a106ffdb21cc898432833059487005da80ff89081db8fc32571b6de902a66345

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
Size

280KB
MD5

d0ea44dcf0fca383026e0cc9c1477180
SHA1

c484ea05bbaf72c582488b6b1f995afd2ac5ba85
SHA256

a106ffdb21cc898432833059487005da80ff89081db8fc32571b6de902a66345
SHA512

1bd88c349317e5838a2f412dedd36a26a34e9e33fda9168c3018c75969de20e5a3e5e49e0786102ab0ddfc25da5b1c480be696f993cd79e714bc94ba92720532
SSDEEP

1536:TGS7xMNm8WdutSUd5kKGktWWAWIcyohseMUKPeoxZslAGhZxPBljjGs8f7hG6q+j:KhWwAU4gA4hZK7xVG9Btj676ZBI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlppno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foclgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mljmhflh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egohdegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilibdmgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibeoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcnfohmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgkfnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djegekil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe

Executes dropped EXE 58 IoCs

pid	Process
2400	Jphkkpbp.exe
1676	Kgflcifg.exe
408	Kgiiiidd.exe
2724	Kgkfnh32.exe
3388	Loighj32.exe
1560	Lnjgfb32.exe
4420	Ljceqb32.exe
432	Lcnfohmi.exe
2768	Mfnoqc32.exe
4556	Mgnlkfal.exe
1524	Aaenbd32.exe
968	Apmhiq32.exe
4636	Aopemh32.exe
1708	Chfegk32.exe
1628	Caageq32.exe
5028	Coegoe32.exe
4312	Dolmodpi.exe
4460	Dbocfo32.exe
3344	Egohdegl.exe
2224	Ehpadhll.exe
656	Fnbcgn32.exe
4704	Foclgq32.exe
3724	Hecjke32.exe
4344	Hlppno32.exe
5016	Hpmhdmea.exe
4992	Hnbeeiji.exe
4764	Ilibdmgp.exe
3628	Iojkeh32.exe
2392	Ibjqaf32.exe
4020	Kibeoo32.exe
4940	Keifdpif.exe
3780	Kcapicdj.exe
2236	Lomjicei.exe
2600	Ljdkll32.exe
1844	Mljmhflh.exe
2592	Nciopppp.exe
4860	Nqoloc32.exe
4432	Nimmifgo.exe
1448	Ookoaokf.exe
2864	Pcpnhl32.exe
1540	Pmphaaln.exe
2532	Qamago32.exe
4888	Aabkbono.exe
2432	Aalmimfd.exe
3224	Baepolni.exe
212	Bagmdllg.exe
2800	Cienon32.exe
4104	Ckidcpjl.exe
4548	Ddfbgelh.exe
2544	Djegekil.exe
1592	Dncpkjoc.exe
984	Enjfli32.exe
4224	Edfknb32.exe
3740	Famhmfkl.exe
4596	Fboecfii.exe
1344	Fgnjqm32.exe
2128	Fdbkja32.exe
224	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Djegekil.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Kgiiiidd.exe	Kgflcifg.exe
File created	C:\Windows\SysWOW64\Jkjpda32.dll	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Mlmadjhb.dll	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Aalmimfd.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Nqoloc32.exe	Nciopppp.exe
File opened for modification	C:\Windows\SysWOW64\Mfnoqc32.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Baepolni.exe
File created	C:\Windows\SysWOW64\Acankf32.dll	Dolmodpi.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Ookoaokf.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Lnjgfb32.exe	Loighj32.exe
File created	C:\Windows\SysWOW64\Fcpjljph.dll	Loighj32.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Mgnlkfal.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Lcnfohmi.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Inmalg32.dll	Qamago32.exe
File created	C:\Windows\SysWOW64\Ckidcpjl.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Adbofa32.dll	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Doepmnag.dll	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
File created	C:\Windows\SysWOW64\Loighj32.exe	Kgkfnh32.exe
File opened for modification	C:\Windows\SysWOW64\Ilibdmgp.exe	Hnbeeiji.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Jphkkpbp.exe	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Hmafal32.dll	Aalmimfd.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Fboecfii.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Mfnoqc32.exe	Lcnfohmi.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Ehpadhll.exe	Egohdegl.exe
File created	C:\Windows\SysWOW64\Pkpbai32.dll	Hpmhdmea.exe
File opened for modification	C:\Windows\SysWOW64\Kgkfnh32.exe	Kgiiiidd.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Acffllhk.dll	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Ckidcpjl.exe	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Ehpadhll.exe	Egohdegl.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqaf32.exe	Iojkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Kibeoo32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Pijmiq32.dll	Kgiiiidd.exe
File created	C:\Windows\SysWOW64\Lnjgfb32.exe	Loighj32.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Mgnlkfal.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Nciopppp.exe	Mljmhflh.exe
File created	C:\Windows\SysWOW64\Nqobhgmh.dll	Mljmhflh.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Pcpnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Aabkbono.exe	Qamago32.exe
File created	C:\Windows\SysWOW64\Ljceqb32.exe	Lnjgfb32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Deocpk32.dll	Hnbeeiji.exe
File created	C:\Windows\SysWOW64\Jicchk32.dll	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Djegekil.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Binfdh32.dll	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Dbocfo32.exe	Dolmodpi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1616	224	WerFault.exe	149

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Baepolni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcmfjll.dll"	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijmiq32.dll"	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgkfnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnbiq32.dll"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkilook.dll"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpldbefn.dll"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll"	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbocfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll"	Djegekil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghehjh32.dll"	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deocpk32.dll"	Hnbeeiji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acankf32.dll"	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djegekil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll"	Egohdegl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll"	Nciopppp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hecjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlppno32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2400	3192	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe	92
PID 3192 wrote to memory of 2400	3192	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe	92
PID 3192 wrote to memory of 2400	3192	d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe	92
PID 2400 wrote to memory of 1676	2400	Jphkkpbp.exe	93
PID 2400 wrote to memory of 1676	2400	Jphkkpbp.exe	93
PID 2400 wrote to memory of 1676	2400	Jphkkpbp.exe	93
PID 1676 wrote to memory of 408	1676	Kgflcifg.exe	94
PID 1676 wrote to memory of 408	1676	Kgflcifg.exe	94
PID 1676 wrote to memory of 408	1676	Kgflcifg.exe	94
PID 408 wrote to memory of 2724	408	Kgiiiidd.exe	95
PID 408 wrote to memory of 2724	408	Kgiiiidd.exe	95
PID 408 wrote to memory of 2724	408	Kgiiiidd.exe	95
PID 2724 wrote to memory of 3388	2724	Kgkfnh32.exe	96
PID 2724 wrote to memory of 3388	2724	Kgkfnh32.exe	96
PID 2724 wrote to memory of 3388	2724	Kgkfnh32.exe	96
PID 3388 wrote to memory of 1560	3388	Loighj32.exe	97
PID 3388 wrote to memory of 1560	3388	Loighj32.exe	97
PID 3388 wrote to memory of 1560	3388	Loighj32.exe	97
PID 1560 wrote to memory of 4420	1560	Lnjgfb32.exe	98
PID 1560 wrote to memory of 4420	1560	Lnjgfb32.exe	98
PID 1560 wrote to memory of 4420	1560	Lnjgfb32.exe	98
PID 4420 wrote to memory of 432	4420	Ljceqb32.exe	99
PID 4420 wrote to memory of 432	4420	Ljceqb32.exe	99
PID 4420 wrote to memory of 432	4420	Ljceqb32.exe	99
PID 432 wrote to memory of 2768	432	Lcnfohmi.exe	100
PID 432 wrote to memory of 2768	432	Lcnfohmi.exe	100
PID 432 wrote to memory of 2768	432	Lcnfohmi.exe	100
PID 2768 wrote to memory of 4556	2768	Mfnoqc32.exe	101
PID 2768 wrote to memory of 4556	2768	Mfnoqc32.exe	101
PID 2768 wrote to memory of 4556	2768	Mfnoqc32.exe	101
PID 4556 wrote to memory of 1524	4556	Mgnlkfal.exe	102
PID 4556 wrote to memory of 1524	4556	Mgnlkfal.exe	102
PID 4556 wrote to memory of 1524	4556	Mgnlkfal.exe	102
PID 1524 wrote to memory of 968	1524	Aaenbd32.exe	103
PID 1524 wrote to memory of 968	1524	Aaenbd32.exe	103
PID 1524 wrote to memory of 968	1524	Aaenbd32.exe	103
PID 968 wrote to memory of 4636	968	Apmhiq32.exe	104
PID 968 wrote to memory of 4636	968	Apmhiq32.exe	104
PID 968 wrote to memory of 4636	968	Apmhiq32.exe	104
PID 4636 wrote to memory of 1708	4636	Aopemh32.exe	105
PID 4636 wrote to memory of 1708	4636	Aopemh32.exe	105
PID 4636 wrote to memory of 1708	4636	Aopemh32.exe	105
PID 1708 wrote to memory of 1628	1708	Chfegk32.exe	106
PID 1708 wrote to memory of 1628	1708	Chfegk32.exe	106
PID 1708 wrote to memory of 1628	1708	Chfegk32.exe	106
PID 1628 wrote to memory of 5028	1628	Caageq32.exe	107
PID 1628 wrote to memory of 5028	1628	Caageq32.exe	107
PID 1628 wrote to memory of 5028	1628	Caageq32.exe	107
PID 5028 wrote to memory of 4312	5028	Coegoe32.exe	108
PID 5028 wrote to memory of 4312	5028	Coegoe32.exe	108
PID 5028 wrote to memory of 4312	5028	Coegoe32.exe	108
PID 4312 wrote to memory of 4460	4312	Dolmodpi.exe	109
PID 4312 wrote to memory of 4460	4312	Dolmodpi.exe	109
PID 4312 wrote to memory of 4460	4312	Dolmodpi.exe	109
PID 4460 wrote to memory of 3344	4460	Dbocfo32.exe	110
PID 4460 wrote to memory of 3344	4460	Dbocfo32.exe	110
PID 4460 wrote to memory of 3344	4460	Dbocfo32.exe	110
PID 3344 wrote to memory of 2224	3344	Egohdegl.exe	111
PID 3344 wrote to memory of 2224	3344	Egohdegl.exe	111
PID 3344 wrote to memory of 2224	3344	Egohdegl.exe	111
PID 2224 wrote to memory of 656	2224	Ehpadhll.exe	112
PID 2224 wrote to memory of 656	2224	Ehpadhll.exe	112
PID 2224 wrote to memory of 656	2224	Ehpadhll.exe	112
PID 656 wrote to memory of 4704	656	Fnbcgn32.exe	113

C:\Users\Admin\AppData\Local\Temp\d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d0ea44dcf0fca383026e0cc9c1477180_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\Jphkkpbp.exe
  C:\Windows\system32\Jphkkpbp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\Kgflcifg.exe
    C:\Windows\system32\Kgflcifg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\Kgiiiidd.exe
      C:\Windows\system32\Kgiiiidd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        59⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 416
        60⤵
        Program crash
        
        PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 224 -ip 224
1⤵
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
280KB

MD5
6f1a007504cf67de2c30878db761878d

SHA1
09af3559be9578ab7d64f39ade27ff14a70c7a3d

SHA256
fafd46f515c0c93326e6571986373b2e4b22194e457cd30748b0c3d40be88be4

SHA512
5f3af0b22a237623855020f425bac3b8dabba7f47a435e106655f419c5629cad5d2193fa51bd10de35cb6393975f095782b9b741e463626c31d8983355fb67c1

Download Submit
C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
280KB

MD5
1611fe97cd9c410f45e928c2c58ae65a

SHA1
3d4b86bd371fe07da23bcce832d909a093f59871

SHA256
d99c9fadd004dc8c53537f736626daece3f63ed463b597da2398ec13e77e3bfd

SHA512
659ac1c0345b27bff5de59c74b0214720a7ea4938f4c9643dc44556c0d8d9b3d3d6d95909372cd745db6b42b2ba7ee3c90c8e8999aa851aae9fe1b6f73e74156

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
280KB

MD5
49f290c6bebbf10a96263e9db51646ff

SHA1
c4f9a87ebde19a5156f83c526026489644a06df3

SHA256
d54b31c7243d383791547deafa8b34232e7d54e23495fd5c40f61108b87dff30

SHA512
df32a5f1db5ca0d5a5fa318147c8e9c17b326566ea754bee732a2e7ec3c91a08aad10a97d068d71d86139d88589d6083d13de44f64b4c1218f4bc84366d995a2

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
280KB

MD5
f13d086a877a23c8bb80648632f7bdff

SHA1
4a3f8d191673f950aab598eb5ff9fa71adea4b68

SHA256
c94862a4d033ddeb9f016807aa59c08e4a58e2825f1951b7449d468488a05503

SHA512
c6c2831466b5cf261f9035c64a4618623d603e1827c2b67774fb4942a870bc069d4b780399a3e9ed21db1be9a3ebe1c36a22ba371fa93cc5feb12b480523ff26

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
280KB

MD5
a26e3f52afa2c8314180c3e8b7264e2a

SHA1
b817c633b18e0b670a6050c6188de6932295c22c

SHA256
36ba8e7d45392335d5d868271b7e052096a93e4b38cd568af5baa701e9409963

SHA512
fd9da496b529f7f99bdecf1ef0879048816d9198d09fc259b23f2f6d95fe7ee9824c49f5a148e21f9bfe80cc1462ab4cd269e4a5700251a7f286fbf2ff83cf37

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
280KB

MD5
bb8fbd531a1f0adb3977bb218c5232b9

SHA1
f650ce88d48c617322165ef52db5b374200109d8

SHA256
ae208fd8aae811c12b13afb3af957da61fb1dddf150d25233a255e84f98337f0

SHA512
1194d9f319b48c179ff48538bc68c5cf1fb6e7db7f85ab5b9f7e9460f0f298d94a46146a4dab4bea72f526e3815fc2b5f2d93097e46ad1a611f431937538e645

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
280KB

MD5
7ebe6124505ab26026a5dd0cacc6a81b

SHA1
067961bc31c730deab2abc25c2f428cf17bdf52f

SHA256
53722c523892c8e4f5bd7dca62d3f6715df6bd7933ae615ae8285b8be9f2664d

SHA512
69c6c3b72a78e34f2a475d4bdf64e0cf877eb710b589d7350dd407ca01ac6beb759f9a5d13b24f005400d5fc1147bcd0d3b2d627c30e62ae5b46ef68c7c6ff9c

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
280KB

MD5
2efad88ddecb4872de976fe5f94f8577

SHA1
f345b12fd9954dac5cf20fbd068089d80097412e

SHA256
829c6c23a6ddc5cc3c6e460cdf9310bc9fbfafcb3ef44630b6d45126fa8af90c

SHA512
ea4857ce913078cb194a7cf08050f4a69430ff14ed1969a7d53090de5609526b124b2c0ae24f4f5dc7cfb0f943f50d96d0ae5df05709528865ba83a9d425f8c6

Download Submit
C:\Windows\SysWOW64\Dbocfo32.exe

Filesize
280KB

MD5
e13107bdbe6e912e4b43b9eaa567958a

SHA1
4a701ed363c51594803ae4dae94e25d753abe0c2

SHA256
d032cdbc5b06ccff3b23df374d0b77422bf6e4fbe5b1e9bb425d7079513a24c6

SHA512
5b7d8f6ec1963b6abc0a0ecf5398aed373e66ec7346aee9adb5387f93a0b72ac342427837dc45659736cf9c7c001b01aa9e798dd34852aa9e0ba7335a4efa0be

Download Submit
C:\Windows\SysWOW64\Dolmodpi.exe

Filesize
280KB

MD5
0849437a6785f84d35716d200add6f9a

SHA1
019d107c39b1ff1bcfe01c456115c6ea62d221fe

SHA256
cbb874ef8801abdbe23de833df3fdffb1152be452d85bca94357eadefa2eea06

SHA512
cd49c4b05576d590fe2681bba8982cadbe826e04e098ba76308f582bd97cab9e473eba70ea6e05dc2a3420593e8329bf64ccec25e4457b4a42224d8cebdc53b7

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
280KB

MD5
d99283669cffe1d3fc9cd5cf64a0128a

SHA1
31bdf84b7787a39c4c18542db71978120daa75cc

SHA256
2c91a35a233559ce6ddcf8a485f5e386141d6c6594ce8484755180f43fbbfac7

SHA512
48ea7976ac7e6655f13732169ad0e722472507c3b2ee4ba3b6389193afdb1aed9d1acb914836ca3e0cea95f3ad2aedc513407e37efe1e52acc70ec9fd9114a26

Download Submit
C:\Windows\SysWOW64\Egohdegl.exe

Filesize
280KB

MD5
c8ee9174645d0d5c42fec4e6fbd62313

SHA1
6f9ee9908dce372b8724c182ebd5e678c128656e

SHA256
210405ad3a9570992f047ec68a251ed7077faf37b0278688904e1db2ad6e555b

SHA512
d64f4c4082cd8c0e5ddc445c9973f0161c70944a55321f2a5ff66263d762afb24f956f5caa172095967c5afa500b5e090f7803f0dea782acd8fd852c9272f4ca

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
280KB

MD5
aef84d4b4c95e0850ab7873b230154f7

SHA1
9887ba5edb50a6370f4f3806512cd7ccda2ec156

SHA256
1f89aef02f789f07fe17703bba4b883f0d71bba56b9bb6e0f97f0242d0747faf

SHA512
4f4558f812b3e4e29f73b7c226983cac9fb3d45e5cb72eccddcbd4386ca74828aa8c17c5268c07c85979ceb1bf8ed9daf1d2d11bafe6a54c5642c33c28c506f6

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
280KB

MD5
00d4640d8c71dc69146a7886ce3ea94f

SHA1
36bfe0eb2c7729998287e4eb25846b52b068d5e5

SHA256
261ee947ce863a324fc8f7bfbf210f4d9ac8e16c2b728ce284d739a51e3f91e2

SHA512
4d33224069462248388eb24a461c0ee090f99a4d39c584e84612dc233ae562858ac4d7da6e70dac8173850c07ecb81249ea9a76cd0821166ba016463bf5146c3

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
280KB

MD5
b82a4202016b5253b8b59265887f809b

SHA1
878fe46c6b0a13221c6790d33a8b9df21678b13f

SHA256
afe7dfc77b5e41e1aecf98f191c93a63941099f48ed2b103a657dffa37bc9a8c

SHA512
cd34ee61d9cccea69af32cb760df77bd7ea5e94fbd95ed041c48804411f3f6e1a2a7c311a37600a42cfcbd16dcb9978122d5c6a926de3af8ccea98ed29ee668e

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
280KB

MD5
692d7f26cf1327df418c9725a1eb9c88

SHA1
0af679a65379466f876ff4f2aa7ab06b0ea021bd

SHA256
e87d795390b1606737dc78abad8aa26c08add998f355e8198ce9ca4f871db685

SHA512
0364cc5e26f058a7a3128b7cebeaec06366230db102519963537d9fcd1643420b12aace2fbaabd5cd986a6fd285a9bbefbdede658096af4f8250b804de604b10

Download Submit
C:\Windows\SysWOW64\Hecjke32.exe

Filesize
280KB

MD5
95cbc8b25b2e70ec64c8abcfbe147493

SHA1
1f307585e6bff10f22f899beaeb5445803a981ba

SHA256
160a4003f704f93010df09b8a1774c39679883f39fb13be6d462c0be505ce5e2

SHA512
5233ecc6a09b8cae3f37955e71918b35bbc131c6d4d114b2d5329d71b1e5b41a1abd49f5890b8c2541878ea86ad4076114cc404c0d5bcad9daecb934b10b0ed5

Download Submit
C:\Windows\SysWOW64\Hlppno32.exe

Filesize
280KB

MD5
a0b02e05ac7c97bf57e6d4ead1d86065

SHA1
fedddc0ba3ff40d3559a27b85a38d0cf599dc011

SHA256
09e81151711aadd25d1934742ce0a67ab1172cb02aaa70a4f02898383f7c2345

SHA512
5aec27dc85f8d106a22a2cf2d3c565e73d24212e8e1eda2d5a762f2411dd379063ff19ba2358c49b56bb8c2cd39756a365b60d90485e71aa2f859ccb51cc585e

Download Submit
C:\Windows\SysWOW64\Hnbeeiji.exe

Filesize
280KB

MD5
4c52e18f5f34f8f24b488a432810eae3

SHA1
851cda4d1f57681c1a832f4b5cfc78bd0ebe1cfd

SHA256
31c5bbdc2bf59f9d42698b82d6c47af5c4f88d25da4b315d7aa6973fb1b52eb1

SHA512
35ab89046497c0c0dea7028247b57fd6ac8c9a38dcb9ba8ea33fc450fe716bf68460d39439ade6126f938ec31aa2d75dde17fac3ce0779286bf14042ef9563ad

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
280KB

MD5
0a4ce632f196ac40de99c08624f1d467

SHA1
89ae92c82a711ce3748b79f5470c284038a4a03b

SHA256
7b52070872bd2d8085ed5c9aa3cbd3fba8b0da6a1b8e8e583a42b1c9d35ce01e

SHA512
9c7864aa8fc564a8060335f132b69f20b1b63ce006b1d4a3229d5789da373c53bc2c19e1cff9ea5f672b8f1a367aa19009665f98a84df0b1ce56eb338a074fb8

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
280KB

MD5
dbdae7622e87e2431b1c19666b1b1f65

SHA1
9bf819b790609bcf133e3ef7edd14fcf8a13293a

SHA256
3887c11d6e6a4a2e5580bdce4e78654bfbbe49779d59deadf6a8575c2acee276

SHA512
ffb24f253a159daf6f846a6e5e655ff702b384946bfc6fc88f02df4a7b94ce072ccc14613e4c0ccf4fc435c5d50f8b3e0b1c908e495b12b8bb70a6f660355026

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
280KB

MD5
bfcb98030a9ff54cf26b827ab2682092

SHA1
68c112284efcbdb4a68e885f3c7c1e549da7d07d

SHA256
8b52dc13ce2ba58455c1014ae5b0e92a3b0bdb3657c40ade2473d884706ff90c

SHA512
a701e55ec6aea4bda181964a65f22fc29c80429028aa0d4875473f889fb5d28e7f3e5f24c46701677c3e1b77579841d564afd63ac4a5e40421209688d83996fb

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
280KB

MD5
6eecbe64c11bcbddbeb72f98404005c6

SHA1
18ec8f24edccfde22f82a4a30ea46420928a985c

SHA256
ed368d91b26b17d34d9f059318bdef32d6da8cc6a4602e8c5782330ed2d11d1f

SHA512
007b8d569d76e3a280aec391479a6daacd191e50a0db9ddda18d11226837ccbf5a5c2866e809b06649b8c055cc1314b3fc0c52bee119b48a4ff5ec8d3488131e

Download Submit
C:\Windows\SysWOW64\Jphkkpbp.exe

Filesize
280KB

MD5
9c8e181e5bb681971b23dbf4e9810e33

SHA1
0392cd7f287489f6752980ff95152592c5061830

SHA256
f6985c539ee309270e0af51104496ca1273c73645bf08968849626723de034ed

SHA512
6d5d55fbf98111714483787a26d099aba648d25ee628c4e2fdb42400e594f3a78bcac0f36477036f590996a9db4dc05dc5c67bd5b91deb3877728713759ee463

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
280KB

MD5
5d0dc5953a4d08e8639e0f579e7b1db6

SHA1
cbc7e0dca00a26eef6d23c2258d7d3eb687b7eb4

SHA256
466e02a8ae79040eed4b9f08e5871ffea3fceb8a1168b50241f73ce53c0b2642

SHA512
baefd060d6837269f26d902118a7ac484cc00c60d30e06f4672f3aabaa8de235bd9d3279b2705c23cc24738ebb3e03fb4773b34822f9af1584e04281685c6623

Download Submit
C:\Windows\SysWOW64\Keifdpif.exe

Filesize
280KB

MD5
76ab232f580b437510b740d3a41cdad4

SHA1
4444610753582c6e6857888735c87d6cb615068d

SHA256
e5c9d1c07c2c55e09483dab2694dc12fd7eb60efeb34eceaf62584b7b7c216e2

SHA512
e6172838ec0c69925b1ebf816f3ac1497efed70e95ffccf1db7d1ce0afe5d3324910f37f3ad374475af51a3ecdd2d475f9e87727924880da7f46773c480d60ca

Download Submit
C:\Windows\SysWOW64\Kgflcifg.exe

Filesize
280KB

MD5
56ba513714ece8ab68e6f7dae74fdc65

SHA1
c1d3a460a42734ed482fead392bbaea7752bdde4

SHA256
f70dc939a313c19384d749a4a7d886658ac858ef2ae27b2548f50b74ec365962

SHA512
8a053f5dd24a3466578cbd7f3c8af3e96cd0b5aaf2254753f1040be8b9606d7b96fcde2b68ac6139b655cb7861e6fc21a2050751b2974a7816593eb4e76d5ef2

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
280KB

MD5
937e57fb42015c36d735f51adfb9496e

SHA1
5d60293794487e77cc4e1eeeff1adcb2237302e2

SHA256
38fd66c657a2295ed56b2ada500ae8365e79b068e8ecea6046f9349c78af12bc

SHA512
44caffc8c5f9f0faa816d0543208c95e2ad639c41a14929996cd3b8c4a4341904d6fa77d726da32b21c6adec29956053943efe97127c3b8f57294c667d3cfe3a

Download Submit
C:\Windows\SysWOW64\Kgkfnh32.exe

Filesize
280KB

MD5
7c5af52798bf603d506fc792286753a3

SHA1
e07ed17f533ff56801c671ff018295c4c95010c4

SHA256
5fa07f873b3f00b91abd841e18ede9d1cda703b9f431dd973901071ba86c4852

SHA512
bfaef32223b137b720c939ec6b6e14a923704598144d188acb1e88496a9e3d5739d847fd56f6e374da64c3320aa49484c386a8f7fcd94c8ea58c45527a13bb05

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
280KB

MD5
c665920ebfc76be67087cd27243ec755

SHA1
e66054e1043dfd4ce136806713bd0521a01f87e6

SHA256
e9965c2cf8c34fc44687666157e676ee89b26935e9f0ead70689a5939ba31ce0

SHA512
3a2225bd2b7b1976a4770ec84bae52714de3ac6902f85df3d23fe7c426d6b67d4ddb3546bf097cd3c58c3cdc3810a0d416e483577b3af62331f808b782219e8a

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
280KB

MD5
025968c418beb2339769d33be156ad3d

SHA1
ae2f16be63b0eb8c15325098c0cae24075d95c69

SHA256
846e06ae5db0cf76e35f3dfbbed398bf9437132e333de4a035aabf55682d857a

SHA512
8dc96fb5c487b4afbae4c38ad2b4d24ab27d37d244ef9ba3b7a67d160c18275046ea60cb3ec72bd600a35a06ce795aeb9a8c51cc9285e993693f7a97ab505c54

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
280KB

MD5
070ce85d37b4dc0d147af80caadd0f1d

SHA1
3c52c1e155cfca31f3269a048d976d4ec28012f0

SHA256
d03c6f7db2b37d23fb1b02b02563d339811bf8532a05cd66d13329f2c3174fbd

SHA512
8216b25e1cd3aa4d29dc02a21e8e251c5c8f421edf26fee77f0a312a4b81cf26bf8d83ce0ad7960e433acb5d19a218ca94b81c958d42f10a5cd9733b32d6fbaa

Download Submit
C:\Windows\SysWOW64\Lnjgfb32.exe

Filesize
280KB

MD5
78f9fa320d5190e899c5c63f973aaa5b

SHA1
c7250cf19c8349c0679e21ce05b993d39d160592

SHA256
47fc89d9b9b28421e22a0eda7557991db5b59384b319d223c8dea9dc54646689

SHA512
3f0418ca9c6bf4c28dec6aa160a915499411d1c4fb11dec35df884cb48f094fbff1d4900751385dd5153857e08fff21ca8fc9a074d70cf8f292ac12288957354

Download Submit
C:\Windows\SysWOW64\Loighj32.exe

Filesize
280KB

MD5
e18c59da7913ba9b9bb0dd0200a6277f

SHA1
d594aa2709423a3902505040073775c8c0982b1f

SHA256
78fc83f8d8e374c29f7fbd43ce4e3142aef32d10208fff0d9df22ab9c561ee16

SHA512
0ed4781dde06ef31234fb8f7485bd66dc05b93a98e3bb354dae4cfd87f89b3c636a465bd763806df58f5ac40bbe4a334a1fa33ebe58bffaee64dee547027200b

Download Submit
C:\Windows\SysWOW64\Mfnoqc32.exe

Filesize
280KB

MD5
feee87c6f4e18783ae0c03f54349bb9e

SHA1
2dd82530ea886518e5ff1fdb8970c522ad0cd711

SHA256
5cb49190cdc61cd0f9c6fc8c69f27aa8319e17e8c73ad94a1e6a6fc92c5dad7a

SHA512
6580ce807c5192758e1616270cb16f8ad07ad7669d0bef88b62b7ad4dcc9da568d16a37d0d9ce747068d8e0d923d000bde1f8f7c0f7b5b5f12bbbb9ba7c96a87

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
280KB

MD5
3749f4a3b09c10f0593f038f61b7eadb

SHA1
853f59cc02b7d5b6fcb65c28578249b731a40827

SHA256
0402ec57db88904b69bbeb15d1e19ee1919bcc46111c914340dcf16cee41bea8

SHA512
b486ec70a9dab6946c39de12fe46b4f9ad7b82aa56fde30cb8dcfd12d898ea2390f12bffe988bd754c88f6c72ef013dde1bfcb516d5feb8f15d7f93e68ded130

Download Submit
memory/212-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3224-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads