif.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Gbiockdj.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Dkjfaikb.dll	Nijqcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Iabglnco.exe	Hjfbjdnd.exe
File created	C:\Windows\SysWOW64\Jdjfohjg.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Halaloif.exe	Hjolie32.exe
File opened for modification	C:\Windows\SysWOW64\Khdoqefq.exe	Khabke32.exe
File opened for modification	C:\Windows\SysWOW64\Giljfddl.exe	Gndick32.exe
File created	C:\Windows\SysWOW64\Deocpk32.dll	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Ojqcnhkl.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Ocnabm32.exe	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Ggjjlk32.exe	Gkcigjel.exe
File opened for modification	C:\Windows\SysWOW64\Ieeimlep.exe	Iaedanal.exe
File opened for modification	C:\Windows\SysWOW64\Jlkafdco.exe	Jlidpe32.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Ajohfcpj.exe	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Dpopbepi.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Ieeimlep.exe	Iaedanal.exe
File created	C:\Windows\SysWOW64\Abbqppqg.dll	Iiopca32.exe
File opened for modification	C:\Windows\SysWOW64\Mqjbddpl.exe	Mhoahh32.exe
File opened for modification	C:\Windows\SysWOW64\Biiobo32.exe	Bigbmpco.exe
File created	C:\Windows\SysWOW64\Fllinoed.dll	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Ncjiib32.dll	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Kjekja32.dll	Gcqjal32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Kiphjo32.exe	Iiopca32.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Bipecnkd.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Jeolckne.exe	Jbncbpqd.exe
File opened for modification	C:\Windows\SysWOW64\Bipecnkd.exe	Binhnomg.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Ocnabm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5480	5392	WerFault.exe	175

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgocgjgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khecje32.dll"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fofilp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiopca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Halaloif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnncn32.dll"	Jblflp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlhjjnc.dll"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khabke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Llngbabj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajjokd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkfnao.dll"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjolie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcqjal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflimp32.dll"	Hgocgjgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Ocnabm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 4992	1436	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe	92
PID 1436 wrote to memory of 4992	1436	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe	92
PID 1436 wrote to memory of 4992	1436	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe	92
PID 4992 wrote to memory of 4764	4992	Fofilp32.exe	93
PID 4992 wrote to memory of 4764	4992	Fofilp32.exe	93
PID 4992 wrote to memory of 4764	4992	Fofilp32.exe	93
PID 4764 wrote to memory of 4700	4764	Gbiockdj.exe	94
PID 4764 wrote to memory of 4700	4764	Gbiockdj.exe	94
PID 4764 wrote to memory of 4700	4764	Gbiockdj.exe	94
PID 4700 wrote to memory of 3432	4700	Gbkkik32.exe	95
PID 4700 wrote to memory of 3432	4700	Gbkkik32.exe	95
PID 4700 wrote to memory of 3432	4700	Gbkkik32.exe	95
PID 3432 wrote to memory of 212	3432	Giecfejd.exe	96
PID 3432 wrote to memory of 212	3432	Giecfejd.exe	96
PID 3432 wrote to memory of 212	3432	Giecfejd.exe	96
PID 212 wrote to memory of 4420	212	Gndick32.exe	97
PID 212 wrote to memory of 4420	212	Gndick32.exe	97
PID 212 wrote to memory of 4420	212	Gndick32.exe	97
PID 4420 wrote to memory of 5032	4420	Giljfddl.exe	98
PID 4420 wrote to memory of 5032	4420	Giljfddl.exe	98
PID 4420 wrote to memory of 5032	4420	Giljfddl.exe	98
PID 5032 wrote to memory of 1656	5032	Hnnljj32.exe	99
PID 5032 wrote to memory of 1656	5032	Hnnljj32.exe	99
PID 5032 wrote to memory of 1656	5032	Hnnljj32.exe	99
PID 1656 wrote to memory of 4876	1656	Hbnaeh32.exe	100
PID 1656 wrote to memory of 4876	1656	Hbnaeh32.exe	100
PID 1656 wrote to memory of 4876	1656	Hbnaeh32.exe	100
PID 4876 wrote to memory of 2544	4876	Ilibdmgp.exe	101
PID 4876 wrote to memory of 2544	4876	Ilibdmgp.exe	101
PID 4876 wrote to memory of 2544	4876	Ilibdmgp.exe	101
PID 2544 wrote to memory of 436	2544	Iiopca32.exe	102
PID 2544 wrote to memory of 436	2544	Iiopca32.exe	102
PID 2544 wrote to memory of 436	2544	Iiopca32.exe	102
PID 436 wrote to memory of 4568	436	Kiphjo32.exe	103
PID 436 wrote to memory of 4568	436	Kiphjo32.exe	103
PID 436 wrote to memory of 4568	436	Kiphjo32.exe	103
PID 4568 wrote to memory of 2344	4568	Kcjjhdjb.exe	104
PID 4568 wrote to memory of 2344	4568	Kcjjhdjb.exe	104
PID 4568 wrote to memory of 2344	4568	Kcjjhdjb.exe	104
PID 2344 wrote to memory of 3632	2344	Kifojnol.exe	105
PID 2344 wrote to memory of 3632	2344	Kifojnol.exe	105
PID 2344 wrote to memory of 3632	2344	Kifojnol.exe	105
PID 3632 wrote to memory of 2384	3632	Kadpdp32.exe	106
PID 3632 wrote to memory of 2384	3632	Kadpdp32.exe	106
PID 3632 wrote to memory of 2384	3632	Kadpdp32.exe	106
PID 2384 wrote to memory of 764	2384	Lllagh32.exe	107
PID 2384 wrote to memory of 764	2384	Lllagh32.exe	107
PID 2384 wrote to memory of 764	2384	Lllagh32.exe	107
PID 764 wrote to memory of 4860	764	Lcmodajm.exe	108
PID 764 wrote to memory of 4860	764	Lcmodajm.exe	108
PID 764 wrote to memory of 4860	764	Lcmodajm.exe	108
PID 4860 wrote to memory of 4708	4860	Mhoahh32.exe	109
PID 4860 wrote to memory of 4708	4860	Mhoahh32.exe	109
PID 4860 wrote to memory of 4708	4860	Mhoahh32.exe	109
PID 4708 wrote to memory of 400	4708	Mqjbddpl.exe	110
PID 4708 wrote to memory of 400	4708	Mqjbddpl.exe	110
PID 4708 wrote to memory of 400	4708	Mqjbddpl.exe	110
PID 400 wrote to memory of 948	400	Nijqcf32.exe	111
PID 400 wrote to memory of 948	400	Nijqcf32.exe	111
PID 400 wrote to memory of 948	400	Nijqcf32.exe	111
PID 948 wrote to memory of 3724	948	Ojqcnhkl.exe	112
PID 948 wrote to memory of 3724	948	Ojqcnhkl.exe	112
PID 948 wrote to memory of 3724	948	Ojqcnhkl.exe	112
PID 3724 wrote to memory of 4960	3724	Ockdmmoj.exe	113

C:\Users\Admin\AppData\Local\Temp\b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\Fofilp32.exe
  C:\Windows\system32\Fofilp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Gbiockdj.exe
    C:\Windows\system32\Gbiockdj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\SysWOW64\Gbkkik32.exe
      C:\Windows\system32\Gbkkik32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        35⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        36⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        69⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        79⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        85⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 420
        86⤵
        Program crash
        
        PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5392 -ip 5392
1⤵
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:5488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajjokd32.exe

Filesize
121KB

MD5
20321fb71968f1159c981d8e9b53cbdc

SHA1
b7134cd57eecff98adce375d0a27f7cef420c466

SHA256
58b1b0c94e563cf53f829d8c5a3b4125dc5c3e8e3345fa8a0e5d281142b0d7cb

SHA512
4c1462edb99b6ae095b0b6a0d506c889ae37f10fb36b9ff8a3d274da0720693effb464a6ced202fb94317cff90dfd285aceecb1a01dd986adac9790c448e4310

Download Submit
C:\Windows\SysWOW64\Ajmladbl.exe

Filesize
121KB

MD5
801d79593b23b0828795650989f2847e

SHA1
8e2989b95df312a213480c9ce917e99a05864ad3

SHA256
b515694aaf183cab6edcdd52c65be2b59ea256e6f0ef52db3713df3aadfa2af4

SHA512
be25da179c694d22a2eb96ec540dd1613e45af988a08ae2d361327b0a48c3c5893cb600c29d6e440c55dca53dc963235c1b241f85892836d43ab37a2a07862a5

Download Submit
C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
121KB

MD5
3b657d09fb23486a1d6c648f997968ad

SHA1
ac2f6ef8689f00d43971de2ff751e3a0133040af

SHA256
3df717cc95529570c0cd9e0ffb654d79e4e735f1b96eba33f4461aa4a5a1abf3

SHA512
a27aaa9f7d91e437aa40732c890f814dd022a6f6eb3703f21e9e2dd911de076ed059fe60732792eef6f267a07d6db78daf35009c313e4f7238bc6ad3914597e2

Download Submit
C:\Windows\SysWOW64\Ampaho32.exe

Filesize
121KB

MD5
508f1d2f53c8bd541ab385c573f98154

SHA1
075de4f3e8a16fc066d55a2474dbbe1a1a619383

SHA256
e3792b4cb0b2d0e08574cc27715504edd7ab52ede77fdeb1ed0463f69b2ffe2b

SHA512
e29dd21714e993bf683356e1e4a6fb75eaf7fcf8038bef171c4372125dff14f059500ab35215f5a2309e60fd3243cb0380aa590eb7be7aa7c2a351480c4f5a63

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
121KB

MD5
9012f530d225e809e51b7fbfd405117b

SHA1
c20b5cc1862329910c7b917d47f5086096323cea

SHA256
3339e8754a2e380f1939f19e1a81a6044266b724990e3498fbde1634cdc39eae

SHA512
f835cb7f6c635992ee2d7f11ea5341b0a279cdfbb3f0763263a85df9eed302b2aa120f4b856d1f90d3b76a8dd73b27df3ed73a00265fcc6e84b58fb4b9a03697

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
121KB

MD5
29242abe6c04c6acc66ebff67209daf5

SHA1
e49a37ccaf099a2768d1282282b128d1a0ff7746

SHA256
2eec3f1ea741e03277a11ffb761ad520b6a3d8d908bc174a18dd94a8a7536851

SHA512
675d0163955953ce3e8f67bc6701f9efe09a7da3f7699b8bd7306b98c8a16139932e446962ca246e2ec81313b59aa4a27fd2228007d4c365efe24153c7adf64d

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
121KB

MD5
2ed03fabad4bb743710c55950678c81f

SHA1
45b1d642b76c802f80b68e8f2b8dd60719360153

SHA256
e1f5b0701c9ac4c62afe9717f9e8eacbf2d36c9fa0077a923062964abd3b41f5

SHA512
58f4139e376a2170d8afb5da1801a5f2e56e8ab5b7f3a14a30a9ce4d3107b6ec996dcd1bb59af8bc18ce6c10cdc2dc11385c14cd547d1d327a84b022f760e712

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
121KB

MD5
3a70143af769c604f6030ad934e55c2a

SHA1
9a6a243edef642289032a46e6111b7d963e8cd84

SHA256
c7c342adfd6feae105aba22b87c4541f5e681007e840b256d798f34082b14214

SHA512
b64b80aa617ba432a1a14b5843fdf4ddf4566fe006c026bb6a81407935116497bd45411c98369240b9cd04353c654d29aaed5fc594375e790e2dc0f57751c112

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
121KB

MD5
ecb783fd223695c6ab25ce4e6ba7888f

SHA1
79f5f00f5fcd784dd3d1106d8616a7ad56cc474b

SHA256
8757203bb7fc1faa31f479b9506c842a587889b9c243a5da47fe467b21a16543

SHA512
e909747a39fa3922998671b8de0be0a2757d3447922f3dc6f0bf8b8865ac1d64cab189ba66c4b8e04a36f72e4f1ce5508d7fa28831147eede719c25609405563

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
121KB

MD5
f553d294945088a4f7b2322406d33acc

SHA1
7a1c6b43f3610520ffc7eb9bfd38d3f2ced63bf3

SHA256
2ed46a8dd3648b4b023c3083614bc1f312fa48e364a9abb8be85526d5ce73dc9

SHA512
aba021f41a92f2cbcc98f4e56652d9c02e29a538ed26da671b23b8bee1feb5239ff29da70852482203f3898e9f6d1a848677c94bcd1aeb7e59b35ae04ca26d54

Download Submit
C:\Windows\SysWOW64\Gbiockdj.exe

Filesize
121KB

MD5
fb03c3ee27e954be6600523914ffd4bb

SHA1
7405010cdbef1e51bda8d0ef9e0d14da17996a71

SHA256
b6741fbb8393ff72b82e7452c7963802893e061b632da4bb532c222b56857d36

SHA512
0050c262664e8d410661522151c480a74080567e710bcc4c455bebdc0ff8ba9afbf32c898640ec32337652d1f4cba5e6df63cc5d6c1b49b9ae93d2f0e47539a8

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
121KB

MD5
1a356a5a3ce4a0381b44c471083083cd

SHA1
aae2e1d5d257e143216e224ebaa4aede195e9cc2

SHA256
1207858e89b6a5f0bb67caec4efe7dbd6e2854cf6105ed0df932705d872dd46d

SHA512
c21387bb78bee320377875ab2889c7c1e81863050777aa3f9f1d923a48e4d79248e05e6596cb1baff197d5c5b2a89bccd71043a6f0250381bc2dfe30a96323e4

Download Submit
C:\Windows\SysWOW64\Gcqjal32.exe

Filesize
121KB

MD5
c0909d75d4ac765a112ea8d90ed31f11

SHA1
7be28182a793cff66f91586970fb13244c9f6968

SHA256
16b94acc9a527cfed6c72adb339a648b4576d3ac6bd7806a0412d985c3a82544

SHA512
97b01216d846470888986404d496b8de0c78755ed2fe1b0266595033f227a2d7521c433e05abe797225aecf23b1b620ca84d570794ab14c957e9177f84eda4b9

Download Submit
C:\Windows\SysWOW64\Giecfejd.exe

Filesize
121KB

MD5
4e41df6da606ff43dfe2a1fef3a60fa5

SHA1
465cbee3437aac0229a4a75fae6c0bd93c659616

SHA256
f201bfb2f963bc79bae6724a3f42683ef1cfea066245493e5621c0a9b4a1028c

SHA512
adbe6f471be0e93fd964e0fb32f8765a8aae77010f405f81060c88b6b08b02f422b060c56903cae945bd7f8c1214755c9a9bad0652e5f6ee6c24a4c7f39514ca

Download Submit
C:\Windows\SysWOW64\Giljfddl.exe

Filesize
121KB

MD5
1b9030863c5797373d848c9406041432

SHA1
5ccb5ea9944e02c60afed012e030e022a41a2bd6

SHA256
afe6bd60e0ed7137faaefa0538f1814f4ab7aeac286e639bffa6c8bb01b68fe3

SHA512
f9fa1d85ab5447b957c0618a94323c07e51ef0ce3590ad937ec63ee4c9d89df0e56abe58dcf4f2e3d73a59685f3102a7d6dd7ceb80970e75d059a010b784da84

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
121KB

MD5
aeddc9718368a99f5945f1e4871fccb8

SHA1
03181855745f802f00bd5767596607e2034ebd73

SHA256
1e30293060378b7e41b6d752a7b0342e4b94a6b92c95e0d553e127db75590b90

SHA512
7d17adfb3d47bfff1880eef1f5752d359b11b1916c537752824d8d32c566d36d7766ae150e7489be42ee504b7d7b0d90b694563582f639fd9f4fc07e40f47a0e

Download Submit
C:\Windows\SysWOW64\Gkoplk32.exe

Filesize
121KB

MD5
986839adde0308fa7950b53d316b44b6

SHA1
2f9ab582283b34cece1709b292bcd07500303791

SHA256
9eee8e7ee5094c38b5de6b9205ffcb3891ea83c8e3fdcd85bcdb89132282ea66

SHA512
1ba3cf4bb441980e71c3486a84e6cb5689eb904ade4684c31b65e3663bc9204dac739c6bac61cd0fe6f3da45b37c643fe769c589fb4f6d3e3574c2f2ecafd65f

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
121KB

MD5
93657cfed571e025de4a26d9737a5778

SHA1
d02a3b60d5f4db09b7eb981e372e562222fa5765

SHA256
a65e94854560b02fb55fc52ffb1484e7c876dd2d6903f4fc76db1b0f9add709b

SHA512
07d759c4fe984d80a426b1c38ad89d8725db2756045834af237d835560c1d70dc2c6c81f6125687bbbd31135bec945bfe830489874c31111c4ef77f52d763de4

Download Submit
C:\Windows\SysWOW64\Halaloif.exe

Filesize
121KB

MD5
7a71514e8459e7df10fb850eb9242f7c

SHA1
b7b817f33a4898174ae18665700aec7d2eb25eb0

SHA256
25bce074f55ab6d7a75545037fe949d1a9709f80878134808fceb3c6a239c5aa

SHA512
effb446194de3feb5c65c40f6d5809f65fd66ea1bae8fd480ee8310cd9eee544dd5fa2768a7b3d9f046bf513e8b30bdf40eda99df80e453ad8b52aabda557196

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
121KB

MD5
96b4ae564231e121b1521fafd2ee54b9

SHA1
2c237a994a83386d0b92c316eda47ace500e1d0f

SHA256
b7951fc214dd87711b23a2c7e736c7feafde828309de049a98ec208949727a6d

SHA512
d3726ecbd819e9862afc5906b699eb3e6c45de9e073bb00113401888b83d8a261d25bce6698c65e256e308bab10d039e48a53cefbba16e719041ba1e0e625d16

Download Submit
C:\Windows\SysWOW64\Hjfbjdnd.exe

Filesize
121KB

MD5
048b3d9422e7418a5ee5092bd403510e

SHA1
fa8ddf3633204c4338366057378920eb672a61b1

SHA256
27eb44ecd10eec99b49841a331644f16243cc3fff8310f23b9ff1f03294c4744

SHA512
49d8422d93dda52a1c88cb1471c2c4245f34b5d891944800015049652fb68aae3c1b945ec476d8e321545f47780bdb27288df4f15d592bb6cbae7748f4cfa49d

Download Submit
C:\Windows\SysWOW64\Hnnljj32.exe

Filesize
121KB

MD5
5700e6fe046debd3eb9ef3c27d52dc49

SHA1
400cf5387e89ce7783f5427f39373996b6aa25b2

SHA256
1af020f8bdb386c29937bc3c67dadb9c9fe22b919418d8b45a1f95e828088c6a

SHA512
8c29d8a33bfa42926291b7f207fdec6a6af8742adfe72a1ebc37adff75a03859cde90bd205625b6e643e27bfffbbaf7a4b3ef81ed847e1dad097126cb17d3741

Download Submit
C:\Windows\SysWOW64\Iaedanal.exe

Filesize
121KB

MD5
e12d8a361db11ad5270019300007a10c

SHA1
cbb6fd3f9421a85ad5458290d1897a6c0b7eef6c

SHA256
3956d282e30530179058cb669a5b684afe0765a8049ffc16059f277b88c99533

SHA512
51c84ccfb3fa35c542f8bfae898c291fd124512bfc308be62e5327b63c539f8a47c29ce1765e62a21b53591a6fe3c4a5b5639ee6435ea2aad083c4f2d62b34ac

Download Submit
C:\Windows\SysWOW64\Iiopca32.exe

Filesize
121KB

MD5
ee458f07efb9734cee7f28cbad751105

SHA1
2990b258b5b255e2a891629e17d475dbe008c04b

SHA256
8a00a51274954f29cb0e876c149ddc8705a40e97f460d3797ed8a0bab386001b

SHA512
2a7d4a68596722a010b423a8e11e33dee3a8e3d76e12f604ad4cab77d29188732f33361b9f6b01a61c8d5d4de473e3badaa9e3701704b707edb254bec5bfe164

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
121KB

MD5
6c7a9c1f31f82ac7b1f8ceaa012dcdd6

SHA1
87c11d518a2a93f87c37a4a1ecec39ab12e8c3e1

SHA256
44f8169e05af45abf7685212e492676f9d7f6efc25296dbba3395160a4e0e119

SHA512
86aef934d8e232d4509737b85e7e5ea83f390c241bcd3403100edce77d0081eb3d325f097ec63704682b08e5fa13df36f7a83a176bc8926dfe1e3c0f75d80b27

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
121KB

MD5
d5564d04a5164048e08d5e0d699827a2

SHA1
ae71de1fee869feed10b4508ffe576ee8fd664fd

SHA256
7747bcccee850ab935382ec4f0a29fd63a2ad516ec33e5cd3a4f4f6f3a720fb2

SHA512
9f93e7409216406add7e5aad480f8180a2e462005c2893449d88a56a210ed9e0c8de135c9f1f97ec5f8ecfb555b071245781a76ac6194f6440a79be77d6d1441

Download Submit
C:\Windows\SysWOW64\Kadpdp32.exe

Filesize
121KB

MD5
70ee5c72f689b6f638c1136189de0bfb

SHA1
06033eb52178451cc337a97679d2e4b3acffd8e5

SHA256
ad363047b4a102e36a307e76429af5722bda913268a4ab3cf74e0b213335fe5c

SHA512
4439f081a8b1170d7197616e5956c0b2f6c64b44d57c1974dc090f10aeb689d6672bac2288f229dd8d82bce920b04473363ba298eca77f38497a5b48966726e3

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
121KB

MD5
f9363ca5e514a3943bd8a5556386a0c6

SHA1
05ea4d87671f329c2b9e0216ac1396102a0c4459

SHA256
bd0b448ec97d21e4a821dce5a2e6094135c2d72d9778798508a11e697743cce6

SHA512
051b480faadeba1df1b400ec50d2726b1a56b72ae4aafb63d61b9a29462c29ebf4d7e6de67cedf0fa8ea12c56ea72a49e894223fa827a3627a83af6ad805c76d

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
121KB

MD5
c81a9bef56a6fbca6ff7888470e73a1a

SHA1
00e852898e10d077ceea51be9360791145ce5520

SHA256
5925d3755648a3e9ac798731db87e91ba8e3d4940dab1c5685f0d3ce6165c9ae

SHA512
bc97e3706125df1834b8791486c5f6d5378e608d64981505d63438df0d9126666c8da5185eb3ed2ba79d8d2c349ee907cae38d8810d7d7d751a498bb91683fa9

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
121KB

MD5
c3e3aca5b4be69e2367bdcc00ff9c776

SHA1
10d3c9a6a5c627c91080bb1d9be3e188d85363c3

SHA256
fadd2a6dc618da7554feedea7b89866bb5a2be216876477dbc7adc10cbe40bc8

SHA512
cdcd219c929a84b01b8bb53f342cc71e137a545a9ba7057cc269fb3f33698e045f14e96b379b7f6d4d6d124b69420b28d78f66d9c2c02c55a21f81d0d158f261

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
121KB

MD5
01c24fc8fa0a299687058a8683fa4806

SHA1
4cebc14623a140817448b860d5e9c2172766916c

SHA256
8f0db4f1371a6450eac6150fa12854531b8effdddc4e1475d057d1eec232fa44

SHA512
fb1f9a285a201882786ab4328838bfa674b9c67b3dec9d159e71499159b4b4b98f270a0152837b1bcdf8a60f297ce48d1e352f89cab985126a24d17b74267bdb

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
121KB

MD5
8580a0680d9fec40e0648c563b9b6281

SHA1
2108d256649bc2cd11b2e6ef7d295ce047e261db

SHA256
d6375f41768b5345c2a0e33e419e83c9dad8e3c23b22a9079db59e098be35e1d

SHA512
24110ab084a505151a0878e7632f857468b50c46abb89c6447e065db035a54e2f22afcd3caa5a32f19175da8a250aad87df99a4f98f0d167a7eed95c62ca15f2

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
121KB

MD5
1dff739dd04662a528be5e3da5a3eb43

SHA1
211ab8b045aac913de66b85e209eb5eb0ad1aa3b

SHA256
4b92072e8bfe2eaf0ee059e4961282099347bb3c24436e3bc0662eaa559262b0

SHA512
2e383f69a4951f8d358bbc7e7332d58ab1939fb6b272b8a2d43d3896a5f5e9fa759f5638849d4119b4e3f9de20dcb62c8e4c0d93414487bc9d618595ddca4235

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
121KB

MD5
c346c96dadb7d18e826537cdbaab6103

SHA1
0a642aa114558a8d2fc5ae31da2e969c34f42cd0

SHA256
f2b314cccb5be043fcc1a8da781569fba8c57e2aaaef61616aab86f9f4b7c8b5

SHA512
898430923df68da65263b2eaaf89969619831f19329889744b3e9847c5317f5486c659376eab387ab4fc87e92031fd605622401a92ff9ffa95d99fbe83b83b09

Download Submit
C:\Windows\SysWOW64\Lllagh32.exe

Filesize
121KB

MD5
8d291c3cfdc495d524cc5cf2e34a03db

SHA1
10b8542b0de47f150d9458578b72ece01d8339d7

SHA256
8d8e6c48eca7cb8a920bb060fad2b0837a0d05fd513b21e239cc23314acaaad2

SHA512
3cb1349761caf9f817c48bfd007ae7923b79b06ab70e0c579da8a1aa63ea37bb07723e761d058f87397154e884a903dc46ad83d0278008ef858cae9272afb758

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
121KB

MD5
087a10ce6cca9346793647bc6ddc42d9

SHA1
38fdf5d64d649a48c864979b584642e49e1dda1c

SHA256
a121fe25af7da704a246a86232bc3614c0514a5baf195bea936762890da082a2

SHA512
bdac8d5d349269bea4e32460aa9eede1d04bc53336dc87d06c3906973d45bafa3870e1413a785414c200d863a0d6ee9308c78c5a382c4d344228fc59561058ff

Download Submit
C:\Windows\SysWOW64\Mqjbddpl.exe

Filesize
121KB

MD5
986743e2743e333ad389873f6e0e73cc

SHA1
311e26ffde750820d0625a907c0ecd25bcadf9a2

SHA256
818a2ec0d953ee269f4d2111e5f9478ebf4d991bfb35c3e4a1bb3e7433e2bc75

SHA512
bab81c34c558146347454c5658db928e34f83dfdbddb674fac1973067fed833d502ae5ba53f11148712b446eacafd5aa9fa9efbb4d04a2eaa3841ee6519ce03b

Download Submit
C:\Windows\SysWOW64\Nijqcf32.exe

Filesize
121KB

MD5
23c975c5979e8a2cd87bbc017c67be22

SHA1
7d7a139241ee2a92e9313fea8f32111ccfe7ccdb

SHA256
d94ecb4316ca80b4ed99ee02633be67878c26863123d00a8de9c1f5218cb0883

SHA512
ffa42d9abb44058f6eec582202a83e39ab7ea34748968ee2d484e9569ec313b00a6848009160771a04aa536bb4900a022b2d925750136d4b1fdf2b6c99f59253

Download Submit
C:\Windows\SysWOW64\Nndbpeal.dll

Filesize
7KB

MD5
1ac4c8b0dd6b515303e39d5564fc7d2a

SHA1
ed5bd6dfa64e198812e2bb83f53b75d62cd0edb4

SHA256
4b34c8f9d1b8c7779a5ebe2c0bf36a6d7213b73e510741d6cbcd2b5b40927523

SHA512
6161728725d0c11b3965543ed1cf0d6eded0bea7c1efe9aa3fe1b6e2962e8df3580509683fa500119c5c2d70d6fb2a3f676bfe3c198c4fe1b14f62cc4b78ece5

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
121KB

MD5
438a71644e3b9f99830f51c0fe5010b5

SHA1
cc0fd851cbb6106b542a8bd9cf51b1260dcbd296

SHA256
b344ab3b248ba9ca7ef5c124a6dce4482432628ce2eac9ed54f838b9657221f6

SHA512
74af3bf594692c6dc034896583af7644de61e7ce7381223b6664cb506a4f745fc432f0cdda8c59b0cd0ef94891d56ee13dc34a4cfc53f75b1b08e282ebf01ca7

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
121KB

MD5
2713e8f2ffc80bf8edc705ef2f2924e3

SHA1
2409c85d17e0a4289fb15dcf8c4c03d177cee8a8

SHA256
b78d3776e548052afb71943be5e6a8544b107ae2c2cd636ddbb1c8f62199145c

SHA512
0c04e080205026f9ccb85b49584a2a30d9ef826a05ccb04b34671bb31a1c70ae71c28bd3adaababab7760991034698bafd4f3c693d43ee6daa467d917bafb0c3

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
121KB

MD5
ba39e764a8a00bb3aa14f7e8379199de

SHA1
cdf38b9a4149774ffd6ea923fb467b576e267ca3

SHA256
e5ad6f0defc521c6be7544bc05a685adee1780fc0a8b715923493b4e448b4815

SHA512
3be06f11523abbecb0a41ffc05eb2eb86f327bc480fd805f23702e481e841f0eb3f78f4eb9c4b58c26c6e8820d00737ef6f82cd1651fbe3fe35f1f5ee13c2176

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
121KB

MD5
8ca73590ba6a644d3be4defcfe0047cd

SHA1
b2a4815c8be835c2e8b7b05ba58a4f7066da6564

SHA256
fa98e4edbdbe022931e2a8294ba723e19c213695dbc719ef2cb9ff742b6d154e

SHA512
485c21d4ac247371691276190ae4ab987249fcef92ad0952f5ac713e236a43bab4773a721fcf7d3502fdfa53b358bb6ce453a7ff909377a3a39c1d1e03e8de88

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
121KB

MD5
c84986e53374e5f6723b5e3db388f16a

SHA1
5f63704f13f7cd3acf8e1307d020b8e8493478f2

SHA256
43ea0f56f787efa3f1e6250a9e73157447a11c868260efab7fec210c9e1f7729

SHA512
7b11bb73d83be24dad938fcbb524112cc73fc1575d38d36934b9a6f9c766270c363a46a15644c9733582321a8e4f8d6156041b1fadd5bb54e322001a560b863c

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
121KB

MD5
40aa355c153a7c58517ffcff5df32e39

SHA1
49a04448ec8b6bd5ce8697d46379868017ad5e0d

SHA256
0fcb3c3af12c358dbb5d5c0c97119aa49701ee4767ea586bd5b1fce08e9b4452

SHA512
1582d313c84d9a021851563dd6845236ce33af93d12ca20146de42aa53e8e7e4e88af5f72475aab7e0997215ee955947621e2d6c863d89ad44109ffcffc92e80

Download Submit
C:\Windows\SysWOW64\Ppgomnai.exe

Filesize
121KB

MD5
9fcf2404c9afa2778f5da1730f5b3502

SHA1
b86013e94acdfd3a9e8f89f78489df268aae11d5

SHA256
d8dc0423a4fc9b50a51f49c5f22d2ca24f8626d014027b1db8530c58bc77cf56

SHA512
e231e464ad8c23a1967f3015cf1b61eb7eecf81621c9d4b10d4f8f333bf02beb82c11adae909ffa28d19a6c5d1a6016394ba80ae0572cdd6f299b7426a079f92

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
121KB

MD5
ff9ed7eaecbdcb159f8c3ef3237741b3

SHA1
7aca86949d610ef62e96017b7978c8d64bc15705

SHA256
7b5b866c214efe5e7eb7d5a1adbc8b1fa9d216a511e65b6f9a6f9fcd699c4383

SHA512
65f447f70a9ca9a64143a5041e430a161ef49021fa883a7c376b424ee5c3d37d24ecb9bcb7b789855a3714ff991027ac8ae5648992edb9389481ef094ba90302

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
121KB

MD5
ae092b01a9e965d0109865e05d3f09b8

SHA1
eeac66fe08d1fde4bd2d26f1078ad350e6723a8c

SHA256
1351a8e2745037e022729b1b90fc70e9353f64a17553c06f67dbcfbe49342678

SHA512
6a50e0540c63aa6dba205976dc240d355b12f18cc505a9082f33f5b06ac80feb3f8d1a98e4ab0a7a397a8ce31a9f67bb5e21250cfb8505368e2e36dc77622d56

Download Submit
C:\Windows\SysWOW64\Qjffpe32.exe

Filesize
121KB

MD5
c4b757bc43976c85dd0220308f38d481

SHA1
d98dcfa087d4844da487bb0e4a38339de23adc8f

SHA256
3d2ca9918e9d1099f3dd02a8a66a70e276d669acc0c3add370be279526a6a9db

SHA512
abcc0af6c61271f9c731e08a9857884cdef023612206fecf0fdcc7087c546fb2830364f80b1504fe1fb809084cdad227c229fa848499f54969374ef8a5f5b736

Download Submit
memory/8-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/212-573-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/212-44-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/400-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/432-239-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/436-87-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/456-376-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/744-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/764-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/792-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/832-484-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/860-406-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/948-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1092-454-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1104-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1176-424-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1340-400-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1384-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1436-532-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1436-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1508-460-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1524-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1532-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1548-247-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1560-471-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1576-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1656-63-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1820-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1828-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1932-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2152-418-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2260-430-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2300-394-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2320-502-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2344-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2348-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-514-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2384-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2520-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2544-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2584-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2764-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2920-472-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3232-478-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3432-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3432-571-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3528-370-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3632-111-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3668-448-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3720-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3724-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3732-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3788-192-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3820-496-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4028-490-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4208-436-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4352-520-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4396-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4420-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4464-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4480-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4488-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4496-526-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4496-579-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4548-364-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4564-508-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4568-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4628-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4644-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4700-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4708-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4764-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4764-558-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4860-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4876-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4916-232-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4944-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4960-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4984-223-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4992-551-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4992-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5032-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5064-358-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5100-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5136-537-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5180-539-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5180-578-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5220-545-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5220-577-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5264-556-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5304-576-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5304-559-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5352-575-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5352-565-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5392-572-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5392-574-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads