de4030a6fc518bf9c5766bae1c334b129b0dc2ec1aa979c9df7d1f99f446f9e3

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
Size

227KB
MD5

066b980647f7f526bff743cc67a12c10
SHA1

b2ab174539c63889a3719861fa93fd4561256de9
SHA256

de4030a6fc518bf9c5766bae1c334b129b0dc2ec1aa979c9df7d1f99f446f9e3
SHA512

8903b57772657efe59eda08c042b6d3ff8f2967f5c6727b33d31df1b2e781be3e5feb423beab2d6995ac1244499660e661eb76f7315af43029f18cb6631ab3b3
SSDEEP

3072:IIbktLcn0Zw/EeykpwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:otL/Z2Km7U5j2QE2+g24Id2jFHu

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilhgk32.exe

Malware Dropper & Backdoor - Berbew 42 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000023298-6.dat	family_berbew
behavioral2/files/0x0007000000023452-14.dat	family_berbew
behavioral2/files/0x0007000000023455-22.dat	family_berbew
behavioral2/files/0x0007000000023455-17.dat	family_berbew
behavioral2/files/0x0007000000023457-30.dat	family_berbew
behavioral2/files/0x0007000000023459-39.dat	family_berbew
behavioral2/files/0x000700000002345b-47.dat	family_berbew
behavioral2/files/0x000700000002345d-54.dat	family_berbew
behavioral2/files/0x000700000002345f-63.dat	family_berbew
behavioral2/files/0x0007000000023461-70.dat	family_berbew
behavioral2/files/0x0007000000023463-78.dat	family_berbew
behavioral2/files/0x0007000000023465-82.dat	family_berbew
behavioral2/files/0x0007000000023465-87.dat	family_berbew
behavioral2/files/0x0007000000023467-96.dat	family_berbew
behavioral2/files/0x0007000000023469-104.dat	family_berbew
behavioral2/files/0x000700000002346b-114.dat	family_berbew
behavioral2/files/0x000700000002346d-123.dat	family_berbew
behavioral2/files/0x000700000002346f-131.dat	family_berbew
behavioral2/files/0x0007000000023471-139.dat	family_berbew
behavioral2/files/0x0007000000023473-148.dat	family_berbew
behavioral2/files/0x0007000000023475-157.dat	family_berbew
behavioral2/files/0x0007000000023477-166.dat	family_berbew
behavioral2/files/0x0007000000023479-175.dat	family_berbew
behavioral2/files/0x000900000002344d-184.dat	family_berbew
behavioral2/files/0x000700000002347c-193.dat	family_berbew
behavioral2/files/0x000700000002347e-202.dat	family_berbew
behavioral2/files/0x0007000000023480-211.dat	family_berbew
behavioral2/files/0x0007000000023481-219.dat	family_berbew
behavioral2/files/0x0007000000023483-227.dat	family_berbew
behavioral2/files/0x0007000000023485-236.dat	family_berbew
behavioral2/files/0x0007000000023487-245.dat	family_berbew
behavioral2/files/0x0007000000023489-253.dat	family_berbew
behavioral2/files/0x000700000002348b-261.dat	family_berbew
behavioral2/files/0x000700000002348d-265.dat	family_berbew
behavioral2/files/0x000700000002348d-270.dat	family_berbew
behavioral2/files/0x00070000000234a7-356.dat	family_berbew
behavioral2/files/0x00070000000234cf-494.dat	family_berbew
behavioral2/files/0x00070000000234dd-538.dat	family_berbew
behavioral2/files/0x00070000000234f3-615.dat	family_berbew
behavioral2/files/0x00070000000234fb-643.dat	family_berbew
behavioral2/files/0x0007000000023511-719.dat	family_berbew
behavioral2/files/0x0007000000023525-786.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2740	Fcnejk32.exe
3484	Fjhmgeao.exe
1440	Fodeolof.exe
2932	Gfnnlffc.exe
1812	Gimjhafg.exe
4084	Gmhfhp32.exe
3084	Gogbdl32.exe
5068	Gfqjafdq.exe
2716	Giofnacd.exe
2124	Gcekkjcj.exe
1912	Gjocgdkg.exe
4100	Gcggpj32.exe
3356	Gjapmdid.exe
3140	Gcidfi32.exe
4444	Gjclbc32.exe
2204	Gmaioo32.exe
2824	Gppekj32.exe
2492	Hihicplj.exe
4080	Hbanme32.exe
4644	Hjhfnccl.exe
5080	Hikfip32.exe
2984	Hjjbcbqj.exe
3184	Hpgkkioa.exe
2820	Hfachc32.exe
2948	Hmklen32.exe
1184	Hfcpncdk.exe
2996	Hmmhjm32.exe
2192	Ibjqcd32.exe
3104	Impepm32.exe
4760	Ipnalhii.exe
4524	Ifhiib32.exe
532	Iiffen32.exe
2532	Icljbg32.exe
3040	Ifjfnb32.exe
4504	Imdnklfp.exe
3828	Idofhfmm.exe
892	Iikopmkd.exe
2772	Iabgaklg.exe
2144	Idacmfkj.exe
1224	Ibccic32.exe
4860	Ijkljp32.exe
1516	Jaedgjjd.exe
4596	Jdcpcf32.exe
776	Jiphkm32.exe
2548	Jagqlj32.exe
4620	Jbhmdbnp.exe
544	Jfdida32.exe
1464	Jibeql32.exe
3692	Jaimbj32.exe
752	Jdhine32.exe
2360	Jfffjqdf.exe
1280	Jpojcf32.exe
2356	Jfhbppbc.exe
572	Jmbklj32.exe
2852	Jpaghf32.exe
4480	Jfkoeppq.exe
2604	Jkfkfohj.exe
4852	Kaqcbi32.exe
3392	Kdopod32.exe
4512	Kgmlkp32.exe
2900	Kilhgk32.exe
4916	Kmgdgjek.exe
2848	Kgphpo32.exe
3756	Kinemkko.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fcnejk32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6140	6052	WerFault.exe	206

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2740	4008	066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe	82
PID 4008 wrote to memory of 2740	4008	066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe	82
PID 4008 wrote to memory of 2740	4008	066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe	82
PID 2740 wrote to memory of 3484	2740	Fcnejk32.exe	83
PID 2740 wrote to memory of 3484	2740	Fcnejk32.exe	83
PID 2740 wrote to memory of 3484	2740	Fcnejk32.exe	83
PID 3484 wrote to memory of 1440	3484	Fjhmgeao.exe	84
PID 3484 wrote to memory of 1440	3484	Fjhmgeao.exe	84
PID 3484 wrote to memory of 1440	3484	Fjhmgeao.exe	84
PID 1440 wrote to memory of 2932	1440	Fodeolof.exe	85
PID 1440 wrote to memory of 2932	1440	Fodeolof.exe	85
PID 1440 wrote to memory of 2932	1440	Fodeolof.exe	85
PID 2932 wrote to memory of 1812	2932	Gfnnlffc.exe	86
PID 2932 wrote to memory of 1812	2932	Gfnnlffc.exe	86
PID 2932 wrote to memory of 1812	2932	Gfnnlffc.exe	86
PID 1812 wrote to memory of 4084	1812	Gimjhafg.exe	87
PID 1812 wrote to memory of 4084	1812	Gimjhafg.exe	87
PID 1812 wrote to memory of 4084	1812	Gimjhafg.exe	87
PID 4084 wrote to memory of 3084	4084	Gmhfhp32.exe	88
PID 4084 wrote to memory of 3084	4084	Gmhfhp32.exe	88
PID 4084 wrote to memory of 3084	4084	Gmhfhp32.exe	88
PID 3084 wrote to memory of 5068	3084	Gogbdl32.exe	89
PID 3084 wrote to memory of 5068	3084	Gogbdl32.exe	89
PID 3084 wrote to memory of 5068	3084	Gogbdl32.exe	89
PID 5068 wrote to memory of 2716	5068	Gfqjafdq.exe	90
PID 5068 wrote to memory of 2716	5068	Gfqjafdq.exe	90
PID 5068 wrote to memory of 2716	5068	Gfqjafdq.exe	90
PID 2716 wrote to memory of 2124	2716	Giofnacd.exe	92
PID 2716 wrote to memory of 2124	2716	Giofnacd.exe	92
PID 2716 wrote to memory of 2124	2716	Giofnacd.exe	92
PID 2124 wrote to memory of 1912	2124	Gcekkjcj.exe	93
PID 2124 wrote to memory of 1912	2124	Gcekkjcj.exe	93
PID 2124 wrote to memory of 1912	2124	Gcekkjcj.exe	93
PID 1912 wrote to memory of 4100	1912	Gjocgdkg.exe	95
PID 1912 wrote to memory of 4100	1912	Gjocgdkg.exe	95
PID 1912 wrote to memory of 4100	1912	Gjocgdkg.exe	95
PID 4100 wrote to memory of 3356	4100	Gcggpj32.exe	96
PID 4100 wrote to memory of 3356	4100	Gcggpj32.exe	96
PID 4100 wrote to memory of 3356	4100	Gcggpj32.exe	96
PID 3356 wrote to memory of 3140	3356	Gjapmdid.exe	97
PID 3356 wrote to memory of 3140	3356	Gjapmdid.exe	97
PID 3356 wrote to memory of 3140	3356	Gjapmdid.exe	97
PID 3140 wrote to memory of 4444	3140	Gcidfi32.exe	99
PID 3140 wrote to memory of 4444	3140	Gcidfi32.exe	99
PID 3140 wrote to memory of 4444	3140	Gcidfi32.exe	99
PID 4444 wrote to memory of 2204	4444	Gjclbc32.exe	100
PID 4444 wrote to memory of 2204	4444	Gjclbc32.exe	100
PID 4444 wrote to memory of 2204	4444	Gjclbc32.exe	100
PID 2204 wrote to memory of 2824	2204	Gmaioo32.exe	101
PID 2204 wrote to memory of 2824	2204	Gmaioo32.exe	101
PID 2204 wrote to memory of 2824	2204	Gmaioo32.exe	101
PID 2824 wrote to memory of 2492	2824	Gppekj32.exe	102
PID 2824 wrote to memory of 2492	2824	Gppekj32.exe	102
PID 2824 wrote to memory of 2492	2824	Gppekj32.exe	102
PID 2492 wrote to memory of 4080	2492	Hihicplj.exe	103
PID 2492 wrote to memory of 4080	2492	Hihicplj.exe	103
PID 2492 wrote to memory of 4080	2492	Hihicplj.exe	103
PID 4080 wrote to memory of 4644	4080	Hbanme32.exe	104
PID 4080 wrote to memory of 4644	4080	Hbanme32.exe	104
PID 4080 wrote to memory of 4644	4080	Hbanme32.exe	104
PID 4644 wrote to memory of 5080	4644	Hjhfnccl.exe	105
PID 4644 wrote to memory of 5080	4644	Hjhfnccl.exe	105
PID 4644 wrote to memory of 5080	4644	Hjhfnccl.exe	105
PID 5080 wrote to memory of 2984	5080	Hikfip32.exe	106

C:\Users\Admin\AppData\Local\Temp\066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\Fcnejk32.exe
  C:\Windows\system32\Fcnejk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\Fjhmgeao.exe
    C:\Windows\system32\Fjhmgeao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\Fodeolof.exe
      C:\Windows\system32\Fodeolof.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        39⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        41⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        46⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        48⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        54⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        61⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        68⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        72⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        73⤵
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        75⤵
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        77⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        78⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        79⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        81⤵
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        82⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        83⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3788
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        88⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        89⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        90⤵
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3272
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        92⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        94⤵
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        95⤵
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        96⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        99⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        100⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        105⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        107⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        112⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        113⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        119⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        121⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 412
        122⤵
        Program crash
        
        PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6052 -ip 6052
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
227KB

MD5
600c264e54d17644da079ec158bf7b9d

SHA1
7646ff6a3c29ef31875e6fa0ef7c8578407d2b28

SHA256
7bfd76a2bce472dab70bf21d739b87eb5224aff82ba699175cb1ff94d0b23842

SHA512
eef2b1ce77164e4b64f858c9fd7a0d7bbd03db9fd6693f9f028e22dac399db47cf83ee468af6fe931cdbab2a35b95347499a14e911a449998267fe4d58c298a3

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
227KB

MD5
eec2f2fc68f400d91a93c20e18b08196

SHA1
b826222c0f73b7ab9d53f8f1035e677530f9cb80

SHA256
96e595a701d9760b59d4eafcf8db55b3926422ab3026c75307a387639cd6ed04

SHA512
f28780d7dd5fbf14ad99a50f14703b4e16a52e7b669237f2353ae2d37fd1293cd3d0dd585080b066666370e52e5cf63daa13d114bcc5d9edb404fc8045ccd094

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
227KB

MD5
825f65bceef9933440e604643978edbe

SHA1
0d5edb108d1b1754d850acdd7bd465c8b660bde4

SHA256
24a264c284899e4558bea388f6fe79283c46a389bbf259ffcbdf52890ddc9538

SHA512
506998ac99434c53f0bfa87f87b6dac7417a0ccfa8c23af7430eb575e27a54a3d7ba4afb87b5b1e667d38d0d7e74a515d3bccbe40dfd65c59d03cb4e95102dee

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
227KB

MD5
c8ae3c691e76c08140c77e5848c8e09c

SHA1
710769099050935bcaf8db2a6957261dd343809d

SHA256
cd07069d3a6af18babb5f74896898dacb21844f1e3768c25b7dd90f058d87819

SHA512
d7c5109ef08af68bb03cb0612e33d503c99f023ac5f8540d083502094df398681307b7e296f43f534166ad5e2613f359d3ba56d4416c4e3c711649f990bce4e4

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
227KB

MD5
d13223169625af3ea5a961f3b86d7270

SHA1
c14de4f69c4d37a8c1ff06e0d39c9466fd9067c1

SHA256
60b5bbe163debe83d03b45a79737d833353b654dba37d5126252fbfd1af9352f

SHA512
8d69046dff249d24c76590cc42c4823cd101db21a21b0bca269c299ce15c5eff771126d4e6d7461e5ffb1f76212d8dab74e0a0645126a2b625ac6562c57d424e

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
227KB

MD5
7e1f6f20fa1de3cb85cd83330364b1cd

SHA1
d4bec098defc36e130ac3ba73ababedf8397f09a

SHA256
8df7cdfcd75c43ee533cbfce9cc1847b6bf4558730e1aeb1a40f7df4a5de6aa8

SHA512
7b873680b0deede83a75e3e2f67ee5d442c12c0ba72f545827a9f244e310f51505da34f47185daa923a060a69ee62901b905ef2a43cc14969ed149577377cfd4

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
227KB

MD5
a27dc8d2c63dbbc9158bbb7879e985d6

SHA1
1d55d71bc6e430280595ea1fab18c7d7351a39e7

SHA256
ee49013a2c259ba33ac48b95ca14670dafd0537c1d048495adc83d3868d21290

SHA512
5f6df88a26d359d9a5b787a6a8aaa65e73befeeaef53484f0ce2cfe37811fd196841fbee1c7725b794fd3b1f9ee26833fc47ec74db8cd77dfd8bfbf1c03717cf

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
227KB

MD5
99fed813e80b30e2549385dd0060b782

SHA1
e458750c391dd3ca501ec84adfc09613125181dc

SHA256
cac124f0efee064c03ccc9ddb524d566a2e2219801f1a5dc30f0a4c55f33f1e5

SHA512
9056165821c89483d9f4af5022005824cce7a9fc6e6013f5904e397eac2f9955487620b1d35b95ba85708c82bc970ded312edda0ce9caed91cc83d069647f9d2

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
227KB

MD5
42ca5b1dd123e297928d44c37196c31f

SHA1
ad2da23f6490f0845753b6470926d4d89416e1e8

SHA256
3c779bef21b88aaf3e14516ac3dd179371163b7542815d29cb1c3db16e498fbd

SHA512
f0017cde7de198c048b574a30ba1506a13334e1ec6bafe94279b7e1c294ba9ce8e379ab66005574ed936c6b474ae27c24f6a2c057eba6387b198088747257594

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
227KB

MD5
3a0dcdc19044f4e49600d3ede6a98240

SHA1
dc7f3f80efd6ca6b123b781f4d70936e1f8d8d5d

SHA256
aba1e0727b28ee1825dabb7bcb909c2a813b86079e3297631f257b2afa3360e8

SHA512
a07b83a715bbcc31ee1e3150a1a899238d27d672d8114ffb663938f0cf41075997d825a59018c91889984e0919b64e6352c093d31a4972f79246f64dfa630cf6

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
227KB

MD5
ec82f77ca942b5d03d6181ad16696732

SHA1
43d5caae1c8ee7d4e6ec7697f5f05f3400e517ad

SHA256
72cbe8e00fbc1f3b256bc93b20259186a1df41604480836d7f51879fc1a515c1

SHA512
41abf2fee38c55d328c1f00ae0f3c5905718bbf90e8fc138916bef66ce013153e7a9543f88961c56a84b28eedb9ced6c7bddc2d985a9da7e705efb9417f18f83

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
227KB

MD5
3a77de34fbfab89263e3d7fbb85b6914

SHA1
e3bfcaa1ae1eb9873d000eb457170ba0b52ea17b

SHA256
fcb6db223336a9be11fc85de705f388e67d88359290ab7f0b9ce082bf89e9da1

SHA512
c7b079bb82f9bab88f6fe5822f57d2af0a2b53d18001a49ff5f1d1647c0053126159aa2d86c84ea55270175b6652affc0c5ce1c6bb545911a698d3db1462dbf1

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
227KB

MD5
05ec05547d621233eb1877d8e06d3765

SHA1
ec0eef6a060e56ca595959ad68eeec267df805e0

SHA256
4b0e39ab97f3ff9f55959ed808cd73f5f781a53bb6e87c1a99c2c64097b18489

SHA512
026cf775d4922c10e3e137a677ec7fd315f74e363d886f8b44d3002f2251368105d115c9c3d35111a9b9c3b710c6d9735263314faa9f82b5ef36c72b49bea3c3

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
227KB

MD5
96924cf6c47c665bdbecd37b5111a295

SHA1
7483d5d97b7fe0e1bfb7b0d258dfd07a2bb2a0a3

SHA256
032feb930dffe812b0d7a6e0e67a7e75455b53f55737e0eb35c7117e873e1fd1

SHA512
4092741ab98fec6e4ef12e0a91bf0520bb34a514011b45804131bda7782285ee8294efaa2b6557b4c1504b70cf5618009551373cee117d29fa89029fccaf6165

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
227KB

MD5
985bbe57480366d54f4b37c5f58ceecc

SHA1
799c499c48d8f5a29f2e5cd1995924261d3d754f

SHA256
c9caf3d7a937461ddb290233e5e07a24169546d2c1ed1e9bef2847f964649cd8

SHA512
f7525d66825386bdb1e800cc6d9d1dccc4ae608095f7b81ed8184f2eef11c404a67fc2f9aab0f3fc20d5f73cfadf578bffbbb5a5443fa6ef2527dd34f34384fc

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
227KB

MD5
d65255569a08e58da422dada2b24380d

SHA1
e8fb8d02226f4baa5190c2c93a694d26d60ecbbc

SHA256
94ecfff3ed6544ad0ebed4c0752fe76b30af268c0b07960409c76f7c04803f38

SHA512
a172c73bd7aa7ac15a69b504aaf0229443942cd585bf216f54ec337c68c9c3b1582ac48981850454f66e07c7c6a3c40cbcfed68477aba7e0b274cc5b56049a33

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
227KB

MD5
03db34309718bc32a1ed26fedabb2e97

SHA1
0b77f2cc9af1b933b7edbcfa6a0b8a5a4b1444db

SHA256
e064d6fb9337e69a8edb45635ac1e63ac54710b1712408ab89728979812c3665

SHA512
97d98f55eb4d44395df9bf96a50c70811f1bb89a53668131e4c3800c6cc605571e4e08b74f55f30f6de3bc85e356a5b5e6e397c918203dc866745c4c31dc9d1c

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
227KB

MD5
4bb8a966c3c137acf719d003efff9500

SHA1
4582483477d6d53026c7b5c737bd2090b6016927

SHA256
6432f1430665185c7f7a5209edb578612c4b1f8117360a2db5b9a01f5fd93783

SHA512
a4e90c819f4dd6e322fca3f786dd66eec881c6a03b689bf69e8e599dc3c85c109874502fc107341d9269162aa95c7008f74395fd7742ae4732fe2ccec700e469

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
227KB

MD5
1fad709a13ca0999603268793b579495

SHA1
c03bc092d4fa438fac7e21aa67e5c2b8b7aea2c3

SHA256
fae3e68c2a7b4fa9b84b0145e0928c27a66dc5bc48b58e12eb5b8321703c81ee

SHA512
9150b86612340a9c15b555bcec35ded460df31ae6996fa4980a2fbf061b6c847c8bfc10f905dff29d4b09bf14a4ac8a09a01a690b9708e69f8463410fd49c38e

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
227KB

MD5
0d9a2729b0133d978a6827d5a3769cda

SHA1
c09cd73ab0518dbf2647097a94daf3234d0265da

SHA256
78cfba33880bfa01c1bc05c929c61f49f6c0219227ba6ac1c26bd85377ce386c

SHA512
c222d373572845dee2cdc5b08bbbc8ba0f823f32ae4657ec57f78463511c282093cbc822916d4e8014b5652925be673bad50a6df0aaea462e1ab9b8c11ba2309

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
227KB

MD5
b3cfe17344bdeb838a85f491d8a5f5d4

SHA1
c8c4039ce0abf035ea7ec4c5cb4802c6cad7f744

SHA256
7dbe7c0b4db9f58f880e43c6383945261d091de411806a178baeedd8812c2b9f

SHA512
489cb3d89651e302cbd4ae644bb29664e3b3daaa27f7ae44f767d6728d34586e1207e12a0b537af493f4e388a25f07b312505d2bbc5cd2b5847be4b87f731909

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
227KB

MD5
cd502a4a72e4c7bb38fa73c613a5abde

SHA1
17f0b6533fa659084fc2a2c67790acd8bc5f6044

SHA256
b19150d086cf5273dc2f6a91a85b1711b2b0ba818aebff3dc557524ab1770fc1

SHA512
8a6da88094c71fc04e911c541b2621b0c4dd74e67c42fe49d31bae18f521d839de846aa8c974643c6506c1a54ef0af58428c7fcd558f7a1aa66b02f9ee61d080

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
227KB

MD5
c76ccf33900f780210208ea5cf1ce129

SHA1
2958b43e995c689a1f3ca5661db66719fe80cc2b

SHA256
4ff1a0bb3d9c71558727cabae08ca059937c8fa2e43559f399f1510c6dcf213c

SHA512
4fe9966b87a8700c158c3b84d542a52b9ac5c856603543d88b3bebd09003b5b9ad5fb4e245f55bdfe7c47361e98f9bfd0d0996d4aee5a8aa8db6e8305b833736

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
227KB

MD5
34de9522ea7b676021ce9191d8aa6eec

SHA1
563ed9a618ea7e317609a661a94e65847d7907c8

SHA256
e5eb4bd812510d7b0d503d0752fff73f631acaeb7c117b25684bbc12019058e9

SHA512
c44bee9c2837de967ca933b94386a74c959300dadef9f3339e9fc3e21cb1cf4a133a9b831b6edbc14e59d62eb4ff4dbde8e8dcc24f29ed7e126c3af49883d3f9

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
227KB

MD5
b707f8935479f85e5d2f0e108cf9bb5a

SHA1
629e981b7e70e741e7fb9740c858be624236ecaa

SHA256
b6b4793d02207c669912982a4539511bc5d3939184d63dd1a840d6aebf6af2f0

SHA512
893a2642c497503dc4328b4a3c4eb7b216e279efecc5ec67101bf62b4505e7419210598cec2b74bb7cce18dac44150758e19409e203425823516af2954aa10ae

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
227KB

MD5
4859b78ce8bc7c0c31b71b794829b8e8

SHA1
2cf67ec3b0579013e74d733acfbe4ee37e07217b

SHA256
0d8ec587d287cf41ea27af0a1f279cbec83aa7e42b064f855660dcaf233e655b

SHA512
45fa99f27f11d2b5ccae392f94c61a39a0aead49f9ab935d6fe38895dd27c0e7292cba68385962caebb9cc2d832a0b5265b9969ff5d01f008c80dcab03e42989

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
227KB

MD5
3f44c36814a9eddba203da8bf9e913de

SHA1
b7f79caa029c41f419853aa72a8df7455d8d229b

SHA256
1b736ed63c4872e4b22c3225a472040e83d21b7a6f6c0ed7045b2ef5a8458e16

SHA512
22ed06e55fd3765b567ee69f6ca7d83edb4b56f9f56f0d5510fe2bb4e3c010b6ba490d4d874d9906f0e1483cfe43d895b8608b939ca44f0352bb3d8e581c03d9

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
227KB

MD5
7b8b5881505484807686d32c38c184a6

SHA1
2c8e44f5a7e53b4a4713ca3b11e793407847ca52

SHA256
b1c25360bb1d70f80fce97b370e20793a983e2d72a80143fbc70910a4aaa7ae9

SHA512
48cfe890774a49db149307822dd39c69bb12a47661d7bcaaf442d96d4166d6516926317d5599975448cc9c232bb800d46fd59eab08d40d6894800c5ca06e61b5

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
227KB

MD5
8a254e367bbeecc6f1974306fc0f422e

SHA1
adccc63c377667f6a106d37d18a778c9f1a34e55

SHA256
37c082e8f2713001175077b5da5900ed3eed5ffa509b234b735535e3f406dd27

SHA512
376e58fe3c43a02dd9088052830d158bef0593ef2cdbab9fd72593187d1157d319001cb6ee01de3c3971269c685deea6d8b380ad5af5f3c4a50cc4f197f84c79

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
227KB

MD5
874c712499aa3f71109de04afac7c907

SHA1
134b9b9124478c32e239497f84ecc42dd3424a8f

SHA256
83477f46f93ce4464a788f89baeea2a3aee9ad8b92ee95295f3e7548a3b24023

SHA512
310647b1c19a5fe5048862c54016b32e41c9f424d04b172dcd27d523a93b80373f27a179f6d86eda68154c2a9f716b99b0fc2463fa9e1559d3099d1a58b7997b

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
227KB

MD5
1b85a0a206c6c9ba37cf847ff18b4f8c

SHA1
cd2cb3bc12b1b2a72ab83a0cdca78516fbba2bf9

SHA256
7baf93f9290cca7ed5b0d006b94e886af7603f6919ba2645865ec9a0a4ca93a7

SHA512
86a729cb13959bf0284af70f5d246aeb73d6ea56d66aad617b248c936dd368d9f5aa12ebf2e3c93cea04ceb3e0368f33ed3a9377e04bf49d383fc5e46ba4a77c

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
227KB

MD5
5749363971a78ed17f8c847a12c8b52f

SHA1
d4bdd0a6828e45d264bace24699e08be5aa5bcb9

SHA256
b71d29767a4b0457f00322a3fba574d239dbcaf205675a597ff28701aca9c1dd

SHA512
b8d66bcd8f5cc183e5127c8a229ccac2ed5c5b062e21fc1595d00758138ba01dae469a42f50b86090b7ca7fd163ba05c8fe3689f50fde4ce4a56e9e621269f4a

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
227KB

MD5
12552e1e159f1c44f5d865db2a6fb7ff

SHA1
58e498a863c5b8ed565f231e9115e2ce61d9c1dc

SHA256
ebef9ed95e37f6c8ff7c2e7308df4bcb5471bb6cff3dddbf13489d3f33164158

SHA512
ec9184008b89474cd622768f5c3e3189ae3907d108fef8a70d6636affe579d7e68f179acc2c88ac40e785173c768de441d97ce242f769b5507a8e338e57dc5e0

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
227KB

MD5
3c62ced971ca3cfb646ee4ec55d90ae5

SHA1
80a8883bf6e31c10f4b470efb436a67215d1c3d2

SHA256
5c9a7097a8120e78c878980d4ea5bc371f776a61c22c068782c7b0ae0d0424c8

SHA512
18c6d55ed9c7f1dc68e89ca01b2f30785d5eaa2a8dc9b7c424a41a7440c3297c6944f8efe145ff6ef504d28356f8c5f3e2883d9e49e48ff4a80a73ac3ca791de

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
227KB

MD5
d2159711213236fd905ca7be0bb645f6

SHA1
711186a5707e7ef245110fcf59c1c607ea2b61b6

SHA256
346beef4dbb901b4d1c34b4666aeb5367b73010a58f3f48c4fec55efebdbbcf3

SHA512
50da2ffaefa1ad6180cc160903beff5514087270f1ecccdc7e3c91bf0ecf7feb21f3de1f028ffbf4dd28c8c7d7a2108ce5127bf58b8230fe11789dabd2228ae8

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
227KB

MD5
b4a8ce05ca3224065f6458d38a68d832

SHA1
8c894146d46e103e45649ffa9c687c462d870e4d

SHA256
276ee7ad759d3f202ff5f9df18da875ab83dd54be578ee7722cf6e4adf96417f

SHA512
99cdc1e05f22bd0c5870215379f1a40bca34a5f5493c9d8b8e976296cbcd2b2685ee184f5ae570b7aef0fa2e7af268bde2b134144ce3a167ffa5bacb23c6581b

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
227KB

MD5
ebd63bff313b331861861dc45bd69810

SHA1
80846860b4d4fdc818b7efd075e3ebb02be30c54

SHA256
9dc019a7d100c06d2c818ef95690e4afcc646e737424258973634aa761b19d89

SHA512
71c6563d5fcf8c931e598c743744a719fb649e3b2f523a33ad86462cc3053badb19d8315f9df6c71da22c3ebcf4a2ecaf64b09818f809700ed469b109df3c0a5

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
227KB

MD5
58c0ad8cad8cd8af6888c526ac32e94b

SHA1
4310e91503a1b97dc0fadad0e8e60ead092b9026

SHA256
556c68fd00e1dcb75070a6795537a4d8b65863f71737bd4d0b9d32263442e729

SHA512
f9e06d3c67a00c9180898c9cd231b5a3c380deb991020ea5d2a139217def89a6e39255ed4a37269c26676acd5e1b61a5cdab1cfce0e0d34baadb525368445501

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
227KB

MD5
1b94e2c050599e59f26758863d911502

SHA1
affc85ce639ecddd4e2abb5c38ca25504fe4cc55

SHA256
176c1105846319e074f60f2a89429471bed75757242b1cec568f27d24b4a474d

SHA512
6321547ec63b76abb4e6000f2afb435e7d319d958428c64e9d85658c4812304783d4117959d80b05cd8cc568cb82d799966e177b88384305fd2c231b4f54b0d4

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
227KB

MD5
9b35bf24dfe004540ef41167fb750a61

SHA1
fe97c962e12988a91cc6c585a755e21f6cad09cd

SHA256
2f0e594d6a66323e6070800797d242d3618a6dce8509c41af65825d93c302483

SHA512
698566284f3aec9e8b62562f6fe93f813eee52d14287fff7dad7dfb14c8be1e066f83498ed6b9ad36d40a878e6d11ba19df22c490177579ace5ba2fb506b32a2

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
227KB

MD5
8864c59840e5e27a467150dde0cdcc18

SHA1
884a113cfdeff2b6a49cbf823eb6e2b4e6627e99

SHA256
f4f736e18db221f725916ab5679f52239500862bc629182787b6e48d991a14ca

SHA512
a9a647764f3c6d3b0918a7878974b4bbff6fb345e17ac21f0838ce31b630f7b6ab4c4a2739beb0ea99bad0f4224d7ecf121db5c489fe3db5f77537bd5dea230f

Download Submit
C:\Windows\SysWOW64\Ngiehn32.dll

Filesize
7KB

MD5
104c8ab00878451527ef6e6447264692

SHA1
40851ed362e8d8da7ab69a12c53265e31e85ef2b

SHA256
9353b83fc3332cf6b5b2ca6927a4fbd18d8c638ba5ed8f8958af97c5a2a13c2d

SHA512
707a1b4225e854eb7a7a12fca54a6d0b1f6700f058214ecd4ba74fbd03db07f5f61b1be71e57dc3a87494802812491bffbb3d73f0130465aa15b42d8542fa643

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
227KB

MD5
8139df152761bd61f232f34ce9761324

SHA1
79e22d3dea4857247f582a7d53420f21d7de887e

SHA256
94d0a68291b2b6d51193d3b204988f45e5af486e8d71a63e1bae82109d73a273

SHA512
69be3e97586e2c8f0da80fa7e3e639af8e2d056b83716377c6436f11152f9afd843ae6c9a1e2e0e9ce13e7e98bfa7748379bbdc2e62b08084571ef75a07b9e54

Download Submit
memory/532-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-439-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/572-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/752-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/776-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/776-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/892-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1184-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1184-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-106-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2144-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-213-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3084-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3084-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3356-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3356-195-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3484-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3484-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4524-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4524-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4852-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads