a32ac494a56d3c0f6e5f4535deb12fd7b7238a7d32b047822a014c166c5f7f14

Analysis

max time kernel
29s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
Size

445KB
MD5

0cdce8fd6a8a20841d0ccd6d9260adc0
SHA1

91cada8f03a9c31907ce2024c5ed2e48b6a4e371
SHA256

a32ac494a56d3c0f6e5f4535deb12fd7b7238a7d32b047822a014c166c5f7f14
SHA512

91dc7eed37643279e64c95666363e54654c056631e1c3c1d7bbbefd8200ae3fc6beee650db45954f3178d3d60b490417ac8c5077767a45c50e905aedffc22a39
SSDEEP

12288:QrKUpV6yYPMLnfBJKFbhDwBpV6yYP0riuoCgNbbko8JfSIuMUb1V4D0:8KUWMLnfBJKhVwBW0riuoCgNbbj8JfSr

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kemooo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojmcdgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qclmck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afappe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampaho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhenai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe

Malware Dropper & Backdoor - Berbew 36 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000900000002325f-6.dat	family_berbew
behavioral2/files/0x0008000000023263-14.dat	family_berbew
behavioral2/files/0x0007000000023268-22.dat	family_berbew
behavioral2/files/0x000700000002326a-25.dat	family_berbew
behavioral2/files/0x0007000000023270-56.dat	family_berbew
behavioral2/files/0x0007000000023272-63.dat	family_berbew
behavioral2/files/0x0007000000023274-70.dat	family_berbew
behavioral2/files/0x0007000000023276-79.dat	family_berbew
behavioral2/files/0x0007000000023278-86.dat	family_berbew
behavioral2/files/0x000700000002327a-94.dat	family_berbew
behavioral2/files/0x000700000002326e-48.dat	family_berbew
behavioral2/files/0x000700000002327c-103.dat	family_berbew
behavioral2/files/0x000700000002326c-39.dat	family_berbew
behavioral2/files/0x000700000002326a-31.dat	family_berbew
behavioral2/files/0x000700000002327e-111.dat	family_berbew
behavioral2/files/0x0007000000023280-119.dat	family_berbew
behavioral2/files/0x0007000000023282-126.dat	family_berbew
behavioral2/files/0x0007000000023286-137.dat	family_berbew
behavioral2/files/0x0007000000023284-135.dat	family_berbew
behavioral2/files/0x0007000000023286-144.dat	family_berbew
behavioral2/files/0x0007000000023289-150.dat	family_berbew
behavioral2/files/0x000700000002328b-154.dat	family_berbew
behavioral2/files/0x000700000002328d-167.dat	family_berbew
behavioral2/files/0x000700000002328f-170.dat	family_berbew
behavioral2/files/0x0007000000023293-191.dat	family_berbew
behavioral2/files/0x0007000000023295-193.dat	family_berbew
behavioral2/files/0x0007000000023295-199.dat	family_berbew
behavioral2/files/0x0007000000023297-208.dat	family_berbew
behavioral2/files/0x0007000000023291-183.dat	family_berbew
behavioral2/files/0x0007000000023299-215.dat	family_berbew
behavioral2/files/0x000700000002329b-223.dat	family_berbew
behavioral2/files/0x000700000002329d-231.dat	family_berbew
behavioral2/files/0x000700000002329f-239.dat	family_berbew
behavioral2/files/0x00070000000232a1-246.dat	family_berbew
behavioral2/files/0x00070000000232a3-254.dat	family_berbew
behavioral2/files/0x00070000000232ab-275.dat	family_berbew

Executes dropped EXE 44 IoCs

pid	Process
4032	Jihbip32.exe
1256	Kidben32.exe
4544	Klekfinp.exe
3596	Kemooo32.exe
3132	Kadpdp32.exe
224	Lohqnd32.exe
3832	Lojmcdgl.exe
4824	Ljpaqmgb.exe
400	Lhenai32.exe
4572	Lhgkgijg.exe
1676	Mhjhmhhd.exe
2220	Mhldbh32.exe
4892	Mljmhflh.exe
2284	Nhegig32.exe
3764	Nqcejcha.exe
1456	Nqfbpb32.exe
2908	Objkmkjj.exe
2060	Ocihgnam.exe
4668	Obnehj32.exe
828	Obqanjdb.exe
4592	Pfojdh32.exe
4176	Pcegclgp.exe
3172	Pjaleemj.exe
2240	Qclmck32.exe
1444	Qiiflaoo.exe
4028	Aabkbono.exe
1972	Afappe32.exe
2628	Ampaho32.exe
260	Bbaclegm.exe
3128	Bbfmgd32.exe
1536	Bmladm32.exe
3964	Cmpjoloh.exe
4864	Cgiohbfi.exe
2632	Dnljkk32.exe
4128	Dpalgenf.exe
1448	Ecbeip32.exe
1688	Edfknb32.exe
368	Eqmlccdi.exe
3148	Fcpakn32.exe
2892	Fkgillpj.exe
3772	Fdpnda32.exe
2544	Fjmfmh32.exe
2172	Fgqgfl32.exe
4984	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Afappe32.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	Bbfmgd32.exe
File created	C:\Windows\SysWOW64\Mljmhflh.exe	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Lhgkgijg.exe	Lhenai32.exe
File created	C:\Windows\SysWOW64\Hlglnp32.dll	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
File created	C:\Windows\SysWOW64\Iankhggi.dll	Lhgkgijg.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Lohqnd32.exe	Kadpdp32.exe
File created	C:\Windows\SysWOW64\Klekfinp.exe	Kidben32.exe
File opened for modification	C:\Windows\SysWOW64\Kemooo32.exe	Klekfinp.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Cgiohbfi.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Jihbip32.exe
File created	C:\Windows\SysWOW64\Cmpjoloh.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jihbip32.exe	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Lohqnd32.exe	Kadpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Hpfohk32.dll	Nhegig32.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Onnnbnbp.dll	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Klekfinp.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Fkaokcqj.dll	Mhjhmhhd.exe
File opened for modification	C:\Windows\SysWOW64\Objkmkjj.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Ghaeocdd.dll	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Iocmhlca.dll	Ampaho32.exe
File created	C:\Windows\SysWOW64\Glllagck.dll	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lojmcdgl.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Afjpan32.dll	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Bgnpek32.dll	Lohqnd32.exe
File opened for modification	C:\Windows\SysWOW64\Kadpdp32.exe	Kemooo32.exe
File created	C:\Windows\SysWOW64\Lhenai32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Obqanjdb.exe	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Jihbip32.exe
File created	C:\Windows\SysWOW64\Emkcbcna.dll	Qclmck32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Emkbpmep.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Pcegclgp.exe	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Qclmck32.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Afappe32.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Ecbeip32.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Mhldbh32.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Ampaho32.exe	Afappe32.exe
File created	C:\Windows\SysWOW64\Njonjm32.dll	Afappe32.exe
File opened for modification	C:\Windows\SysWOW64\Bmladm32.exe	Bbfmgd32.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Aabkbono.exe	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Mljmhflh.exe
File created	C:\Windows\SysWOW64\Ljgmjm32.dll	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bbfmgd32.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Pfojdh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3280	4984	WerFault.exe	134

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmalg32.dll"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mljmhflh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmkcc32.dll"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll"	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onnnbnbp.dll"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dognaofl.dll"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kemooo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afappe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qclmck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kemooo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfojdh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 4032	3264	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe	91
PID 3264 wrote to memory of 4032	3264	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe	91
PID 3264 wrote to memory of 4032	3264	0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe	91
PID 4032 wrote to memory of 1256	4032	Jihbip32.exe	92
PID 4032 wrote to memory of 1256	4032	Jihbip32.exe	92
PID 4032 wrote to memory of 1256	4032	Jihbip32.exe	92
PID 1256 wrote to memory of 4544	1256	Kidben32.exe	93
PID 1256 wrote to memory of 4544	1256	Kidben32.exe	93
PID 1256 wrote to memory of 4544	1256	Kidben32.exe	93
PID 4544 wrote to memory of 3596	4544	Klekfinp.exe	94
PID 4544 wrote to memory of 3596	4544	Klekfinp.exe	94
PID 4544 wrote to memory of 3596	4544	Klekfinp.exe	94
PID 3596 wrote to memory of 3132	3596	Kemooo32.exe	95
PID 3596 wrote to memory of 3132	3596	Kemooo32.exe	95
PID 3596 wrote to memory of 3132	3596	Kemooo32.exe	95
PID 3132 wrote to memory of 224	3132	Kadpdp32.exe	96
PID 3132 wrote to memory of 224	3132	Kadpdp32.exe	96
PID 3132 wrote to memory of 224	3132	Kadpdp32.exe	96
PID 224 wrote to memory of 3832	224	Lohqnd32.exe	97
PID 224 wrote to memory of 3832	224	Lohqnd32.exe	97
PID 224 wrote to memory of 3832	224	Lohqnd32.exe	97
PID 3832 wrote to memory of 4824	3832	Lojmcdgl.exe	98
PID 3832 wrote to memory of 4824	3832	Lojmcdgl.exe	98
PID 3832 wrote to memory of 4824	3832	Lojmcdgl.exe	98
PID 4824 wrote to memory of 400	4824	Ljpaqmgb.exe	99
PID 4824 wrote to memory of 400	4824	Ljpaqmgb.exe	99
PID 4824 wrote to memory of 400	4824	Ljpaqmgb.exe	99
PID 400 wrote to memory of 4572	400	Lhenai32.exe	100
PID 400 wrote to memory of 4572	400	Lhenai32.exe	100
PID 400 wrote to memory of 4572	400	Lhenai32.exe	100
PID 4572 wrote to memory of 1676	4572	Lhgkgijg.exe	101
PID 4572 wrote to memory of 1676	4572	Lhgkgijg.exe	101
PID 4572 wrote to memory of 1676	4572	Lhgkgijg.exe	101
PID 1676 wrote to memory of 2220	1676	Mhjhmhhd.exe	102
PID 1676 wrote to memory of 2220	1676	Mhjhmhhd.exe	102
PID 1676 wrote to memory of 2220	1676	Mhjhmhhd.exe	102
PID 2220 wrote to memory of 4892	2220	Mhldbh32.exe	103
PID 2220 wrote to memory of 4892	2220	Mhldbh32.exe	103
PID 2220 wrote to memory of 4892	2220	Mhldbh32.exe	103
PID 4892 wrote to memory of 2284	4892	Mljmhflh.exe	104
PID 4892 wrote to memory of 2284	4892	Mljmhflh.exe	104
PID 4892 wrote to memory of 2284	4892	Mljmhflh.exe	104
PID 2284 wrote to memory of 3764	2284	Nhegig32.exe	105
PID 2284 wrote to memory of 3764	2284	Nhegig32.exe	105
PID 2284 wrote to memory of 3764	2284	Nhegig32.exe	105
PID 3764 wrote to memory of 1456	3764	Nqcejcha.exe	106
PID 3764 wrote to memory of 1456	3764	Nqcejcha.exe	106
PID 3764 wrote to memory of 1456	3764	Nqcejcha.exe	106
PID 1456 wrote to memory of 2908	1456	Nqfbpb32.exe	107
PID 1456 wrote to memory of 2908	1456	Nqfbpb32.exe	107
PID 1456 wrote to memory of 2908	1456	Nqfbpb32.exe	107
PID 2908 wrote to memory of 2060	2908	Objkmkjj.exe	108
PID 2908 wrote to memory of 2060	2908	Objkmkjj.exe	108
PID 2908 wrote to memory of 2060	2908	Objkmkjj.exe	108
PID 2060 wrote to memory of 4668	2060	Ocihgnam.exe	109
PID 2060 wrote to memory of 4668	2060	Ocihgnam.exe	109
PID 2060 wrote to memory of 4668	2060	Ocihgnam.exe	109
PID 4668 wrote to memory of 828	4668	Obnehj32.exe	110
PID 4668 wrote to memory of 828	4668	Obnehj32.exe	110
PID 4668 wrote to memory of 828	4668	Obnehj32.exe	110
PID 828 wrote to memory of 4592	828	Obqanjdb.exe	111
PID 828 wrote to memory of 4592	828	Obqanjdb.exe	111
PID 828 wrote to memory of 4592	828	Obqanjdb.exe	111
PID 4592 wrote to memory of 4176	4592	Pfojdh32.exe	112

C:\Users\Admin\AppData\Local\Temp\0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0cdce8fd6a8a20841d0ccd6d9260adc0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\Jihbip32.exe
  C:\Windows\system32\Jihbip32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SysWOW64\Kidben32.exe
    C:\Windows\system32\Kidben32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\Klekfinp.exe
      C:\Windows\system32\Klekfinp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
      - C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:260
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        38⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        45⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 412
        46⤵
        Program crash
        
        PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4984 -ip 4984
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabkbono.exe

Filesize
445KB

MD5
0774f62e904c09efe6cd0f69af33294b

SHA1
99c92c6aa8d9cc3403d59c363f34cf908dd082a2

SHA256
70ba5de7e2964122911ebd43c9d4ffb8a5e2e9c36bc26f1ebd8906fe185ec3c3

SHA512
8414c2dbce6488c48a1e462bb2ae2383dbf75fc314762dfc29e4d3daea28bbff058481d64faab2ee82c64049a7fc0efdc78d73f2c8683ca8485869ec87083dd3

Download Submit
C:\Windows\SysWOW64\Afappe32.exe

Filesize
445KB

MD5
7c56b71cd1ccd0eba4c9cb699c48e21f

SHA1
b26e0a31a2404293022763a4330f9def82f3dde4

SHA256
995e1bc340b2b257c4c023985fde9e8ca62bef2e34648a8f536a96a801c8cccf

SHA512
35683abb448b0bf47c0edc7277644af67fd1cbbfe4c39281ffe207dbe2e5a9c16de7af7e06f4ed34be5264b16dea9f5a9d2618c5bb39fdcf7e9430a414f225af

Download Submit
C:\Windows\SysWOW64\Ahfmjddg.dll

Filesize
7KB

MD5
bd5a20ae9366d2343b1f64a37d3de919

SHA1
f64f0760ec51d7e5745f1f87afd768a557ddffb6

SHA256
5c2cc5e96b14c455e62065e74c8bbbc1a1bee5fba5caa15135ba905a437f9940

SHA512
b9555a8a6befa1c727f98667e53c46a08d3b19e05f1da84ac6e19e125c0124fbe41ed8a77c20544c327544636cc764b1284f7c5549f84033215018382c221abb

Download Submit
C:\Windows\SysWOW64\Ampaho32.exe

Filesize
445KB

MD5
eefbac470962a4701c7ba80b4f919810

SHA1
ebc88ba1aa8acb8de997fe75f09d82be18760e71

SHA256
9253fe1f34667a1d9d61b17f4b43eab804870d4d933678f243a8f750c96cd3ca

SHA512
1b6c5c0d35347b17bc7b01ddd659af48931e680fb18e98f17292c39e86fb0a3b1d82f4da3d88863cff157440251b91ddfa3393836deb374af0edc9d327947d8b

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
445KB

MD5
efa6aa2497dcd651fd0e339392c568a3

SHA1
088cdbaa3ea8b22eee3b271c2e4b87199d1f0c95

SHA256
d963c5745fedb860d0d062fcbec347da88b85907ff08496b406fba9dd28ea00e

SHA512
a7c1743778ea7c7c7886a42245a87ae5c340fa1c92956bfe28c9a0fc4af6b1baed1b5758f4b678bed364c2816845f659589f0565d51c88b64f2de4b1bad4376b

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
445KB

MD5
bad57237c4609c4fe0cd57601c4a34ef

SHA1
1f870bde3ceaa4bb3a9fb1f226798a39cf666f5c

SHA256
f34a94dcf78d9ee56c114b7b27c189118acde2d3d5c5d9936362e83bae055981

SHA512
68450964250ef1f69a3fe4817e908457838fb5040e705ed74dcfae0d3276770ee8ec192678061abc02a493cbf166b2e19010db82d54065d57a2e227dbb0680f5

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
445KB

MD5
8a854bf8889d011da7d6e2cd7888d441

SHA1
f0ec547ad8fa82e61ec3fc1218b3d0df4d3908d8

SHA256
051186279d7a1f1694d0af84d6d78547158c11eeca67c4a01a8243d19b49180f

SHA512
74b2c9e6d3ecb297687cc9b4ef9b12d92214bb6383ddef089437bfc61da40b82b82afb94d464b4f55d9596d9855becfabb6643db5568ad6d6f9a29c6253cecac

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
445KB

MD5
413bceae7bde5e999deaa732f57e47a2

SHA1
7a864200f3605a1b412032e5fd5525b866732256

SHA256
e9c5d0c8f2898d253d2c099af4da24f451acdd296b9aeb8ee2aca475f0e61316

SHA512
72593c43e8e26b47e4f3e97c49e5c86176afc1e6779293e33bcc714f227138f3192884aa76b54d718075343bbbf5a30021d8b24449c973e69a5d17ad8b206894

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
445KB

MD5
98527943348f5ff1a40d79078acce965

SHA1
e93de34b2a94ef2b1d963001c797360958a33847

SHA256
574a2a38746ddef2f2f4322e0c2f5baaca5f9be62dd4ae5fa2c788b9fbfed588

SHA512
274be305e74b307843113d0c065d4a96426b91d2e6fddce8f0a83e5eb8458dbef32753a6e7bc9fed583909ec20bb223c46d836dd0c58147b3bf82249e8d1f1a2

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
445KB

MD5
965a17ab00a2ac81392ad3b46069d7bb

SHA1
3717385452500ee8844b9d83e993dcc7ba1dbc95

SHA256
cd681215d362596505e5329868a00dee800274c50585d042f26adcfb720abc7b

SHA512
83708cf394250b246f6e646050d9fd74d6c1faa9c18054635a32c32323d6521aa60f03a3ac805187296296219187e3676deb197ee4c039c3d30338ed0e95b49f

Download Submit
C:\Windows\SysWOW64\Kadpdp32.exe

Filesize
445KB

MD5
3c8fb952ec15cf35aaf3ea8af9d95885

SHA1
b1de5ffdf8a52a2fb225e88146c853670b3c803a

SHA256
83b7db46d55ba1bbb508e4b141b0af29f6d953a90fb443673c2b2420122f4b80

SHA512
a0f4d3dda036437532040cd63376be0a03951dc95aeafcd460792e01c2cf36c57d2b1e76277b711c2831a10ca4dc9ff9c6032bf5f91c9d8b3451cdf140ae8608

Download Submit
C:\Windows\SysWOW64\Kemooo32.exe

Filesize
445KB

MD5
8da40595b52ba88c44af604d3d8bf567

SHA1
5c60af3d4e5a83cebb5aceca001567eff8bc66c6

SHA256
f5cc6697267bf32fd9956b3f2614d79ba1022977fb8645cb838af7b065e9eb71

SHA512
f12c3de9febdd38962fc1f3e881435b989e787abd4864894ad09d2fc0a1b73abafe09c95a8b4f3fb06ace150c95ab73e154f28c8046ef1dbafd280f084f4df82

Download Submit
C:\Windows\SysWOW64\Kemooo32.exe

Filesize
445KB

MD5
40eff4bf968f95c712c6cf3b5438b721

SHA1
a7f7ced176b47f0171714512194c7759548755fd

SHA256
aa27b03c4607c93d2c40dee401ac8b90afce6c512b508b79815d90439f626605

SHA512
23247f71c24a8f6a1b6ae434794c036b88f125a1cc5cb0b0b868ff31b2f4aa192aeee9151c1ff346707a17be6cd41cd9046f8494661933ced33cb9580cecd151

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
445KB

MD5
0a28317b099a31e830166b95dfca896e

SHA1
0272bee208998c626c95282fe8cbc4a6ebb8011b

SHA256
a106f7b8cd7bf975445d17e4d6d7dee50bf0f6769dfc1388a23f7538c3a7bd5d

SHA512
96480e07921c20496ca6979b80b864a7b9a7af925821d201d5e050f45044df75fe13a3f92a900883516910fc6dc9d696a81a845a560d1b3b8e3334cb4af9c318

Download Submit
C:\Windows\SysWOW64\Klekfinp.exe

Filesize
445KB

MD5
a366d200e83a95fd30e59b42a8e18cc8

SHA1
afe0776cb269d48cb6238a1e86d0683b327045ca

SHA256
3bd507ff97e8ccec282296d2ff1466775df4572f4c02dd1eb8b08c50b5c1aa6f

SHA512
aed8c0eeb0efd91b444d53694cef4e78760f426840eca2ee1962df6a76e29fdfccc55753a66d8163f7c4d3dfa6c341fa0d69df50cba070ec1d54a4336839ccf0

Download Submit
C:\Windows\SysWOW64\Lhenai32.exe

Filesize
445KB

MD5
7af4ac5622bd1287ee18f32e284d685a

SHA1
f6a2a76e63cada7368aafcac85408cccb79bce1b

SHA256
15975a9708f7a89da20b926c49ab3a317e4948fa433b87e85f9ae33a499186b8

SHA512
ba8a1a0d4df4db15bed68bda521cb77907339ed880d42f623bcd2199cfd0ca48d3ff85164f237495931f3e60c48f978d46be4d78d77870876522c4a561da9ffa

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
445KB

MD5
b28f3f58779ddb8f286fbfc346682cbf

SHA1
4f3c7696f1567d414262a61ad7e82e983f3c56cc

SHA256
7cf9670def9ef99f8b83a032a0294ee534e7d5d6616268600dec8277b788cc73

SHA512
ad729015861147e7d8c0c7ea151bfc1e052d3de58a700ac3fc3552b342ef8326871b4d4bdae2c113207c136dd5a46c156c7b37efb882cec9bb70bab643a77fbc

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
445KB

MD5
1934319be6755461ec946687434fe0bf

SHA1
b9725bfa5f4d5d4e145497623cf16c57e9c97a79

SHA256
5db193d4d04fc549032924ba00bb46c239a0e306312dfb83e1c9dc590d5ca346

SHA512
c84c8bd8f400c5e95f670ebdcefe2b50b6c420463d61e496f4d8e95c7b7909f9e872b30970c5771f3fd0f4621d7d3cfde1a95a849f0759af070b07d00b5a0ac8

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
445KB

MD5
b660376d09ab0e309ea87d8ee8ed8c56

SHA1
b8c3a274e41967c8fc9327fc6ff8ba7f879be6d5

SHA256
fd25e34489d94c72efc5483362eae7248b4079bd71a8e81a9699a0d002cab963

SHA512
611022e5c2efab033c96b1dab972f468a2cf9d7b9d2e9717981d03e2db7ae1d5147a655b282e6fb2e6658dd52e602a7b69b8b8b57e6a7b35f33c887a610af3d8

Download Submit
C:\Windows\SysWOW64\Lojmcdgl.exe

Filesize
445KB

MD5
e4b84058c8ec541a3979865ff2742333

SHA1
7c3db0f566e52e3f7d09337f8373b0dd8a635d30

SHA256
9399741d31969c26d38e1218dbac1b0375a12374836b0322d1e7f49f42106db6

SHA512
b4b6d6537d81f3ff469cc4991a5dd61cd5ed261451e010e050143815a2c415dd2aabebc83fa9ecfefc4c1315fc0b511014c13aa4a9f6cafe67b01104ad65808f

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
445KB

MD5
8f2a19cc90d7fed3b725d53493b4f2f1

SHA1
862d19f43ee0538ce5306c24f2ef014913ded80d

SHA256
d10d862d8d6891f0431f871f3f662ca86e7cb06db7b6fd449c23f8619d5bc62c

SHA512
c8bd248a5d5f130d66c96ea1c130562cdc4fbcb05177204cbb3a4683a813148d82e4f8fd62abcd7227e389b9d6a835e1eb41b76c8f3afd85b1d107bcde5141f1

Download Submit
C:\Windows\SysWOW64\Mhldbh32.exe

Filesize
445KB

MD5
3b7cbbf73190c1576a184b1ca4b57a30

SHA1
17b1c6592e23bcbab37330e65484df8e4341650a

SHA256
9e93769380bed9a8e4fab856a3603001df615b6d79e12318bc85b0fcfe1fcacd

SHA512
0f652a2169939516b79de6f01119a250eac4b26ae102af365bc52c39b376de3c39338ad0b00591706228eba370f8d64d144d40ec0e5f310b1c24ece370d37a50

Download Submit
C:\Windows\SysWOW64\Mljmhflh.exe

Filesize
445KB

MD5
a2411d1e55d9cc01f7b270b49e983ad4

SHA1
3b37f57e727393997d73398fbbaa9e34e10a23be

SHA256
a70f13776e5c1c63675c004ceda03bdf326673dff0e3096a9d063d3c53a840fe

SHA512
060009517f40b5ccff8f676aad362f1ec18346d8a67298ca65c714a6328f19914d5e6c0da7fed59d679a46b03f91c05f02263924ccc47818a96393d18cc41871

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
445KB

MD5
dcde98a47dbbf763fa6b5bcbd455702b

SHA1
7d11a4679df8ce1d107d8f255f0f8cd5a049d2aa

SHA256
af9e8baadbbee151246f3f40289b0c1cae3d126212824d37541cf0e78d5fe1f2

SHA512
04bb32b312db0ca13b10f69eed3d0325862493c2919e33f29cfb2fc28c7aed57f6b5ca2d5856c6260e6500d9ee5970c9bf178fece70a33940b76d3a076aad669

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
445KB

MD5
5930c6986baa118a349df280cbe6895a

SHA1
50e3339a618046dacb96ab9e8160f2e06d799a92

SHA256
c33e2ed90ec6841a16c8e7113eee6b3e51faab96ffb58256cb3224920188cf32

SHA512
c91089686f58c2b8c1641e472a62e858182c82c0ba7fd1d0d40720ece30d61548843cf078fdd33835f35c2d3a02bf7d835db4bec8febfee92322946f3a9857b1

Download Submit
C:\Windows\SysWOW64\Nqfbpb32.exe

Filesize
445KB

MD5
ba6e9ea67221695fea3fd4e8faf0d710

SHA1
2b4c697c8b5fb314fc750dd1395a348c778e5731

SHA256
9ae59e6e9bab662abbf43f8b52d80ec4c5307219dbe36e14bf23a7f5e3b6321b

SHA512
68e17e926eec49dea81c9bb60ba59be11e2cd44fc7873b2dc2ecad0d346a587ee0873ff0197180a766a3c91aaa89c3916c672e86ba3c9a8700162261cd1493d0

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
445KB

MD5
4e87f90e414194f55ed69de185c1f939

SHA1
2c2d5b7f738d11b392f6a49f22d5bc750762e8d2

SHA256
d26ba922f22afe3347303fa07098b7f4db654d043de4cec4dbfa9283bba8c8d2

SHA512
fa563a68b4df594da6bb1d9227b05bf67d029b79c22a4721296ede744caf05c274bea0430c268113d28dc3c792bd14dac89385a023658f00d06a4f7aa2a2775a

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
445KB

MD5
666d778564e3308af7d74d93fc93823e

SHA1
a7fe6042ffb441b77c1f366045acd4abbb1cdfd9

SHA256
3b0264e99d7460fe1430128f4ddb1eacfd03b5c40408bca5c9bf81bdbb761bbe

SHA512
2278189ea888176fd7d1572d49d7376e0849ec9c56be1649ad656b2be637a9c60399182631190f28a79ab6ed53ee28904a699530f93f57de3f6f863a3ff0233a

Download Submit
C:\Windows\SysWOW64\Obqanjdb.exe

Filesize
445KB

MD5
df6a794ca4474a31d9e6b237811eee56

SHA1
35a841426ff2a718afce765918299423212c73dd

SHA256
404030d3448cb37ac3efea24bb3fe17b6815dc6c83e5b277142166ca8dfaea2e

SHA512
f1bfd4814d8fb0a894e1cd3cc2952cdeb93b6528ee917194816b9676edfb0f52f70795ba2cca989d2b8937241dd717f5be749cbe9fdf95f95bfe437b4e6378b8

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
445KB

MD5
588795f80c49214fd56a90cbdf0f48ae

SHA1
08498c0e99925759ca7c9752210aee87df75462f

SHA256
3d7cc71ee1725234ae73fc2ad7b3e29c14b2df68b3e069f58692d815a8a764af

SHA512
7128c3985092fcb6b7a77881f01a5429f97491f31f1eec2f9ea20df1399f109728558df19ada22e84586015f4460f16e2b1268285180279f5fdcf4a5e9ba2866

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
445KB

MD5
51aa2d12b63b4c08d9c1239c007c4929

SHA1
596cd5846766e82b339a50b796b0270efdcb3520

SHA256
6b4be03321a4b3aae8ead28da7ad76989638236d8782800b18ec0c3b73fab590

SHA512
7dcc7a8086d5e94ce706415aa03991575b284fd543a110354e1d94d45f00b3975f8790ea37af2a54a8ce39f6593a7e00eab48ea62e01e5c9efa1902f477cc518

Download Submit
C:\Windows\SysWOW64\Pcegclgp.exe

Filesize
445KB

MD5
3da549e6ed549d634797cc12a7360b02

SHA1
5c0c609e68664f6590bcfd1b49f29e4cecccabbb

SHA256
8f43345343b9bceb890f2221e45357f58a8900cc952cda3f7ea499ac87d2a447

SHA512
76b337b2584596f021301069d6da8a6c01b85cbd013dbdf34f49736c58a1c752733b33548543550406ab2901f971ffdc2fdfc1c394fe722c6f720b559871a243

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
445KB

MD5
acd8d2eb79abcee4593f15dbe04837c0

SHA1
128a195d65521012bf6041a40c4d8b7048aa29b4

SHA256
f1ea81f07bbc444289f556ff31d69c5b604d4ef9c8050f88e9c925c38ca302a1

SHA512
1e5ba292fe1a175e80351ceca2b7922789f32dfb61b0ee39cd4531170283392e4620ec68a8437356d23802e39573e83baaa9282d5317f56135477aeff9295a1c

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
445KB

MD5
ec747fbd41e4e164e914296fa0c1b86c

SHA1
6258122b8fdf1bfb7549b374cba4cbda66cbf764

SHA256
03013b4ec832cf98cb89a6bbde5ca6b1e4b797f8729806a2baac4bd18dd24c72

SHA512
aa152238e082735543e442093a0c159a5d41676dc646031780391e63afd3a0021b16433d1714db977eefaf7490fcf7cde4d2f294ccd009e04ebecf26966cbfcc

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
445KB

MD5
971ba6ed12b695838966903c3bef75b9

SHA1
1801ce415498b7ddd79ae2e0d3868ff39121b907

SHA256
5efc7a02be35edc581e58625fb215229ec747ec983cc81c7035d97de722c1c4b

SHA512
f90a922ec468e7d6e40d6d2257a9db1c420d4ad1baa861732a91986afbd9e4b2580e2f1c7e73ac3ad68261ec37c89b93020e97d770408266d8fc509ee7bea0f1

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
445KB

MD5
8ed2819b997a04f7cb7c97447d1c9dd0

SHA1
e63c0522f623ea5fd9d9525c426db616a2ae67d1

SHA256
bb8371a4248fb6c2fc46f8c46ddde25778be4132e93330396111214ade5156d8

SHA512
c9d1eeb268b30466dc4aef62dfcba3312406dc3333efa1ad7bb7703cdeb3652804a68f4b6682ef964f634d737e549291ca479f13b8f689cd64dfd09c28ed7536

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
445KB

MD5
a97dc8f516c2e17d2c64d13637efc75f

SHA1
82a6bd501cf887e2477bd5118ab0853d43d3c5e0

SHA256
7c72827511de0cec1a4d15831d42fac9648b159754f5e5b34b19a64ac1b8eeb0

SHA512
61d940e22a98ec44bffee89b91389300aa392bca44a73389a85964feaecbff7e6c1a7d885b26aad71167478359cbe89ca5aead210d87e2d4f48d270ed2e4ce31

Download Submit
memory/224-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/260-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/368-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/400-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/828-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1256-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1444-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1456-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1676-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2284-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2544-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2892-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3128-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3132-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3148-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3264-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3764-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3772-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3832-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3964-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4032-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4128-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4176-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4592-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4668-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4864-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads