ec393a61fa35255bfd59a30fb80c1e11d1f3c69dfd77df4fcf15ba8afd188601

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b8f08af72b70dc77254043d60279c60_NEIKI.exe
Size

109KB
MD5

1b8f08af72b70dc77254043d60279c60
SHA1

d81e1528e87f87af51e0ce6edd31a08ff1eda949
SHA256

ec393a61fa35255bfd59a30fb80c1e11d1f3c69dfd77df4fcf15ba8afd188601
SHA512

32976a1823b590b300320b42c0f493cfd0abf47f2c4b99bf59cad9c59fd1c00d7b2d1c76e5b99cf088e2525d94a954d9c870c711ae95eddcebad1b29a2790bbd
SSDEEP

3072:8CZndynF6LaLDOQBjCUZ5J9LLCqwzBu1DjHLMVDqqkSpR:8Yw6WOQBjDTJ9Xwtu1DjrFqhz

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1b8f08af72b70dc77254043d60279c60_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/2796-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023459-6.dat	family_berbew
behavioral2/files/0x0007000000023461-14.dat	family_berbew
behavioral2/memory/4892-16-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023463-17.dat	family_berbew
behavioral2/memory/2068-8-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2040-32-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023465-31.dat	family_berbew
behavioral2/files/0x000700000002346b-49.dat	family_berbew
behavioral2/memory/4716-48-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023469-47.dat	family_berbew
behavioral2/memory/3680-68-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023471-79.dat	family_berbew
behavioral2/files/0x0007000000023475-95.dat	family_berbew
behavioral2/files/0x0007000000023477-103.dat	family_berbew
behavioral2/memory/2820-104-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002347b-113.dat	family_berbew
behavioral2/memory/2920-128-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2388-143-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1712-152-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023487-168.dat	family_berbew
behavioral2/memory/3584-184-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023491-206.dat	family_berbew
behavioral2/files/0x0007000000023495-223.dat	family_berbew
behavioral2/files/0x0007000000023499-238.dat	family_berbew
behavioral2/files/0x000700000002349d-249.dat	family_berbew
behavioral2/files/0x00070000000234a1-263.dat	family_berbew
behavioral2/memory/1068-286-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/648-321-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4720-346-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4424-357-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4468-370-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3704-380-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x00070000000234cb-389.dat	family_berbew
behavioral2/memory/3524-406-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1296-441-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x00070000000234e9-485.dat	family_berbew
behavioral2/memory/4960-500-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2652-518-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4232-526-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3692-550-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4892-558-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4128-570-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4580-593-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3680-599-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002351f-657.dat	family_berbew
behavioral2/files/0x0007000000023533-727.dat	family_berbew
behavioral2/files/0x000700000002352d-706.dat	family_berbew
behavioral2/files/0x0007000000023527-683.dat	family_berbew
behavioral2/files/0x0007000000023517-630.dat	family_berbew
behavioral2/memory/772-592-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/5016-590-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4716-589-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023507-580.dat	family_berbew
behavioral2/memory/1832-579-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4452-573-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2040-572-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2520-565-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4072-563-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1780-552-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2068-551-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2796-544-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4240-538-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2472-532-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2068	Jpgdbg32.exe
4892	Jbfpobpb.exe
2520	Jfaloa32.exe
2040	Jjmhppqd.exe
2144	Jmkdlkph.exe
4716	Jagqlj32.exe
772	Jdemhe32.exe
3680	Jfdida32.exe
1792	Jjpeepnb.exe
4488	Jmnaakne.exe
2932	Jplmmfmi.exe
1200	Jdhine32.exe
2820	Jfffjqdf.exe
1472	Jmpngk32.exe
2396	Jaljgidl.exe
2920	Jdjfcecp.exe
5112	Jbmfoa32.exe
2388	Jkdnpo32.exe
1712	Jmbklj32.exe
3156	Jangmibi.exe
4160	Jdmcidam.exe
5084	Jfkoeppq.exe
3584	Jiikak32.exe
2356	Kmegbjgn.exe
4156	Kpccnefa.exe
3516	Kbapjafe.exe
1260	Kkihknfg.exe
1384	Kilhgk32.exe
636	Kacphh32.exe
4480	Kpepcedo.exe
1468	Kgphpo32.exe
1164	Kkkdan32.exe
3776	Kmjqmi32.exe
4828	Kaemnhla.exe
4084	Kdcijcke.exe
3668	Kbfiep32.exe
1068	Kknafn32.exe
1404	Kmlnbi32.exe
968	Kagichjo.exe
4140	Kdffocib.exe
424	Kgdbkohf.exe
648	Kkpnlm32.exe
2692	Kibnhjgj.exe
1312	Kajfig32.exe
756	Kpmfddnf.exe
2728	Kckbqpnj.exe
4720	Kkbkamnl.exe
4424	Liekmj32.exe
4336	Lmqgnhmp.exe
1656	Lpocjdld.exe
4468	Ldkojb32.exe
3704	Lgikfn32.exe
1120	Lkdggmlj.exe
4148	Lmccchkn.exe
2400	Lpappc32.exe
3204	Lcpllo32.exe
3524	Lgkhlnbn.exe
5060	Lijdhiaa.exe
1256	Lnepih32.exe
1496	Laalifad.exe
624	Ldohebqh.exe
1296	Lcbiao32.exe
3048	Lgneampk.exe
4476	Lilanioo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5268	3616	WerFault.exe	198

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1b8f08af72b70dc77254043d60279c60_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1b8f08af72b70dc77254043d60279c60_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2068	2796	1b8f08af72b70dc77254043d60279c60_NEIKI.exe	83
PID 2796 wrote to memory of 2068	2796	1b8f08af72b70dc77254043d60279c60_NEIKI.exe	83
PID 2796 wrote to memory of 2068	2796	1b8f08af72b70dc77254043d60279c60_NEIKI.exe	83
PID 2068 wrote to memory of 4892	2068	Jpgdbg32.exe	84
PID 2068 wrote to memory of 4892	2068	Jpgdbg32.exe	84
PID 2068 wrote to memory of 4892	2068	Jpgdbg32.exe	84
PID 4892 wrote to memory of 2520	4892	Jbfpobpb.exe	85
PID 4892 wrote to memory of 2520	4892	Jbfpobpb.exe	85
PID 4892 wrote to memory of 2520	4892	Jbfpobpb.exe	85
PID 2520 wrote to memory of 2040	2520	Jfaloa32.exe	86
PID 2520 wrote to memory of 2040	2520	Jfaloa32.exe	86
PID 2520 wrote to memory of 2040	2520	Jfaloa32.exe	86
PID 2040 wrote to memory of 2144	2040	Jjmhppqd.exe	87
PID 2040 wrote to memory of 2144	2040	Jjmhppqd.exe	87
PID 2040 wrote to memory of 2144	2040	Jjmhppqd.exe	87
PID 2144 wrote to memory of 4716	2144	Jmkdlkph.exe	88
PID 2144 wrote to memory of 4716	2144	Jmkdlkph.exe	88
PID 2144 wrote to memory of 4716	2144	Jmkdlkph.exe	88
PID 4716 wrote to memory of 772	4716	Jagqlj32.exe	90
PID 4716 wrote to memory of 772	4716	Jagqlj32.exe	90
PID 4716 wrote to memory of 772	4716	Jagqlj32.exe	90
PID 772 wrote to memory of 3680	772	Jdemhe32.exe	91
PID 772 wrote to memory of 3680	772	Jdemhe32.exe	91
PID 772 wrote to memory of 3680	772	Jdemhe32.exe	91
PID 3680 wrote to memory of 1792	3680	Jfdida32.exe	93
PID 3680 wrote to memory of 1792	3680	Jfdida32.exe	93
PID 3680 wrote to memory of 1792	3680	Jfdida32.exe	93
PID 1792 wrote to memory of 4488	1792	Jjpeepnb.exe	94
PID 1792 wrote to memory of 4488	1792	Jjpeepnb.exe	94
PID 1792 wrote to memory of 4488	1792	Jjpeepnb.exe	94
PID 4488 wrote to memory of 2932	4488	Jmnaakne.exe	95
PID 4488 wrote to memory of 2932	4488	Jmnaakne.exe	95
PID 4488 wrote to memory of 2932	4488	Jmnaakne.exe	95
PID 2932 wrote to memory of 1200	2932	Jplmmfmi.exe	96
PID 2932 wrote to memory of 1200	2932	Jplmmfmi.exe	96
PID 2932 wrote to memory of 1200	2932	Jplmmfmi.exe	96
PID 1200 wrote to memory of 2820	1200	Jdhine32.exe	97
PID 1200 wrote to memory of 2820	1200	Jdhine32.exe	97
PID 1200 wrote to memory of 2820	1200	Jdhine32.exe	97
PID 2820 wrote to memory of 1472	2820	Jfffjqdf.exe	98
PID 2820 wrote to memory of 1472	2820	Jfffjqdf.exe	98
PID 2820 wrote to memory of 1472	2820	Jfffjqdf.exe	98
PID 1472 wrote to memory of 2396	1472	Jmpngk32.exe	99
PID 1472 wrote to memory of 2396	1472	Jmpngk32.exe	99
PID 1472 wrote to memory of 2396	1472	Jmpngk32.exe	99
PID 2396 wrote to memory of 2920	2396	Jaljgidl.exe	100
PID 2396 wrote to memory of 2920	2396	Jaljgidl.exe	100
PID 2396 wrote to memory of 2920	2396	Jaljgidl.exe	100
PID 2920 wrote to memory of 5112	2920	Jdjfcecp.exe	101
PID 2920 wrote to memory of 5112	2920	Jdjfcecp.exe	101
PID 2920 wrote to memory of 5112	2920	Jdjfcecp.exe	101
PID 5112 wrote to memory of 2388	5112	Jbmfoa32.exe	102
PID 5112 wrote to memory of 2388	5112	Jbmfoa32.exe	102
PID 5112 wrote to memory of 2388	5112	Jbmfoa32.exe	102
PID 2388 wrote to memory of 1712	2388	Jkdnpo32.exe	103
PID 2388 wrote to memory of 1712	2388	Jkdnpo32.exe	103
PID 2388 wrote to memory of 1712	2388	Jkdnpo32.exe	103
PID 1712 wrote to memory of 3156	1712	Jmbklj32.exe	104
PID 1712 wrote to memory of 3156	1712	Jmbklj32.exe	104
PID 1712 wrote to memory of 3156	1712	Jmbklj32.exe	104
PID 3156 wrote to memory of 4160	3156	Jangmibi.exe	105
PID 3156 wrote to memory of 4160	3156	Jangmibi.exe	105
PID 3156 wrote to memory of 4160	3156	Jangmibi.exe	105
PID 4160 wrote to memory of 5084	4160	Jdmcidam.exe	107

C:\Users\Admin\AppData\Local\Temp\1b8f08af72b70dc77254043d60279c60_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1b8f08af72b70dc77254043d60279c60_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\Jpgdbg32.exe
  C:\Windows\system32\Jpgdbg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\Jbfpobpb.exe
    C:\Windows\system32\Jbfpobpb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\Jfaloa32.exe
      C:\Windows\system32\Jfaloa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        32⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        40⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        48⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        49⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        54⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        57⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        63⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        66⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        70⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        71⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:548
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        77⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        78⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4240
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        83⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        85⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        86⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4580
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        92⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        93⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        97⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        98⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        100⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        107⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        108⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        110⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        112⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        113⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 232
        114⤵
        Program crash
        
        PID:5268

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3616 -ip 3616
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
109KB

MD5
003506b40e0b1cc56549edba62290b67

SHA1
2c39feb1ce73ec777cdbb5c0f04ef3eaa6bc5002

SHA256
10c65ddcf892e0672fbcc0768d39b07a985de161920205819bfbbf59b288e77c

SHA512
97f4ccc8ff050f8b0db897df804e4a719e528487df47789fd71717779b209da928fb73007781ce8d995aef44f14069469acb4af7a58e1251ec67980542b2fde3

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
109KB

MD5
bffa1953bdb8fc38ae5a8214cbd28dea

SHA1
99b4a6b6a01bc111e3a6e554ffa45d699da66113

SHA256
37096b8b11c1a494a256f23df309b2aeba41baa580de222c8e3e93d83d3742ad

SHA512
c06f7443fdc625788adca1c2edf8d4051a249b92f1971b5d1633d9dad09d301fd880bba5f3a492a6c82b16e57ca43d671782dcbd84497e44c341f4e6962197d5

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
109KB

MD5
422345967bd9a3368a70ca61aa0c940e

SHA1
d6627ceb1c276ae0c7f6ed484f552948bfa29aaa

SHA256
85b2df43efc9840fd494ea3b35338d2aa39d1962474bc0e0e372d0267c732d3a

SHA512
1ab843981f5fbf9826779ce11be2ee8f4198d5868fbb62f226e3e1598ffe89c5f52847d78ad50be1b21c3e0cf50e1ec6622a0237bf164e97e4607d7cd86bf677

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
109KB

MD5
1e27a33f57ff66b41a6c40584dac5038

SHA1
d674160a2e74dd07671cb5adb7690d26774da1bb

SHA256
83f235be757232098e317660124d6e8fb98ac3a0d07f1aba7ed915719ae5bf87

SHA512
06fd023774d7c97f9d88736a1f6f6685f3a9f2a3af029037d7ef770f4492fb79477e3daac5362175ba5673294f76644ded06f7174e8b1aecf7410573d85225ee

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
109KB

MD5
4061d3135eb7f1e4e3882fc84eef44d7

SHA1
3eb4e90d275f37c366e867e07150b2002ca577fe

SHA256
47ae675f06ea4d8ffe2314ce2e8aaf23de62c68e0cdbb04e4adaf1ce903fde02

SHA512
b5e2f0f3b14e7ea385570790f53f156ee212cbf870ff58861b847424a02eb4fc71469e32445e75ed69b16987b9b954887f7bdcb042bc5dd1d7b5faf7d773f8a7

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
109KB

MD5
06f06925a3da5f659d2553463aca22f7

SHA1
cc485befbef1fe3df7accd9b784f0be6ad059575

SHA256
1a3aff1bbc5ec10e19a8ad01f672242a02acb0080380a00aed89b09987413369

SHA512
d2cb23e27a0fb32400011b0886d04d2c26c0de1f548c8b8793684d241fe718da2d40eb9b67c9f9cd53c7e9420fb3b272e4b7b1cc06c3e701129484d5d40fca60

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
109KB

MD5
e922e4c1defaf6773a566a9f485a4741

SHA1
f79308f9bf41fb759110ae4fa4d7e04fe6190113

SHA256
3f6cb32000cdf19e8a954e06c11e70a022e876f3306a1a850e7e30e30ddb3c81

SHA512
bbf22aaf7c6a4cd362f27295f5ccfeb44ff39d73858b0a616b2b5d2145e163273139a74a55188897a39d4480bb7b5d4d4e500a85fd8df2f686fb07bdf6fce517

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
109KB

MD5
4cbcf3cd0e463815380bc223b3852eac

SHA1
dd57b4a664b0537021d097b85d414ca8c9ad639a

SHA256
13e1b06d5b048c542fe77d9c132d953fe8a1595ade2a2bf5036d20caa7718140

SHA512
e20fad1b95cdf7511d21f571969ff810bd048b4b8318d0bffc9a55d594519d8a7b3b5f6b4854d89343233101b62265d55052990001e617ae0e8b0e2bb09a5f2a

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
109KB

MD5
d2177abd3887ac5df2cc1746655cdea6

SHA1
69687de5d37fabf201557a95a4016a069269d0d8

SHA256
6ea613febe53d1b2729024fa44a395469f9eb2802e2f74615b661ab45388587f

SHA512
96bc7bcfe88926c558317ec808388f753333e5e36cd9449171e949a37e769df051cbf3571534fccf53c67e7401205c6fa21e65be0ceecf179b0130901913af73

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
109KB

MD5
742b3b368d3e8f96fb84eada98990050

SHA1
eff6115bd24f7417955ae3c49358a0a35aeff51a

SHA256
91e2e5bcaa8f24bb3188d82eb803d46d043847cf8e332569a1433965792a9bda

SHA512
fd351cd6b1d1ed52f9bd1bfa3dd28e8a07c2a4fe9dfb9ecddf2183e01cee63525596d275cff247761d850c811d6367dbc0b0bc02e50025021fd2de89e787533f

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
109KB

MD5
d1346950ca82c807f4cb1dafb0a7cf2e

SHA1
61e5357585d56fd6c0540c95f8d7a6242c6d3585

SHA256
ed6bb0fd3554ec45a04a111bec9aea6f5abbcb4a2134fa44ead34b1920eb1a9f

SHA512
a4b3cb75f60809189c0be4f9c84b33bbb59f027dbe593e09ef00cdcc4b3a6bd4089d8ab5b482aa777df24c1c8d0ee13ee73f37f029d2da2ca08c085855efd9a5

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
109KB

MD5
dc4c91dca4e1d549fd1317dc6af80017

SHA1
dc7e21b40a66d8e9392877d677a41c44d46a865b

SHA256
aceaeede974f0efb511e80de1d73dd85a62e7d71860c1a07c34eb8e251b52b16

SHA512
8d88179605020f3d450f98b26df561608dfb3af8acd8dd00d67f4184120948c45ff04ed602b3fba46011f13769fffaf2c065f1c1eec41a1e9a41a426744ec1da

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
109KB

MD5
ce6921ac1258f59ce6d7422859f4e12b

SHA1
41f43b9597d49bfcb115411d3f897d910310ac50

SHA256
7a9fc707ab347223262366554e8bd62a79f09d0280b83dd9644dd9afe28cfde1

SHA512
ab3331000fe5f94321a943bca479e371bb044b97dcdb260c72e9b91d0d508b752f6fe441f7767b852a0677b9639367f102c279acc3edf6746b578051d1d5c668

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
109KB

MD5
3fe4959663dc2b7587780a6999d8dea7

SHA1
960604e08cb1f3c2d29a24621a8e5999c86f7ddb

SHA256
97f8ce831e784eb942eab920d822cb4e3a385d075a8d51262c90fca49d7a8b48

SHA512
f6e699ca19bf8543e163213c7491ba3dbe3abea9944804e2e095803ae6cda11b89c6eb7ac9fa8f55b4825d67936cd7218f133b643f43077fc149d168d8fd7013

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
109KB

MD5
a86e94686362c5f603b6829312fcc936

SHA1
1c5c6ef53a43b5d9c0b53f2881247498100af4fe

SHA256
5a4acb726f5b47cdca0f7427c64d8a9f781359c18830b3ed51395b1fa13b95fc

SHA512
13ef74c5af0b5610d04adfeb3ff9b5197a7830798e9eea60b4015d520556fa046a55e4fcf23fe9497d2fc3ee0bc8258b2df23dd01fb3480cbfd8ee3b84929121

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
109KB

MD5
0079c5e1335d837948b48ae17d47000a

SHA1
529957d94e65d77242b23842738f783626909ff0

SHA256
9954f3b1a26c4d76beb32ff3b64178161d6c27677b9fbaa44be69e4f1816ea32

SHA512
b179a518446ee196c935a423573099b0a918e0e5046de41ffcf6d9d217d70c59e36793b222a3f5cb6befa038fae49004202b637c77cdf74cfe9398dd4cf7cefb

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
109KB

MD5
9e660967dadad926fa53cf256891d41c

SHA1
679e6fa787df011b296aa254786b8b974859b929

SHA256
7bfa414e6f83e2cc10cfe22b87abcac450aaa8e69a2712bc1281864f76ef0b7a

SHA512
e53f38ccbb2aff18513e9f9d012f4e1776f939f0ad99e778dfe35b50f4cda74e8720931d64f5f5cc6a60e9296cf1400fde41042093cd4284f5ad015a20c7f2e3

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
109KB

MD5
3fa99f8a83cbd4df0286304281c7f582

SHA1
3431a8cb9d93746354a011f04fe426669b096dd7

SHA256
c3d9014243994f8b57b385667050c53a776cd54c3709872be9074fbbe37d797c

SHA512
4d861898d4eadfc868c63e356e7b0fa69f6c5feaa3c7fb1d5c74235298e425599d829a19addf92a3792acf1c4d824e9ed14e6b9a57b4e0737c38b816f88e6cba

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
109KB

MD5
4303ae1bfba11dfcd7445ea2923f309d

SHA1
aee98033e26e665aecdf3d410ad818c27054c535

SHA256
93c9af86c662a0e6949be885a796a32aed8bdac1b510da8b3c070c24492b6f71

SHA512
b5211a0a8307c05396202fd01fcf1943e2c9260a964a3084d8df2688a30b40a18b67734cb1f586bfdf2830fa7d20870a986afdcc6801b3044f39e68245f9c479

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
109KB

MD5
d8db06232dc7caad8ace0defe4630d50

SHA1
be5d26cc07ad7392a04adb877a8c297a98cde936

SHA256
47e2d675211708d6e6911bc491aa2b2a0ae2e13ac446ae4db9a5033ec0f7bbd6

SHA512
5e1a0387bf2a4c6e5b59e25b08e4f1553e5322c41958ef3a2d37ca80f5b3eea15c14f22c2bba92fc01a564a9e4698ffbbbffb17670a0defb92b4e34d97872bbb

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
109KB

MD5
7d237dda754e8ba8ff183be1e0baf19a

SHA1
14ee48ffeb90e54cbbde30ee073b0d97e3592a6c

SHA256
1e8c2ab3ef25514a4d837c6ed84ea91a6f16e412f0c1864270e9d8258bebd03b

SHA512
8715a3a0a3e8ae26cb2f2f210c786738031df21331e2ceb38619ab89252880835ffd6eb835e96b81fbb2cb82f0db733fce2c2c84484cd9b6f2cb8cc2f2693ce3

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
109KB

MD5
de0c568c7a9e97314175eae5ae8ce851

SHA1
78c12c66f49317635bb0b0c88a6b35fbaf2fbd63

SHA256
bb21a35d2029b8baf1523997256b52e9fdf25d6225d8b4d7066a16d8b579d719

SHA512
7f4a37dac1dbbcf6b28059ed80aa0fd91b2fbb862bc978fbe0ba2b300f088f508d06d596c3729f75cd86d47251327e54293807a980d9bad320d47008f25ba4a5

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
109KB

MD5
015534ab45f23c6c78b9bbaae0fdc1af

SHA1
1665d1247256d29fbcc8f66c560df78c4ae866d3

SHA256
514090af768fa399adc44f697d91603553c97bd9edb05f10409f9b1142782469

SHA512
b98d27209d1f06a0afd02a601ab01a65083a836330bd06346051b2447bce5469f4a0a4e7737b1dfa49e71ffc5bb43bb519542b00cabea666e91fb7d2f1acb2f0

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
109KB

MD5
4f4c4f8970fbc605fc1537f88ade190c

SHA1
8d7492ea69f451d04cb297d5b84c9ee9c341ceb3

SHA256
d867b77c9b439f6a668a7f5951f2f0dd39617ef444f35ee9b08fd87d61f62d54

SHA512
931354f0bc4d983cddaf92f5f496b2381cc5862e07ec274d3be9cc59a26de126b65535b9b76f8d8e41023867d8cabd4e52433c69e722bccfe5223dc4f8d2a078

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
109KB

MD5
3b11217814bc46c9b82c3f4055851ca6

SHA1
c725ab935075992c0942092d994a513dcaa2b46e

SHA256
56c14e813397e89201bbdce3746956f25eba765a24ae42f409bbb24f260e7a2c

SHA512
f53671f98084e25758990565d877a92abc074df4fe29c9ef3ea6a317477582390c2611286ccf4fbb9931f1e82ec1f4cbffdcda9cbe5393da9a882f753b4f314c

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
109KB

MD5
efc09225494ffb2e7923dc124ab60036

SHA1
be8414c371b7018f242f91b1bb4d3ec2fa290075

SHA256
7ea24beee41a297707621b787d435ef30507ee1b8dfe2ba888ff4d86010ae0dc

SHA512
67d7b59c0a8b86b18941de21123b3ba360c24ba1467e9fb9eb6bc81b0dcee59c03074a5c28528eab831a5ac357734818860183000b1f90227aa14b39b14c6160

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
109KB

MD5
fbd715fbc3e258a09e3a4e6b01ffa468

SHA1
4a89f7af186a6d5a3b47681878d9faec899ea74d

SHA256
ed857cc1deed1ac64880c1c98b70d21c9f6f906c77ba414933304becdca50311

SHA512
9a0fcca8439be975a03faf15adcb06b56c14ed30e2d06568b913fef57b72f53ecac001058db56def94de35fcad5d5cf71b5d32559e0e3f4490ae2afa8a36fe28

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
109KB

MD5
77b71abb58e23035457a81f0b78bfbd6

SHA1
8d41ad2b139ede92b9c4a9030800a832d6ab6cc6

SHA256
33b996eef96b942f31feebfdd3c5d6e8c24cb6c09dccc6db4c7b02804005b1f3

SHA512
3e47d40c56b7fb60614adfa6da0743548616f2e0ed8161e1bf9715cf46af38929fb912ea1830a6c29df35d8c04fe3c1c5806d786bd9cb33737da543d8feff70d

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
109KB

MD5
2ec05c1a5f87c975ebeea005144d9d9d

SHA1
37fe0ef0dbb028c86ec95dc2d06f3cc7724d6f1c

SHA256
0c46c04d2365fed4ea1057915486014394f55b39a82ada24174d4f87cdd8e0ec

SHA512
ff1d1e8445a846d10b5e6b648b0ad58dc2a30a92b391cc29dc13d59ee15beaf9d0008075bbfc6f76a4bdc03553042d107d8c076b7aacef6539355dbc63c32499

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
109KB

MD5
029c90865b46b4fd8f3ed7bb234a13aa

SHA1
e9ac359b48314a6bd56b560201fe816404fd2f25

SHA256
32ed18db5320fdeaabce16bf38dbf4621257aa5215211b570902a02608f67bc3

SHA512
c3c3e61e06fa2240913323135c3abcedb2f7bcbd4f8e0d72b9db181d0f634c1333913a6b9e04d8d027db92fe00caadc6413ddc6e468027c4fb35320c429d2945

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
109KB

MD5
d7d09773505dceb52edccb385fb1d907

SHA1
4bcf19e18504a1af48d0630fc89f0e80201fdbd3

SHA256
4c0e7c744a165d8828c2a522f7e5aa35f08fb064093e6aa2883861240bc5ccf8

SHA512
34e16e46b9fa1cf11f09ec13e583bac2204ab6b3f799740a15e60eff7a34b5a952e3948921d44887e1fc4f0308953baf6f0d474b1ee3bfc3eb8384f26fd73402

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
109KB

MD5
1293c62c5c79a74b410bdecafe7e44ca

SHA1
9df97436e4879e47747efd9bb2d9436bb922cecb

SHA256
f6f16d784a6328d4787db6875df8c6fc72abbe18e17c4267dbdc9a73183331c9

SHA512
ffcf64630551cae7abeaa0b9041f7bff7276bd1d28d3395fe39b1936f124b66602270d4f14391aa8ac5ad33e191e9a5f1dd6b5f2ff7beec6d00645046b425cf5

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
109KB

MD5
5521efa3dc797758f0d195f6504a2db7

SHA1
bf294ee801074e8f38fd547da694007571f2de21

SHA256
473ff86b82c58774130cd5ba02f101a2ec99767d6e93ad15dfde487e200f3e6c

SHA512
b0978ca5339649692f294b1d9f632de46d6571205ab9bd1f46344bfb32295af1a4066814bf7cf6851f719f453f7dab5bb9fbee799a9ced525fc58cd8ed92ae3a

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
109KB

MD5
871e046e534006af3cde9cd362c8738a

SHA1
cb9d557512e185e6eadf58b62a6f7bf0545ab2ed

SHA256
2712ffca42d466791a493bbdeae4cc84b84604fac63721c259b538a7cb97b686

SHA512
cba3fc4e38a8ab68db5684ccfa998cfdb7ef9cb6ea7bec4b30039e5898347a64dc22618e74df819b5e412ac5533de2677abd86c9636faa1d1bad90d5fa583c70

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
109KB

MD5
85d1690c1cd52d9428f197710f183b35

SHA1
21753d1100ba8571438a06f6bf8267fe14848016

SHA256
cf1922d8e6d96a39a3e9d54a36c5e3b6b7114d1f418e967428c29bdcf0d37531

SHA512
c70643936ee978ea689601b990047732a526c9eb21ea17d22c3df808c1d7cf2328e8a208f0719bdcd1e08fbd1f9a8d508db8dc22c6dc2dce47d47d7f56c80b4c

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
109KB

MD5
1af126e35c0f141dc71669c364963843

SHA1
2172a6a1c69eef2137bc5899abaf47a31904642a

SHA256
9b2502a88a8c88f36d3547668461d5d40de2fc5b08bf63d1105fb752e927f185

SHA512
bbf53d9bd610c499b1d55255fe195097228fb5ef11b9fc88fb9ba57c59ee0fba5aff12dd3a0a3540a85b6f4a8782d0cf5bf617f8351ea757419ec60e1ca1ec2e

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
109KB

MD5
b4d0420a7e218bfccb19e6361db974ca

SHA1
a2ca353818de791d024fdb6710cd56adbde9b284

SHA256
181e9afc8de0146800d07a7723cc71a12753513290b9a1932921eb80a87440cb

SHA512
87ff8d33b56566c676f8a821fc2e6a0509a20e22052816375110095ba6dfa2b466e5d40a1b8e46f0c915ad98abdde6b6fd3a0ad95255a18826e84f6099ea6d7e

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
109KB

MD5
1c9cb2f347899590b01f16f15a3dae21

SHA1
04103bca11a61727c3b4224d91b291be4ff58d19

SHA256
8d69fb52191ce5162d946d954cc7c6706122177f8df694c6e5f81f5e877ccfdd

SHA512
4aa71c9ade04138e380179b702a1175fc1516f257d02e897fe82a36eb6b34df41a0447a082a6dc7ba2ff61ee0c76d93f6ea5b2573b1d39c0b4397cbb1e9ba1f7

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
109KB

MD5
b999c5b89db1fe046f520c50d2eba5cc

SHA1
866967732595cb62939d25973cbf72a81a129548

SHA256
12a69ee6ee119d5b2f0be583d4d688d93c942f7f62c14a82b01abd89c84408af

SHA512
a5dabb082429d4e078967b20fa6b975c70cca1cab759beadeef338ca128ce43016a93acb675b9198fa43e81385be3398f5d8b2d7d9600af9db0d1908f530af81

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
109KB

MD5
0690030b05e27c694bd31dab37b9cecb

SHA1
383aca042032a80ace7e90d4bcd9e02a60b951c9

SHA256
1022f913c00255fdd28428f5a36d99ebc1bfaac72e63292f14d579209841757b

SHA512
37723313badf63ce9a5713b5003dc014e9b5101347223db5ea1e13ec4ce9f2c79546870e3cb2fea016a52584e9e97499e657989a6a0d8a0fd725a9d7a5045391

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
109KB

MD5
03cdb4545dbd9825e04cd0da8100301c

SHA1
1de89adb54cce9498452461e8e32f25b1682c2f4

SHA256
c2413315d3e37e4e43352af1a4880ac5e485a433955501a0c35584dedeeb66e9

SHA512
f87ee698ffa8cee56c546a840c1c352ae577ae60643dbeee8fec568fb10e99a38c16c5e8114ce7cc5571ef431344624e0f77d700cdab1a875cde8bfca39826d3

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
109KB

MD5
e34d9992db0896c51fbd49ca2c72cdbd

SHA1
0681012037e60bc827db6130340afb64e00a632e

SHA256
77669737a30c6100062c8210f9cb3bc2e95f15a4e76fc6be53d0df5b3e7a06af

SHA512
96c23754aa26d7b9b3634d3e0a5ff00a1625b4de80d8f669f150d212f7dc25193cea7bf6dfa0ea06950b180ea82294b8aeb5a187e45508131e25200e08acaf82

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
109KB

MD5
fbc3a09716f824946657e22290fca576

SHA1
7eb43f50b7bcf55349814e7c0607a7c743b9cf04

SHA256
f8876539a095adc230b95cd4e7004a36d48b26b2cb7f9c60cbc4cef96c35d5dc

SHA512
edf8cf8d7dca78e9bdaba0268902c847a3b01cc17fd1c64de8a6e11953abb9145295303ec85e77ba5400f83f791a57a6d373e55fc99a4ea6c607e39d970fedb6

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
109KB

MD5
b1f7ebc4abb4bf1f1b5ad8bf7e35f129

SHA1
f39d13d5983f02d0326ad0a40c7b067a8999b5b5

SHA256
e4da42e17b30d108fe3fbc582fcc18abb93e419a82ff7b2bf3dc893267696c73

SHA512
653e8b2e54a32b75e5cc65f5f1aeba5b3239a541e06c01c1fcbbb2ff03b0edc550927beed823aa8d716f0f0f47ffe4a3fb874baa4e6601a122941c55199cb33d

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
109KB

MD5
50681ce966496fa0b49ca9cd58e28918

SHA1
44acd37cf1bb7c6065d1379526c299266c8c19ab

SHA256
365f09624921c536d94f4c722c609acc68e0568d25a8ef484a6e9dbb0ff07f98

SHA512
0afd96dc0354270f1d3b3a6b14132d1b4473d8a6e6d784f76ea5d904fffe43d861899471114c0abf5d5440b082061fa4831930efb8e725e4f530e0ed95092959

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
109KB

MD5
a8b660560cc385b4ddf8d163027be1d4

SHA1
43c734aa8d62d0b48f5982c49171e764eefe99bd

SHA256
04a427c728a07ba877a7ce1ebd73b3d058989f04034da9544cabe3c8f50b30f6

SHA512
02896e99a197cced571f572b9d72a8e5d375b2fc92660ebadeb20c41d85e299322ac79530ee3661379448bae3ff17817662c23591bbfe7c025449ed377d84a69

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
109KB

MD5
68b2928ebe421333f9e2e9e6bf70798d

SHA1
2165ecc78765c3b8801e69a2b22ad6d572567550

SHA256
a0d9d869704dbbf8fa66c9e5bca9aeca6ed01d3a826835533020ba3f09fdf798

SHA512
f6a2003b46885b658d329f5fe7cd328f443a57c257f4af8d4ca92ad3c5a9bd0d885845b81fed0e1ca19bab46ba879952bf9917b1646b90f218892c91c243f3a4

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
109KB

MD5
e360516ad4878e3d01aeb78343af6327

SHA1
119b481ad4bc8d6cf196a0bcff75b22424082366

SHA256
22dc9f8b75255d382132f63eb47ebce2df610a29bf2d87943e30a909dc6fab79

SHA512
6efd548cdc14bcb77cfd561d553ee3bdf62bffa8006745f7e0fe40e6b88cf7a23bdfc5a69b226bab8640aaace204fba290b9e48f531192c6c81418ca6e544d78

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
109KB

MD5
ec336a55c28e9ace40245c878b5e255f

SHA1
ce9151b6464f2a87aee6c4bc86fe61564205b44e

SHA256
e89eea835a03f2a07d13aa3fd87e96004e3bb624dfa86580429c2e8d53c7a682

SHA512
e74878865048f5ed3cdc6964b6b55992c614cd44584210aa983244ba89bd75d9a054523e5ee12be2e970abb6f6b80a7de2e35a5b676ebda96012adc1d3084cdc

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
109KB

MD5
57e4f07cdba61300ea889201b1afe3dd

SHA1
0a0d3275e507e1d230cd4fcd7ea9637895b12ac6

SHA256
f913a64856dac62c8082110697fb2e40e53d5dee4d167df457eabecfebe81a96

SHA512
b9970c107651f75db767bf65b4c128b85c75a0b69b01ec29723fc23538e0d2d7330b583bb9890c9fbb16a3e4d1e608910306cf54933fa6cb1803f855c80e75f6

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
109KB

MD5
bcb585a745121d15b03447416465110f

SHA1
992b1ac2244875171b2d1d00733e88586d4074a1

SHA256
d57dd23d7872dde9ec03ddeb0c866af6c191397d42fe0e3c6db72538281e1358

SHA512
96de600368ebfea1629c33cc05d663dfd091ae980fe1066f0f2cdc245d184261572cf5e916af631dbed377b4a7beea240f3496f1c4cc48376711fbd6dcdc3161

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
109KB

MD5
63697857dbf82693b236f27081c0e888

SHA1
51b3c655733c1cee3e5a7f46b118f35d66513744

SHA256
ffd372126baf18dcf2e8a37a4d1e56f3ebc98a9dde72fabbee36c81d48cf1fc5

SHA512
4ee91b5c50f0a185c2649db42b83146e8444af725bba789e6b74f2bbd82b7c8fed25f278c6361f95b2dad07e8d687c75c2575a094d9a4206a0772f4fed8d0e2a

Download Submit
C:\Windows\SysWOW64\Qnoaog32.dll

Filesize
7KB

MD5
457450c5a2e59cadb4af67d50cdfae35

SHA1
19657e31568294cd032e12158028ec91a26628bb

SHA256
88f37855fb85cb2493b98711419f95f471bf1fdb936c3adde7fbaf449589decc

SHA512
b1bf0d5f56eb3729eb74af4103d77db307ef30eab3c2b96aacfdc9af1365c9e5dcabe31fc8b38b2e6465a4461c2e250363c87d36ca1c0721338a79295086fc74

Download Submit
memory/424-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/548-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/624-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/636-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/648-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/756-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1164-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1200-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1256-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1260-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1296-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1384-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1404-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1472-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1792-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2144-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-518-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2796-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2796-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2828-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2920-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3156-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3204-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3516-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3524-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3528-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3584-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-599-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3704-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4072-563-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4084-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-570-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4232-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4240-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4452-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4468-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4476-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4716-589-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4716-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4828-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-481-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-590-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5060-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads