bdc6344bdb49959b694d593bb0ad7b76a2b7bb6949a76590036a780bcdbd3096

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191763632b29e3478a0b77ef028b1cb0_NEIKI.exe
Size

115KB
MD5

191763632b29e3478a0b77ef028b1cb0
SHA1

b9910bd5f72498153de1f9e39b7c123409b064c5
SHA256

bdc6344bdb49959b694d593bb0ad7b76a2b7bb6949a76590036a780bcdbd3096
SHA512

13e4278a95cadd4b870613f67a0fcd6239f7f37c06537130cbdc4d4d6aa9858952c61f187843554c25725ca1b2f1b182c2075ec80b0d9c286315e618cfd109db
SSDEEP

3072:+c31UF3APE42shwWMKdbrIR/SoQUP5u30KqTKr4:R31UF3APE422wnKhrIooQUPoDqTKE

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe

Malware Dropper & Backdoor - Berbew 45 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000a00000002343d-7.dat	family_berbew
behavioral2/files/0x0007000000023450-15.dat	family_berbew
behavioral2/files/0x0007000000023452-23.dat	family_berbew
behavioral2/files/0x0007000000023455-31.dat	family_berbew
behavioral2/files/0x0007000000023457-39.dat	family_berbew
behavioral2/files/0x0007000000023459-47.dat	family_berbew
behavioral2/files/0x000700000002345b-55.dat	family_berbew
behavioral2/files/0x000700000002345d-58.dat	family_berbew
behavioral2/files/0x000700000002345f-71.dat	family_berbew
behavioral2/files/0x0007000000023461-79.dat	family_berbew
behavioral2/files/0x0007000000023463-87.dat	family_berbew
behavioral2/files/0x0007000000023465-95.dat	family_berbew
behavioral2/files/0x0007000000023467-103.dat	family_berbew
behavioral2/files/0x0007000000023469-112.dat	family_berbew
behavioral2/files/0x000700000002346b-119.dat	family_berbew
behavioral2/files/0x000700000002346d-127.dat	family_berbew
behavioral2/files/0x000700000002346f-135.dat	family_berbew
behavioral2/files/0x0007000000023471-143.dat	family_berbew
behavioral2/files/0x0007000000023473-151.dat	family_berbew
behavioral2/files/0x0007000000023475-159.dat	family_berbew
behavioral2/files/0x0007000000023477-167.dat	family_berbew
behavioral2/files/0x0007000000023479-175.dat	family_berbew
behavioral2/files/0x000700000002347b-183.dat	family_berbew
behavioral2/files/0x000700000002347d-191.dat	family_berbew
behavioral2/files/0x000700000002347f-199.dat	family_berbew
behavioral2/files/0x0007000000023481-208.dat	family_berbew
behavioral2/files/0x0007000000023483-215.dat	family_berbew
behavioral2/files/0x0007000000023485-223.dat	family_berbew
behavioral2/files/0x0007000000023486-231.dat	family_berbew
behavioral2/files/0x0007000000023488-239.dat	family_berbew
behavioral2/files/0x000700000002348a-247.dat	family_berbew
behavioral2/files/0x000700000002348c-249.dat	family_berbew
behavioral2/files/0x00070000000234a9-336.dat	family_berbew
behavioral2/files/0x00070000000234ad-348.dat	family_berbew
behavioral2/files/0x00070000000234c1-402.dat	family_berbew
behavioral2/files/0x00070000000234c5-414.dat	family_berbew
behavioral2/files/0x00070000000234cf-444.dat	family_berbew
behavioral2/files/0x00070000000234e3-504.dat	family_berbew
behavioral2/files/0x0007000000023509-630.dat	family_berbew
behavioral2/files/0x000700000002351d-699.dat	family_berbew
behavioral2/files/0x0007000000023523-720.dat	family_berbew
behavioral2/files/0x0007000000023529-740.dat	family_berbew
behavioral2/files/0x0007000000023531-768.dat	family_berbew
behavioral2/files/0x000700000002353f-815.dat	family_berbew
behavioral2/files/0x0007000000023566-942.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
436	Fbqefhpm.exe
4292	Fjhmgeao.exe
4652	Fijmbb32.exe
4816	Fqaeco32.exe
2880	Gfnnlffc.exe
2844	Gimjhafg.exe
3104	Gcbnejem.exe
3240	Gfqjafdq.exe
5064	Gmkbnp32.exe
4392	Goiojk32.exe
4908	Gbgkfg32.exe
3492	Gjocgdkg.exe
2312	Gmmocpjk.exe
1932	Gpklpkio.exe
4308	Gbjhlfhb.exe
2092	Gjapmdid.exe
4416	Gmoliohh.exe
4624	Gpnhekgl.exe
3760	Gbldaffp.exe
1080	Gifmnpnl.exe
2832	Gppekj32.exe
4324	Hfjmgdlf.exe
3632	Hmdedo32.exe
2208	Hcnnaikp.exe
224	Hfljmdjc.exe
4972	Hikfip32.exe
2928	Habnjm32.exe
2296	Hbckbepg.exe
4660	Himcoo32.exe
412	Hpgkkioa.exe
3664	Hbeghene.exe
1948	Hjmoibog.exe
1036	Haggelfd.exe
1716	Hcedaheh.exe
2436	Hfcpncdk.exe
732	Hibljoco.exe
440	Haidklda.exe
4172	Icgqggce.exe
4664	Ibjqcd32.exe
2536	Ijaida32.exe
4656	Impepm32.exe
4560	Ipnalhii.exe
4868	Ifhiib32.exe
964	Iiffen32.exe
4884	Iannfk32.exe
3900	Icljbg32.exe
900	Ifjfnb32.exe
3644	Ijfboafl.exe
4864	Iapjlk32.exe
740	Idofhfmm.exe
532	Ifmcdblq.exe
3768	Ijhodq32.exe
1928	Iabgaklg.exe
4348	Ipegmg32.exe
836	Ibccic32.exe
1920	Ijkljp32.exe
3148	Imihfl32.exe
2120	Jpgdbg32.exe
5024	Jfaloa32.exe
2708	Jiphkm32.exe
4852	Jagqlj32.exe
4728	Jbhmdbnp.exe
4744	Jjpeepnb.exe
2216	Jmnaakne.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6196	5888	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	191763632b29e3478a0b77ef028b1cb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 436	3840	191763632b29e3478a0b77ef028b1cb0_NEIKI.exe	83
PID 3840 wrote to memory of 436	3840	191763632b29e3478a0b77ef028b1cb0_NEIKI.exe	83
PID 3840 wrote to memory of 436	3840	191763632b29e3478a0b77ef028b1cb0_NEIKI.exe	83
PID 436 wrote to memory of 4292	436	Fbqefhpm.exe	84
PID 436 wrote to memory of 4292	436	Fbqefhpm.exe	84
PID 436 wrote to memory of 4292	436	Fbqefhpm.exe	84
PID 4292 wrote to memory of 4652	4292	Fjhmgeao.exe	85
PID 4292 wrote to memory of 4652	4292	Fjhmgeao.exe	85
PID 4292 wrote to memory of 4652	4292	Fjhmgeao.exe	85
PID 4652 wrote to memory of 4816	4652	Fijmbb32.exe	86
PID 4652 wrote to memory of 4816	4652	Fijmbb32.exe	86
PID 4652 wrote to memory of 4816	4652	Fijmbb32.exe	86
PID 4816 wrote to memory of 2880	4816	Fqaeco32.exe	87
PID 4816 wrote to memory of 2880	4816	Fqaeco32.exe	87
PID 4816 wrote to memory of 2880	4816	Fqaeco32.exe	87
PID 2880 wrote to memory of 2844	2880	Gfnnlffc.exe	88
PID 2880 wrote to memory of 2844	2880	Gfnnlffc.exe	88
PID 2880 wrote to memory of 2844	2880	Gfnnlffc.exe	88
PID 2844 wrote to memory of 3104	2844	Gimjhafg.exe	89
PID 2844 wrote to memory of 3104	2844	Gimjhafg.exe	89
PID 2844 wrote to memory of 3104	2844	Gimjhafg.exe	89
PID 3104 wrote to memory of 3240	3104	Gcbnejem.exe	90
PID 3104 wrote to memory of 3240	3104	Gcbnejem.exe	90
PID 3104 wrote to memory of 3240	3104	Gcbnejem.exe	90
PID 3240 wrote to memory of 5064	3240	Gfqjafdq.exe	91
PID 3240 wrote to memory of 5064	3240	Gfqjafdq.exe	91
PID 3240 wrote to memory of 5064	3240	Gfqjafdq.exe	91
PID 5064 wrote to memory of 4392	5064	Gmkbnp32.exe	92
PID 5064 wrote to memory of 4392	5064	Gmkbnp32.exe	92
PID 5064 wrote to memory of 4392	5064	Gmkbnp32.exe	92
PID 4392 wrote to memory of 4908	4392	Goiojk32.exe	93
PID 4392 wrote to memory of 4908	4392	Goiojk32.exe	93
PID 4392 wrote to memory of 4908	4392	Goiojk32.exe	93
PID 4908 wrote to memory of 3492	4908	Gbgkfg32.exe	94
PID 4908 wrote to memory of 3492	4908	Gbgkfg32.exe	94
PID 4908 wrote to memory of 3492	4908	Gbgkfg32.exe	94
PID 3492 wrote to memory of 2312	3492	Gjocgdkg.exe	95
PID 3492 wrote to memory of 2312	3492	Gjocgdkg.exe	95
PID 3492 wrote to memory of 2312	3492	Gjocgdkg.exe	95
PID 2312 wrote to memory of 1932	2312	Gmmocpjk.exe	96
PID 2312 wrote to memory of 1932	2312	Gmmocpjk.exe	96
PID 2312 wrote to memory of 1932	2312	Gmmocpjk.exe	96
PID 1932 wrote to memory of 4308	1932	Gpklpkio.exe	98
PID 1932 wrote to memory of 4308	1932	Gpklpkio.exe	98
PID 1932 wrote to memory of 4308	1932	Gpklpkio.exe	98
PID 4308 wrote to memory of 2092	4308	Gbjhlfhb.exe	99
PID 4308 wrote to memory of 2092	4308	Gbjhlfhb.exe	99
PID 4308 wrote to memory of 2092	4308	Gbjhlfhb.exe	99
PID 2092 wrote to memory of 4416	2092	Gjapmdid.exe	100
PID 2092 wrote to memory of 4416	2092	Gjapmdid.exe	100
PID 2092 wrote to memory of 4416	2092	Gjapmdid.exe	100
PID 4416 wrote to memory of 4624	4416	Gmoliohh.exe	101
PID 4416 wrote to memory of 4624	4416	Gmoliohh.exe	101
PID 4416 wrote to memory of 4624	4416	Gmoliohh.exe	101
PID 4624 wrote to memory of 3760	4624	Gpnhekgl.exe	102
PID 4624 wrote to memory of 3760	4624	Gpnhekgl.exe	102
PID 4624 wrote to memory of 3760	4624	Gpnhekgl.exe	102
PID 3760 wrote to memory of 1080	3760	Gbldaffp.exe	103
PID 3760 wrote to memory of 1080	3760	Gbldaffp.exe	103
PID 3760 wrote to memory of 1080	3760	Gbldaffp.exe	103
PID 1080 wrote to memory of 2832	1080	Gifmnpnl.exe	104
PID 1080 wrote to memory of 2832	1080	Gifmnpnl.exe	104
PID 1080 wrote to memory of 2832	1080	Gifmnpnl.exe	104
PID 2832 wrote to memory of 4324	2832	Gppekj32.exe	105

C:\Users\Admin\AppData\Local\Temp\191763632b29e3478a0b77ef028b1cb0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\191763632b29e3478a0b77ef028b1cb0_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\SysWOW64\Fbqefhpm.exe
  C:\Windows\system32\Fbqefhpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\Fjhmgeao.exe
    C:\Windows\system32\Fjhmgeao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\SysWOW64\Fijmbb32.exe
      C:\Windows\system32\Fijmbb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        23⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        31⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        34⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        36⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        39⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        40⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        42⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        55⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        58⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        59⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1704
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        67⤵
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4924
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        71⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        73⤵
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4964
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        76⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        79⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        80⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        81⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        82⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        83⤵
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        86⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        87⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        88⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        89⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        90⤵
        
        PID:512
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        93⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        94⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        96⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        101⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        106⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        107⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        112⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        117⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        120⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        126⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        129⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        130⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        131⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        132⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        133⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        134⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        138⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        139⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        140⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 400
        142⤵
        Program crash
        
        PID:6196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5888 -ip 5888
1⤵
PID:6172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
115KB

MD5
2162f1e1e69b9b25307c5363dfc2c15c

SHA1
4ee8e5e8e17d30d70caf2935fc032b54375bc576

SHA256
1c3011372257c5382ac8547692f0c58db4212acaaca81fd711620a2ef6bb6e66

SHA512
6f14c623fd430a60e53fe46ff19e6d74205eb11500a4e5399a1d465974d7f94db3d500dfd7aaa371bf0e2c035b3b3a4adfad577616f6b88ec94b2c796dcae0bc

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
115KB

MD5
f774f1b944464fa979e4150036d9d2ab

SHA1
b359b587b54db701e829f120591d50bdc79c5fa2

SHA256
fb9f3a2e4acccf905387f920f1699afc441ddbfc105b223dfbc1cd4a2c086981

SHA512
29deec61f204ec41c192f2740d2226430b941dc362d6cf19dc21865de9afc1b3a73085574109e72e0f413b1b8926703d80adb79d1b4f89abf779269595db4304

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
115KB

MD5
b1969f5d23f89d7ca74fc156962915c0

SHA1
05d8292f7972e2404bc44cab1890b1da8f4eacd5

SHA256
dc2aa4233790ffaf18b487b9939e5d9958c7995e392bed455601b5ffedeebe91

SHA512
5496b9818bce974fd722c23b7f5e66915adcf1de4f158b4820265786a04d72ed131da3ad4397b5e2193e6fc1f1edf325427a56eb9529108edfc54ab1b0b3dd83

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
115KB

MD5
c28dac007f009400219744a5f9cc6ebe

SHA1
16b3a42253c2d99ab3a6aeef6ef5008462757997

SHA256
d04cbc45b24c4abfe8a2253af6f2e38a8d225111def0f44a5c4e35eac330b5af

SHA512
137a9bb0eec302c853e6a710bb9e0737056024ffaa9a3c3b82cb0b874a4434a529a69f894429e4c1559e0102e91e62db4bb655afa85ac4f6e83ee7689aa775a2

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
115KB

MD5
92e6a69a826fbf65c403804f71139a1d

SHA1
b99f108278987d056112345188fd04c3b0c502bb

SHA256
c9f30bef9ff6c0ceb2f0d18097e520930b4f8be33d48c6d534d2fb43b9c39bc3

SHA512
ca1b9909376bb18b23e0b19ff4b6f6a9436cbbd0a6c1247292928c60aa6fc52216e29b506cf8e866244060fa1dcf034147c897c2904f018b9817df2bfb3c1d88

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
115KB

MD5
839544ab435e639cbe1af744f83624b1

SHA1
87e6c336614d1c4b35da443e765fafef419586c3

SHA256
5fa565b3d4eb80e4c4f6f17ab9ec750621c40bc84e9bd899daf031241bdb7a42

SHA512
c445b5a93527a1976c0695883bf30d4ac6c654d32b56c2e166625b30af9558d1a1bf28795fffd8256d2b603a30b182acbc15d2772ebfa8ec1fbd69f152b388c4

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
115KB

MD5
c4198539352393b0824bacc4df6c92f3

SHA1
80952bc368a63484e4f282b8eb0e60373e9794ef

SHA256
c3b2be741301bc460c0fd0ec0329013eda398017035933f25d9775fd748c409c

SHA512
124def982dd67e978d7f53bde6807d28bb3a494090f8b88a972f2689ecfeb1c3c5835c59e656192daf69ec46fa2534fc85a0c83b4a44d65af3091704b854e7ce

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
115KB

MD5
71ba1d1dd019fd41c12a626b86c05728

SHA1
d35c06a6dacca70599f63bfb63e21a417c3d6563

SHA256
318d72753ec14158fa16242588afd3dfce937389e644d062450cc9cec0b9c8d3

SHA512
b159780447f3ffd8f2044b9552ab8dc6a82d4fd1c5bacc269e94adefbb9766a6739e1bdd19c4f2be8c8ad3cafd85316e3c654a86d39ed0a3cf5f06d7e48570ba

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
115KB

MD5
1772fec337cb9bf43afd3c370d3a32ae

SHA1
46a1beeed550b3c06b881cf2b96f078ca162d8a2

SHA256
af355cbd4f71aa8c15e87ad607d7b1b34f688c2f7ced7cd862dab4ac8f2d4560

SHA512
43bcd645b6dd1dd00a32559585d72498e1a0f16132177966f9d50da96e733e27eda9478a19e4aefb2ceedc672ec702a9040bb3b89816cf56b6d402ea64c8e307

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
115KB

MD5
826816513763d5a8707acdabd641b85a

SHA1
bc3a758d27387df63311be9647c41f9115b0c8e5

SHA256
af8a42b577e7173fb639fff0a86436b8f188f47383268f9dc472b5f827809aae

SHA512
cf4e1135d443d8ad06ffd52ebe40b3cb1c786ed16d6a98ab9f45192866e3e1cdab07d2f8fa4fef8a7c58abd781b11e18b4c43f53f99cc8ed094bbc6beda30294

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
115KB

MD5
97e42f783880c6f12c90bab2993f55ee

SHA1
af65c4b70bb2a39077eb7ad5bc94d9704478044a

SHA256
1a32dfff61898ed9b9958b9338ca1cd165a79b6f5cacc6cd994cb376c1c29618

SHA512
1543ecd3fe365a0607c74c5b7e977f8cdfb19d1c4e3c83f48cb12132a92f5054078ea9b194d4ea8e02b1a086050f78420f32d23d977e0c8d7555251ec4c57c50

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
115KB

MD5
560bdc9f2c53c7de1ce35ceb5c10a40d

SHA1
c08feb7634f2824e6e6176d6c80a98520dae7a66

SHA256
3c9941bb7943b12c87d08dedb8ff795e88f5fb42af0c4bf772c1c86091c0c9e0

SHA512
a3f8483a855a5765c23b3d6252de3ca8c6552a825a7872c7cfdae889f760ee9b669388b085d99faa45fbecab45fbcb805cb2b1b4f9b0266c58804b5ab10948a8

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
115KB

MD5
1ae0d67aa45b9f541f22f29568d73c58

SHA1
1dc39a5dea5ae3f1563ad5f19ee927d96ee70c3c

SHA256
0ffb15fb7654dd7bb1ada349fc1dfcf765f61e447224e8aea6403cf904ba90a3

SHA512
c5312b7d78445eacc2480e37e7395cd3a2d9c43d1730800aa2b52dc037174a81840f451f99853a27f81848b02c1ef2824136297217603711baf706a8276090e8

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
115KB

MD5
a44373bea7210a146ecf3339fbd2011e

SHA1
330e77885098a7c06086122d6491b423f80e1bcc

SHA256
91fec3df6311723a4a7f6fd0670ca2f34ac0fcf07131680e66969e0e3ba6d3d7

SHA512
4f3a91ae873cca03a633bf53cffcf13028e7d39db9c451a7bcab2859bafad251fef2c36e1222e09cf51c07e3b48b7b57e45b7d43dbf961009de4ceb13eb88925

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
115KB

MD5
9263db1de61d5db92d8d094845492f98

SHA1
cf0c0a3f23d08386f454863c0a35e0e429bd2f70

SHA256
b084922967bfc0e302c1e10f29d05dd7161b727d4f50c03851193094b6513988

SHA512
0db1b0b9b81928fe5e5d06a39cc23adf8c43e128904d2db22377b5567da2e3154948ce4ab33e96fc5dedf1c29761891c28d8d24cff22adf5c6af57a5ad9e645b

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
115KB

MD5
f31434fd3b257efe0794bd0446a0d5ba

SHA1
d5e4212dafceaecd60d68e3726afb4827ae27bf7

SHA256
b81368f08bf923912d4d7648a9980c49e206c2142615ead61b27e5f523f910f4

SHA512
e506c42b9212cd1a543ec95e4b5b5753cbfa3817c13a25bbab7ec5dbfae2130cdacd9b8a3e971559df0f08eae71ea1d3583219811c13d9c38c8424d747eab76e

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
115KB

MD5
bb9472faba2b6b6d61c76cec36183535

SHA1
28c498c9ad33317f498adfd70368189d70c73a86

SHA256
b967e98b6996cdef555256db3f8b978e05b331598abec00ce5f3ac8bd4aab5c3

SHA512
7989238140cd09fb5a2778a6b78939acf5d3b20b7ec369e9e9077378a99896af434b67ca1543d6cbc94e2628257bee4de4fcc1e523e35aaf6a0cffd09b742b1f

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
115KB

MD5
10d7ccb1539b57c6e8c65e1102cee145

SHA1
7aa92582ef1aeeed39b2f42951e8ffaad8ea5f0b

SHA256
01461b999675cfadd47aeec70483d0c299978f56a4290e131df7ceea734258cb

SHA512
a62ea6963ab20e3cff7d4a0ad926e4311c30f7f1814df709c0961e9408745ad24ea25b7f5755924b1e911c2be2294315f8ba16c46031a572f4561c8807b019ab

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
115KB

MD5
85d8daeb8ecd405e13445520a69ac989

SHA1
1bb716a55ba0ac01c4d2d22ec8d2c68a49377e3a

SHA256
382c96abba9fd65095a3db9a55ad8951eebcd9547eb5bf18164f287b0e4c8c98

SHA512
ad917239fccd85ea5ae6bbc11090b069bb69322fef0b2dbc4dc8c7c344a12fe73aed8e53b76ea4cd480ff78c087346b5bf5d7913faf3e93bb705e24ede4a6774

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
115KB

MD5
ff1ce8adbf69fdc40f3f31af4aa3cf86

SHA1
c406c777146d21bc61e2b69ef05b3b9136d7b01c

SHA256
1f243ab556873c9c2a4c9ce0db54d8ed6a420bc7d649abaeb6a619b080462bca

SHA512
489a42aa815ef4cd635d11dd18c1d50ad021f03773d9a888f49d46ec5cf4eb67cb27f3c6e5d7b77f83571dd60f735417a79802c39c3fe5475221ec9ee5ee2f4e

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
115KB

MD5
3c53c96bb264b9b64e45a302a3393027

SHA1
9ed25b4d857cda947b56e1c94948d710c8ca9072

SHA256
abf708059d1707112995f799502fbde0719755a6939f3238c16ff1b9a6fe8871

SHA512
4c1c1f7cfe1bf99edba9efa87d471ead4c42af7b90d1349d4146ff94a0411bd202c61df775a2c84905768d2b56f1b8755b4433a0f9021894d4b4c11942abcf01

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
115KB

MD5
1c259f308b8474b11c90be6cec13f7a4

SHA1
d1d659d9858fe021be3eeb51742aa47324d31c7c

SHA256
365b7be227ecd4d5d91ec248363e89bb95835a8cf928d5e79988ef969a77793f

SHA512
7cc03883b6c4c4fcc6588bb6078ba5fd4c631ce9b75f61cdc07ece83ad4f3800593e8e1bf4b136c661e6dca7f48f2f669378d5ad323f49574092d6f016ebc132

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
115KB

MD5
c077c833d4d835c3e93f1ccff964c5ac

SHA1
904aeadfda02015528b250907c6e01f12c626e5f

SHA256
10a3b731c75d2fd7486caa18ae00bf74b49ebe60e691644d918b3e66924a22e4

SHA512
9dcc78d643ee25e87b2d9ba8ebef7d8bd3f3cac57e5d91ee21dbe09bdeda2efd823e5d785f35410ecf14192c972331e08016b7e30992c6257da3829da4d9eb64

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
115KB

MD5
453d6b479c54f59ae2faed07be55e52e

SHA1
139b9d01118f1fd405cb72d636d15bc7e0351d8d

SHA256
f607710475e83a68c3d21d9080c798658e68bc3b94e6569e15a2b05a4fcb4b7c

SHA512
6891b00b071343c58c6956f3e4eefc67dcb2312b47a9d49f1b70e66faca8e216aee331e441c47f1a50a5183524cf368b732fe2e85062aec7dda9a5fbac1f7029

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
115KB

MD5
bb33e649605ce772f8b7cf3b45edb752

SHA1
b107b5dab56dd901eb553988836acce85363165e

SHA256
fef49e4b07e1ddda42ae0df0b62da27f6e1e65cb87c2d6d49ddad79217dbd853

SHA512
41633d78b1abc7fcaa9d14659a6070155b69b52f6295cdb58fb2dc53f848345b1e49db79dd6faa46137439a7f04f419a5ec208d9365bca2d6edd40495d4051a9

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
115KB

MD5
f75716624d438fb394a74dacf4827130

SHA1
f2fa38e8f52d4e3c0f16c2e6fbf947470c90e374

SHA256
11f6948f1ddac04fd19d6dae749f41fd04b1a32992dc4640065f417f2fa1206f

SHA512
d4ac2a8f84f41921a984d56f97bcec4939156bb24327f9dcc759f2d9afa9aefe72d1a578b3388f6328ead2c424fe6968dbcdf3727abeb2a93d03478eabce0b68

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
115KB

MD5
d7ebb4a6f7c9927c8a141ba21761370e

SHA1
4bfa46958ab04aeeb14ce78fc227c577a866e1ff

SHA256
e10b5199878a18e0f5ab0dce4a113370d34ad6fff9419420e1cc2e839b1f2dad

SHA512
61f4949b8f0b96e985df5d2ecfe4630a723fa9762721ff6c461df4c10d3bbc9a802b7166d9231e8d06a1b30fa6a33c098fd995492e6ceed956333dafe32ec281

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
115KB

MD5
379b46fbd2e4e494522a775e5643c13f

SHA1
39741156a54a20c4006837010d471f6ed5f72f99

SHA256
e2a3d376966e37ee32a646dd6e97971911c0229dca65b34cef9e2bba0d415233

SHA512
f48a3e1807ec45387ff7163726d200e7da35aa1baa91b6cf394e63573258e6b0f585fb2ac4e26f9dee4df07680149a57053708d0ffa919301342e8174d602920

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
115KB

MD5
b796201b9132039cb38c3564b6d25360

SHA1
e669dc3721f66729baef7acf04d935721cc0a6d4

SHA256
e3de6c6f8098f5b94228bfa559dbb6aac63c5e3a0914f7d07417afe40b65d401

SHA512
1170625266686fa39e0be79f434b1689285ffa6814acc6b6858935817d383e68b9f9463750afaf6ac0e0c153a311a59fb9424f16604ede533cbf5ae96e4f8cbc

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
115KB

MD5
9acf982683fa55de873a60425bb77db1

SHA1
4ff79eed49201815d4beefab1098226c44e54cec

SHA256
2c93c8c5ed0a0e080b7caa8929301676a84379dd0813de14e79c03e717e92eee

SHA512
f32aa0963cfffb63e6e0918a5ea7fb2071517f760e89da4cd802202d7dc7018848c074bb1774a81e4ca696c944ffa3b6878aa1316b4a4d3d42db60992c3e1c30

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
115KB

MD5
bd78bde7351280b6186e8a2b237ff509

SHA1
4253c4149f2e5b722b584df93453960a4c9a2c6c

SHA256
e59406fbab40729235545a4bd8a75c98a202095aba2da64b2b3f919074add698

SHA512
faeae77112949c79049a94b3d22a64ecb54c780d0ae154fcd701318dcc52af734536dd89130a5c9aeffdc16cbc7e61a948cd8edc1582d8f8b76902c7c3d1ff7e

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
115KB

MD5
34ea0c7a164a69ac9eda23bb6c09eb87

SHA1
c253a376724c3bea0243a3a4667428e757b2c606

SHA256
93c577a7ce8598f6b0c68463c5609d68bd08dbacc3660d6e7860c645988bf8f0

SHA512
dfb81f93f929b105a181f335b2508352e063e85d81a6918ef56bfcc502aab9c87d87ae50c262708afe3ecf3b68d4f3caaa1421c974e3496a49bc42b6dd44fca1

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
115KB

MD5
a1656d4c136a09157d872264b64a0c95

SHA1
f436d6d4c716cf4fd46ee087cd72ab96b8337721

SHA256
eef3bfb23cb8bbc58595107141510c3c57bd40baca998d44583f8daf9570e6a4

SHA512
31834a35ec195e4ec3029345f2f110ab25d28901c88ad9f28ea8f0fa3e63d905473d0e733cc6cc5396819a15d6680bde6ce3865274d19dc397ba99874ee39f11

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
115KB

MD5
397c3757442c3df16c5a60a3dafcb752

SHA1
37684258a133c46a7e1d87c53a696275ad916cd1

SHA256
a79ce02c703af301df32f886e3df55905269d2498cdd13c1b7994599982e6d28

SHA512
e0009a147ff54295192b86337557825d31b8be35b0b217d5fad75bdfe82d4823e8bcda33f568a09cc3c39a0d6d3141dacd784e13f3f389d562f2ea0c077958ac

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
115KB

MD5
290d596302d5fb8da299bb0f7979ec7a

SHA1
d9eb1d2bf96e8604d2d2c9de1489157df6ec6737

SHA256
80c838697da17e4e710e29748cfb9e4f52b81938b6ebef938d38cc90bfaaeee9

SHA512
36c7741dc708ee21568dc558492fbff7904b663bde4746467f5a45beada3f91c244e5e57c71ed19575611b875274300e173c7d7476f028ce5736c7c40c81b28a

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
115KB

MD5
9a7d67cd4370139932cdb33a57e1c7c0

SHA1
7949e3e58c27d76d776ca9e76fabe86ef4d7e5ea

SHA256
b54998c54638dd48f0b65d648b456329bac1d151f51f2cfc5122ab2ac81ac042

SHA512
c0fbd8b2dca7167967fc6d9c9dfa87971f8f15e0fed7778839fbb653bbef7336b7e27eda83e112758d643ccba3c3f2d4e567cf889e249c740bd8bfe6448f1a88

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
115KB

MD5
270a757f49309d39ee5708b0c4874c12

SHA1
61a1dc23218d50e9b4c5b0f057fd81e68b758e9a

SHA256
7220f03a2f8952a974a26fbafde212c3082638daceb8aac1ffbe38ceab234af3

SHA512
80d1e73b80fb2054c4b22f317e8b8650be1e09ca2c7f184be478080ab3d6dea227dd4c206205ffebb5cebbf8c9d83720f991cbeb9cfaf1a6fc237c9552c0f989

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
115KB

MD5
9c819c6af105ea41d7d9de729eee0678

SHA1
916dd838de6f7c2fb53d18d93aae57bac30b8f46

SHA256
1b8feaf52d3ec98c14f9fe476c0c555bc260381a3a0895028155ed8764fff5e4

SHA512
a9b870870ecf569c77e16a0e12e8b83724561cebb7a41181d810ae962e1dd84df67a49353bb3bcec451ec5496078b17ddd49772cf197ce7415b6bb9a529a65be

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
115KB

MD5
2321cf92a03d923b51c710edeb15f885

SHA1
5e25856d6b2a9fe5bca9d71d0440ee38f60d709a

SHA256
84835b57b4d8c2d76f39ab4b9f1710bfa81253d23fe80a5aa146fa4d2e8b8e16

SHA512
f9594162be9728dcd27d06382b03ba99028ecb4459b17e0fa1e8b702905e3a0bc16c9617004c233df5f0b9a214f1c1bc0ab29e318b3956758d7f80921d542781

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
115KB

MD5
f0bb4b53e6a8da22a8b091dd3acdd816

SHA1
737c31f0e8166e893e50736a87a8c6b3ebbad36d

SHA256
64a651225c612f0dc453d24d24e8cd3ecf8af825dd2cf25ecaa1460944a8b89e

SHA512
c39886c40a1964000baebfaebb603a7704f719bf3546f6a89582e0455c0135b64a4f2390d3c504c0f017930bd68a13903e65de9f3776ac7c38979551f8d3b7df

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
115KB

MD5
f2959581c1afa27d9d87a1beef7e247a

SHA1
b719ed138b7080090038c042547d89ce2cfaba06

SHA256
64d2b40ffd4983e56ece9f4f6ebba2e2c63ac7232bf96440fcc7694c091faa77

SHA512
3c9d3ca9634ccaafd552705e9de60236bd70ff5cecf47c5227c6a11f1ee6d678b47d91634cd2e32169dc91c96cc6f7c9c90162ac09ab3504917806ae44141c71

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
115KB

MD5
cdd9661d45fcef7e19b5b0f09b18ec83

SHA1
37d42557bb04ff134be779e70bf703669c475b6f

SHA256
c0819403c095b01826dd54c0546c318b7471f62da29461495b60ea1b935db894

SHA512
6379c1f2105783eaf404ea6d3f7e29ca189efd1cceed3926da110a3643691f7f5bddb65b99cdea3860e7476aa524f92271ed3c921073d1083a65bfdbdad304b1

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
115KB

MD5
4c7b931535953ba73241716f20870bd7

SHA1
bb77419847963539c76c9c5fe8daba9db1c4adf9

SHA256
bed3b33bdc18d54724c81d8d9af64d4298ce6f64404cd85f5d54741100843e58

SHA512
7d1819376478d1155fcff5fc1084526ab6bfa1c66d5b7872b20506ea6549d220338ad9bb300fe9c75d0ff9ec1921656db2dbc75f2c9dedae5433fc96184b2332

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
115KB

MD5
345e43b72ad0d4c3b8f82ad39f93b456

SHA1
cac41eda31ed379fd505773dd4137887b4f27615

SHA256
bdc64fa3de0ece0aa748a07dfbef97566e5cb1c99be7c2df76b3da72fe534ab1

SHA512
a9cdb68de83f8189b8d3303aee1114e3ce9db901a136172bbff4c7321ea4b0f92f73e785c259566a8626ed8fb5df7cfda8d3369c5b15bc2287514876d83d50a3

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
115KB

MD5
d564734037ebfefcfd741a0941e37dd3

SHA1
a1d45f2012b5e8487ce9781b82a2e37df33d6bce

SHA256
1f2db193b71671b6fcae9ec493b8fff8b6d9332395d04f9de55c31215e5740fd

SHA512
d196c3a4743a2532008b6b7e71f9a9ff4dc7b22c5104cf1191e344a62a8833491c90836125d55de43a31d4d4cea08ce3d17a03e9f5f0a057aa24d2f410ce8f60

Download Submit
memory/224-205-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/412-241-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/436-558-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/436-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/440-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/532-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/732-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/836-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/860-552-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/900-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/964-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1036-263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1064-479-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1080-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1420-573-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-598-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1704-455-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1716-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-580-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1928-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1932-113-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-257-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2092-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2120-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-193-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2216-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2312-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2436-275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2468-587-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2552-566-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-509-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2708-425-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-593-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-49-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-586-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-217-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-539-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2948-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-525-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3104-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3148-407-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-465-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3240-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-533-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-515-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3492-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3632-185-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3644-354-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-253-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3760-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3840-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3840-545-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3840-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3900-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4172-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-565-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4300-473-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4308-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4392-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4416-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4468-497-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-546-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-145-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-572-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-25-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4660-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4664-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4728-437-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4744-443-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-579-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4852-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4884-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4908-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4924-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4964-503-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4972-209-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5020-527-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-563-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5116-491-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads