b73085bf62875588d924ee64bf9ce737132705050161b2442f8572c7181cce19

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a004c013a52e176a0a3d197e35b63230_NEIKI.exe
Size

844KB
MD5

a004c013a52e176a0a3d197e35b63230
SHA1

48554a9c036f0dd518f08cd20c0d26b5cb261153
SHA256

b73085bf62875588d924ee64bf9ce737132705050161b2442f8572c7181cce19
SHA512

af8075f656865798db4b82f91095d7a0fade7a56673ebff094786620db5ff3d4dd16f9aed914b4a0f4cee71204912742f01db6ccd6b8746d008f83adcb1088fb
SSDEEP

24576:wziH5W3Tnbc53cp6p5vihMpQnqrdX72LbY6x46uR/qYglMi:nH5W3TbGBihw+cdX2x46uhqllMi

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eepjpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icplcpgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gofkje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a004c013a52e176a0a3d197e35b63230_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe

Malware Dropper & Backdoor - Berbew 50 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000600000002326f-6.dat	family_berbew
behavioral2/files/0x00080000000233ef-15.dat	family_berbew
behavioral2/files/0x00070000000233f1-22.dat	family_berbew
behavioral2/files/0x00070000000233f3-30.dat	family_berbew
behavioral2/files/0x00070000000233f5-38.dat	family_berbew
behavioral2/files/0x00070000000233f7-47.dat	family_berbew
behavioral2/files/0x00070000000233f9-54.dat	family_berbew
behavioral2/files/0x00070000000233fb-62.dat	family_berbew
behavioral2/files/0x00080000000233ed-70.dat	family_berbew
behavioral2/files/0x00070000000233fe-79.dat	family_berbew
behavioral2/files/0x0007000000023400-86.dat	family_berbew
behavioral2/files/0x0007000000023402-94.dat	family_berbew
behavioral2/files/0x0007000000023404-97.dat	family_berbew
behavioral2/files/0x0007000000023404-101.dat	family_berbew
behavioral2/files/0x0007000000023406-110.dat	family_berbew
behavioral2/files/0x0007000000023408-118.dat	family_berbew
behavioral2/files/0x000700000002340a-122.dat	family_berbew
behavioral2/files/0x000700000002340c-134.dat	family_berbew
behavioral2/files/0x000700000002340e-142.dat	family_berbew
behavioral2/files/0x0007000000023410-150.dat	family_berbew
behavioral2/files/0x0007000000023412-158.dat	family_berbew
behavioral2/files/0x0007000000023414-166.dat	family_berbew
behavioral2/files/0x0007000000023416-174.dat	family_berbew
behavioral2/files/0x0007000000023418-182.dat	family_berbew
behavioral2/files/0x000700000002341a-190.dat	family_berbew
behavioral2/files/0x000700000002341c-198.dat	family_berbew
behavioral2/files/0x000700000002341e-206.dat	family_berbew
behavioral2/files/0x0007000000023420-214.dat	family_berbew
behavioral2/files/0x0007000000023422-222.dat	family_berbew
behavioral2/files/0x0007000000023424-230.dat	family_berbew
behavioral2/files/0x0007000000023426-238.dat	family_berbew
behavioral2/files/0x0007000000023428-241.dat	family_berbew
behavioral2/files/0x000700000002342a-254.dat	family_berbew
behavioral2/files/0x0007000000023432-275.dat	family_berbew
behavioral2/files/0x0007000000023444-329.dat	family_berbew
behavioral2/files/0x000700000002344a-347.dat	family_berbew
behavioral2/files/0x0007000000023464-425.dat	family_berbew
behavioral2/files/0x0007000000023472-468.dat	family_berbew
behavioral2/files/0x0007000000023476-479.dat	family_berbew
behavioral2/files/0x0007000000023484-521.dat	family_berbew
behavioral2/files/0x0007000000023486-528.dat	family_berbew
behavioral2/files/0x0007000000023498-587.dat	family_berbew
behavioral2/files/0x000700000002349a-594.dat	family_berbew
behavioral2/files/0x00070000000234a4-628.dat	family_berbew
behavioral2/files/0x00070000000234a6-636.dat	family_berbew
behavioral2/files/0x00070000000234ac-656.dat	family_berbew
behavioral2/files/0x00070000000234b8-698.dat	family_berbew
behavioral2/files/0x00070000000234ba-706.dat	family_berbew
behavioral2/files/0x00070000000234c6-748.dat	family_berbew
behavioral2/files/0x00070000000234d2-789.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2460	Eepjpb32.exe
4464	Fljcmlfd.exe
4592	Fhqcam32.exe
4900	Ffgqqaip.exe
1352	Ffimfqgm.exe
4420	Fhgjblfq.exe
2356	Glhonj32.exe
3096	Gofkje32.exe
4720	Gkoiefmj.exe
4228	Gbiaapdf.exe
2164	Gfgjgo32.exe
1548	Hcmgfbhd.exe
3200	Heapdjlp.exe
1292	Hmjdjgjo.exe
1384	Immapg32.exe
4512	Imoneg32.exe
1908	Ippggbck.exe
3512	Ilghlc32.exe
2868	Icplcpgo.exe
3412	Jfaedkdp.exe
4816	Jefbfgig.exe
232	Jfeopj32.exe
3812	Jfhlejnh.exe
1772	Kboljk32.exe
1560	Kpbmco32.exe
1568	Klimip32.exe
1716	Kdcbom32.exe
5020	Kpjcdn32.exe
4544	Kmncnb32.exe
2484	Liddbc32.exe
4496	Lmbmibhb.exe
4600	Lpcfkm32.exe
668	Ldanqkki.exe
3212	Lgokmgjm.exe
3908	Lmiciaaj.exe
1584	Mgagbf32.exe
1540	Mpjlklok.exe
2788	Mibpda32.exe
4328	Mlampmdo.exe
4384	Meiaib32.exe
2668	Mmpijp32.exe
4896	Migjoaaf.exe
4448	Mdmnlj32.exe
2216	Menjdbgj.exe
4444	Ncbknfed.exe
908	Nngokoej.exe
1692	Ncdgcf32.exe
1364	Nlmllkja.exe
3588	Ngbpidjh.exe
4640	Ndfqbhia.exe
4856	Njciko32.exe
4400	Nckndeni.exe
336	Njefqo32.exe
1924	Oflgep32.exe
3228	Opakbi32.exe
4540	Ofnckp32.exe
3040	Oneklm32.exe
3860	Ofqpqo32.exe
3696	Oqfdnhfk.exe
2308	Ogpmjb32.exe
2012	Onjegled.exe
3400	Ojaelm32.exe
3548	Pqknig32.exe
3128	Pfhfan32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hcmgfbhd.exe	Gfgjgo32.exe
File created	C:\Windows\SysWOW64\Npibja32.dll	Ilghlc32.exe
File created	C:\Windows\SysWOW64\Jfhlejnh.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cpaqkn32.dll	Eepjpb32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Gbiaapdf.exe	Gkoiefmj.exe
File opened for modification	C:\Windows\SysWOW64\Ippggbck.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Lhclbphg.dll	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Fhqcam32.exe	Fljcmlfd.exe
File opened for modification	C:\Windows\SysWOW64\Ffimfqgm.exe	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Hcmgfbhd.exe	Gfgjgo32.exe
File created	C:\Windows\SysWOW64\Choehhlk.dll	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Ffgqqaip.exe	Fhqcam32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Fhgjblfq.exe	Ffimfqgm.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Ilghlc32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Kpbmco32.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Hmjdjgjo.exe	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Knkffk32.dll	Fhqcam32.exe
File created	C:\Windows\SysWOW64\Gkoiefmj.exe	Gofkje32.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Oijgnaaa.dll	Ffimfqgm.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4388	956	WerFault.exe	194

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghlmgij.dll"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Choehhlk.dll"	Heapdjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a004c013a52e176a0a3d197e35b63230_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll"	Hcmgfbhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2460	5032	a004c013a52e176a0a3d197e35b63230_NEIKI.exe	79
PID 5032 wrote to memory of 2460	5032	a004c013a52e176a0a3d197e35b63230_NEIKI.exe	79
PID 5032 wrote to memory of 2460	5032	a004c013a52e176a0a3d197e35b63230_NEIKI.exe	79
PID 2460 wrote to memory of 4464	2460	Eepjpb32.exe	80
PID 2460 wrote to memory of 4464	2460	Eepjpb32.exe	80
PID 2460 wrote to memory of 4464	2460	Eepjpb32.exe	80
PID 4464 wrote to memory of 4592	4464	Fljcmlfd.exe	81
PID 4464 wrote to memory of 4592	4464	Fljcmlfd.exe	81
PID 4464 wrote to memory of 4592	4464	Fljcmlfd.exe	81
PID 4592 wrote to memory of 4900	4592	Fhqcam32.exe	82
PID 4592 wrote to memory of 4900	4592	Fhqcam32.exe	82
PID 4592 wrote to memory of 4900	4592	Fhqcam32.exe	82
PID 4900 wrote to memory of 1352	4900	Ffgqqaip.exe	83
PID 4900 wrote to memory of 1352	4900	Ffgqqaip.exe	83
PID 4900 wrote to memory of 1352	4900	Ffgqqaip.exe	83
PID 1352 wrote to memory of 4420	1352	Ffimfqgm.exe	84
PID 1352 wrote to memory of 4420	1352	Ffimfqgm.exe	84
PID 1352 wrote to memory of 4420	1352	Ffimfqgm.exe	84
PID 4420 wrote to memory of 2356	4420	Fhgjblfq.exe	85
PID 4420 wrote to memory of 2356	4420	Fhgjblfq.exe	85
PID 4420 wrote to memory of 2356	4420	Fhgjblfq.exe	85
PID 2356 wrote to memory of 3096	2356	Glhonj32.exe	86
PID 2356 wrote to memory of 3096	2356	Glhonj32.exe	86
PID 2356 wrote to memory of 3096	2356	Glhonj32.exe	86
PID 3096 wrote to memory of 4720	3096	Gofkje32.exe	87
PID 3096 wrote to memory of 4720	3096	Gofkje32.exe	87
PID 3096 wrote to memory of 4720	3096	Gofkje32.exe	87
PID 4720 wrote to memory of 4228	4720	Gkoiefmj.exe	88
PID 4720 wrote to memory of 4228	4720	Gkoiefmj.exe	88
PID 4720 wrote to memory of 4228	4720	Gkoiefmj.exe	88
PID 4228 wrote to memory of 2164	4228	Gbiaapdf.exe	89
PID 4228 wrote to memory of 2164	4228	Gbiaapdf.exe	89
PID 4228 wrote to memory of 2164	4228	Gbiaapdf.exe	89
PID 2164 wrote to memory of 1548	2164	Gfgjgo32.exe	90
PID 2164 wrote to memory of 1548	2164	Gfgjgo32.exe	90
PID 2164 wrote to memory of 1548	2164	Gfgjgo32.exe	90
PID 1548 wrote to memory of 3200	1548	Hcmgfbhd.exe	91
PID 1548 wrote to memory of 3200	1548	Hcmgfbhd.exe	91
PID 1548 wrote to memory of 3200	1548	Hcmgfbhd.exe	91
PID 3200 wrote to memory of 1292	3200	Heapdjlp.exe	92
PID 3200 wrote to memory of 1292	3200	Heapdjlp.exe	92
PID 3200 wrote to memory of 1292	3200	Heapdjlp.exe	92
PID 1292 wrote to memory of 1384	1292	Hmjdjgjo.exe	93
PID 1292 wrote to memory of 1384	1292	Hmjdjgjo.exe	93
PID 1292 wrote to memory of 1384	1292	Hmjdjgjo.exe	93
PID 1384 wrote to memory of 4512	1384	Immapg32.exe	94
PID 1384 wrote to memory of 4512	1384	Immapg32.exe	94
PID 1384 wrote to memory of 4512	1384	Immapg32.exe	94
PID 4512 wrote to memory of 1908	4512	Imoneg32.exe	95
PID 4512 wrote to memory of 1908	4512	Imoneg32.exe	95
PID 4512 wrote to memory of 1908	4512	Imoneg32.exe	95
PID 1908 wrote to memory of 3512	1908	Ippggbck.exe	96
PID 1908 wrote to memory of 3512	1908	Ippggbck.exe	96
PID 1908 wrote to memory of 3512	1908	Ippggbck.exe	96
PID 3512 wrote to memory of 2868	3512	Ilghlc32.exe	97
PID 3512 wrote to memory of 2868	3512	Ilghlc32.exe	97
PID 3512 wrote to memory of 2868	3512	Ilghlc32.exe	97
PID 2868 wrote to memory of 3412	2868	Icplcpgo.exe	98
PID 2868 wrote to memory of 3412	2868	Icplcpgo.exe	98
PID 2868 wrote to memory of 3412	2868	Icplcpgo.exe	98
PID 3412 wrote to memory of 4816	3412	Jfaedkdp.exe	99
PID 3412 wrote to memory of 4816	3412	Jfaedkdp.exe	99
PID 3412 wrote to memory of 4816	3412	Jfaedkdp.exe	99
PID 4816 wrote to memory of 232	4816	Jefbfgig.exe	100

C:\Users\Admin\AppData\Local\Temp\a004c013a52e176a0a3d197e35b63230_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\a004c013a52e176a0a3d197e35b63230_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\Eepjpb32.exe
  C:\Windows\system32\Eepjpb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\Fljcmlfd.exe
    C:\Windows\system32\Fljcmlfd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\SysWOW64\Fhqcam32.exe
      C:\Windows\system32\Fhqcam32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        27⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        30⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        47⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        54⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        57⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        66⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3736
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        69⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        70⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        72⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2320
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        74⤵
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2872
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3260
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        81⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        85⤵
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3652
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        89⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        90⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3160
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        92⤵
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        95⤵
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        96⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        98⤵
        Drops file in System32 directory
        
        PID:100
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3332
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        100⤵
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        105⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        106⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        107⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1048
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        112⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        114⤵
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        116⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        117⤵
        
        PID:956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 408
        118⤵
        Program crash
        
        PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 956 -ip 956
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
844KB

MD5
dd9c65fe80f1ffc999a14f45c57868ce

SHA1
63ba8ba6dae92a3f515d03e13bf9906d7fd70fec

SHA256
dba1281de32487b980ff9aff65c041413b2ce64825854cea52cf0da3b0344948

SHA512
a062a762c5b2e90c6b5be05f79fc5965866d635f8a8ffc78269b2802ec42ed4af0b649d992b45c140b789772d6f37df7e897888f0863bcbccb76e05d8f3607a8

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
844KB

MD5
7fdacd98812efdca033f9cea982ec7eb

SHA1
a061e3aacea3efa19849695b931071926a08265e

SHA256
93bf5199a9f5aa1b8a6af8eecc61d31d27e13fc3bafba323412bbaa4048cba6b

SHA512
00a8b4399210eb372a59b4d8d6df848242053136e995d851ad9c83aea6e6f3fa9a511bf359682f1735ed095cec47973de3c0c4ad366098c6bb9ac63d95a136da

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
844KB

MD5
9b8e0ca143b48380d10bff78fe01e15a

SHA1
328891c3961ee6c56774aabfa5986f996d3e2657

SHA256
87847bddd0893e97557f46ba3c940e63a5fd92bbb7cc4f19f35e719c4aff897c

SHA512
16ddeba018576dcbbe9a15a1487869d9bef2870198eb7cc1d8cfb238d80cb35d3ecd1f861f29b5235ed1080e8afa1fa9597b968277ca7901e94c3b32ce8bb822

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
844KB

MD5
373081dd539015d5a6d2b8b39ba6cd7a

SHA1
72bc13ace9c86e3139928203c0a6bacd79c2f0f5

SHA256
d7b80271d6c0ef88feef3c9dceb2be0695880545c0fae71568f421b47b355732

SHA512
878e1015b3e573972ea95bd047502f59e57b60886a1494bc948a81cfb4b3e3457c60dac708eab1b3cabafabee3a2061d41042435ff9036e702ec08861541cc2d

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
844KB

MD5
39d25bde0d4ebb02c3a5ee9c2439fd4a

SHA1
edacdb6137fc70feea2cacd516668bdb1378d715

SHA256
045ca1b920128d15341292dadcee841d5ddbe47a18e53354b6b051c5ed654c74

SHA512
7506bce5825c4abcbed078498398af28cbccbae73691193ca5b374447cb46c553ecd9a8466e7cff89e70070eea474379dde0912635574e766f8ff1c2a5c54691

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
844KB

MD5
fb2fe5c59c51e145805ef293eb2e3d0c

SHA1
0e504b51c72670881130900cdbdc5bea44bf59d2

SHA256
4ab68221bd0c4d85a73502f7a205a9cf9ff33933510de206470d1c520b10504f

SHA512
e500b06439aea67acc947b8b75ec760360a7923f3021d835896052d6a953a891a0df913a3e33689015b24b32f387c9f44400bd3acf795df32d2ba8b5528e883e

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
844KB

MD5
2b5bcbf8a8344071873df62e52476b29

SHA1
bf49397f59ef26fd55f23ef04c3bfa39ae4f6615

SHA256
747784687a4e5ec0c1b14e30670d7151d0f9e4072317a9542789bd0706834bbd

SHA512
06296bf47f48558fd675474af1d65b3aa6ad567c0c80b9af5a140f4c8e3c7ff650acaa2e6bbb7118394a09aebfbf0899be81d2d03c1a73527663a7c49493d59d

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
844KB

MD5
ea5565f6d32c4277cd88ca460059e907

SHA1
42f71777ae3f0b552aed77604dca443e417121f9

SHA256
66a29ec71205d78eabde71afe267f6f4717906c1921c7e8a5c386d7d8e4e7a1f

SHA512
c43552e71e44a5a273f52cadfbd522be03aa73d75f653b884b4bd60be63e5f2d36acac762813068dea5e10d6ef906120dcbac53652fa19dd1ab8d82eff61ccc5

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
844KB

MD5
58e4244a08f4f4294fe9fcf7f6e37ad2

SHA1
ef233abff67b6c2720c1fef0b6a79aad9891c2f3

SHA256
6fc0be833ab0e0df7118c17f58474c81883846e081b8fd1e1010418e4ca4df99

SHA512
b5b63153b4d8946cd13d669b2ebd105f2ff954ba9474f5c215aac0da25c28e5f659babec2679fe126cf837aafc9963148fec5016135e086fc6f4deaee9198ca8

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
844KB

MD5
b94b87abf61b27249971e9ba62d21d9c

SHA1
ad66052441148e564f4ad551e1371abf6590af19

SHA256
4ee9ede6d04b95d3a42afaea7cd13ccea70c8f2add62c57f9c4601960bbe65cf

SHA512
33c3ada057a5ee2660b8edfa05db4df5228620e0f58d475fce8e38b1186c7a807ebd51235f252670d01332a63925ac746436c94d6dcc9eb916c23119fc3cb46b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
844KB

MD5
97e59ce08429ed67bbeb90ee13e83254

SHA1
1f5dd8e44a05892ee6e88c2f2da2d6f1213861c2

SHA256
567b6e322d44f5d6d26a4ab90eb6a5bb0fc0beb64c084390fe542878c6f29162

SHA512
17559f49768facbfab4437f29721f9bdedc7beb24c8346d79067d252323ad95979b0cc6ae46fa3059d41c20a2a16af628cea6c5e0853dcf9a235cdd2ad82598b

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
844KB

MD5
efc399f95789945a9871d468bfdfd441

SHA1
eabc7f8ab859c0efc53d4b30395943aa4072c690

SHA256
d1dd8ab685178ead81be9c6ff8cb6a4e1cdf998ca9849549cddfb41598f124e2

SHA512
e711e5d163ce3b88aa7a368ebbb0391a9776ffe4ec5d000b95aac70144b2e093075b1a1c6308626738928cb17ebc4d68aac450a2e6c4db02379a85d179a056ab

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
844KB

MD5
3346149d9ea54dfcaf6cfb16a72bab4d

SHA1
ded8c7e2975f07b9eeb87e33a24bc494e9f2d3d5

SHA256
7bac0f01deafd59c840f0dd1c1b98978dd788b93ab28975aba37c5ad26b72bdc

SHA512
3e0bb4941ca5738117dbbd01b110628c776aa3bc2457c850916893dfe585a3b086a09e098a30a5580ec2b67c2838e39c144d9c657026cc8ed4da9b4084130c1d

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
844KB

MD5
cc8e1c1402bee2c6c3ac381ce19b982d

SHA1
a29ce8200e3a6d110961b5ea66c5d899034ccffa

SHA256
9c709a77df74d52a84dedcf128d8b268bf4887c6d73edd2ff0fb23905f5fe292

SHA512
d5f47301286940e36d699a5f40fa022e38e44fb8ff46c1bc60e13c9f68545ba108542593d12b1a1ae45f9cb9ad8fc4111e8fcf5edd78ffb91cef4e81496529f1

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
844KB

MD5
be8e60d07aad30c16888fa7308ff8a91

SHA1
ae92152c98d234f18cad20de062af0b014c0eea5

SHA256
5548c94aa75ee1b7884096f52b81f905eecc9445e5ca14aad8187d4b1a7aad13

SHA512
45ac9a29bc08249e4ca82a15a954f84121ad23341ddc056f1a1225ad708ae4f30fe23bcc22d00258e64323f6869f2c7e90cd51bf87e40cd7de7f28c60fd88da6

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
844KB

MD5
72964d764062d9c9c4f9cd0aa81fda85

SHA1
af6cc20126f755a4cd080a73656a5686f051e340

SHA256
38309c730f65279741d3652289a3ecd940b47fbd806dc01bfa0f7540485c36aa

SHA512
cc80961f0b4d20c3d0742747f0faf265ad888d1d905afa07fc0479a37144a1c58713cb432a7cb6b54761718d3bdb4ac56e41a62051b27bc4895500c3acea09e7

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
844KB

MD5
01c8ac10effd2820aaf9db504538a992

SHA1
654cb739876fce84b45f789d35665b8e1abcf1aa

SHA256
2c560a60dc769106cc33dd5fbd10c257751c7d571b2274310b47f39363865af1

SHA512
b7c21af52a8d61342cef6ed42aa6b67a3eeb61d7e0ecbeb03483232ccaed3d7daa8e1807f3d91b1253fb51e1668e45d6a169340293cdd154b075d243b99d892f

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
844KB

MD5
cc4c101e3b1e01d65f6080d1d963f5d8

SHA1
3dcdd8cbb2e906829f8a6bb5d5b63d2bf8629280

SHA256
bc14a35cc6a160e1164c3cd79def83eb36dde2f622f7e50995132a6ac086da6a

SHA512
0ddd19dd9a52c778eaad6e0b3911e436d86cc5f2f40d50ffa086a6d75746ce69a2a18288a68f2b2a0fc8dfc27873af5cfee45ef6a83948711f03567faec4e1a0

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
844KB

MD5
581d7b298d12f1445c056518454ec157

SHA1
28a5e81942a8d94325422471d1a611c9a88fda58

SHA256
ef549992a09e7a29e500c5d917aa661efe7ed1ead1a03f908f19cf6bed244657

SHA512
f16c23a78f29c670e9531f61a6ba20d778d7c29d3f933d1cbed7c77ae8bfa40cd5abbb5c33163a562441ac7cd2567cea45ac566a8ca2d9f0b94ec0ce345b2276

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
844KB

MD5
9d6417ce1345b09b31903ffaa6d0b4c1

SHA1
403d9cf428c3de29c7f64d11715ea6bcac0ac316

SHA256
28152a64459a550dc1b323b2099983bb8a776f47121f7ecbbb2185ecccb618ce

SHA512
2cf95839cc923d3d3ce9714381632fcaa5b004d1949e399fd249a0cd9f6156c4348f2bb6ed2e5769007d37fe5bb3d2241dbc40e15c1153207386cf017b72ba2e

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
844KB

MD5
00bdcb5c92436a08d17009fa160288ec

SHA1
7cc1054016794ea0c1df6582215fb2211108d547

SHA256
71627b266e5d1ba3ac72cf077ed34cc699a0c9e4fb6676bb5ea1023fb80d4c23

SHA512
e66d0bbe4053b84ed9dc55b9826f14329ca3cecbb94f99408ff6db9e8dd74d8707709b53eb2c5dbb7ac06b6834a00b9a7f088974b10d091caf50032eb77a3632

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
844KB

MD5
01cd09011413b8c53894a327e5c23519

SHA1
5582b86f87b192513e0c6a54dbebed60fe75155e

SHA256
d4549eba231dad91fa47581d7e5812d2a2517b6290fe02326f8f9843f4d18688

SHA512
530d95da133b3c50043afa959e5dd6ea97af58c784c4c100822f91f94c8197ccd812db589bfa3d5b17a47d4152f19ba345120ec27c92e088038f9b2fcd2d20e2

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
844KB

MD5
aa8a5f593a8618b13b1c876e8ee571ee

SHA1
6c617982a510a7b96e5354fdac5b9cd14581ff67

SHA256
2a9c9b435d3832d31bff299d88d4719ef07763158748a76cfb825dbbd90a35ef

SHA512
873a687ce250746cc8a98b2d5aa7857a0193308400d67394d9caf9532fdcec5a20658144f18aa5cb955f34e9fa3738e8314cec881f8b508371b13c8c8bca46c3

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
844KB

MD5
7c57a16ca421388bd170d6ce61b90200

SHA1
5f25aa29011ae59865cdbb8c08eb893af992634b

SHA256
0a24a2f0c4c5a9f276c6e282fa3b01011aa93e6f583053e621f4b1cfbfa6a4fa

SHA512
73120deb82e9428a42218299aaeb3477e9efe4b25e26a6c91ca4bcce4b962de4cb366d8be429d20bd5f6df645399b243c667808c53564ebd70fb47c1856998a8

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
844KB

MD5
636fde5bf242c13bb7e16c8698a5ad48

SHA1
523998fcb818203ffcc514dbc4f6d15530e80a50

SHA256
88dd10f5171deb12f5c88b2599c76be3792bfc4e765a88d2b8dd51a10757985f

SHA512
382ee5da619f1b62173570cf9d8c61858bff741a5dba58c578f291c2dc355ef2484e5863b9e43ab4f723f7be7dae42fdc53aa6850b7af4a57bfa718115e3d62e

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
844KB

MD5
844e17140cec97ad835c012add268291

SHA1
e90f7adb2c0ee0cf635f8cea5bb8eb9568fa84b5

SHA256
8319f63efae37ce238ba05bf2256ab614e03092ec2ad55128954a4905ded30dc

SHA512
7f05373fd7bfbe101720a43068c7cc65c683e6ddd01329fac438d6db5d0cb733b8c1efb6d2505fb846799f40be56e2fbb8287c6deb6e65447baab9847818a573

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
844KB

MD5
060c8fdb9980b230292b640d61a82cd4

SHA1
165994591a5471289d2718d1f44dd19511af4ee0

SHA256
9ad74a5bd57cba8c512546bff52241fbc117b0f3d739993aa667709a9bb25c07

SHA512
6fbb14b30bb259a6b635ebae8b3c08b258e329e01141e5cf3b1c784639481de34a35e69e3203ae62655c25bb66b1b927449e70d8ce19672cbb157b279c239db1

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
844KB

MD5
c1b1577fa44d51440bc20c009c291785

SHA1
df4e8d34c5b6b2946940ba840f2308d76445c0df

SHA256
3dda40efc9d4ce9f622106ecefc2cd3bdaf5385d9b6ba614b177ea7c9138d201

SHA512
b147d8728eb9266ea472182b57c90c3d4e9a325f9473afc0b78aee17951813071968b14c6da857676f63224eeff9b6bf7072f08ca509a330e642bd61b92f1d4a

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
844KB

MD5
0d188f41469ea99be0ca01d7bb7bc875

SHA1
d615c4570ae9f4e3c648782742115887657e79f2

SHA256
f9b308eda1e65500569a3e8a5c3a4923a976b7fde199596a172b2978f2eb3c9d

SHA512
83dbf20ec73ff23b1339df26ff7db0c71f9182b8b9cafdab5261005ac82f2ad6c11ced9e73128b3937d56fb3349b52c389a7157caeabe9b2f6009de09b18b22a

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
844KB

MD5
c1c3244628105499b84f384e86e5e273

SHA1
ff3facf2d5cb04e98896d453af903b062888b02c

SHA256
a15faa40c773c92736ed86e16646b72ac5ac9112372562e0e9d4646db9f300dd

SHA512
080dc0bdee49ea194340afd377233d2a608ea2483b162a38a5af16e4978ded7ddbad95b764b92081ebb678bce4c697d1e7403830694ffc9e9535f98229ee60e7

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
844KB

MD5
fcb9bbf68ec66c85f2f2b0b65e4ec8d0

SHA1
2da6e391500fce7a41350e42b7bb36a1b4b72e5c

SHA256
d7070a446ae5356b54ee938404c2937b905ba10ad5a7bf8d5913ee2358d2558c

SHA512
315a7e6f5b9a5f70fa203c564e87c10edebf47812be9d54ad5564caea347905307444366ab93694f6f08f20bfbfe44d255d556d7ede02d5a13328fdd1b5ff82f

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
844KB

MD5
2def581f33f626c4a3becf17fd9415a4

SHA1
c7fc6fe15d66800b80767a55c3dda5f21a8dfe4c

SHA256
89720a433b6b0ae0732ae5372bf170981d42f0d354a9da7d7e472ea0c3a3011d

SHA512
5c200c9c14fac286a8234949a41c62a3678190f9183b566dbb6341200f8ecd7842e0cf8bb99899d46241cc748b45076e1290521fb323565ec06b2fa605e32768

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
844KB

MD5
5d6f1484451355a57d57c02f85f1dc4c

SHA1
61e1dba6919c5bdf446c019b0891663e4626d3d0

SHA256
b24d2eca1a28e79b60f8a4f244a479902a33ed0e74105471f1b2fa307d39c603

SHA512
e05612afa4d93ecf4ab4f29615e70e7132d9106c88cb6b3e24f453c3ca2fed5fad87bcc02c7ac32a14569e203e97c51a4a62f778e1114e079f48abb8964c8113

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
844KB

MD5
4bdb71466e06638647f99da6bc330276

SHA1
3cdb5b78ffe1f9a22c33bc9da12041777b002ada

SHA256
5c0257821f73a9253824234fb0d691ed5eeb88729adac0c40fa1f0e5aaff8406

SHA512
7ef2336d5c938cb0b50f01128f986b751cf40748154cb7120d10db815a8956027f665b71690ef923299aef8ccababc80f8c1b73a52b5809f72a3d89ccf5126ba

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
844KB

MD5
6ac6fe1a27e97d9c8211b20316865807

SHA1
96837f754bdbf55f2bad86c48e615e2f8753cf6c

SHA256
c1db572f1000cee6dba39a5898884755fc031f54670795773fe51908c82a1e87

SHA512
ac3c06a156d60486cfd395baa79dfc65b701ffba8e1598a0d3adfbac5601c538abe08e10c6c0ad6db7994a9706569b203eb06b608684487c5c5902fb578905f0

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
844KB

MD5
c7fd5ab7e57a0dad6f0073358e7d17d2

SHA1
fd350eb432bebec683ffc2bc11e218e92fc1cb33

SHA256
9306a42945ef3e42a9ebb644e073ca5b5fb1d6474fcdd329051a3527969719ae

SHA512
aa9a46162782abd5fa84c01156c410c9807ce4b7b4ecf78b4dc2e396c10054f5af3c2ed0771478b32b61ffa8e6661cef422766e2fb0ffecb65d521b92ac14620

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
844KB

MD5
63a6549b497f9c9cab5728a89437bc9f

SHA1
d48202948462c92f355b78b84f2cf72e3fb92e2c

SHA256
ec1259aad622c74efdcdf29b1639c7341e6824956328af7336cfb6c9738a0915

SHA512
8f9dfae45abf8f3a713fbd7edd671ec2d9f164e5656ce785bbf8c110f1c21a5642929c3ea72a2cede918b26b35c0c92a4b13a3079a08086dc4a284ef80f213b3

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
768KB

MD5
845370a5d22dc6c2bbc8b42361aa7e80

SHA1
d2e70eff373c84bf18be106428072c02e56dbfd5

SHA256
ed43edc8d9f711524c446b73eb04f7888fb8f39f11b3ee7b1414be774c7c16eb

SHA512
92b203fea50f75cb4181ece2898db21fd4a3d131d3698eb0b6a05fd91510879c7ea0c78c9cbb7cbdd763b1fd89dc170cf24872a369828d3c2a501ea2be3385d5

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
844KB

MD5
50651bde0b7fcae36643c207ebcddbde

SHA1
932a9845936d00763ef9b517242d81d27e734ee0

SHA256
d1f551d4b9ef59cfba1842518037a8f6ce94315da3dc11c59b53ea37b86f7a06

SHA512
5460130471dd3ef0db1cd5650c714b567c28aed7c9586cbd2cc855adaf5a53950cf3b658bbbc6854199cd27afd499f87a0fa5be154abfbd8640df79d49af833c

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
844KB

MD5
6947effcddeb3307993639dcf1845018

SHA1
28e53453876ba4056e6dad1983368f5cb61969de

SHA256
7cef110f3545ecb73e338c73c0cbd277cc223400e46b97da2c8c36ade0b79c8b

SHA512
83b38270f313789db15694e2ce4cde7cad55ed6eea568c132e37cadfb7bef307b51c6952c61b6cbf767eacd7d9c17e11606f9120cb9ecb361ea68b54a7416574

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
844KB

MD5
680e0b5d853a2534dfb349058a32951d

SHA1
d2797af9be81dedafb74cdac8fdfea666d79515e

SHA256
26328e5b1dd9a7b0fed03beedb2d610d2f26313b36ce1d2ac14f00efb49e930c

SHA512
eaef1119e2fb1eb4eaee4bc2452aa9a1a1f817dfc925360205988f99e8b14e149f2cacd060d9e5cedd9a57b60f1e897c5b7d66ce2ba527ca9a480751362f186e

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
844KB

MD5
e5ebab6a8b04b790de2b8c1358513e36

SHA1
a29f292ee3fcad85fc96a17eecee11bfcb627eba

SHA256
42b4422c0cf4859dff1cc558f4141945320102bcbb740ae7f02153370a233f07

SHA512
e936f9a072ccc6853efd0faa95711665250988ef803f346dd3265053580066ec5281bba36f39b895dbaf3addc5f9dfdcd399403ac06887d7190873e5c62182f7

Download Submit
C:\Windows\SysWOW64\Lhclbphg.dll

Filesize
7KB

MD5
8d25c6fa86618bbe139236ca563d1002

SHA1
bfd5397c57e57346459158c62d8b5d04e0169003

SHA256
34127b9a167161e43a5107f37d8c76a135a34593f4cae51a90bef48ffc5fbcf2

SHA512
d65844128c403ab20151743cc2c2a8406de978e822d77cf2952312fd82a0e6970ffcc631353b318cc883a884b57d53f9e1ff025479b15d7581fec0ffb760dd13

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
844KB

MD5
730ba8a10dbbfd1d0c619bc8b177717b

SHA1
b400327d8ea28bb810a7486e594a593374c47249

SHA256
f043f50318a75c342fc24bb9f8cabef0e7a9d0948a3321f5715420a59209a1c0

SHA512
8d4a197a63fda290bf7b19b5f44bf8d84dfeda8cf45775c3326ca0d8540fd8c5ff88fe4249748053057c3cc07bb43bc8e10e9750a894980af2962c391e4b381a

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
844KB

MD5
6b1c18cf903cc5cc8979035efecd18b8

SHA1
0cd6e30a480909a18e38c5becacc0306668a4e69

SHA256
4655f05019f4792f9a7fe2a8b420ad0059e2c242896d9f46c4e6dfef158a1554

SHA512
8d7d7830fb29277177cbb68b08b0668b02200d1aad04d34bfea52793c0ddb746b38ba9d1fcba22b7e7afe77de9c80b48ec4713c0c71c0488137ffa8ae8a15573

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
844KB

MD5
e36c91a248d68ddf52366dad4baf3e9b

SHA1
90a97e4f738a2ed0ef3d5580ec3610c89edea6ef

SHA256
a5a5e12d12de9de1bf803c376bdae672a4fbf9f30da0c2bd7840700580659214

SHA512
bc05063754b43a33fea1c5cb3d5fa291a59f27ced09bcb6fa13c943ac04cc62416d79c3412ef8812a94993582cb7a721b00965ca30942536ef0d677e3c8196dc

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
844KB

MD5
3f906c6fccc5ab6a547bbd32c7f9491b

SHA1
c5550ca321f30190d5542db1852550b265322ab8

SHA256
d20d05ba44230bdd0955d5d8fc141eb6f6f79524d0b9fa7ddae5cfb7ec697617

SHA512
c99bd1aa81315475c4249451eb0eeb45acfcfff47d01c9491db1f2781177be07be53022c8558e33e958b19095eadf1a5d5911ffc36dd037e7b3dbd287607847b

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
704KB

MD5
2d9f5809d65db962ecb3861a7ff44bdc

SHA1
bf35f5cbfe8e9d27b14b539dd7fda88bd5544936

SHA256
f1bc3be904e8997f8da84a0e72ac2548e3e6ea444d5dfbfcef49722a002db6aa

SHA512
a0148340d0b5012ec9b7ef13be51481d8e4f0b0bada72cac87364701c575dbbe92bef92eb1ac7c4545cc46457989773ec5e7bd45e3334853a45cda0eae8fd301

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
128KB

MD5
9b5d6674fd8ed47a11fbfe8c9614948b

SHA1
c43e879f0c4714f61cfbde6fb60d063756cec9b2

SHA256
00d602ff3e66912174fdce5fdb6b0ecd07306b385273ecd16f09963424e5eb8d

SHA512
78c9d725fb770bfe28bf29defa2331bd318e9c8d0f6ff4fdafb2dcd6450560539234deb0695f7eb670d44fe5837358d44443707b6a1fc8c0c4b8793e3d9e2d1e

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
844KB

MD5
72126322d574a9c15fab905470115b55

SHA1
132de2ebe59500bb7cc0e187e02d7ed28a44018e

SHA256
dc036e74adb25dc653357cb4fd8ff893869a225198dca4cba9a77a1b5c656329

SHA512
a839d4a58cbb1328e4c8cc5ead4470e8feba80999d60e2d971bd713c78c27ea0ce7e9ef734742fdc696e0cec9b59fa2af9adcf613959dd1509f7dd603bf15c8d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
844KB

MD5
9bd452bfc4c7c68034e7218f4e2ca510

SHA1
e7a295c09c9f4614ef5b8635065f96f3021b1dad

SHA256
a26578f633068ac2c6d4725beb1cc07020b570ea73d59e8994cf6cd6aafecf0c

SHA512
bf4821ee356c0f936b3709600856470fe92423b6594d0fadaa2f4ef3e9eb5ce66074130041f75d445674c072b3c14c9d2536ed80da82f0583318f7a0af222691

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
844KB

MD5
7c7f45f4ae542c0dfc231e8ad9c8de82

SHA1
103a1ed24c49014459c14888fff042c5d509e563

SHA256
b2545b59becc0dda5bf52058bfa09522f8295f2a0c889b3855c88b8057daf542

SHA512
dc6e80dc4324b0b0155ff6271990922e635ed60f4f67e3373e381b269104f2659d95e978841d6fac2d9f5037db56a1cd84800d112f8a8ccab065772cc392cc93

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
768KB

MD5
bfa51d1f19ae58d9df5b03b23c9d0cb4

SHA1
f6f0d105cffe99c7abbea07a173f8bc61e61b318

SHA256
66d2a2c408c6a87aa62e98c31a1ff29e975c606202d43d35a1521c5e8579c86f

SHA512
7ea43bb464d2f6dea218d546da31cf9b1d65cc88608b3a9cd2a4dee6a0e76eb0c6f45bb4fcdccec5cc902d8bd82ca1ed0f61c72ebbaf1bc247538f93ce7d4bb3

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
844KB

MD5
96ac0d43bf60b20e8214c61079344ad5

SHA1
c878f154b29ea102f0686251e122756142c42cd5

SHA256
06f6df15d52547dfcd6d1c6ddbbe2cd0a08fd718fdee6d91d0d02dbe58bfa038

SHA512
d14bcbaf971c86c8cecf4363148cf6ba423c6b5c0ed1d2373ae60fab296e5686adc3c87800809000a441a8106fad32a2187c66adde7c2153b28e9878b63dcaad

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
844KB

MD5
aa1362217715cad50ef12fab3b7039a6

SHA1
f4211278e67249df2256d33b0f90b22476629407

SHA256
fcdb5c0684fc911e0b735e66155d9830a32c0cc4855228be583fa1bccade4d9b

SHA512
c2116e67469e077145950ce6e0dff9208f397b341fd9f44cc7293e5ffe3791c82e39b1ebf6ba09760465e84734a1c3da2e121087c2a444a95921f2b436848614

Download Submit
memory/232-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/336-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/668-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/832-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/908-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1540-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1560-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1692-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1908-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1924-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2308-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2376-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3128-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3200-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3212-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3260-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3412-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3548-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3588-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3812-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3908-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4228-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4592-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4592-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4600-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4900-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4900-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5032-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5032-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads