e53bcded470cc127f7f97839fce16d237a5345c368d17220e0d885f2a829d7de

Analysis

max time kernel
130s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

715862d0ca414ffcf39548b83a34a840_NEIKI.exe
Size

128KB
MD5

715862d0ca414ffcf39548b83a34a840
SHA1

b34d4257e5e52f6a086d8e8cea52c2faac2b9d17
SHA256

e53bcded470cc127f7f97839fce16d237a5345c368d17220e0d885f2a829d7de
SHA512

64d1213230380594b891926ba0c8a5e154e20f3ab1a1e5f3fc010c537dc37ca8355ce993be9044d141f661d05cad0aa4712b60fe64b0112e6efaf147a18f8cfd
SSDEEP

3072:HTNdXq1DwS5kdLKTWVmQTqeDP5wkpHxG:HDXq2RdtCCA

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/1696-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023b4e-6.dat	family_berbew
behavioral2/memory/5024-11-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000b000000023bab-14.dat	family_berbew
behavioral2/files/0x000a000000023bad-21.dat	family_berbew
behavioral2/memory/4472-28-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/704-23-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023baf-30.dat	family_berbew
behavioral2/memory/3372-32-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb1-38.dat	family_berbew
behavioral2/memory/1488-44-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb3-46.dat	family_berbew
behavioral2/memory/3928-48-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb6-55.dat	family_berbew
behavioral2/memory/3052-56-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb8-62.dat	family_berbew
behavioral2/memory/2420-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bba-70.dat	family_berbew
behavioral2/memory/3980-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbc-78.dat	family_berbew
behavioral2/memory/4324-79-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bbe-86.dat	family_berbew
behavioral2/memory/4220-87-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc0-94.dat	family_berbew
behavioral2/memory/3516-96-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc2-102.dat	family_berbew
behavioral2/memory/620-108-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc4-110.dat	family_berbew
behavioral2/memory/4904-111-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc6-118.dat	family_berbew
behavioral2/memory/4064-119-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc8-126.dat	family_berbew
behavioral2/memory/3904-128-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bca-134.dat	family_berbew
behavioral2/memory/3020-136-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bcc-142.dat	family_berbew
behavioral2/memory/1480-143-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bce-150.dat	family_berbew
behavioral2/memory/3392-151-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd0-158.dat	family_berbew
behavioral2/memory/4916-160-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd2-166.dat	family_berbew
behavioral2/memory/1496-168-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd4-174.dat	family_berbew
behavioral2/memory/1844-176-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023ba0-182.dat	family_berbew
behavioral2/memory/2516-184-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd7-190.dat	family_berbew
behavioral2/files/0x000a000000023bda-197.dat	family_berbew
behavioral2/files/0x000a000000023bdc-207.dat	family_berbew
behavioral2/memory/4556-205-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4828-204-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2424-213-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bde-215.dat	family_berbew
behavioral2/files/0x000a000000023be0-221.dat	family_berbew
behavioral2/memory/3580-224-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4268-223-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023be2-230.dat	family_berbew
behavioral2/memory/584-236-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3120-239-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023be4-238.dat	family_berbew
behavioral2/memory/5056-247-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023be6-246.dat	family_berbew
behavioral2/files/0x000b000000023be8-255.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
5024	Gfedle32.exe
704	Gidphq32.exe
4472	Gqkhjn32.exe
3372	Gcidfi32.exe
1488	Gbldaffp.exe
3928	Gppekj32.exe
3052	Hjfihc32.exe
2420	Hmdedo32.exe
3980	Hcnnaikp.exe
4324	Hikfip32.exe
4220	Habnjm32.exe
3516	Hfofbd32.exe
620	Himcoo32.exe
4904	Hpgkkioa.exe
4064	Hippdo32.exe
3904	Haggelfd.exe
3020	Hcedaheh.exe
1480	Hibljoco.exe
3392	Ipldfi32.exe
4916	Iidipnal.exe
1496	Iakaql32.exe
1844	Ibmmhdhm.exe
2516	Ijdeiaio.exe
4828	Imbaemhc.exe
4556	Ipqnahgf.exe
2424	Ibojncfj.exe
4268	Ijfboafl.exe
3580	Imdnklfp.exe
584	Ipckgh32.exe
3120	Ijhodq32.exe
5056	Ipegmg32.exe
3464	Jaedgjjd.exe
3648	Jdcpcf32.exe
4108	Jiphkm32.exe
3756	Jpjqhgol.exe
1332	Jdemhe32.exe
3700	Jjpeepnb.exe
3960	Jibeql32.exe
4276	Jplmmfmi.exe
4264	Jbkjjblm.exe
3060	Jfffjqdf.exe
916	Jidbflcj.exe
4692	Jaljgidl.exe
4744	Jdjfcecp.exe
4568	Jfhbppbc.exe
2484	Jkdnpo32.exe
1704	Jmbklj32.exe
8	Jangmibi.exe
4260	Jbocea32.exe
512	Jkfkfohj.exe
1860	Jiikak32.exe
3012	Kaqcbi32.exe
2520	Kbapjafe.exe
872	Kkihknfg.exe
2588	Kmgdgjek.exe
2188	Kpepcedo.exe
1236	Kbdmpqcb.exe
3996	Kkkdan32.exe
1996	Kmjqmi32.exe
3472	Kphmie32.exe
1552	Kbfiep32.exe
3944	Kknafn32.exe
4164	Kmlnbi32.exe
1944	Kpjjod32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6104	5968	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	715862d0ca414ffcf39548b83a34a840_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 5024	1696	715862d0ca414ffcf39548b83a34a840_NEIKI.exe	85
PID 1696 wrote to memory of 5024	1696	715862d0ca414ffcf39548b83a34a840_NEIKI.exe	85
PID 1696 wrote to memory of 5024	1696	715862d0ca414ffcf39548b83a34a840_NEIKI.exe	85
PID 5024 wrote to memory of 704	5024	Gfedle32.exe	86
PID 5024 wrote to memory of 704	5024	Gfedle32.exe	86
PID 5024 wrote to memory of 704	5024	Gfedle32.exe	86
PID 704 wrote to memory of 4472	704	Gidphq32.exe	87
PID 704 wrote to memory of 4472	704	Gidphq32.exe	87
PID 704 wrote to memory of 4472	704	Gidphq32.exe	87
PID 4472 wrote to memory of 3372	4472	Gqkhjn32.exe	88
PID 4472 wrote to memory of 3372	4472	Gqkhjn32.exe	88
PID 4472 wrote to memory of 3372	4472	Gqkhjn32.exe	88
PID 3372 wrote to memory of 1488	3372	Gcidfi32.exe	89
PID 3372 wrote to memory of 1488	3372	Gcidfi32.exe	89
PID 3372 wrote to memory of 1488	3372	Gcidfi32.exe	89
PID 1488 wrote to memory of 3928	1488	Gbldaffp.exe	90
PID 1488 wrote to memory of 3928	1488	Gbldaffp.exe	90
PID 1488 wrote to memory of 3928	1488	Gbldaffp.exe	90
PID 3928 wrote to memory of 3052	3928	Gppekj32.exe	91
PID 3928 wrote to memory of 3052	3928	Gppekj32.exe	91
PID 3928 wrote to memory of 3052	3928	Gppekj32.exe	91
PID 3052 wrote to memory of 2420	3052	Hjfihc32.exe	92
PID 3052 wrote to memory of 2420	3052	Hjfihc32.exe	92
PID 3052 wrote to memory of 2420	3052	Hjfihc32.exe	92
PID 2420 wrote to memory of 3980	2420	Hmdedo32.exe	93
PID 2420 wrote to memory of 3980	2420	Hmdedo32.exe	93
PID 2420 wrote to memory of 3980	2420	Hmdedo32.exe	93
PID 3980 wrote to memory of 4324	3980	Hcnnaikp.exe	94
PID 3980 wrote to memory of 4324	3980	Hcnnaikp.exe	94
PID 3980 wrote to memory of 4324	3980	Hcnnaikp.exe	94
PID 4324 wrote to memory of 4220	4324	Hikfip32.exe	96
PID 4324 wrote to memory of 4220	4324	Hikfip32.exe	96
PID 4324 wrote to memory of 4220	4324	Hikfip32.exe	96
PID 4220 wrote to memory of 3516	4220	Habnjm32.exe	97
PID 4220 wrote to memory of 3516	4220	Habnjm32.exe	97
PID 4220 wrote to memory of 3516	4220	Habnjm32.exe	97
PID 3516 wrote to memory of 620	3516	Hfofbd32.exe	98
PID 3516 wrote to memory of 620	3516	Hfofbd32.exe	98
PID 3516 wrote to memory of 620	3516	Hfofbd32.exe	98
PID 620 wrote to memory of 4904	620	Himcoo32.exe	100
PID 620 wrote to memory of 4904	620	Himcoo32.exe	100
PID 620 wrote to memory of 4904	620	Himcoo32.exe	100
PID 4904 wrote to memory of 4064	4904	Hpgkkioa.exe	101
PID 4904 wrote to memory of 4064	4904	Hpgkkioa.exe	101
PID 4904 wrote to memory of 4064	4904	Hpgkkioa.exe	101
PID 4064 wrote to memory of 3904	4064	Hippdo32.exe	102
PID 4064 wrote to memory of 3904	4064	Hippdo32.exe	102
PID 4064 wrote to memory of 3904	4064	Hippdo32.exe	102
PID 3904 wrote to memory of 3020	3904	Haggelfd.exe	103
PID 3904 wrote to memory of 3020	3904	Haggelfd.exe	103
PID 3904 wrote to memory of 3020	3904	Haggelfd.exe	103
PID 3020 wrote to memory of 1480	3020	Hcedaheh.exe	104
PID 3020 wrote to memory of 1480	3020	Hcedaheh.exe	104
PID 3020 wrote to memory of 1480	3020	Hcedaheh.exe	104
PID 1480 wrote to memory of 3392	1480	Hibljoco.exe	105
PID 1480 wrote to memory of 3392	1480	Hibljoco.exe	105
PID 1480 wrote to memory of 3392	1480	Hibljoco.exe	105
PID 3392 wrote to memory of 4916	3392	Ipldfi32.exe	106
PID 3392 wrote to memory of 4916	3392	Ipldfi32.exe	106
PID 3392 wrote to memory of 4916	3392	Ipldfi32.exe	106
PID 4916 wrote to memory of 1496	4916	Iidipnal.exe	107
PID 4916 wrote to memory of 1496	4916	Iidipnal.exe	107
PID 4916 wrote to memory of 1496	4916	Iidipnal.exe	107
PID 1496 wrote to memory of 1844	1496	Iakaql32.exe	108

C:\Users\Admin\AppData\Local\Temp\715862d0ca414ffcf39548b83a34a840_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\715862d0ca414ffcf39548b83a34a840_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\Gfedle32.exe
  C:\Windows\system32\Gfedle32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\Gidphq32.exe
    C:\Windows\system32\Gidphq32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\SysWOW64\Gqkhjn32.exe
      C:\Windows\system32\Gqkhjn32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3372
      - C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        30⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        31⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        54⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        58⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        59⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        67⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        68⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2084
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        72⤵
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        73⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4192
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2552
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        79⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        84⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        88⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        89⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        90⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        91⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        92⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        93⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        97⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        99⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        100⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        104⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        107⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 436
        116⤵
        Program crash
        
        PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5968 -ip 5968
1⤵
PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
128KB

MD5
41756721d5080b092d97ee8d98634361

SHA1
fb97b7988a44c0f9cd29f9b6db3403c89eb3f36c

SHA256
c830fdbfbafeb1bc9e5287fcf927b1cee0bfa2c5f70e8a724201812fd47d31c8

SHA512
3ecf506433c83e33af6eab8f7bdadbc4b3dfbcb2ffb2572b54fe019f6c0f288eefe7915386571a729e5f1985d85146fae1375941a34d6f2f57643b67ae796b65

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
128KB

MD5
a822e9992dd0d298818b4abf052b858b

SHA1
669933710112815ce8f3f3f95b1ef174d51c4547

SHA256
e8083d52ce4ceb09e3091a39f47b9506bdc2f2f784ed532ccc0cdf9eb267abf6

SHA512
1c89ca7608547aedaf41c23d5ba43411fd7623b611a235b19611b7acf7335e0f28b92b44b4742d4716dd9eccc84f4ac9879e09a0160a1f75a0a0c7065bb11ec0

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
128KB

MD5
a845f8b64cbdb752b48e563d511c28b1

SHA1
f1664ceddb79e1e96c07be900e8cc482798e55f5

SHA256
47558d8135fc2ae8d04768d73ee3eefbdc4ff62e430b2917dd1b17b25cc49182

SHA512
922c90c0bd5479d30200aa36a0d80c7b76d3438534723126b0009a25a19f2301aac63e41569463975f344fe6a713c9c4319bb85d55d4c79386e862244f8313de

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
128KB

MD5
749d59dd26596681f6a5156b610d14d5

SHA1
c8ae6fcdf67950435bafa5bfb14e38788a54dd23

SHA256
8b2746947421939fdf7b8ed79a9d82a03a1ca7b565215fa165c6fbe602041f16

SHA512
016212131d2e6670b6c5e9b992587bc221bf27d28e3d00d435c2bc609bb1153c6cfa51d199ed28fbc02819008576bab3476d3802b406a66021368ac84426b660

Download Submit
C:\Windows\SysWOW64\Gpkqnp32.dll

Filesize
7KB

MD5
d6947f217ea547ad904ad71339604503

SHA1
5d1161962c2fb7c80f18363be755464489dc41aa

SHA256
c8098e9a3cdc2787d7194597d47df786600f4fac95b4f42fae8287909e173f30

SHA512
079024d417f13ee29233715c24062f8a5daa5df940bf9e2ebbbf6390d7f98e8354de0db82c4068a9842712e8b3f60b6c165f80ee62203886fb8b116d442f8ca5

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
128KB

MD5
5bdb41eb5135cbff25e4283b403433dd

SHA1
c997b89a8705cfd26d8d4b3be41d2589ad3333a6

SHA256
10296a8b3d1c520889efb7bdb46cf83903ef1b21b40a1548ae921c34af588324

SHA512
8725ec0080b33372dc6d8d7d6e22a425f4f4ed7225ac6848e3bd2c36ed22b0a6887ea7e19b98a30c98931d299427b8f52f5dbdf3f9728f4b555cbc59a6fae605

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
128KB

MD5
f19e8ddc52bf388220dee0f835137e74

SHA1
a2c6c14068f65bf7656da9aa9396cedd493e7fe5

SHA256
4f73584609916757d8eeac08011e3838391e54357e13b6c231ef0b8801e337da

SHA512
ba841134cbd6b61fd7eb2dc1eb05138e00d18dc36408b38018807c48d50e6019815242b75058e579457005b0570a2b3f3d66b87b5c34f6f4902efb50dc7547fb

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
128KB

MD5
89ccd093a4dec06dba398e7bc140645e

SHA1
138241aed51b6223547669935267793f1ed8151d

SHA256
64b391144ab6a1b6f276c6f4e559ad9053d7ce5d4cc7a2c95017374827535a26

SHA512
eb1e5c4636a309fa27cf0ec68d53a683359d53ed3227fb9495d2a1c15ecec2fc4d57fefc6ec8a4a8151ba0458e92897ab8c929ef5e9f3067bf5c9e40a8356d24

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
128KB

MD5
43766567d34d6415bf259ca42dd09db5

SHA1
893441bbcbe2a4f473cb955f80e30fbe6d07ccbf

SHA256
05ca51852c2961cfffed6f1d9ad664e50d9d0eae66974da9d836db9ae47f7d7a

SHA512
dcc39fd4bc3394b827e0627578e6e4bcd7fc8e136b7c7968e44e3f65409db98bc49f88c609ac1bcc4264e189094643c2b6c1207632fb621160c7bc3cabc048c8

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
128KB

MD5
126d839b05256247c955ed817343bcb4

SHA1
987de576be2c67d55c1485779a251ad107282de6

SHA256
e75fe597b339f6945170891dab449d145792f222ab9e92a340bab0499bcd4d14

SHA512
2a2fa2e4b6a9fbe4ea5c66763f5d515d8ab7f2d115dbb24832572b9ee61df62f9ef8e093466258cd75a0158ddd16a473c7c3b8544b646aeb6b7e7c00d8983ef3

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
128KB

MD5
63273afa8e08d561123316368dda8126

SHA1
37479c2b16a3b23cc79ca5a11686bac87e8a1e9e

SHA256
7c87927eda1ec26c52fac53ada2f6672ef4bc8f27c9dbb0cb01cc0f2ac051493

SHA512
39d9c31e76b5a0e60d86e69ed7a4271c8655cfb24e90670b79106860fe7cda04e4764c8c3709b7491011bc4377b356a8e274def30755f22a9d0ec02859a971c6

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
c5fe592ffba1ef8e68d82dfbf65873bc

SHA1
76d4b97782d5d87c2866244d8f793c71d21389c8

SHA256
b80bea25a5078893d257b68fe4122c306c8f3652ce61fcbb0f66dcedb80fd631

SHA512
2c18f2788b097f51a0ad16e359e82b8f90f17e378391fa3015120f571cd0991f0a2e2985c304899393eca0e00d5e7fcdabdc4d31ec089a128783a27ec6edb226

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
128KB

MD5
f424bdb0606613a298db8d194a42410b

SHA1
a24b4bdface74da04e53d4b215bf6afad30ea2bd

SHA256
0d7d8b5d36f3bdcc590bae49113ac6def4fa52dd1d8d0a212bb09722c4a750f9

SHA512
be4114fe521d4fc325d9de227a24ccf56f3d872ef6181f32b7b3dd64ea4df090a645160fcfe17352ea86859754a35cc5790beae6f4b1e8ea2e673c3c9155ce23

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
128KB

MD5
194f1f3935742c29c05f5538505d705a

SHA1
5bcb4bfd4be57782b5530a0141c112e785d98aac

SHA256
603f512f1c03a7b11c12d062c77c0a49aed6e6923240cd141f61d0a163a8f73c

SHA512
16ae95f373cf25c4b4ddf1b39bf4d98533df9bf9ac2f605f1a11c9e1bdcf610db87db2100f59a02f0f1c2657b512bf81238f4e20ef707f20141a7a4c5c78646e

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
128KB

MD5
85ac08e1ebd9ac73fd7deb31ddc80dfd

SHA1
0b40ba4f0a929763897ced4bf13ef710ae652529

SHA256
3b049d4ce73dc34f48191e4392f33537836eda556d953171717c04a60165332d

SHA512
dda2a3cd1b64171d1675ed2357deb260d1e3c929153d40b2553208be70fb03481cdf35a9e3f49a40483a34e37dbf372cf8f146148772fb5b399a4996d5b8ae2d

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
128KB

MD5
acda4a7129145f92cf652e216cbf7c8c

SHA1
29d26e617ef3b765aa9955ce33a43f4fe49972b8

SHA256
621b2156a01e979bc1abc62291fc63f4d80c9e98f782b610116ff88a96eb6007

SHA512
a2d7a287688e7925e6d2caf5310f4c3273dc3d02a58a6ee85bd16125e37c037c403789de4526d4fc3212e78b933f147e2428880face012e79bdaac54077a6964

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
128KB

MD5
fce9a91e07bae55c53683b828fc90b55

SHA1
9bf721b28b1a5ed86571ba64c343e6dbd4293f9c

SHA256
1c43a51d34f6d3c47c3b33f2d14a9245165e4c98f0ff51d77f79ef918638793c

SHA512
1b5dc2e76e40f97af01e820f8fa1632b7715f288e066cbeb121cd95ce6371ca57ae9cb3d0939f8a22182bdb7b0fae24826169842151d25a6291131b08a6529b0

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
128KB

MD5
e0617a2eefd2f19c468b263689d23c0c

SHA1
ea05083b54f06c6ab069c1968d13db99b6bc21d1

SHA256
0ed28fe9ab780bdcbb1cc81832673cefc2b44fed5e8c7d02b7072eec0a66e5ed

SHA512
3769babc471d0872337dd9855f422df01a7e1de2457b0155e4527da9c2b0057e834157b4a0cb08a7ffd461b21a51f1cd475762e3379fb6c630253f708d9a3861

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
128KB

MD5
d96ca2119cd31e922dac3084d1f9ee75

SHA1
5e9cd39f4c32293e94064627bdbee35abbf6d1b0

SHA256
5dbe04db3d31a662deaea567e5361be32b17f2042b51ec72fabfc1995c9bc312

SHA512
bac7c4cea30d4ed8a0eca9de2298dc0cc4cd46ff1f737b13dae48bb4e72568fe9420ff1a8788b09c3591312f3a2ce6d44469ad3e49c8d18b6a9e377ea470c519

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
128KB

MD5
3090c2458356f408f094fb8099e3c515

SHA1
c8274af02e17f00284e1da8a9ddc021cc12a10ea

SHA256
f356ceda8da4c594541b814b8ae44808c777633e152337f7684046578f5536d3

SHA512
07782fb776147fcdb7dd2d16ea3cafe6019dc309f8182a9e424df150c0c003c425f347f04ecee793099eb366630de9bfe580547ed7a710fcd0ec5b6d58bdc99a

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
128KB

MD5
82b451957f2a86958c4b02dd2578ae4a

SHA1
879f8389e420707d9aeb5b9f30f08d54cf727167

SHA256
bd1c3d5f3b1c8e915745f22d78025b210be19d3890f8afe0cc29c759ccb30a87

SHA512
6cc2909a44dbc4e58b50d9cbcdfd5045ce0e2e18d8ab0b2fb911f9c72188b7c3dbfcd1e8f2d6d9a2c73cb5c15f392dac7d62838309065aa400ad34a32b355d93

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
128KB

MD5
b92dda3898ed6b42512a3a22f1db34b7

SHA1
63260c9fb862c2ebc5fc55b1c7d89acb333d2f5d

SHA256
395d62b61fbdf809e076dd275fe4d5f6cc2135ad755bad1b2268046cf5ed536a

SHA512
ce0b12c678213ac5ee80ed48b4c8a2ce822d3b01de49e9f2ee366e6968dc676a22eed62a9c891f962bf2ac9df40196b59af5192eca00b3779590b7a5dc2ac04b

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
128KB

MD5
bd74f093556f27acbaa0103daf82a1dc

SHA1
5bd458f335b77e5883c3a0ca5dec578f736dace9

SHA256
9576f7ea60d743c383d41e369a7d6121265278e8c765626ce3b7155aac23bd27

SHA512
ea7b48197fe5fdb045209edc0723a4aca6d2e41ae3bbee61842c5b9fba0bbb35a1a5d3b68551e9e0c0b6e9f205da632e32beb36fc1714e27829dc2d8c0680cdb

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
128KB

MD5
8ce8eaceb44a77d288c3886eb89c5b47

SHA1
124bd1cfef5019a8b4802aad73b5a59b73a55287

SHA256
6fc6fa29a79df26378d1b81333f809913a3175f316e5311c4738c5ec1d9b5734

SHA512
910f1695de814bccf932904fda02d9b6ed46e70dbe5b3f876ea591b93d660e6394aaae9322a1c49bbac7d1b9c0dce4a8e14c63eb1520120240c0553ac935c39e

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
128KB

MD5
6abfb2f7f71ccfb26e7d3309df310be1

SHA1
a3887be90c2794807d4ed66dff5d531dfaec445f

SHA256
289d49f68c2f55638b2b478184600d668acda7cc760022e3a8b927fedc266c60

SHA512
ca7500ff4604e1fce1a5b826376a4eb83aab6d4724a7e92394741cb86b11df718967f1872f0995864037991536d181908773a2670131372a02adfeba6e321a8f

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
128KB

MD5
2548094143b6f2d0afef76c813e0526b

SHA1
884569b2c92ed4f9ae8dfdca6183cb55b9d6a92e

SHA256
3fb5ca17dcd7aab90f9e322f2862114fa03c040a17ad698b4cd404800130305f

SHA512
27df07fae16062e857335820fc4439feea8c1e1c54f60b50cdbb487042603ab4bbbd3b5263f597faec123ca9393275582acc30b25e9738500f8d0a856aabc44d

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
128KB

MD5
00325dffde5e8d6f60c3d06cb2e429d8

SHA1
a9cbe620bbdd928bf345b0cda0e07b2dfcf924a7

SHA256
9debb5c89f9000443bd939954fd463caaee362d98bb7732664ed590a4b154e30

SHA512
cc1a08a6fa4e062274651e48d019aa517a32e83429d0696e1227aaffc9efaf1453a3a832152cf1a65e0239c6c93e268690490a580d672755dfa86937b5989c6f

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
128KB

MD5
60df41c77ffce89c770ed09206fd7ada

SHA1
69501ab92548c07b7442e34e3aa7434c75eee3ad

SHA256
adcf9b606bc17c53acebf89a64cdc419f24f7e84f5c795c469c5b9b69835b16b

SHA512
d8cbfbb6fbaa4d353db6f1135af71e31801305ac078aeaa0035e364bb4a5371dd282b3740d078928e6fec7dbd28c3603a656056834e340dcf711927fd29e0cca

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
128KB

MD5
bd1f29940f9eef7d5d5d5ee1b69a5c6c

SHA1
ff02bd43dc1444ce4266f0360c3b804b760b1239

SHA256
2f5bd97c9902c039772db1e36a036d1f78a7fdff1edea0cbd7b24a8761d8779c

SHA512
c0b4f05d969a52525af97432836b220fa0af96eb85661e740f4845ae8b559ceff1e152e99b917ab0e7807e15e1a7b1520a95812f230a3b90e2109ad56a3dfd52

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
128KB

MD5
a307b675ba673e5e3e78d507f0fe810c

SHA1
1852b9f0562215badd3c0af31a72e96529d7fe29

SHA256
af35882fe1c2028db3a54d6218bb59d0380881e36e56e2a885bf84f28136b726

SHA512
35b103d276b4838997be71a52f554ddc644bb5f16a59a80d68fef3a4c4951b6dbc0c799119a72f26393dcfa716024893a4012eab02caef5fe12eedd0540623de

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
128KB

MD5
c5c5762085a6f9fb3a423d82bc85d46d

SHA1
221bc36b0435a8a3045e376b381db9ebc52015e3

SHA256
59b33a7479645fc49fa870d0c7b1cf9eec8dab01fdf40ec75827e8ba3307ad19

SHA512
b6bade4542f5231efae7ce50ceb229956e871258033d818aca61f679de27efe81e71cb078e1e831585935edda28882a8b4d56f82519db4d13db3621998cb18ba

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
128KB

MD5
6578b16076285d94f92cf03fd54cb9aa

SHA1
b29db2495ea033e3517ee67aee1f85ffd854aed7

SHA256
d4ff683123a3f27a2b52d94d6c8519fe6c6a3b76a200a80dcf85713692ae7ac2

SHA512
188d0d7ee096ab7c392062298ac303a3a6fff75a9d1b7774b5b9e95ee9c7ae39110d7a2376169e6d1e5267ec7639fae3c239006a422f98ba8f63b5dbaddff9b3

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
128KB

MD5
0b350a5c75293f5754d54a3f384d103d

SHA1
73ff2bfcd382c55c2a50a1d608387a41a856e4c2

SHA256
e22f8d7b74c7b55c94558bd0a72c4f93cf11c6b55d9b64cbee552ad499f46c05

SHA512
1ef89eb600a94c1eebcf8916860d443bd9505532619df3df82f9189b4a49ae9eb66f6994aa7a8b19f885be002bfb936ab633839c771c008e19157368a2878b2f

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
128KB

MD5
34ab63f503a464e2fc55cc5349aa0596

SHA1
300c4e2f8ed32354244e0ed7e193fc50e88cae3a

SHA256
a769468798e348a3f911864bd225833b8f843310eb785bff995a4dd46bba4926

SHA512
7fde24118f3aa417dfe1db388a517081c3ba7d3a1ab2b36f29f4a9e07e6ecc689cf9853ceac7524ae3e52080fc6ff065ba55af367c57c040d16b3331ed59537c

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
128KB

MD5
f4508efde787502fe88853ee6287c47a

SHA1
f5468c1cf50e0b5b0bd06bac073fd9b30febf069

SHA256
0821c0dcc7c8c9040b6655955a1a3ffc8a61e1ccc25281cb52f26ec10a53a340

SHA512
bf2624b0f1306142d651b4558a04ca2a3acba0ff73d3a8e4c90245a2badb18dc3adff04ae6f20164790a69caf7f741884d99e52e11cb4e9c113b8075f15cf9bd

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
128KB

MD5
927374375885189dcd3d45b11f3da182

SHA1
7500ff396c175c0b18ea77bfd6cb13b80e009d9a

SHA256
6f1f4d64db51993cd6ee6b8c4c6aa70bcf80302cce7734142bed8f5126744319

SHA512
6518427baf63d907bca121a199e564d72ec96852ca5b647ee7cff6774714d131e76a923eea5cacebe30a8c3fd4e749db1e047202982afaa8fd2dd26f107efd2f

Download Submit
memory/8-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/336-524-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/584-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/704-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/736-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/872-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1488-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1488-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-561-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-537-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1860-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2188-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-386-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-598-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3120-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-577-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3392-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3756-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3944-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3960-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3980-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4064-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4192-507-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-563-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-11-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5164-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5204-550-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5256-562-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5288-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5344-576-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5380-578-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5432-590-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5484-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5524-599-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads