e212b7046da01e2bc470352d4b3c529e9d0c37d798f6549b2892148a4959f17b

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe
Size

368KB
MD5

ebcb7397bed9943ef01640c0338b46f0
SHA1

b5613e5018cb4717430d4b1df0410a41cb909e67
SHA256

e212b7046da01e2bc470352d4b3c529e9d0c37d798f6549b2892148a4959f17b
SHA512

21e170aa40123928cc00559c1da5c987791238ae1c7f260f539b43979a435d1d4208622b0ba81726a8fa676f57f93b04ce41a843f4e93166fa2100559373e936
SSDEEP

6144:K9mazxsXlTjZXvEQo9dfJBEdKFckUQ/4TIHD4xutM3VOEIuV5t6R+0I/VzogZW:8xsT9XvEhdfJkKSkU3kHyuaRB5t6k0IY

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkkik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgonidg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihibbjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajdgcab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgjhpcmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqbcbkab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbiockdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccmhdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geldkfpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adjjeieh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaajhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Feenjgfq.exe

Malware Dropper & Backdoor - Berbew 47 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000900000002326d-5.dat	family_berbew
behavioral2/files/0x0008000000023273-14.dat	family_berbew
behavioral2/files/0x0007000000023275-22.dat	family_berbew
behavioral2/files/0x0007000000023277-30.dat	family_berbew
behavioral2/files/0x0007000000023279-38.dat	family_berbew
behavioral2/files/0x000700000002327b-47.dat	family_berbew
behavioral2/files/0x000700000002327d-54.dat	family_berbew
behavioral2/files/0x0007000000023280-57.dat	family_berbew
behavioral2/files/0x0007000000023282-70.dat	family_berbew
behavioral2/files/0x0007000000023284-79.dat	family_berbew
behavioral2/files/0x0007000000023286-86.dat	family_berbew
behavioral2/files/0x0007000000023288-94.dat	family_berbew
behavioral2/files/0x000700000002328a-104.dat	family_berbew
behavioral2/files/0x000700000002328c-110.dat	family_berbew
behavioral2/files/0x000700000002328e-120.dat	family_berbew
behavioral2/files/0x0007000000023290-128.dat	family_berbew
behavioral2/files/0x0007000000023293-134.dat	family_berbew
behavioral2/files/0x0007000000023295-143.dat	family_berbew
behavioral2/files/0x000700000002328c-105.dat	family_berbew
behavioral2/files/0x0007000000023297-150.dat	family_berbew
behavioral2/files/0x0007000000023299-153.dat	family_berbew
behavioral2/files/0x0007000000023299-158.dat	family_berbew
behavioral2/files/0x000700000002329b-166.dat	family_berbew
behavioral2/files/0x000700000002329d-176.dat	family_berbew
behavioral2/files/0x000700000002329f-183.dat	family_berbew
behavioral2/files/0x00070000000232a3-198.dat	family_berbew
behavioral2/files/0x00070000000232a5-207.dat	family_berbew
behavioral2/files/0x00070000000232a7-209.dat	family_berbew
behavioral2/files/0x00070000000232a1-191.dat	family_berbew
behavioral2/files/0x00070000000232a9-223.dat	family_berbew
behavioral2/files/0x00070000000232ab-231.dat	family_berbew
behavioral2/files/0x00070000000232ad-239.dat	family_berbew
behavioral2/files/0x00070000000232af-248.dat	family_berbew
behavioral2/files/0x00070000000232b3-257.dat	family_berbew
behavioral2/files/0x00070000000232b1-255.dat	family_berbew
behavioral2/files/0x00070000000232c3-306.dat	family_berbew
behavioral2/files/0x00070000000232c8-323.dat	family_berbew
behavioral2/files/0x00070000000232dc-383.dat	family_berbew
behavioral2/files/0x00070000000232e2-401.dat	family_berbew
behavioral2/files/0x00070000000232ec-431.dat	family_berbew
behavioral2/files/0x00070000000232f4-455.dat	family_berbew
behavioral2/files/0x00070000000232fc-479.dat	family_berbew
behavioral2/files/0x0007000000023302-497.dat	family_berbew
behavioral2/files/0x0007000000023339-679.dat	family_berbew
behavioral2/files/0x0007000000023345-721.dat	family_berbew
behavioral2/files/0x0007000000023349-735.dat	family_berbew
behavioral2/files/0x0007000000023357-784.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4580	Onocomdo.exe
4416	Ocaebc32.exe
4896	Pffgom32.exe
3812	Pjdpelnc.exe
4452	Qhhpop32.exe
1936	Qacameaj.exe
624	Afpjel32.exe
1204	Aoioli32.exe
3944	Amnlme32.exe
2100	Amqhbe32.exe
2336	Agimkk32.exe
2676	Bhhiemoj.exe
4008	Bdojjo32.exe
3692	Bpfkpp32.exe
2564	Bmjkic32.exe
4612	Boihcf32.exe
4068	Ckbemgcp.exe
2556	Chfegk32.exe
4924	Cpbjkn32.exe
1028	Dhgonidg.exe
4656	Dqbcbkab.exe
1860	Ebaplnie.exe
3436	Ekjded32.exe
2160	Fgjhpcmo.exe
2696	Fqbliicp.exe
4496	Fqeioiam.exe
3416	Fkjmlaac.exe
4032	Feenjgfq.exe
4584	Gbiockdj.exe
208	Gbkkik32.exe
4676	Geldkfpi.exe
3644	Glfmgp32.exe
1392	Glhimp32.exe
4944	Geanfelc.exe
1752	Hnibokbd.exe
4420	Hioflcbj.exe
3808	Hbgkei32.exe
3896	Hpkknmgd.exe
3568	Hicpgc32.exe
408	Hnphoj32.exe
3208	Hldiinke.exe
4516	Hihibbjo.exe
4024	Inebjihf.exe
2560	Iijfhbhl.exe
4412	Iogopi32.exe
4824	Iahgad32.exe
908	Ilnlom32.exe
3520	Iajdgcab.exe
3508	Iamamcop.exe
1216	Jlbejloe.exe
864	Jaonbc32.exe
2188	Jhifomdj.exe
1520	Jaajhb32.exe
2448	Jbagbebm.exe
5012	Jhnojl32.exe
2548	Jeapcq32.exe
4108	Jpgdai32.exe
1640	Jahqiaeb.exe
4124	Kakmna32.exe
1052	Klpakj32.exe
1400	Keifdpif.exe
456	Koajmepf.exe
1852	Kpqggh32.exe
1768	Kabcopmg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Djkpla32.dll	Pfhmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Onocomdo.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Dhgonidg.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cidcnbjk.dll	Fqbliicp.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Klpakj32.exe
File created	C:\Windows\SysWOW64\Mckmcadl.dll	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Hbgkei32.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Iijfhbhl.exe	Inebjihf.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lohqnd32.exe
File opened for modification	C:\Windows\SysWOW64\Aabkbono.exe	Qfmfefni.exe
File created	C:\Windows\SysWOW64\Abjmkf32.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Dqbcbkab.exe	Dhgonidg.exe
File created	C:\Windows\SysWOW64\Fgjhpcmo.exe	Ekjded32.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Ppdbgncl.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbgncl.exe	Oflmnh32.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Onahgf32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Fkjmlaac.exe	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Fckjejfe.dll	Gbiockdj.exe
File created	C:\Windows\SysWOW64\Iogopi32.exe	Iijfhbhl.exe
File created	C:\Windows\SysWOW64\Diadam32.dll	Laiipofp.exe
File opened for modification	C:\Windows\SysWOW64\Niojoeel.exe	Nmhijd32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Hknfelnj.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Glfmgp32.exe
File created	C:\Windows\SysWOW64\Iahgad32.exe	Iogopi32.exe
File created	C:\Windows\SysWOW64\Dagdgfkf.dll	Iogopi32.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Lhcali32.exe
File created	C:\Windows\SysWOW64\Ilnlom32.exe	Iahgad32.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Iajdgcab.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Kabcopmg.exe	Kpqggh32.exe
File opened for modification	C:\Windows\SysWOW64\Hioflcbj.exe	Hnibokbd.exe
File created	C:\Windows\SysWOW64\Ablmdkdf.dll	Kakmna32.exe
File created	C:\Windows\SysWOW64\Keifdpif.exe	Klpakj32.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	Mlhqcgnk.exe
File opened for modification	C:\Windows\SysWOW64\Nmhijd32.exe	Nodiqp32.exe
File opened for modification	C:\Windows\SysWOW64\Pmbegqjk.exe	Pfhmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Afockelf.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Onocomdo.exe	ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Hicpgc32.exe	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Inebjihf.exe	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Ildolk32.dll	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ilnlom32.exe	Iahgad32.exe
File created	C:\Windows\SysWOW64\Ldfakpfj.dll	Abjmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bboffejp.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Binhnomg.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	Qpbnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Agimkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Gbiockdj.exe	Feenjgfq.exe
File created	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mcoljagj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6024	5200	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkcqhdh.dll"	Dqbcbkab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaodc32.dll"	Glfmgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll"	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpehef32.dll"	Geanfelc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afockelf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgqfld.dll"	Geldkfpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kakmna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll"	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanpdgfl.dll"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glfmgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghklqmm.dll"	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll"	ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqbliicp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papambbb.dll"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqbliicp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bboffejp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heffebak.dll"	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agolng32.dll"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chfegk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4580	372	ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe	91
PID 372 wrote to memory of 4580	372	ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe	91
PID 372 wrote to memory of 4580	372	ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe	91
PID 4580 wrote to memory of 4416	4580	Onocomdo.exe	92
PID 4580 wrote to memory of 4416	4580	Onocomdo.exe	92
PID 4580 wrote to memory of 4416	4580	Onocomdo.exe	92
PID 4416 wrote to memory of 4896	4416	Ocaebc32.exe	93
PID 4416 wrote to memory of 4896	4416	Ocaebc32.exe	93
PID 4416 wrote to memory of 4896	4416	Ocaebc32.exe	93
PID 4896 wrote to memory of 3812	4896	Pffgom32.exe	94
PID 4896 wrote to memory of 3812	4896	Pffgom32.exe	94
PID 4896 wrote to memory of 3812	4896	Pffgom32.exe	94
PID 3812 wrote to memory of 4452	3812	Pjdpelnc.exe	95
PID 3812 wrote to memory of 4452	3812	Pjdpelnc.exe	95
PID 3812 wrote to memory of 4452	3812	Pjdpelnc.exe	95
PID 4452 wrote to memory of 1936	4452	Qhhpop32.exe	96
PID 4452 wrote to memory of 1936	4452	Qhhpop32.exe	96
PID 4452 wrote to memory of 1936	4452	Qhhpop32.exe	96
PID 1936 wrote to memory of 624	1936	Qacameaj.exe	97
PID 1936 wrote to memory of 624	1936	Qacameaj.exe	97
PID 1936 wrote to memory of 624	1936	Qacameaj.exe	97
PID 624 wrote to memory of 1204	624	Afpjel32.exe	98
PID 624 wrote to memory of 1204	624	Afpjel32.exe	98
PID 624 wrote to memory of 1204	624	Afpjel32.exe	98
PID 1204 wrote to memory of 3944	1204	Aoioli32.exe	99
PID 1204 wrote to memory of 3944	1204	Aoioli32.exe	99
PID 1204 wrote to memory of 3944	1204	Aoioli32.exe	99
PID 3944 wrote to memory of 2100	3944	Amnlme32.exe	100
PID 3944 wrote to memory of 2100	3944	Amnlme32.exe	100
PID 3944 wrote to memory of 2100	3944	Amnlme32.exe	100
PID 2100 wrote to memory of 2336	2100	Amqhbe32.exe	101
PID 2100 wrote to memory of 2336	2100	Amqhbe32.exe	101
PID 2100 wrote to memory of 2336	2100	Amqhbe32.exe	101
PID 2336 wrote to memory of 2676	2336	Agimkk32.exe	102
PID 2336 wrote to memory of 2676	2336	Agimkk32.exe	102
PID 2336 wrote to memory of 2676	2336	Agimkk32.exe	102
PID 2676 wrote to memory of 4008	2676	Bhhiemoj.exe	103
PID 2676 wrote to memory of 4008	2676	Bhhiemoj.exe	103
PID 2676 wrote to memory of 4008	2676	Bhhiemoj.exe	103
PID 4008 wrote to memory of 3692	4008	Bdojjo32.exe	104
PID 4008 wrote to memory of 3692	4008	Bdojjo32.exe	104
PID 4008 wrote to memory of 3692	4008	Bdojjo32.exe	104
PID 3692 wrote to memory of 2564	3692	Bpfkpp32.exe	105
PID 3692 wrote to memory of 2564	3692	Bpfkpp32.exe	105
PID 3692 wrote to memory of 2564	3692	Bpfkpp32.exe	105
PID 2564 wrote to memory of 4612	2564	Bmjkic32.exe	106
PID 2564 wrote to memory of 4612	2564	Bmjkic32.exe	106
PID 2564 wrote to memory of 4612	2564	Bmjkic32.exe	106
PID 4612 wrote to memory of 4068	4612	Boihcf32.exe	107
PID 4612 wrote to memory of 4068	4612	Boihcf32.exe	107
PID 4612 wrote to memory of 4068	4612	Boihcf32.exe	107
PID 4068 wrote to memory of 2556	4068	Ckbemgcp.exe	108
PID 4068 wrote to memory of 2556	4068	Ckbemgcp.exe	108
PID 4068 wrote to memory of 2556	4068	Ckbemgcp.exe	108
PID 2556 wrote to memory of 4924	2556	Chfegk32.exe	109
PID 2556 wrote to memory of 4924	2556	Chfegk32.exe	109
PID 2556 wrote to memory of 4924	2556	Chfegk32.exe	109
PID 4924 wrote to memory of 1028	4924	Cpbjkn32.exe	110
PID 4924 wrote to memory of 1028	4924	Cpbjkn32.exe	110
PID 4924 wrote to memory of 1028	4924	Cpbjkn32.exe	110
PID 1028 wrote to memory of 4656	1028	Dhgonidg.exe	111
PID 1028 wrote to memory of 4656	1028	Dhgonidg.exe	111
PID 1028 wrote to memory of 4656	1028	Dhgonidg.exe	111
PID 4656 wrote to memory of 1860	4656	Dqbcbkab.exe	112

C:\Users\Admin\AppData\Local\Temp\ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ebcb7397bed9943ef01640c0338b46f0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\Onocomdo.exe
  C:\Windows\system32\Onocomdo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\Ocaebc32.exe
    C:\Windows\system32\Ocaebc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\Pffgom32.exe
      C:\Windows\system32\Pffgom32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        34⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        50⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        51⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        58⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        68⤵
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        72⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        73⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4348
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        75⤵
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4476
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        77⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        84⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        85⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        86⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        88⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        90⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        92⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        96⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        97⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        98⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        100⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        102⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        103⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        104⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        110⤵
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        112⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        113⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        114⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        115⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        116⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        117⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        118⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 424
        119⤵
        Program crash
        
        PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5200 -ip 5200
1⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:6688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adjjeieh.exe

Filesize
368KB

MD5
f46372176cb0fda29aedf4b788acf03b

SHA1
5ff7043b8e7b184383567b0da48eefa9d9deb283

SHA256
1d45710480b8bf703fec833bdb7b2ff45470b35144745b3d80a4f39128433492

SHA512
7a525f5e3cc129e2165e06fccc557d445083ee6d4e455ce91b4f7a08d16648aa0d441c93b1d839e54eff12c133d675ef3fdafce8a503187138d9970079e0b9b2

Download Submit
C:\Windows\SysWOW64\Afockelf.exe

Filesize
368KB

MD5
d6af92e5f900e7c5fb399626cbf028a3

SHA1
215edc0c393c30176cb4786d3781de3de6183bde

SHA256
87014f2b9b3aa2940e6e8d941f7b8ee9c33b72581fe05f66e23b2d9e3b36d31f

SHA512
a112682fc88f1fe5a10adfe58f300e983ef707b8a555580515af5ac1be14278bee409c0d1193f567b97e42bffb696cef21d8715fea1d4c2840571fafc23f90c4

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
368KB

MD5
ff7af03af73bfb8f3bed83cd82bf62dd

SHA1
3e5d8ba28a5d87f31292f29ad7eddcd72622ab2d

SHA256
bd86978ec7ab3f2ccdef8b18e81adb9e30553014ed0c0d9df383dd722b7d4c41

SHA512
d9e55f7fa862f3af56609796b85c9073c9449b6e079162b3ab29e4c9485e390a9cbfcf1fd0a8675769535fdb6d844bed36b17194eb92a604d2b3468baa662d17

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
368KB

MD5
71c4ad115348372fb54d5a33569dd95c

SHA1
c9be42bce9ae66126211f7324c7b0d0793bd9656

SHA256
371ecb80c32cd6412f52a94273383b0ff73aedc74b9874f1022192b440d43f98

SHA512
73edc4160ffde0861241e4130d791b01cddd65bffd59ad52fdc5432f982b59940c6cbe60876b26b540c532dc8a0358850ecea75cb804e46cba66d63c634d420c

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
368KB

MD5
56aa00aff4dba6ac6aacc97483c6752c

SHA1
add2a91e832e0185ab9414dbe803bd5f7526bbc0

SHA256
8a37eaf99561bf456b5c5bc5a33646ed53a98d10f6d653ef9043f76e246ead14

SHA512
401015963595660509c215393cf7d4499bf7d3bddf6e5ca15dc0541a3b3a8169d4e19d851694d4dec6b97bfed15a21d83a8d5b0083154e30be86c35f67cb1ca3

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
368KB

MD5
a3e841f30985b490a3a019727e15a7c2

SHA1
fb17a90d1de6e352416f8edcea28272d15cf0221

SHA256
44df483c9a67e668d1775074460e3dd1890f5d9cdf82b4ed2263bdbdb9ada76a

SHA512
3337534ac0727fa9ebb4b484f436ca3561e405c9d8776a339f4d47798db813894bb7b0f3210f063510e6a285fdb836d8183091d6218da3e14add216939197b6f

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
368KB

MD5
9048e6bd013ab6988a8234b0026adb83

SHA1
e1153c1868b70456011c332bf2b864646f96127a

SHA256
e3683c6a3f3e644c2ab25369576df3c3616e29561ae9ac09f66613db6e4754a1

SHA512
38c9497de76216381d9647f06193f6fe342042095fa2136109fdc38834d327108c99b9dd4b7fec35660e60b324e6d5979d0be4a0c03434d645eb856442e7b7ad

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
368KB

MD5
336f35a5b47abf185767e4a9ad33a4d7

SHA1
1a992adf2aa07051db9d53373e716f6b82e30799

SHA256
fad3e5c08b26ce85ee14685fb5ea41788f9a3056e6a1d9312374eaab7a82c0c7

SHA512
7956716e6fabadaf53266db76833da3b3524ea24e73835fc9fce47eacd2779ce63b4355deff021d5279b100497dfc87cdbbc694ee20a77b9348d6670fd4c57b9

Download Submit
C:\Windows\SysWOW64\Bfmolc32.exe

Filesize
368KB

MD5
77c0244b896bf84999af069bf70a6899

SHA1
25b0117794369c9e980b74898f35ac33f8cbf525

SHA256
509b89e769b6db4ba417591e5460fba7205d65b9d204689c3bd9391a7827ef2a

SHA512
70c518fd32d6d03fa9c2449cc1db7375b98ff4f412f50a551887c2ee34428f95cb47f7af3f5111d1f16f68721aa6ae4bc2c96d902ea60118a55763f35f4636a5

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
368KB

MD5
63dc8f3eb0fec0e72ab40abc95d75592

SHA1
6a8abfc34176e38698b9d22a0f10e4d162f85ebc

SHA256
3dbf242aac6d54bd701e7f8d026c3820a1b37a4199ec45a52a0a2a9dbdfcf563

SHA512
01d736837a92eb94f47ad4f48ad59a0be90403b262370010e11cbeb6de5db2180e58f4b5242c15f5ef30b1dbe14d84b50e0180215676efb7449da2718b157a56

Download Submit
C:\Windows\SysWOW64\Bmjkic32.exe

Filesize
368KB

MD5
7076978988ea37e351258de7700b15ba

SHA1
6215bc37cbc31c65d4a917994420dc46aa77cfba

SHA256
37078549a84c9205856dc689b6926a69e098b46775685a8c1557e3a1da4460e9

SHA512
4fb1230b4482551281b5cbccaec20bfd614f7e3d6c14f6224f0378b6948cf91940fa1f22899f945d4d94ec52f6a50bf96224c99df23547de3e7fe0c967e7220a

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
368KB

MD5
c47c2a028a6eb0ef49bdced8ff83350e

SHA1
007ee6a4c4d4e9d61772170d570097b5f72e4e04

SHA256
e07f56c20bb48e252d00305bb9fe8192f95e66c547c8bc9a01e5b3e4f861d41d

SHA512
1b942f9070e1c5b2edc9487ded0da81b8b6272facf3a86b66bd7a6861e714eb5bb7e96e0dab577c5c758143ecf4806c9aaf62e84a875eabf5b39f63c32c69a23

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
368KB

MD5
0fd70a85bdc0cfa1a3ab966f8c889398

SHA1
9a7aeebb70ab5e25dbb83ce6b290a081e2fc6305

SHA256
84716402b0a1ce17cfbd4e10c7f481e49109d23929d729769cc5622ecd9f1509

SHA512
5ea08f0a5c5e0c4a5084d3353844b38b349c4c73e9351a4e17e20f7c102b9fc662d4855511072e170888b830ac4d43117c95a26eb120af28992339f02aed40d4

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
368KB

MD5
b736896c9ef8340663d63c53d8a1cd69

SHA1
c36ee90f04a2225b24555489f2fa00e9fb4f6202

SHA256
5a3b76099faab9e23eb67de5ae742b816dd1fb77900923a99fcc13699bd868f5

SHA512
72cdad2c5fe762415405d05e4a37438b70f7a65cfa0e22bbd7b7a747d0ebe60d6cfebba7f43f7160d4513b4fc40e4ac928fc4a5d9ae99d98f9c15aa52459728c

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
368KB

MD5
f961a961fc4e6680dc8026467b55a7f0

SHA1
d55e875e20622e7f60c91b121ac526e98545d3f3

SHA256
746e890eab94914658b22fef36d5710b5684c241ada4d823b131e9807b0e3ab0

SHA512
8db4db7894a4428fe298cd4c4f22b829e9db23d4a5d43c41aba6bf476de2bc0af72761685d678b5b47c2fa013b99c8aacc14913ce9b220aaaa7f257d6fabae13

Download Submit
C:\Windows\SysWOW64\Ckbcpc32.dll

Filesize
7KB

MD5
cb28383264e5558313612bdbf878926c

SHA1
497d70c4546cb6b5ab1199854d9206d8b9ef445a

SHA256
0cd475d70194f0fb7a112b950cb3321d468ebc1fc489f998f5857f8c5b95bf78

SHA512
400cd61e6189ab6d15683436db06bd0223226c4acc3eec0d76fbee3f81b2276d164d5b993db0e39c3ce4845c7368d6b34e119a736fbe930f04ec49c3041d5390

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
368KB

MD5
1e2c3ca586f6ed549dfa84d4f350b08f

SHA1
1a170a76b3c10a96ed64ab42f765802220d3da7e

SHA256
bdce48ce4f4dd231e61eb191b49c3e227e94bf6480d7b04a47ea404da970e25f

SHA512
f3b063ccd9af51a622d6865326bda757d85d77bdf76528be0be8a40004fde1f24425872b1329793fd216d58ce93be3a01022b2fbf076886e973420f1170ad19b

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
368KB

MD5
2414e39b160bcdc7c3dbc720ac7b7f6b

SHA1
a351487eed9caa20bbe72c9e40d3ec019a023a7f

SHA256
9345b52f0054be96ffe28fb9720b8a92cbdd816740d3bb7765a3dc53a2da883d

SHA512
56ce472ca398a82ea33ad1a7465a310dde2b7f2f26056c93fb7141e0b2a2c5e4cdabb5906c9881f6e6644cd31e606d5a5f21787364569cdae999536b3ed53178

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
368KB

MD5
d116d6ee6b261609262f0a5fde90283f

SHA1
19fc9f34d6b24369e096033e7f11f7bf69bb609d

SHA256
cb501aad78efa41d2dbc78c74f4ab2dd41e0d1d760160caf30e0c76970536571

SHA512
afd90046df7b976be3631f0640949108b7f6f7a178405f90807cec261fe8f3d232af368f2c8cf3708bbf6235723966914e73e9073e4ca855a52f67b60b9daa36

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe

Filesize
368KB

MD5
da76d2439e6ff26eb4ed29357275614b

SHA1
a544ec515d6a5082e396121aa93cc03d4e59e340

SHA256
4391c7ff6f0f23167b70e71c104ee86d7ce580c69abcd26e731d4e308a4948ee

SHA512
7528be43c56216b7810794a1f40f462991b446628f24ffad770f19804f07c9a4ee3e2dcf3e9113754a825ba237eae3c865a8ef37d55d9fe7d188fcb70946e78c

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe

Filesize
368KB

MD5
7c5d4de5b62b75c14cc12159d3e740aa

SHA1
892b73a5ba7289664e93f148fc3d2e8d4e5ac0f8

SHA256
2d223864c02e353894d09124762355b70f4495497f9d59bccb8c9382524420a0

SHA512
245716b0c5f024090a9ce2e29db65a0cced381755bd9c171c09b5982de2185bfaa9d1a586eca0c90634756f632e2286ede6073bf1bce59c846c5f6e22f8c25bb

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
368KB

MD5
d740a425ba921032a3f5f3e5b454b805

SHA1
aa37c897b032967d3a0b1a324cc909dd98bb8588

SHA256
b615940a4b3c4958eafcdd9f8a7b7b82b2edeaabba16c173a5a95a463211173d

SHA512
4353e87b83ef94d52b84f42e39cad09742114c6d0244e9dbb4d630df689e5943f4e90e54bb701ccb638c2d7d4c82820041b6ec3fe295488c6fd0b7cdafc73144

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
368KB

MD5
44be8127dcdc7317045c478e7fa5bb8a

SHA1
a9dbfd0f3fa35e383215c1a0e4a1a6b1ef9809fb

SHA256
038916eda9d6c9bf7a75645355843f4747be18c5e5c3f2c121971c8c4b69f7a2

SHA512
a929fd11c13d6edd54bc5ce4e1c5d7056f82be5624a0e2cd90d557a000b3cd43eb4cbbd615bd1fe66d42dc0fae819829933b137eb9ead0727cb1fb1ce9edd5db

Download Submit
C:\Windows\SysWOW64\Ekjded32.exe

Filesize
368KB

MD5
0bc048a6dca76a7856e88fb5e713b2f6

SHA1
a3746de7e256d61b57e43ef10f588c2372abcd35

SHA256
30a6fdcd67d35a2486647fc422b797c3436299e520ddf3dd4fa97c93eb0209da

SHA512
202b98fa6f23f0e913808a9693cfb6a321d1677b350ae1dc5453a1abbabde869254fc560d1d146ae74e535c2c3b5d82a1e972e06a2fbf08c439c3e525a78e76b

Download Submit
C:\Windows\SysWOW64\Feenjgfq.exe

Filesize
368KB

MD5
0ab49dadf7c318bb5056d4187c6228f5

SHA1
41ec8ee1538cfead45ae6de77a532bb60f5b152d

SHA256
0814bd882d5e64eac50d910fbd767a2e86397a668642ef5aa99c76f14bccf990

SHA512
af281eacf49de7a5f06a2daf7e82b711c761210873afa23efc5e7997bff547315b7aecf619fafb1d02195415d5a688f851d3bcce4caa828722a4a80670eadbfd

Download Submit
C:\Windows\SysWOW64\Fgjhpcmo.exe

Filesize
368KB

MD5
e656c82f0d8c78fbccb6c0fe02476a85

SHA1
9781b1204ac9c9f000564aa6647d11a9ddea9fe7

SHA256
1ba8d35d03135136b7cf9e2903a5c8dddb4995fe8324a4358873f4f9a42e4123

SHA512
d21ed227bf68bf54fc4b12778e74ae74f0d1d3b996e3e78f03c9ed472ff56e9dd2fce69bab36f86f6b0cf5b248668c7761fe6c0d50cede42a134a8901eefef62

Download Submit
C:\Windows\SysWOW64\Fkjmlaac.exe

Filesize
368KB

MD5
5538d6d97e36f46a0b326029cf6fd76e

SHA1
8c423fa680ef533bdfad092f41b257325e7b612f

SHA256
ea24b5d51a3dbaf31a2abfe80930f65958bf70379c91beca730d236dab68817a

SHA512
1aba9732b306e0612b89f4d215a84caba8fa2cff61086f0221b59c8fd7353614ca2f19e763b6a88bf174a49b28676d200864ba3a3b6fc5efa84b0156cc5e6089

Download Submit
C:\Windows\SysWOW64\Fqbliicp.exe

Filesize
368KB

MD5
1bbbe31d6cdcc4d5d18fd1fc7c86cf03

SHA1
cd506ebee2ae05e80fb0929cd96be39adc05736d

SHA256
15f82f9f8e192e6ef504e6200db6770cdb2fbe726dff01cac045da342dabf128

SHA512
979b34272ac032b3d177139e04fad90a0ef4998ea8287d6ea7e45a94caaab5c05b31356e79577f4a08f338fb602f11f5343152c7283bcaef07ecea8087c0d297

Download Submit
C:\Windows\SysWOW64\Fqeioiam.exe

Filesize
368KB

MD5
9dc48892602547685cd6b36004a28cae

SHA1
a5270e79b56e05176a10c471494dbc047145bbc4

SHA256
4a5bea5e7461c6824f36f00374291dfcd2758fe750f8224d3182ee619c6f50cb

SHA512
ded2bec0cb7d26da22c3f4b1af329dbe922633eb3a86bc961b5411e250f2c1003fd15bb3755b6d6aba8fbc906b90affd2345f65659040c23e153cee48bdbcb77

Download Submit
C:\Windows\SysWOW64\Gbiockdj.exe

Filesize
368KB

MD5
57a77de9fef9bc76804614731f596bf9

SHA1
bac97203d974b5ad89a4d14084a986891474aa3e

SHA256
4a7c9f46b589aa1b345bdcf4ddd182a81d34124ddd2a6e40f4e7f8d22b984c0f

SHA512
0d1c49546a8a6d170b7f79e61df93c90a7b77ce0b4f5042a0f0ac098c6b59caf455263383b663dc2941b1c6bbd501313332ff7cebfcd9c7d8422b19f8e42bd49

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
368KB

MD5
ea5ff2ccaeda768de2bb73fd30c6d624

SHA1
edc30ebd79fa76dfad44a48a3f284429731ffbc2

SHA256
fe9646fe8e4b1c7b25b91a6f8eaeb92b8e92726e0496912658b76b840d042845

SHA512
91de7ee29b9ea96f8e4d8f45970f72e43b3d85a43195199cdd2a28ba6ed2a41f729c07bbe834c37da8bc322217b7256439d6d70ca32e59f0779580f07e6a2041

Download Submit
C:\Windows\SysWOW64\Geldkfpi.exe

Filesize
368KB

MD5
823d5b57eaa152b6e622036553266bd7

SHA1
c971ec38d826f58ec410ca6b676e1d247421da2d

SHA256
ef7ff90644ae7bf36c8d0a37a070818f281b9533da4eff35257c08b015387410

SHA512
e9ccec22e7abae00dd097a5b951f81c38ed4df5c345a9c12fce77e22a7ebc630c911fb7b4caa5106247099007d44af6a16e093355cb0faa0e151bfb67f2e13ec

Download Submit
C:\Windows\SysWOW64\Glfmgp32.exe

Filesize
368KB

MD5
1badab98fa69f506943c451cf6777467

SHA1
fc0d2e22c87b4b98cc0a855b283fb11523279536

SHA256
f89bd158d60f7db89111a3fce3529999c09e45754f7d401dad303eb266e230c9

SHA512
749363bae68fe97084c41846ad3bdfd6a30fed0028ba9ff6d1899e512ee57c5563beff527fc203f4a57e53a0cbbbe711c07f3818ce8d3035ca45ccfcf2045e70

Download Submit
C:\Windows\SysWOW64\Glhimp32.exe

Filesize
368KB

MD5
7efd45356df8897a93a5472bcf84093d

SHA1
0c4a1478b975a33a828f8ec258b8255dfc17fd56

SHA256
22795f573b1bd297e0ee008153fa18b692a9dc25efcaac123085b13a8246fc1f

SHA512
0bd1a49f99138c8c84ccdceba0ab8efbaceeb94e039bcaf860cf6b95a890bc91a26d50641bb9a5b924ea891db59622f7f17de68b24ca895495b2d0343b94e14d

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
368KB

MD5
86327042536e347684391b3795b27a46

SHA1
09acc53f7f77f34ab3d765d9b021ec783b6b371f

SHA256
305f0fb81b03ea91fb9764fad8bd75734107b8b93d9b98ae666135c3647e16af

SHA512
d5daaa3f5bbdad913f47d21311b12f417ff24083201ea0eb4f7162923485b914123115505be9ef17c0f36df213e55d54a68d00716ab140f4425f943b68d8ad95

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
368KB

MD5
70e4d1b9a80e5457c0250e2bb430261a

SHA1
dd74f1096d4c9b99c0e6bf7b1bd416d26e241ba5

SHA256
7815fff8513e46b917d259d3f0020c48d0aca8e78ac9def60b9048fa1bd6c5bc

SHA512
34e4707b5c9198a99e0bce7a63c220cc21b2eb53402c0c6fdbb75b18409b58d00735a519be027d53918a023522b3c4a8e62b4e9a6ce36cf9a27f1654d52ba675

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
368KB

MD5
2b3d32a8316bdd5a9978a6a499a25fe0

SHA1
42ca7b8a6cf32b6c7dc4b3973063f9e868d7f3be

SHA256
251be4cd6ec4c1e32b2f2e257b31335185edc6367088cbf80b49cba4390400bb

SHA512
6f5fd14360d5ba14d2ff9faea8a5c55bd0c9f02ba7816029855cbbae82f25574db0e17530b3e01bed515380cad22c862c0043f17c0a37dbc5ad2610f2e19094b

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
368KB

MD5
362283927089dcc1f553a629b5376788

SHA1
1930a89663ce0c704c0e0e4906b03d6add4a6942

SHA256
0319c92d615afad5911911322aed5144f1cea53e3fbfd0f68338e018002a9b83

SHA512
6a805b7a14440eb4fbc86052e6357f0e04f1a14046a8e0540bbdf96fdb9039e7426b884231d745334d51e6a4deb76f923411f5d814f6a2590483a675fd6cfe8b

Download Submit
C:\Windows\SysWOW64\Koajmepf.exe

Filesize
368KB

MD5
d6b79aac013a21bd5dab0a7ab0ea387b

SHA1
569f8df1da887a2587430c3e64f4835d3863d6d2

SHA256
fe9edbbc3673c391d378de7d64e3b91610637197a02ac86ae2456a0b025c9c9c

SHA512
a23798fe5b387935a9345d7773d1f8261f4f4316cd1de40f97a922bac50a158c94d6f07975518ff906ed446e498df20daddf871b58501f263440d6e02a820abb

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
368KB

MD5
5c151d1933fe384d6cb881b21e5113c9

SHA1
7489e4866acb67140f2b01cf0376e2aaa9dec21f

SHA256
eb38f0e480085a984f5fb6a712be9e6a246ee681c3614852df7bddadcfe8b477

SHA512
9c02b02045cc8e64d85cd25262429e2210ce1a7ce7c3abaf45bb184394c293562dde49882797f2eb40c62a73974610fed3ee73853ddb88cb6ed3ca4ab916c7a6

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
368KB

MD5
f5be2e4a33e83930240f7832e63f338d

SHA1
f5b9482e4c835fbef30d93074f1ebe0fd17799ec

SHA256
aa0e0bb6ff8ccb923373d6173a30c5fc72c4f9537850d0e3746b0705f8d2624d

SHA512
89ec529457fead2d6edbbca48d74ea277cff8a8ae980969c508b9285f15e3126798574f2e7e638a5ae61b03676aa1e2eef2c402753e105982c2867f9ef0a4f53

Download Submit
C:\Windows\SysWOW64\Mbdiknlb.exe

Filesize
368KB

MD5
978b3b9c2eb6235d9f31c553c00e1562

SHA1
b6e66345705dac2b1337e570060c8d6fc66b3c10

SHA256
3d1521a390c1c13a17f886d1fb1be78b79a8de5c232d189e9f83cce2b297bfd6

SHA512
050a2b930ffc4ad3458a5ca16c8fc6389a132f5a1cf025e20fe24be24db85017940504acb0f8944434f2adbd803571da083f04774d64b45b7a2c0077a01c4036

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
368KB

MD5
2f9673a12ffcc31c2fd3301af244b50b

SHA1
8623660d6f9fad4454fc6fcd90919cbd57250074

SHA256
f5c735a846cbc869cb01c57f1489c631b7235fd6ee72a1e728328a997ade05dc

SHA512
fc32883ec2d298fb4610552b59cec22c6bf3f5f9faf362245ff556a6fbd4055d3752711122c5e906ecff85e9e3cf2a280797e91993f77cad84e9862dcf72dbe9

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
368KB

MD5
31960bc6c6d86b85bbe145e244184cf4

SHA1
2fd4aa09d69b90a377fa7c808d476192f1453b50

SHA256
061c575d6fd276d81bc30de146cee7c8000a95537b5d0a1784d6c307318b6911

SHA512
760010f96713d95c23f2e18acb1c62457862d0a2ef75375d4d8be4083832fe7aa36982613bec32b22027e130c7e60eef79d2abbdcdef87eeb7623345b1caba12

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
368KB

MD5
6d1a8649629ab90f1dd7685078e96160

SHA1
9b1d8a65c5ffb43998d72b9ccb4beb5a6719a5cb

SHA256
c5d4f4f08663af2b274b97d7c55de8b0f15c04e515ccebe53d958d5e878de910

SHA512
433f730e44c4ac92f923b23fbe172cf8ad4503c77384091c8345fed57fd022cbe94b325f61a77ea5e8d13551f3ff6173d022e82c5e8c9c63c376d8d7245aabf6

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
368KB

MD5
0e9c5b915e8b107c6d98c79891ee2dd0

SHA1
c036c36506a4c81ec451a20d12fcf506cb032fff

SHA256
3c0d4cb956f1f47b69880aac6d8d5bc464d61f1782368b7d92a313e00b3b0620

SHA512
617328566d40da206bd7a3d337a3aaee3698094f48e1442c18832a72a08f8621edf80aa1f69dcc60bb07b45cf5853c2d3fb6fa51bced627dc28bf48ca5ea6b5d

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
368KB

MD5
16f96d523425746e7f0cb31ad1f8d053

SHA1
656e0dd6447e83d972d458632c1e8f55d393d7ae

SHA256
672dc0a9436163b270065c64b3bd5ebf1b46ce8b899082beb58ca5ff37dcf944

SHA512
5ad3eb9106502e61b3ae28f8c44ac4c42e0dbfd5dc72f4a1d2b0ea226e3520827f91126d54c8f4940c1cc292daaee926e2890d2ab32743620ff13545e56cf969

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
368KB

MD5
ba4dbe6bd7381842e6601f7fe4300ed0

SHA1
5a63c50c3aaf63360780263c6ad8b9359cd8f2a2

SHA256
f3da16620241cf5cf1c646a6f7462391f1ae5aa80dbf9560175059cabfe39a89

SHA512
ae214a1642349322fa19b76c0662f1de40dcc052e2cc3772619abeab6ca71753025bb120d52e85c0cd21f00df8dbd4fa34de91abda46efc08183d91188e71cd6

Download Submit
memory/208-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5124-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5208-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5312-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5464-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5516-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5580-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads