32c40c94c123f41326b92adae22b2a2aa014a983e394f3b4834cccb4a82bcb07

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 01:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe
Size

3.7MB
MD5

1bb034e0a61b59435a4f29e2c34c1180
SHA1

ef9c37efbca0b205fbaa96856f238a27d41c4d1b
SHA256

32c40c94c123f41326b92adae22b2a2aa014a983e394f3b4834cccb4a82bcb07
SHA512

120f025809baa4a21ebab47ac23fee033d518bed3d36c32587771b356f62d8cc71a96840f4ffb4744f778e5c2928534625e686fdb311b5125c4282f2862ff05f
SSDEEP

98304:P6r6HaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjvha/4wzlF65T:vaSHFaZRBEYyqmS2DiHPKQgwUgUjvhoU

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefemliq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjmee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpgqpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cimhckeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccpfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljkdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefemliq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clckpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doccaall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cimhckeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkijmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpgqpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccaall.exe

Malware Dropper & Backdoor - Berbew 36 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0007000000023409-17.dat	family_berbew
behavioral2/files/0x000700000002340f-41.dat	family_berbew
behavioral2/files/0x0007000000023411-48.dat	family_berbew
behavioral2/files/0x000e000000023364-74.dat	family_berbew
behavioral2/files/0x000e000000023364-80.dat	family_berbew
behavioral2/files/0x0005000000022e34-98.dat	family_berbew
behavioral2/files/0x0005000000022e34-105.dat	family_berbew
behavioral2/files/0x0008000000023405-112.dat	family_berbew
behavioral2/files/0x000700000002341f-121.dat	family_berbew
behavioral2/files/0x0007000000023421-128.dat	family_berbew
behavioral2/files/0x0007000000023427-152.dat	family_berbew
behavioral2/files/0x0007000000023429-160.dat	family_berbew
behavioral2/files/0x000700000002342b-167.dat	family_berbew
behavioral2/files/0x000700000002342d-176.dat	family_berbew
behavioral2/files/0x000700000002342f-184.dat	family_berbew
behavioral2/files/0x0007000000023433-195.dat	family_berbew
behavioral2/files/0x0007000000023437-216.dat	family_berbew
behavioral2/files/0x0007000000023435-208.dat	family_berbew
behavioral2/files/0x0007000000023435-207.dat	family_berbew
behavioral2/files/0x0007000000023431-192.dat	family_berbew
behavioral2/files/0x0007000000023439-224.dat	family_berbew
behavioral2/files/0x0007000000023441-250.dat	family_berbew
behavioral2/files/0x000700000002343d-240.dat	family_berbew
behavioral2/files/0x000700000002343b-232.dat	family_berbew
behavioral2/files/0x000700000002343b-231.dat	family_berbew
behavioral2/files/0x0007000000023425-144.dat	family_berbew
behavioral2/files/0x0007000000023423-136.dat	family_berbew
behavioral2/files/0x0007000000023441-256.dat	family_berbew
behavioral2/files/0x000700000002341a-89.dat	family_berbew
behavioral2/files/0x0007000000023415-64.dat	family_berbew
behavioral2/files/0x0007000000023413-56.dat	family_berbew
behavioral2/files/0x0007000000023448-270.dat	family_berbew
behavioral2/files/0x000700000002340d-32.dat	family_berbew
behavioral2/files/0x000700000002340b-24.dat	family_berbew
behavioral2/files/0x000700000002344e-288.dat	family_berbew
behavioral2/files/0x000700000002327d-8.dat	family_berbew

Executes dropped EXE 40 IoCs

pid	Process
4720	Cccpfa32.exe
2996	Cimhckeo.exe
4744	Cpgqpe32.exe
3336	Cipehkcl.exe
3152	Cpjmee32.exe
964	Cefemliq.exe
4904	Cpljkdig.exe
408	Camfbm32.exe
1516	Clckpf32.exe
2512	Digkijmd.exe
2032	Doccaall.exe
4640	Dcdimopp.exe
1152	Dhqaefng.exe
1572	Dhcnke32.exe
3668	Efgodj32.exe
3884	Epmcab32.exe
4840	Efikji32.exe
4460	Epopgbia.exe
2044	Ebploj32.exe
4716	Ehjdldfl.exe
4368	Ecbenm32.exe
3200	Emjjgbjp.exe
4888	Fopldmcl.exe
684	Ffjdqg32.exe
4656	Fmclmabe.exe
836	Fjhmgeao.exe
2004	Gjjjle32.exe
4740	Gcbnejem.exe
860	Hmfbjnbp.exe
4596	Hmioonpn.exe
2292	Hbeghene.exe
3380	Haidklda.exe
2924	Kmegbjgn.exe
3776	Kkbkamnl.exe
2608	Mcklgm32.exe
4476	Mjjmog32.exe
3352	Njacpf32.exe
4044	Nkqpjidj.exe
1404	Ndidbn32.exe
4060	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Cimhckeo.exe	Cccpfa32.exe
File created	C:\Windows\SysWOW64\Nigpemda.dll	Cipehkcl.exe
File opened for modification	C:\Windows\SysWOW64\Cpljkdig.exe	Cefemliq.exe
File created	C:\Windows\SysWOW64\Ockmjg32.dll	Dhqaefng.exe
File opened for modification	C:\Windows\SysWOW64\Clckpf32.exe	Camfbm32.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Cpjmee32.exe	Cipehkcl.exe
File created	C:\Windows\SysWOW64\Ehjdldfl.exe	Ebploj32.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Cccpfa32.exe	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mkomif32.dll	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Eenphlji.dll	Cpgqpe32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Dcdimopp.exe	Doccaall.exe
File created	C:\Windows\SysWOW64\Efgodj32.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Kmihaj32.dll	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Camfbm32.exe	Cpljkdig.exe
File opened for modification	C:\Windows\SysWOW64\Epmcab32.exe	Efgodj32.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Efikji32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Cniohj32.dll	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Cpgqpe32.exe	Cimhckeo.exe
File opened for modification	C:\Windows\SysWOW64\Doccaall.exe	Digkijmd.exe
File created	C:\Windows\SysWOW64\Bbopfj32.dll	Dcdimopp.exe
File opened for modification	C:\Windows\SysWOW64\Dhcnke32.exe	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Fdahphpi.dll	Camfbm32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Efikji32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Cpljkdig.exe	Cefemliq.exe
File created	C:\Windows\SysWOW64\Clckpf32.exe	Camfbm32.exe
File created	C:\Windows\SysWOW64\Dhqaefng.exe	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Jpqikhah.dll	Cimhckeo.exe
File created	C:\Windows\SysWOW64\Cpjmee32.exe	Cipehkcl.exe
File created	C:\Windows\SysWOW64\Gibgla32.dll	Clckpf32.exe
File created	C:\Windows\SysWOW64\Doccaall.exe	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Cimhckeo.exe	Cccpfa32.exe
File opened for modification	C:\Windows\SysWOW64\Cpgqpe32.exe	Cimhckeo.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Efgodj32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Camfbm32.exe	Cpljkdig.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Hkccjejn.dll	Cefemliq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4052	4060	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahphpi.dll"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibgla32.dll"	Clckpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnpim32.dll"	Cpljkdig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpjmee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpgqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpljkdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbopfj32.dll"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigpemda.dll"	Cipehkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockmjg32.dll"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clckpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clckpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehocmdp.dll"	Doccaall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkccjejn.dll"	Cefemliq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cccpfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efgodj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cipehkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efikji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgodj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cimhckeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamagp32.dll"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 4720	1400	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe	81
PID 1400 wrote to memory of 4720	1400	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe	81
PID 1400 wrote to memory of 4720	1400	1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe	81
PID 4720 wrote to memory of 2996	4720	Cccpfa32.exe	82
PID 4720 wrote to memory of 2996	4720	Cccpfa32.exe	82
PID 4720 wrote to memory of 2996	4720	Cccpfa32.exe	82
PID 2996 wrote to memory of 4744	2996	Cimhckeo.exe	84
PID 2996 wrote to memory of 4744	2996	Cimhckeo.exe	84
PID 2996 wrote to memory of 4744	2996	Cimhckeo.exe	84
PID 4744 wrote to memory of 3336	4744	Cpgqpe32.exe	86
PID 4744 wrote to memory of 3336	4744	Cpgqpe32.exe	86
PID 4744 wrote to memory of 3336	4744	Cpgqpe32.exe	86
PID 3336 wrote to memory of 3152	3336	Cipehkcl.exe	88
PID 3336 wrote to memory of 3152	3336	Cipehkcl.exe	88
PID 3336 wrote to memory of 3152	3336	Cipehkcl.exe	88
PID 3152 wrote to memory of 964	3152	Cpjmee32.exe	89
PID 3152 wrote to memory of 964	3152	Cpjmee32.exe	89
PID 3152 wrote to memory of 964	3152	Cpjmee32.exe	89
PID 964 wrote to memory of 4904	964	Cefemliq.exe	90
PID 964 wrote to memory of 4904	964	Cefemliq.exe	90
PID 964 wrote to memory of 4904	964	Cefemliq.exe	90
PID 4904 wrote to memory of 408	4904	Cpljkdig.exe	91
PID 4904 wrote to memory of 408	4904	Cpljkdig.exe	91
PID 4904 wrote to memory of 408	4904	Cpljkdig.exe	91
PID 408 wrote to memory of 1516	408	Camfbm32.exe	92
PID 408 wrote to memory of 1516	408	Camfbm32.exe	92
PID 408 wrote to memory of 1516	408	Camfbm32.exe	92
PID 1516 wrote to memory of 2512	1516	Clckpf32.exe	93
PID 1516 wrote to memory of 2512	1516	Clckpf32.exe	93
PID 1516 wrote to memory of 2512	1516	Clckpf32.exe	93
PID 2512 wrote to memory of 2032	2512	Digkijmd.exe	94
PID 2512 wrote to memory of 2032	2512	Digkijmd.exe	94
PID 2512 wrote to memory of 2032	2512	Digkijmd.exe	94
PID 2032 wrote to memory of 4640	2032	Doccaall.exe	95
PID 2032 wrote to memory of 4640	2032	Doccaall.exe	95
PID 2032 wrote to memory of 4640	2032	Doccaall.exe	95
PID 4640 wrote to memory of 1152	4640	Dcdimopp.exe	96
PID 4640 wrote to memory of 1152	4640	Dcdimopp.exe	96
PID 4640 wrote to memory of 1152	4640	Dcdimopp.exe	96
PID 1152 wrote to memory of 1572	1152	Dhqaefng.exe	97
PID 1152 wrote to memory of 1572	1152	Dhqaefng.exe	97
PID 1152 wrote to memory of 1572	1152	Dhqaefng.exe	97
PID 1572 wrote to memory of 3668	1572	Dhcnke32.exe	98
PID 1572 wrote to memory of 3668	1572	Dhcnke32.exe	98
PID 1572 wrote to memory of 3668	1572	Dhcnke32.exe	98
PID 3668 wrote to memory of 3884	3668	Efgodj32.exe	99
PID 3668 wrote to memory of 3884	3668	Efgodj32.exe	99
PID 3668 wrote to memory of 3884	3668	Efgodj32.exe	99
PID 3884 wrote to memory of 4840	3884	Epmcab32.exe	100
PID 3884 wrote to memory of 4840	3884	Epmcab32.exe	100
PID 3884 wrote to memory of 4840	3884	Epmcab32.exe	100
PID 4840 wrote to memory of 4460	4840	Efikji32.exe	101
PID 4840 wrote to memory of 4460	4840	Efikji32.exe	101
PID 4840 wrote to memory of 4460	4840	Efikji32.exe	101
PID 4460 wrote to memory of 2044	4460	Epopgbia.exe	102
PID 4460 wrote to memory of 2044	4460	Epopgbia.exe	102
PID 4460 wrote to memory of 2044	4460	Epopgbia.exe	102
PID 2044 wrote to memory of 4716	2044	Ebploj32.exe	103
PID 2044 wrote to memory of 4716	2044	Ebploj32.exe	103
PID 2044 wrote to memory of 4716	2044	Ebploj32.exe	103
PID 4716 wrote to memory of 4368	4716	Ehjdldfl.exe	104
PID 4716 wrote to memory of 4368	4716	Ehjdldfl.exe	104
PID 4716 wrote to memory of 4368	4716	Ehjdldfl.exe	104
PID 4368 wrote to memory of 3200	4368	Ecbenm32.exe	105

C:\Users\Admin\AppData\Local\Temp\1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bb034e0a61b59435a4f29e2c34c1180_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\Cccpfa32.exe
  C:\Windows\system32\Cccpfa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\Cimhckeo.exe
    C:\Windows\system32\Cimhckeo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\Cpgqpe32.exe
      C:\Windows\system32\Cpgqpe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
      - C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        41⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 220
        42⤵
        Program crash
        
        PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
1⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Camfbm32.exe

Filesize
3.7MB

MD5
c2083fcdcd27617cc95f65b4ab1ca27f

SHA1
f873aa3ea6a216ab223eb64828bd62312c1a1454

SHA256
264407344ddf1795e84c6b8784f335a899f247cead9551600a1adaf99b5db2fa

SHA512
feccc9228ad07dcf0c45dba734b0ee2ad4bc3c031c52990e713c99d786dbcda91b7501f6defcba6157d69d038280306c7959ef8a7945a0ef192dd9f1185e99eb

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
3.7MB

MD5
beec6745ba0d53ae20068a01cb990b97

SHA1
a97c470e98258f321c3831e24f1dab6588a71adb

SHA256
0f4f85ebe8896fd31fe953f41fe4e30acfe2506963eb37cdc7c990e9ce38942c

SHA512
b02646b2b4b3725f778248ee5f6765582d31a6d6430b4685d90d40f8bd77920dd6725b74b7803d1bde9c1ef4d5dfb647391e36b06ad28cd4d555a8c7b390b7a4

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
3.7MB

MD5
001f8051e3fa6e8b7868adaffeaf0d01

SHA1
a818cbc79eed18fa5023b5b98851177e3bab317d

SHA256
e3ea4f2ce19558b079c2fa3899ec6ed0cf0455833d070f266ad4c50e6cc80d83

SHA512
35c1441e1907ba95d01bf1bb01d376f19cda262fcf7fa3ab650cb10212c59648fb13d24d939c53dae7a48df000ceaa6cc7c77c19b46a2f49f99a7978859b9fb0

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
3.7MB

MD5
caeee86a562544696e44268fad7128f9

SHA1
4afd1f83b26c494f62f6dbe899efe100ce354e80

SHA256
07874400e08663846b34660bf33081684b7fe3f2c5b892d084d7b898d461ce1a

SHA512
d0c26b992b4a22fd6f2c5b646d6ee0cb0f434fcab86163542cce61d760a118bb57fe102a58fa7f0539487a8b726f7225ccc06fb19d75e75a1b156be27e553ca2

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
3.7MB

MD5
73bfa0b39ae0ab62acdfe9d2dfab1e46

SHA1
74d31d5376d52da52b00a2c596b56fd38d25f91f

SHA256
14c2586bc0aca027e0e12a18a2833a4baaa53f128827aff72a69f0804deff261

SHA512
90aa4b55d1b850cd8a3878150b99e7e0abfb706df2076282e39f4c62695b837dec5bb0eec78f59e2e64ac67771fb3da9feb6207d7f392a8618efb8a99b876486

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
3.7MB

MD5
0dce525ce4f249d3b8a4a18c6ce6d7e4

SHA1
a5988b7bf4e1d575933125c7977855a856523164

SHA256
04835f18a9b601570adec169a66d3334382a57df70723342974707e239368a8c

SHA512
a68d1f08b054f76b42c3992c78391936aa4ba13fdbc1efe13d42346ec9889f3764c3afa020069b21aa542da601adf10431fe30e7b1b078c1983ddc7fa45eefcb

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
3.7MB

MD5
14a21ea6193f5f2a92aa62db1f7ec6ac

SHA1
250eb5667cf4e4d2a7a407630bcf81bb5e011648

SHA256
ec11cf94a45004b945c69c6aa4b06f5c7644697ef9273db459070be87018d92b

SHA512
aad5284071082325608ad2086dc7a7b0136ad217050b4e4982fbe6c69a16fbb38e149ccede5495438193c2cc11783e8cfffd837256f9efad9fbf8a998e9e99cd

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
3.7MB

MD5
63365a2443b2f1217b16589e6239c172

SHA1
f58d93d5c2fd7709644e226d70110451be08e077

SHA256
fae170b4a45f19483c6e19cee0b158db5f4e739da89a927d3ec0c62147a7a805

SHA512
da00a41845f53217184f0550f04b0f94ad497fc6357c1e350e47bcd5d803ca127fec3a32fa2259f92ce7afc28c7a6f2d9158ee2dcc45d5b840f635e9528fea59

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
3.7MB

MD5
1f4774176b43dcafabbf254ca3fac010

SHA1
0b19630105a743e2c86a4f2fbc2ccb905b156f04

SHA256
fb3af3af9fd038a541d05629bf2dbd00bf9f6d4b2fcbbc4c7dfa56c74057e210

SHA512
ce390b6d108591528ce5d0bc9de204637101611829be90dbb0961b794d65933984ee6497af1046121c47ebeef90d87b53bbbb568a02701840a2e2965683ec643

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
3.7MB

MD5
4fb589d35275b1846ef56e650cb5c50e

SHA1
f58d36f0c32459eed805f2e6cb0e015f2145b639

SHA256
96031f44e74264d20def47678ed9030234b9ec38a526586ea78be16909074c21

SHA512
17e0fff2f7131a4b68a1d9972a96e21ae7e4f42600b30dfdbe0275f1011b535393c82b9a33d3ee67fdcd6a17af0f6e459473d57dcc8aff06470b5489279ba2b7

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
3.7MB

MD5
fba2e9f68a2a62b5817b9dd4247d9a63

SHA1
403ab18ccccec8f043c0d747851bdc75b6c5316c

SHA256
1c7b4582d6eb4623f1ea4eb8bf21a9f52493d104d9a32018a420f8c8889be51b

SHA512
397a79b7aa4779a99c1c53b292e4f90abd54eef54d448f290c54bf884f26fd07a2e316d231aa1d55cf0d095ea9281bfcf8ac2400d1b66ad9f3446ecb9cc3bb44

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
3.7MB

MD5
5ff78690fd2b21cf3cbc73acf44dd3bb

SHA1
5ac7fb462736454c2934c0a0ab998360fa7cbbf8

SHA256
31272c5d693999234226102a5ade798f0e4b5294eb9865da0c24f2d944c5dbe8

SHA512
7030bb047dbe9e09469caa1aaf6db27bcd6e0a105389614ad3168e7f25f7f596e7a2c38cb7e86b295ed1e79bc70eaccea0aeb29937d6856d5e616328e0d4fecd

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
3.7MB

MD5
d6475a7368c5f9e405c46e46fe78b7d1

SHA1
8bf5dedd2ef44113bceb7249a1280e445cc05579

SHA256
46d0dc5a996e5b1d54f37c6dae4d137753912071bc0f87122c4002a574346b41

SHA512
65820690e25e103e8ede1034cf4c87aff0996f2a93ad0a9b917c72af1ca458819487b44aba68b64f4713e024ddcfb4e15efbea5750ab9c8ee0a42a0eb7d78287

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
3.7MB

MD5
1a552436b4f9045fb9a59098fba8aefb

SHA1
2d3311a8968d13e3f5a66a192e5efc35e3e3e6a1

SHA256
bd4a22df3c4472e05b369852a91184042d949970c0a613f134f081745ddc621a

SHA512
8cca053774278b625d0ce2ad775d25454a7818e33e954ac553190fc74162b44ef117a8468700e28ebcc0f2e869b0aa891f6d30b610c8b3d7bb0862ab96b63a49

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
3.7MB

MD5
1b63d62fa4af2a4d995b123d9b71d2e7

SHA1
fc460b2f1c86a88927a0cd78e2a974ae56485e64

SHA256
f67ee327a05420bd0aca1d2a62178ffd685dad76fccb46d63e7ede9691015cc3

SHA512
c7a0a05f1cb7a52b30fe9de067762157d539bf4aee398d37f445b020cfdff5aaf3bd1cc0d73f38c24068f06515c34328f9e93abb6af21b388733fd78d4e802c1

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
3.7MB

MD5
927c31dd8192aea0e0c84c4de06f1f42

SHA1
68afacf476fc90ac6cd84530de986fd9f44ade9f

SHA256
a2acbc87a3f1524a0c209342fbb109254a613810461fe03e69a07e6ed650e30b

SHA512
cafa3a716354c07972b3906c4d3f156132187e42452afa687ad8bdd88c9509ebbf7e91fe6e8daaff17b011ccf27cf8233f29f58045dc3940f24729273930d738

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
3.7MB

MD5
1cb0c30cac98958b52cae3c434656e90

SHA1
1a9f6a8be28631ce2836a2f33d077d47a14f08aa

SHA256
4db7fcdc76f446b80f96eb7e507cc29e128ce0fb6bd8492f2a0185ffb6156903

SHA512
1697f39f1666399b583f474736978b0a321ead0a3ec66e9bb48dc07cb2c6a71f5adb18f85986a8a949cc1a75aff24239c1821f11a369dc70c8f9429dd3f8c3a7

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
3.7MB

MD5
3adbd5e58406bed0c5d9a13065d736f1

SHA1
6e558e89eafe3b23a2e0e88051f4265107ac81de

SHA256
6c51a65a220a44ad5221a28390a6607503b152f5c267f6998df2abf37ed65de8

SHA512
fec6237a546002b54576f8c0c4d81f9aaedfeb46232805a34a352b9d988b46b3ee2e259bfc2e6c205acbb9b7f495623528a7e209146e3386024c2473f7ac2b75

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
3.7MB

MD5
de884ccc176d773adf2f8d1c6bcfa7b7

SHA1
a9cbdcef8f313e01407a303d636916056b03a202

SHA256
c7fb144a332d3e100df33963fe68a8e6874b0c917f97e12a0aa6a64862773053

SHA512
93201f13875113979852df8ee4a8abbcc9f39c02f479346545c5757adec7827ff4c1576a56b8dd64395fe663bb949852ff4248e9125977c6df4277d8273c1cac

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
3.7MB

MD5
e93f7a40b84fafbf0205efec56c501b1

SHA1
170e0230deb674c6460982dfba7f1f41c47e15f2

SHA256
55c852ac1e80095b01b039bc8050adf1257e385c2eaa6c737335114b9eca386b

SHA512
033decb25f11a3ee9a387a462370a59bdc30eaf503ab84280758fcf90f1949e1eb31cd5ca368c2a93913eb687941d59e3d27dc0cf72eaabdcf455982015f40af

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
3.7MB

MD5
34733c484ed9de4f9b5e4cc2ca091916

SHA1
e7edbce6d40762e35b227abe4a54a1fdc370f920

SHA256
cfca9194cf263d7d454fcddea6014aa85ccfea7d63dc55ac73e8f99c509215db

SHA512
e1c61c50ce009c23477e48c3ca92754fd732116e7b471c83745b64ff0e3dd14bfd5e2390b645f44e0d264199b331b36480935cd051851c671f5874a220f881a1

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
3.7MB

MD5
d6731011af0af2155b714cc387f5fe55

SHA1
4ce262673fcb6acde915b6e1a10e4c5d28f89a5d

SHA256
e8519b651786dc44790e54a387b040f2c287e84fa8717fbbf692ba9b1c204752

SHA512
691af9389b678c56a6bfb51ab6b4f40fca9dbccc3580fbc5c0178cf19250a273d1a0f06d4a7cb48c95e797979540af3bbffecefd70f6e8955c18254f6f20988e

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
3.7MB

MD5
9d2ea5961b4e2527c1b45f1bda2c042c

SHA1
4c568cf62247c499a977f497eff233402747a77f

SHA256
9329b82cc7551d5410e6b10fd9878bda95a56d0096f8b9efd988a7938181389b

SHA512
539bbcb3f68f65b08ac10d5ed780b292626239b9d84bc929987ac18f81922853437798dc76a337974a04bccb166b397b5caec27206cf1eaaff40d70f0bdb9ed0

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
3.7MB

MD5
a9211be57bc7252de1d17af78921c876

SHA1
81d4bbc6d02635053f974998ee87b758d6c6692d

SHA256
d476c3966342ab44240cb329d717b78e51c67dedd43a3918b2b394df106eb688

SHA512
e420558e88c9e29df472e0cea9b0267047f846dce5e602d6bd19e71cc16303edb730c138e7ff7173be85023a45ea36860f56d9c1d9ea578301c34c3bf56f4edc

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
2.7MB

MD5
8aa3d744f43b86c683c19de69017dc6b

SHA1
bab9a7c52d9d30b92cc0055912080f3ca160083a

SHA256
b90b2f4222fc4766bc0ebccf59a5925f45dad477defe82631b38ba0a23062ffe

SHA512
b583cb22cce0b38d9ac3ef1c12068de175967c3091e23e6dd1b20bd4313ff08f529094e8fd487bcbda4d1f1d18780a777425328b71a56c2a7033adc3dce6792d

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
3.7MB

MD5
03c812da1ba98fd9a67ff2f1bb1fe207

SHA1
12931fc7e6a5b66cc7a72d6129dae0c956b2f38a

SHA256
855a7a207fe1bd2bf53a8fa806988ea66af3e86490c0ba91a3d0dfeca49d0b39

SHA512
bf4e7ce253b268c2628ac3ca48da9023896593b86f6c085384e6c154d83e65a83c7b4b4a3510f21f056ef419c8caa13d23ff247255760649adfa73c0703086dd

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
3.7MB

MD5
b87203e0fe7aef213a6c0553d462a790

SHA1
5f34fde4188a1abac86f268ca71c43e79ae9afce

SHA256
f823f30152445fbbc9f8b56665b8f02a15ca1e4d805d0a26234c44377bff5d4c

SHA512
9e7c63afcccc9a3731363e6744b76f0523b2f662c6fddc8c9977db99a2509fc3340d9ed3802303287feb51013e012c1ec81bcd08665ab2eaccdba08343f5ebcd

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
3.7MB

MD5
75fe0ec5a85e2f0a49fda0015258e4d3

SHA1
c37b96b0e0838fb8f7aff771c9720f8d5fb2938e

SHA256
6de2cfe86a0f4b4adc45522a742e87abf46395c82bc0c33281c5d50408d35ee9

SHA512
15e77ca1f74459db121bd41557f77cb95fdc9c94ba8136c5c698e11028ad1cc3f96a380d0a18e28c1f831f792afae004eb4b60311c4faccb312d6fb7f49b7502

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
3.7MB

MD5
9dea41321d6fb47ad70d58176f4ec072

SHA1
f1dee6812b3b4280029ad2541ea22bfadb6f41a4

SHA256
49bfbb92772b5d981b717d7f74694573832a80ee2e923a02bc51409124d8b1f1

SHA512
0c3ae6243ff343f3d2625d9e0027306719ed75c088f64e90524f0afdd0c419bc5f5ee5938ad42c555d6557f5da23872e949d218b9c93abfaa4070efa971e271f

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
3.7MB

MD5
7c140b8cd9aa4a4d142ab464c921dc82

SHA1
f966e45231ba9ee13e480113b605c618f6903e3e

SHA256
d2e911f8fee429d4d1633dd39c048702ae5416edcb66936ec0bc2e41b2376554

SHA512
3c04e8217708f01ae7f80eb50bc18d2e4aeee3e971998b2f91ff4baf14b2d9c40fca1322ab89f2694ea077148d4b18532165245cce1c247bbc2cec290627f381

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
3.7MB

MD5
ed2ca7d6ced8f98df84f1249be0adedd

SHA1
d1a362e950eeb81a2924ed637e0b959536379877

SHA256
533844661f7a88823743f9be318f5f5448cf88628c2530a1e9d8dde284926b6a

SHA512
e98609c52a14087e4dbb83def468d24a6533204df4c6b91aaaef35fb0c52e1df45db095d779632a86e13c9aa5617d2a20efd9a9eb7c591591a104ca09667dd69

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
1.8MB

MD5
334aa23b335e7f8d204f4f15e386c09d

SHA1
c9c8fb9259dc641bd65d9d3ca0354f82197f787e

SHA256
76b4d5623a513191b108f9f0db6ec83d12b9c9d59212ea2d92520c46f8123c63

SHA512
e3bfaa56b457140a2eda5a41ccdb49dceea81a6ebd7960978c69458c36ac327b2bbac33d45f7adf95c366d8e11a25cfb70f88cab3c14e71be9ebe30e8ff6423e

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
3.6MB

MD5
0814fcbc2d4c2856e482a918bcf6ff36

SHA1
bcb785eeb63894559a81808ee8db949530690e95

SHA256
ddfa98c9c2a9ecbc4d10fc19103f18c2883d9d9e628dfb4f9facb5adf77850a4

SHA512
33090989553992f4f1b9473d2cb7e175cf015204908d50311ddd7eb7add9a20ab4e59637b7a1ffd896b6389d068371e040894696e4ffa5e9f65c1313b6c9d3b6

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
3.7MB

MD5
3fb6d2deab55c509c429859b1c3db9aa

SHA1
3a08c26629e13cad12abd753948dc60565331236

SHA256
9cac67c3ac7c07958b69c9cf934a177ee9394b0dabb59f90d77a8daf90f74127

SHA512
4222e7a7887950dba87a1d2939fdb81d31488ce1b3a05b0fcb032240e72db33482ce56a0034e1896c47c64586d895382f6a6a4d449b5b744299b3ac77ab9dcf1

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
3.7MB

MD5
cbb560bd0998ffd4c5dc776863a20775

SHA1
d4bb7fbf3737cc6178fa956cf87b0688d958c653

SHA256
768d9efa8190ed0e24be82f6bbad3798eb3bd2e3b6dd8cdb3316ce6f36785fa3

SHA512
ef837a45d66b50aab7a6423ce6a857971e3b7b6aa558c4c8704527247c8cfb4228ed941baf3348a7991d205c5d2b8ca2df0908e887aa0a7f7308db71ca4ef8d0

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
3.7MB

MD5
29727c544e46b77391f5cd4bf8bf02b1

SHA1
5ca7f87005ca6ccffadf6d351173aef251224b41

SHA256
cba94d4e2ec978526423cceca10920afc3d547f096a01c51651f251401b0ef01

SHA512
90dcb00798606fd6f334a04f01b9b8b664ce3c38c6e18d39051908355bdce31b69932db1c9c7716b9728a842eaf399feebda67bdbb42cbd22892abecdabfbe55

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
3.7MB

MD5
5f4bdf82313f3c777a8adcd74fefb4b4

SHA1
aef7fc00247bb077e099ad7d0ad57e4ecfb6eec9

SHA256
7b1e549743381ceb27bfad5aa30652046398da0b15b675510f87a62957531048

SHA512
e7809ca342b876b6a8cde4575dbf8a69931b5fbc821b2f896013899251ae25ec01c7cba007387b9ae6cd2aab168cf28947fdd4212963c38393659d2b92e37f3f

Download Submit
memory/408-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1404-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads