3280a9aef5f6144579ecb718cec3a449f027c651e5e5c3f59beefc3794c949ab

Analysis

max time kernel
137s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe
Size

565KB
MD5

3f2277041e9dcf1396fe1bc29d970fc0
SHA1

9db4e339ae85067c3abc4d00f0e0f57df66163d0
SHA256

3280a9aef5f6144579ecb718cec3a449f027c651e5e5c3f59beefc3794c949ab
SHA512

4c8ca818659c26716442d887fd45d85b42212437da694d865b149329074d948566d2014ecfd9a0d54a9eff44d640add2151d27805feef8ec0dffa0e54a429420
SSDEEP

12288:BPdh1QFcf6JFtuFjAh//+zrWAIAqWim/+zrWAI5KF8OX:nszDtuFjAh/mvFimm09OX

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Haidklda.exeLgikfn32.exeKgmlkp32.exeHmioonpn.exeJbmfoa32.exeGjapmdid.exeIpqnahgf.exeJjpeepnb.exeLpocjdld.exeLnepih32.exeMahbje32.exeGogbdl32.exeGbenqg32.exeJpaghf32.exeKacphh32.exeHbckbepg.exeHjolnb32.exeJdmcidam.exeJbocea32.exeNgedij32.exeNcldnkae.exeGifmnpnl.exeIpnalhii.exeKpmfddnf.exeIjfboafl.exeJkfkfohj.exeIdofhfmm.exeKgdbkohf.exeKpccnefa.exeLalcng32.exeLpappc32.exeJaedgjjd.exeJfdida32.exeLdohebqh.exeIapjlk32.exeGjocgdkg.exeKpjjod32.exeGameonno.exeHippdo32.exeLnjjdgee.exeGjlfbd32.exeGidphq32.exeHjjbcbqj.exeImpepm32.exeGqkhjn32.exeHjfihc32.exeIiibkn32.exeKkkdan32.exeLpcmec32.exeJdjfcecp.exeJbkjjblm.exeJjbako32.exeJigollag.exeKmegbjgn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/4576-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gimjhafg.exe	family_berbew
behavioral2/memory/1668-12-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gbenqg32.exe	family_berbew
C:\Windows\SysWOW64\Gjlfbd32.exe	family_berbew
C:\Windows\SysWOW64\Gmkbnp32.exe	family_berbew
C:\Windows\SysWOW64\Gqfooodg.exe	family_berbew
C:\Windows\SysWOW64\Gcekkjcj.exe	family_berbew
C:\Windows\SysWOW64\Gfcgge32.exe	family_berbew
C:\Windows\SysWOW64\Gjocgdkg.exe	family_berbew
C:\Windows\SysWOW64\Gidphq32.exe	family_berbew
C:\Windows\SysWOW64\Gfhqbe32.exe	family_berbew
C:\Windows\SysWOW64\Gameonno.exe	family_berbew
C:\Windows\SysWOW64\Hjfihc32.exe	family_berbew
C:\Windows\SysWOW64\Hbanme32.exe	family_berbew
C:\Windows\SysWOW64\Hmfbjnbp.exe	family_berbew
C:\Windows\SysWOW64\Hmioonpn.exe	family_berbew
behavioral2/memory/2108-585-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3900-588-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4516-599-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2688-702-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4412-596-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1920-595-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1996-594-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2988-593-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4428-592-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4016-591-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4300-590-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3856-704-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/5096-721-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2316-727-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1856-722-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3848-718-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3392-720-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3720-713-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2020-712-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3800-711-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2548-710-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4480-709-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3208-708-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2128-707-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4324-706-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2268-705-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2608-589-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2492-587-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4264-584-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2780-583-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2612-582-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4860-581-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4548-580-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3192-579-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3992-577-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1044-573-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2832-739-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2176-746-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2324-745-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/988-744-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3612-748-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4084-572-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/368-571-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4804-762-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4140-766-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1220-776-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3244-778-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Gimjhafg.exeGogbdl32.exeGbenqg32.exeGjlfbd32.exeGmkbnp32.exeGqfooodg.exeGcekkjcj.exeGfcgge32.exeGjocgdkg.exeGmmocpjk.exeGpklpkio.exeGbjhlfhb.exeGjapmdid.exeGidphq32.exeGqkhjn32.exeGcidfi32.exeGfhqbe32.exeGifmnpnl.exeGameonno.exeGppekj32.exeHboagf32.exeHjfihc32.exeHmdedo32.exeHpbaqj32.exeHbanme32.exeHfljmdjc.exeHikfip32.exeHmfbjnbp.exeHpenfjad.exeHbckbepg.exeHjjbcbqj.exeHmioonpn.exeHadkpm32.exeHccglh32.exeHbeghene.exeHjmoibog.exeHippdo32.exeHaggelfd.exeHcedaheh.exeHbhdmd32.exeHjolnb32.exeHibljoco.exeHaidklda.exeIcgqggce.exeIjaida32.exeImpepm32.exeIpnalhii.exeIcjmmg32.exeIfhiib32.exeIiffen32.exeIannfk32.exeIpqnahgf.exeIbojncfj.exeIjfboafl.exeIiibkn32.exeIapjlk32.exeIdofhfmm.exeIbagcc32.exeIjhodq32.exeImgkql32.exeIabgaklg.exeIdacmfkj.exeIfopiajn.exeIinlemia.exe

pid	process
1668	Gimjhafg.exe
4268	Gogbdl32.exe
4836	Gbenqg32.exe
3372	Gjlfbd32.exe
4712	Gmkbnp32.exe
684	Gqfooodg.exe
4488	Gcekkjcj.exe
3252	Gfcgge32.exe
812	Gjocgdkg.exe
1328	Gmmocpjk.exe
1192	Gpklpkio.exe
368	Gbjhlfhb.exe
4084	Gjapmdid.exe
1044	Gidphq32.exe
3992	Gqkhjn32.exe
3192	Gcidfi32.exe
4548	Gfhqbe32.exe
4860	Gifmnpnl.exe
2612	Gameonno.exe
2780	Gppekj32.exe
4264	Hboagf32.exe
2108	Hjfihc32.exe
2492	Hmdedo32.exe
3900	Hpbaqj32.exe
2608	Hbanme32.exe
4300	Hfljmdjc.exe
4016	Hikfip32.exe
4428	Hmfbjnbp.exe
2988	Hpenfjad.exe
1996	Hbckbepg.exe
1920	Hjjbcbqj.exe
4412	Hmioonpn.exe
4516	Hadkpm32.exe
2688	Hccglh32.exe
3856	Hbeghene.exe
2268	Hjmoibog.exe
4324	Hippdo32.exe
2128	Haggelfd.exe
3208	Hcedaheh.exe
4480	Hbhdmd32.exe
2548	Hjolnb32.exe
3800	Hibljoco.exe
2020	Haidklda.exe
3720	Icgqggce.exe
3848	Ijaida32.exe
3392	Impepm32.exe
5096	Ipnalhii.exe
1856	Icjmmg32.exe
2316	Ifhiib32.exe
2832	Iiffen32.exe
988	Iannfk32.exe
2324	Ipqnahgf.exe
2176	Ibojncfj.exe
3612	Ijfboafl.exe
4520	Iiibkn32.exe
4932	Iapjlk32.exe
2900	Idofhfmm.exe
1804	Ibagcc32.exe
4804	Ijhodq32.exe
4336	Imgkql32.exe
332	Iabgaklg.exe
4140	Idacmfkj.exe
1012	Ifopiajn.exe
3736	Iinlemia.exe

Drops file in System32 directory 64 IoCs

Processes:

Jjbako32.exeHpbaqj32.exeIcgqggce.exe3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exeHibljoco.exeJiphkm32.exeLknjmkdo.exeHboagf32.exeHjjbcbqj.exeHbhdmd32.exeHadkpm32.exeIpqnahgf.exeLcmofolg.exeGfcgge32.exeGidphq32.exeKmegbjgn.exeIiffen32.exeJmnaakne.exeHcedaheh.exeHaidklda.exeJbfpobpb.exeLpocjdld.exeMahbje32.exeHippdo32.exeIjaida32.exeIannfk32.exeImgkql32.exeKgmlkp32.exeIdacmfkj.exeKajfig32.exeLpcmec32.exeMdmegp32.exeGcekkjcj.exeIabgaklg.exeJdjfcecp.exeKagichjo.exeNqklmpdd.exeHikfip32.exeHjmoibog.exeIfopiajn.exeKgbefoji.exeIjfboafl.exeJfhbppbc.exeGfhqbe32.exeHmfbjnbp.exeJmbklj32.exeLpappc32.exeKgfoan32.exeLmqgnhmp.exeHccglh32.exeImpepm32.exeIbagcc32.exeKinemkko.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4592 6084 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4592	6084	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Idacmfkj.exeHbeghene.exeHjmoibog.exeIinlemia.exeJaimbj32.exeMahbje32.exeNgedij32.exeHfljmdjc.exeHcedaheh.exeJpaghf32.exe3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exeHpbaqj32.exeLddbqa32.exeKipabjil.exeLkgdml32.exeIiffen32.exeKmegbjgn.exeNjcpee32.exeIjaida32.exeIpqnahgf.exeIapjlk32.exeKdaldd32.exeHbhdmd32.exeJmbklj32.exeKgfoan32.exeLdohebqh.exeLknjmkdo.exeHboagf32.exeMkepnjng.exeHadkpm32.exeHaidklda.exeKmgdgjek.exeLcpllo32.exeHjolnb32.exeHbckbepg.exeKgbefoji.exeLiggbi32.exeNqklmpdd.exeHmfbjnbp.exeHbanme32.exeHmioonpn.exeKpjjod32.exeLcgblncm.exeGogbdl32.exeJmnaakne.exeLgikfn32.exeKkihknfg.exeLpcmec32.exeNbkhfc32.exeGidphq32.exeIpnalhii.exeJdcpcf32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exeGimjhafg.exeGogbdl32.exeGbenqg32.exeGjlfbd32.exeGmkbnp32.exeGqfooodg.exeGcekkjcj.exeGfcgge32.exeGjocgdkg.exeGmmocpjk.exeGpklpkio.exeGbjhlfhb.exeGjapmdid.exeGidphq32.exeGqkhjn32.exeGcidfi32.exeGfhqbe32.exeGifmnpnl.exeGameonno.exeGppekj32.exeHboagf32.exe

description	pid	process	target process
PID 4576 wrote to memory of 1668	4576	3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe	Gimjhafg.exe
PID 4576 wrote to memory of 1668	4576	3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe	Gimjhafg.exe
PID 4576 wrote to memory of 1668	4576	3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe	Gimjhafg.exe
PID 1668 wrote to memory of 4268	1668	Gimjhafg.exe	Gogbdl32.exe
PID 1668 wrote to memory of 4268	1668	Gimjhafg.exe	Gogbdl32.exe
PID 1668 wrote to memory of 4268	1668	Gimjhafg.exe	Gogbdl32.exe
PID 4268 wrote to memory of 4836	4268	Gogbdl32.exe	Gbenqg32.exe
PID 4268 wrote to memory of 4836	4268	Gogbdl32.exe	Gbenqg32.exe
PID 4268 wrote to memory of 4836	4268	Gogbdl32.exe	Gbenqg32.exe
PID 4836 wrote to memory of 3372	4836	Gbenqg32.exe	Gjlfbd32.exe
PID 4836 wrote to memory of 3372	4836	Gbenqg32.exe	Gjlfbd32.exe
PID 4836 wrote to memory of 3372	4836	Gbenqg32.exe	Gjlfbd32.exe
PID 3372 wrote to memory of 4712	3372	Gjlfbd32.exe	Gmkbnp32.exe
PID 3372 wrote to memory of 4712	3372	Gjlfbd32.exe	Gmkbnp32.exe
PID 3372 wrote to memory of 4712	3372	Gjlfbd32.exe	Gmkbnp32.exe
PID 4712 wrote to memory of 684	4712	Gmkbnp32.exe	Gqfooodg.exe
PID 4712 wrote to memory of 684	4712	Gmkbnp32.exe	Gqfooodg.exe
PID 4712 wrote to memory of 684	4712	Gmkbnp32.exe	Gqfooodg.exe
PID 684 wrote to memory of 4488	684	Gqfooodg.exe	Gcekkjcj.exe
PID 684 wrote to memory of 4488	684	Gqfooodg.exe	Gcekkjcj.exe
PID 684 wrote to memory of 4488	684	Gqfooodg.exe	Gcekkjcj.exe
PID 4488 wrote to memory of 3252	4488	Gcekkjcj.exe	Gfcgge32.exe
PID 4488 wrote to memory of 3252	4488	Gcekkjcj.exe	Gfcgge32.exe
PID 4488 wrote to memory of 3252	4488	Gcekkjcj.exe	Gfcgge32.exe
PID 3252 wrote to memory of 812	3252	Gfcgge32.exe	Gjocgdkg.exe
PID 3252 wrote to memory of 812	3252	Gfcgge32.exe	Gjocgdkg.exe
PID 3252 wrote to memory of 812	3252	Gfcgge32.exe	Gjocgdkg.exe
PID 812 wrote to memory of 1328	812	Gjocgdkg.exe	Gmmocpjk.exe
PID 812 wrote to memory of 1328	812	Gjocgdkg.exe	Gmmocpjk.exe
PID 812 wrote to memory of 1328	812	Gjocgdkg.exe	Gmmocpjk.exe
PID 1328 wrote to memory of 1192	1328	Gmmocpjk.exe	Gpklpkio.exe
PID 1328 wrote to memory of 1192	1328	Gmmocpjk.exe	Gpklpkio.exe
PID 1328 wrote to memory of 1192	1328	Gmmocpjk.exe	Gpklpkio.exe
PID 1192 wrote to memory of 368	1192	Gpklpkio.exe	Gbjhlfhb.exe
PID 1192 wrote to memory of 368	1192	Gpklpkio.exe	Gbjhlfhb.exe
PID 1192 wrote to memory of 368	1192	Gpklpkio.exe	Gbjhlfhb.exe
PID 368 wrote to memory of 4084	368	Gbjhlfhb.exe	Gjapmdid.exe
PID 368 wrote to memory of 4084	368	Gbjhlfhb.exe	Gjapmdid.exe
PID 368 wrote to memory of 4084	368	Gbjhlfhb.exe	Gjapmdid.exe
PID 4084 wrote to memory of 1044	4084	Gjapmdid.exe	Gidphq32.exe
PID 4084 wrote to memory of 1044	4084	Gjapmdid.exe	Gidphq32.exe
PID 4084 wrote to memory of 1044	4084	Gjapmdid.exe	Gidphq32.exe
PID 1044 wrote to memory of 3992	1044	Gidphq32.exe	Gqkhjn32.exe
PID 1044 wrote to memory of 3992	1044	Gidphq32.exe	Gqkhjn32.exe
PID 1044 wrote to memory of 3992	1044	Gidphq32.exe	Gqkhjn32.exe
PID 3992 wrote to memory of 3192	3992	Gqkhjn32.exe	Gcidfi32.exe
PID 3992 wrote to memory of 3192	3992	Gqkhjn32.exe	Gcidfi32.exe
PID 3992 wrote to memory of 3192	3992	Gqkhjn32.exe	Gcidfi32.exe
PID 3192 wrote to memory of 4548	3192	Gcidfi32.exe	Gfhqbe32.exe
PID 3192 wrote to memory of 4548	3192	Gcidfi32.exe	Gfhqbe32.exe
PID 3192 wrote to memory of 4548	3192	Gcidfi32.exe	Gfhqbe32.exe
PID 4548 wrote to memory of 4860	4548	Gfhqbe32.exe	Gifmnpnl.exe
PID 4548 wrote to memory of 4860	4548	Gfhqbe32.exe	Gifmnpnl.exe
PID 4548 wrote to memory of 4860	4548	Gfhqbe32.exe	Gifmnpnl.exe
PID 4860 wrote to memory of 2612	4860	Gifmnpnl.exe	Gameonno.exe
PID 4860 wrote to memory of 2612	4860	Gifmnpnl.exe	Gameonno.exe
PID 4860 wrote to memory of 2612	4860	Gifmnpnl.exe	Gameonno.exe
PID 2612 wrote to memory of 2780	2612	Gameonno.exe	Gppekj32.exe
PID 2612 wrote to memory of 2780	2612	Gameonno.exe	Gppekj32.exe
PID 2612 wrote to memory of 2780	2612	Gameonno.exe	Gppekj32.exe
PID 2780 wrote to memory of 4264	2780	Gppekj32.exe	Hboagf32.exe
PID 2780 wrote to memory of 4264	2780	Gppekj32.exe	Hboagf32.exe
PID 2780 wrote to memory of 4264	2780	Gppekj32.exe	Hboagf32.exe
PID 4264 wrote to memory of 2108	4264	Hboagf32.exe	Hjfihc32.exe

C:\Users\Admin\AppData\Local\Temp\3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f2277041e9dcf1396fe1bc29d970fc0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\Gimjhafg.exe
  C:\Windows\system32\Gimjhafg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\Gogbdl32.exe
    C:\Windows\system32\Gogbdl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\SysWOW64\Gbenqg32.exe
      C:\Windows\system32\Gbenqg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3372
      - C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        24⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        30⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        39⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        49⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        50⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        54⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        60⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1936
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        67⤵
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        68⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        70⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3244
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4708
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        74⤵
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        75⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1672
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        78⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        79⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        82⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        90⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        92⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        94⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        95⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        97⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        99⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        100⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        101⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        103⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        104⤵
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        106⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3676
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        108⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        111⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        113⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        114⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        117⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        119⤵
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        120⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        122⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        123⤵
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1696
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        128⤵
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        129⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        132⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        134⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        137⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        138⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 420
        141⤵
        Program crash
        
        PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6084 -ip 6084
1⤵
PID:6132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
565KB

MD5
c92acd56697b8c480a21008fe2d3704a

SHA1
ce1c3b26a4134f51fd5cebf56da8627fd78a4d63

SHA256
149d94d0a868529ac572340f538a3a8a44c4b2c2b6e0facf29478d641b1f6544

SHA512
1b602229a381792161e4d3792abdcbe71698294189dbe5dedd1e845b9b5ab40ddd7c011e883d2cb5cbfbd5a1a6dda7ba6904e80fdc848220e8e716c0ee86f633

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
565KB

MD5
d80453d53ab1b545dece5ef83782ee9a

SHA1
cd158e4711e653832d590a99472fe5bcb781bfd2

SHA256
4e750f671179218046cb7fcd21abc7dce532c2de86c6d7539fd3b32508543b05

SHA512
17c52d19dac93da2eb2270d9c2172f7d4eb5919a8b9261468269026f33a4f6b5a3159b0218cb1a246d226934c550a11887d8e7509513ec73fa6c3937cf1c001d

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
565KB

MD5
6e37126e995b58481edc2f86cd4f2eb1

SHA1
71e1d5acfcd83d290e8f276260893c46588b1009

SHA256
23fffe4e4fabf821d44359b647a0be1b82f260419a0bd679e980de8362070126

SHA512
a8e56dd7148f653d477ec828019da39c8905746e200ff85be68a81ecf87dde926d2973e7bb417c6339121ac27aad0e0a65f525f276d693ac835ac1f30d02a692

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
565KB

MD5
9d5e6a28fed918ab2cf596d14ea37b6a

SHA1
5ea6f1e10987e3e495ff9e77948bfa7254a5a5bf

SHA256
7549568c5cf479270b762d86c139a2e0ee8f37af2b89a35754a43f33ad31f704

SHA512
37f3408bceba1454c75d36d6cc0f393d50ea25834510238002fa7195bb39fe797a5a49d05cef017d385aa0c589f5b2be98fd890303393b006ed6a7bc771a49f0

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
565KB

MD5
6f2e3cc704b8fcacfe3233003a0ab767

SHA1
e0de8237e01329d30f58f3d17316dc4d473bbc29

SHA256
5287005e0998022bd46cf2f8f7c56fdf491d823f32f5558f753973204e5b1b21

SHA512
cd26ba50f98ddd3b436e5265de1f8ee0d5d87ab676ef8be5ac6a08310f99bb9ca0e41aeb0e47232cf79592ee63f1227260c3f84241e7130609c007b93af3c87f

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
565KB

MD5
be1416ad9e7e52fb14fdee08422179dd

SHA1
2bd05cd8582846879834a1c755784be69c95043a

SHA256
52bff87eb72a796cdbaa5b6a2e646f1a59f84b1fd1d869c17a64d4565e9b22b5

SHA512
a5660a3c0c8679d7ae8582b77d2e0596bd6236e5de347bac75ef1d4ce4bcae69b850974417f728f9f82d924f30f191f2a22ac761ff7a25c186f5178cf64c4d46

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
565KB

MD5
c51d225a86f814ebf1ff293f39d5badb

SHA1
3b4ddcbf2dcf4d959f929799f3da708cfd2cfeba

SHA256
9d5b69f3b57606b07b1b9c4c0f6d1d233972a65edd2abb728069597ea0ab7208

SHA512
66cd3185386e9f3d87bbdceb2c1c47086ba6cb04b8a65bc604f7031002118cd5de72d0c6fcb13f20e56e0ee585e8ea45f2d65f492245951a42bffad33125f56e

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
565KB

MD5
f5c46ac9d1e2820fdb25b945d34b661d

SHA1
3b8adc9c2a23c094b7ad506c838faa92c819a466

SHA256
88cc0ea5e51e17b2d4d174dacaae91c574cfc5a881103f346215e251e802a711

SHA512
1a68aeaea0660864a2935e4199a8b999a700a4a29d92372ccd04822c6eb45eb3bcebb677dedf70aafc6f7977beeecd327fb9a88207e8ac6b7ded264139c388f3

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
565KB

MD5
7ac396459585825e491cfd4f0cd4492e

SHA1
631086453b73c64e1e86ee6ad282bf1f68c91a25

SHA256
d67c347fa69fa4718fe5fa05ebf9daaf7f5054318779f59a0c781f1cf2d714c3

SHA512
eeb793e3be5965fc9ed8edc4adc24f8540de60f4d6f72b7e7e7ba1d4728e5bd51b9956d29478f7bf95b7d0b35dcbfdcd627b4a90335204dfd98be0708e7551a0

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
565KB

MD5
bf7e9beeab1ed453c013ed4456fa8a42

SHA1
0f101d14036277f0d7db62ea16f298118f092aa3

SHA256
632b45f70e60e589019d69929667a3519c20c95efdda4e33652c81314aa4e1d1

SHA512
bc8d13248fa79f73f2f4ada6cd632e126dbf1e6ed53bd7092cebb2dfef17ec5abcabc9b32286fcfc7455a35e7a746163112955d628d299a2447528e06d31dc1e

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
565KB

MD5
d652d48ff51c1dafb85d7fa9d00090ab

SHA1
275e5b247d1f8dfc6b24bc5377ea61290849832c

SHA256
12ef839e30e6329b31bac38866e896867e41083b2f73b2dfe0eaf3fe1c2ee51c

SHA512
7e3a8459d43985e7900bdfc43e4d890addb7bea65b7bd806a33fd2a0efd3eac415f93215117e5c7c2b08a503419e9235d4a229e683f392fa864927b4a3763ea7

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
565KB

MD5
68324106c67f763899106f88b4ee07cc

SHA1
56e7f2cf0a03f6051d9fe8dac11b4bdb02a0f77e

SHA256
d959b4abbc3268acafe9b33d5b5ea58dffb83b1efd3f13ba9139931a8bd98785

SHA512
5e583c031c2b8a7182457923665c9d1e491b497a4fc76da76b9a232a5c63dfb2d4ed4e70c637be7b0b594f056e0399f755b74a9573a8142d02564859262d6767

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
565KB

MD5
a095197716f0d97fdf6e746ea7d6be86

SHA1
7de711c085f5e11c6a47df6e0346a71b98a06e56

SHA256
606d3fb397c8e585ca792c0f02e991e34205401ad99675973b040822a61c027f

SHA512
888bb8a27c50e2ed16912637fbba2496cb47a83cbec42a0bf87ffba3fcb9e72270e8a3cd8f2dc607b198ca0d85b3cd11d402a1dff5126d67c507c8a3cafd64ab

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
565KB

MD5
de53e1fa82135f3ea1029ee875c5005a

SHA1
1d140ba63ecfea84e59c3f035969187f20f5efec

SHA256
232d280ed774778759b50667fa7abdccfc5b15a5d7967c49dd47560d392d39f6

SHA512
0e6236827f9194493ed1d3c51dfcbcbce6f53cb2bbbb629acd6099e681a16e039ac48c947e1551f59f0d56098218362b9b1d5db9cb43e40cdc8a4cc2528c2eed

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
565KB

MD5
ddaf2d93ee719c51d78855f5bfe5eb72

SHA1
21b7262e49dfc8c4817e821fe133a3d8149ace8d

SHA256
f9a224639bb8d0e1f229d66a1d1a31600ca11339f8fc11e743c427be7bc2386f

SHA512
0b17422864875267ee41a091fee8fb05c6f486943cdcf16c5640112826337aaa06943f60884960046f791b61d18010d26a132a3e7732947647c3b37858c01dfb

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
565KB

MD5
78a117447a697cb49fd4933fbcd1f43d

SHA1
a3c86c29bd80018221bce6f6b7a2b5818dd8b1e2

SHA256
afbb2305afbf7120d050dc23f0cca9e8611b8f6be7b6d2036b0d4837e7eef9a5

SHA512
33075a3d3373eee01e64bd6aabca124d62feff3f8d9b28e1d15d2825a98e7cf9f15407638109687eb7cbb0b1a68e5228c198a109772ae4c574e401d75043301d

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
565KB

MD5
b60f5a678760d597df6d746e34262fdb

SHA1
93021dc1ce6c9136fb82000c16b824b2a55f6799

SHA256
e0f340138cc3bf51a9f5636ad0376be520b004b4af5e3e6cefa9a241e98b11e4

SHA512
77196d930bed157ba4f096cee7615c6e322844b7b5c4b2f773f362326e30490ae62a4efa32951b02e85865dd7521a3861dbea28c44e7805e391b796acbe5da4d

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
565KB

MD5
b6a00b29881c9a1fbe210e33b4cdce7f

SHA1
b72ed02fa3a6cfcfb839da8ad69818d4acb7d592

SHA256
20667bedd5fd2000a8026da64820161db452aa9dbb3b5e3d2c0dcd99ef798912

SHA512
595d81ddd0e32034ede0fdfc9468cdc4b0b404df06ac5e662e7181301ff441a4b90e14b257b6783f49ad3dbea6c62d1b85a060e7756b00db02aa3d78efec88a9

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
565KB

MD5
df1bbe1f148b04c031e012a52bed780d

SHA1
96b7a5b719e24b97e908818567c41b804e8ef547

SHA256
cb41f77ebd26c2d7f723e91a03b10be8961572243bf0b508582eaa13a859a2e6

SHA512
5f2139a260d65a32dbf96ef074507dd98346f71daa3dc0fd928508de0a999e03104bfb8eb0039c58f9653bba26e8f94a41b89361ced21ec13e79c77430181d24

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
565KB

MD5
79945a10561352108e7fd11060b5bb2e

SHA1
2d75db5c6e16c81cb891993c459f6e049fcf63ef

SHA256
37c3a42902fcdb8b775c3b6385b0f858e40388f9d5eb38dcb8ee7c28babfd9dd

SHA512
0361b259701933f35cd1d31c3ccb9c3a286ecea5d76cb7cc02393e172b6e7dc3a95b52e830d5dbef34eeb80ce88bf0b44156883b3a3f99920cabefb0c34ec8dc

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
565KB

MD5
f0a98813394fac54363904749caeab9e

SHA1
8a1f03c56792b50f77f0f7eabf06012e10f0af66

SHA256
45e95a5e3b79e71dde2c1782fb46e47980a37734e37032a9fed02e35305b9b92

SHA512
eaf5aba1637628d50cd2d30dc379c9e714afc9ad18358eafc16b44ad63b18ab6c9b1d42260ddcc196d6c53a339478c76a871f4030dd095fd49d752314db07ea6

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
565KB

MD5
637fd7952c6e1cb40f74303d98a3f3a1

SHA1
63c824ba8a3a69dbf0805e12ed923084400953ea

SHA256
30e5530519889e21b05ae53026a865788d751a843e9ba12e5ac64e2f807cbec0

SHA512
a4ce389163a4fec8a44ede5f86bfeaa0ba394d00f8b91943144178c2cb8d3aee35a9ded0118b6890b5bf8cb00c9c9abc3d70bd486367875a4d75d6a8c230dbb6

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
565KB

MD5
75a2646829664c541c8ded84432b629e

SHA1
d2e813f787adb4086221f9434a1a5bd688ba201b

SHA256
7925b0435cfb679491fb4baaae1c9bbc865945fda1bdf878710168ee7e9258ad

SHA512
b759b22204aa77c32cdccafe84b7d0e14d5e0f85fe80f69351b09e758f81e52e9d73730b7389288ee2c09ccfff22891d64ae86e825ecf74dec872f750ccd31d9

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
565KB

MD5
ddfd9029934f8de2b2349a705785b0df

SHA1
1eba0bd093d868769c6bd89fa98186c1eb3b366a

SHA256
55ff69e00c6732b56a65b325adfed4eedf615f3b2b8e031a88ac8440e185b03d

SHA512
3e1b7485b0b294418c2c408a5c8082e97aea2a6b1051c29a342bc5252acc04041d204b80e9fa283426a1295de1b5ca4bb3c964d637c8ed133be0c50b8b6fed98

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
565KB

MD5
d6ffd50cc3f21f22cb535173b0a6941a

SHA1
31c4c5638f187d03dc646322ff3032c22bcfe7d0

SHA256
959c7491105d0ba699158d06e652a4cf73bce41f5ce3b55afcea87dfe214e470

SHA512
f85013a6e1df409c432afabca30bec5b27b3cdcfefa19adf824e831875ce17448a8e26e542d80ee55a0688db6a572177977132e7b945d5c067f050c48c73dabe

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
565KB

MD5
8f0b2e103828f1e694725bbc51380ffa

SHA1
1d36424917709562579125b8b80184c41c079730

SHA256
41533221e1c14269584eef39dba266b8af8dbd1c49a39a382ccad1b249ada079

SHA512
b5e6ba592749f45f876f1cb994b008b1b544293985074064f39ca7a7f6d18430a715a011495dd21c53a32a52d26a2bfb7437f53ce393e0202c337d8ef9484f21

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
565KB

MD5
bc004f5dc9694ed21c8224239ad11349

SHA1
3d920ea3665268b840b0fa7e5860d9d997fa9901

SHA256
2e5b632645e93d53847b7c11c9d2c8ecc219988963785d3d934361034f041438

SHA512
3fb632e161beae61172e98d052a3e08e83c151309d4257d57d76d2231631b4be8f2f44eabe7a61b87089829662c5ce1e655ac7f7a87761217e4fbdfe313ec5ed

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
565KB

MD5
1205ecdf0eff6dcf96c016a4d3449c03

SHA1
05345f2a3ff856535bd2790987ceeff4fcdc83ba

SHA256
e5fea0dd8567a0ed6325cb9e347331f5322166ce8253ee9d621ee3228a8f103c

SHA512
fb7eb1bbc7cbf2c8dda5520a5d800badfefb630a2ba78523130c8928cdc2cf64df6e49dd6e4623d4d3619c506bca1d643adeed0cae6884419bb4599df39ddd8c

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
565KB

MD5
404fee8ac553130bbcf35fb7c3356f3e

SHA1
0786c29642dc52e3041ebaf84caae0dcc667a2a4

SHA256
9c515a9a92b73fc4435d4621a660b2df51a43067b70b28372611727ec206fb0e

SHA512
0a1f0e8325c1a112af8c819fd84289062d64047ca4478a497be0f9cba05ee257a4cd993d89e1788fa857b61f12999077bddd324a5de1e2df3bbc86166a645c80

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
565KB

MD5
89dd7cd525e9dec5554d2f3c73366b3b

SHA1
79b28ce335384f706047e421b149f18ad8c75d5c

SHA256
40e8b65f41b7b1076e3237f613e679c600a8c5b367f4a4ecda004c2b1c6b3d22

SHA512
2c92067d51a86c9fe1a4adde68eb81842c845643f958973d4cebeb98960528b5b6367fa2cbf582ffe374b1d01cd613436618a62a1012977201d189c184526b93

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
565KB

MD5
01945a6c50c28a40694e1616fbf96aef

SHA1
b46137b70107b25dc7f24b53654e0c66f6cf3dcc

SHA256
d0f4c9d6c2ed8353fa3340f8030e9c0bdeb32cbb255aa5d7b5305acd9fb3339b

SHA512
49c669f91ca8a66637eab234f55290f5043ae7a89fe0606731470e7b7f8fe425cc045fb7549a38dd3ae9cf100b34d910109410fc94a06300138b0cf418713415

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
565KB

MD5
b8ac8794cb1ff62003db45178ed7ab52

SHA1
f9f1bbafbb56097218482fd156ecede0b05e114d

SHA256
9c5ab6e89109edadc2ef81a6787cf9ea7a5867ecac3063bd480ce34b69f687d8

SHA512
4423e930e04e84feb4a7b380691dc0e6a7449b8c47a32a2cc4f69062acfc3c51d97765a12a53aee6561731b8e998fdd3f1de9e4d03f7ecd9916d816c4c19ab8c

Download Submit
C:\Windows\SysWOW64\Pnfmmb32.dll

Filesize
7KB

MD5
f928b18112ac9a10b35d15936ad933a3

SHA1
b049bfcfce77cdb4a1f1e666edbd2f4389e027ae

SHA256
f7cea65d4c8267f1bd02394e9fd802a6a90f6fb072f9aac6758d710444ce7bdc

SHA512
3ef5040f2c856579e41d06ff93bd268a6b2a1357c65006c2b15911e31e3ce3d1f8d762740a28f04e69f776a680828e6640fa9419a1c02440460ac7694557c61b

Download Submit
memory/332-765-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/368-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/684-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/812-568-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/892-787-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/988-744-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1012-771-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1044-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1192-570-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1220-776-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1328-569-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-791-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-761-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-722-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-595-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1936-773-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-712-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-585-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-707-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-746-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2212-774-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2268-705-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-727-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-745-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-786-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2548-710-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-589-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2612-582-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-702-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2780-583-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2832-739-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-760-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-788-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3192-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3208-708-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-778-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-567-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3372-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3392-720-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3468-775-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3612-748-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3720-713-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3736-772-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-711-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3848-718-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3856-704-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3900-588-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3992-577-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4016-591-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4084-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-766-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-584-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4268-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4300-590-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4324-706-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-764-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4412-596-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-709-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4516-599-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-754-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-785-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4712-564-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-777-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-762-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-581-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-756-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-721-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5156-794-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5192-795-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5228-797-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5264-798-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5300-799-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5336-800-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5372-801-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5408-802-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5444-803-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5480-804-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5516-805-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5552-806-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5588-807-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5624-808-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5660-809-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5696-810-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5732-811-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5772-812-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5808-813-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5844-814-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download