8d7f6b53e831b0260030049e8e040854beca571bc99ef4f5c3b3c48fc8c3cb20

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24fd54db7bc727d0e43d18e328edd670_NEIKI.exe
Size

1.9MB
MD5

24fd54db7bc727d0e43d18e328edd670
SHA1

6ef6b8438c7d5b42437702f720f22a112f76ec4f
SHA256

8d7f6b53e831b0260030049e8e040854beca571bc99ef4f5c3b3c48fc8c3cb20
SHA512

43027e5f205b80605c345114d0d585f7a168cf6bf27e5422ca28b9eb2e345b20bf2133b4d6375a0947cf9e59e67bb87c592691b92b9b9f6a5af81de2250abc17
SSDEEP

49152:CaSHFaZRBEYyqmS2DiHPKQgmZUnaUgpC7jvha51N:CaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjY

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000023298-7.dat	family_berbew
behavioral2/files/0x0007000000023414-15.dat	family_berbew
behavioral2/files/0x0007000000023416-23.dat	family_berbew
behavioral2/files/0x0007000000023419-31.dat	family_berbew
behavioral2/files/0x000700000002341b-40.dat	family_berbew
behavioral2/files/0x000700000002341d-47.dat	family_berbew
behavioral2/files/0x000700000002341f-56.dat	family_berbew
behavioral2/files/0x0007000000023421-63.dat	family_berbew
behavioral2/files/0x0007000000023423-72.dat	family_berbew
behavioral2/files/0x0007000000023425-80.dat	family_berbew
behavioral2/files/0x0007000000023427-88.dat	family_berbew
behavioral2/files/0x0007000000023429-96.dat	family_berbew
behavioral2/files/0x000700000002342b-103.dat	family_berbew
behavioral2/files/0x0007000000023431-128.dat	family_berbew
behavioral2/files/0x000700000002342f-121.dat	family_berbew
behavioral2/files/0x000700000002342d-112.dat	family_berbew
behavioral2/files/0x0007000000023433-136.dat	family_berbew
behavioral2/files/0x0007000000023435-144.dat	family_berbew
behavioral2/files/0x0007000000023437-152.dat	family_berbew
behavioral2/files/0x0007000000022976-160.dat	family_berbew
behavioral2/files/0x000800000002343b-167.dat	family_berbew
behavioral2/files/0x000700000002343d-175.dat	family_berbew
behavioral2/files/0x000700000002343f-184.dat	family_berbew
behavioral2/files/0x0007000000023441-192.dat	family_berbew
behavioral2/files/0x0007000000023443-199.dat	family_berbew
behavioral2/files/0x0007000000023445-208.dat	family_berbew
behavioral2/files/0x0007000000023447-216.dat	family_berbew
behavioral2/files/0x0007000000023449-223.dat	family_berbew
behavioral2/files/0x000700000002344b-231.dat	family_berbew
behavioral2/files/0x000700000002344f-247.dat	family_berbew
behavioral2/files/0x0007000000023451-254.dat	family_berbew
behavioral2/files/0x000700000002344d-240.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1536	Ffekegon.exe
4788	Ffggkgmk.exe
3720	Fjhmgeao.exe
2392	Gbcakg32.exe
3488	Gmmocpjk.exe
3472	Gcggpj32.exe
4976	Gjapmdid.exe
3520	Hbanme32.exe
3264	Hpgkkioa.exe
2768	Hjmoibog.exe
1116	Hpihai32.exe
5052	Hfcpncdk.exe
5092	Hmmhjm32.exe
1980	Icgqggce.exe
4460	Idacmfkj.exe
3016	Iinlemia.exe
1356	Jpgdbg32.exe
3004	Jmbklj32.exe
4856	Jfkoeppq.exe
2520	Kbapjafe.exe
4704	Kmlnbi32.exe
1452	Kmnjhioc.exe
2364	Kpmfddnf.exe
432	Kkbkamnl.exe
952	Lgkhlnbn.exe
1988	Lpcmec32.exe
1532	Lcbiao32.exe
2492	Lilanioo.exe
1528	Laciofpa.exe
3860	Ldaeka32.exe
3916	Lklnhlfb.exe
1696	Lnjjdgee.exe
464	Lphfpbdi.exe
744	Lcgblncm.exe
408	Mjqjih32.exe
2684	Mpkbebbf.exe
3644	Mciobn32.exe
628	Mjcgohig.exe
2828	Majopeii.exe
664	Mdiklqhm.exe
4952	Mgghhlhq.exe
2632	Mjeddggd.exe
2240	Mamleegg.exe
4640	Mdkhapfj.exe
784	Mkepnjng.exe
2164	Mncmjfmk.exe
2628	Mpaifalo.exe
624	Mcpebmkb.exe
760	Mjjmog32.exe
840	Maaepd32.exe
4552	Mdpalp32.exe
768	Mgnnhk32.exe
3864	Nqfbaq32.exe
2560	Nceonl32.exe
3844	Nklfoi32.exe
2796	Nafokcol.exe
4644	Nddkgonp.exe
2524	Ngcgcjnc.exe
3204	Njacpf32.exe
3724	Nqklmpdd.exe
4792	Ncihikcg.exe
3884	Nkqpjidj.exe
2096	Nnolfdcn.exe
5016	Nqmhbpba.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	24fd54db7bc727d0e43d18e328edd670_NEIKI.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ffggkgmk.exe	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	4100	WerFault.exe	150

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	24fd54db7bc727d0e43d18e328edd670_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	24fd54db7bc727d0e43d18e328edd670_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1536	2028	24fd54db7bc727d0e43d18e328edd670_NEIKI.exe	82
PID 2028 wrote to memory of 1536	2028	24fd54db7bc727d0e43d18e328edd670_NEIKI.exe	82
PID 2028 wrote to memory of 1536	2028	24fd54db7bc727d0e43d18e328edd670_NEIKI.exe	82
PID 1536 wrote to memory of 4788	1536	Ffekegon.exe	83
PID 1536 wrote to memory of 4788	1536	Ffekegon.exe	83
PID 1536 wrote to memory of 4788	1536	Ffekegon.exe	83
PID 4788 wrote to memory of 3720	4788	Ffggkgmk.exe	84
PID 4788 wrote to memory of 3720	4788	Ffggkgmk.exe	84
PID 4788 wrote to memory of 3720	4788	Ffggkgmk.exe	84
PID 3720 wrote to memory of 2392	3720	Fjhmgeao.exe	85
PID 3720 wrote to memory of 2392	3720	Fjhmgeao.exe	85
PID 3720 wrote to memory of 2392	3720	Fjhmgeao.exe	85
PID 2392 wrote to memory of 3488	2392	Gbcakg32.exe	86
PID 2392 wrote to memory of 3488	2392	Gbcakg32.exe	86
PID 2392 wrote to memory of 3488	2392	Gbcakg32.exe	86
PID 3488 wrote to memory of 3472	3488	Gmmocpjk.exe	87
PID 3488 wrote to memory of 3472	3488	Gmmocpjk.exe	87
PID 3488 wrote to memory of 3472	3488	Gmmocpjk.exe	87
PID 3472 wrote to memory of 4976	3472	Gcggpj32.exe	89
PID 3472 wrote to memory of 4976	3472	Gcggpj32.exe	89
PID 3472 wrote to memory of 4976	3472	Gcggpj32.exe	89
PID 4976 wrote to memory of 3520	4976	Gjapmdid.exe	91
PID 4976 wrote to memory of 3520	4976	Gjapmdid.exe	91
PID 4976 wrote to memory of 3520	4976	Gjapmdid.exe	91
PID 3520 wrote to memory of 3264	3520	Hbanme32.exe	92
PID 3520 wrote to memory of 3264	3520	Hbanme32.exe	92
PID 3520 wrote to memory of 3264	3520	Hbanme32.exe	92
PID 3264 wrote to memory of 2768	3264	Hpgkkioa.exe	94
PID 3264 wrote to memory of 2768	3264	Hpgkkioa.exe	94
PID 3264 wrote to memory of 2768	3264	Hpgkkioa.exe	94
PID 2768 wrote to memory of 1116	2768	Hjmoibog.exe	95
PID 2768 wrote to memory of 1116	2768	Hjmoibog.exe	95
PID 2768 wrote to memory of 1116	2768	Hjmoibog.exe	95
PID 1116 wrote to memory of 5052	1116	Hpihai32.exe	96
PID 1116 wrote to memory of 5052	1116	Hpihai32.exe	96
PID 1116 wrote to memory of 5052	1116	Hpihai32.exe	96
PID 5052 wrote to memory of 5092	5052	Hfcpncdk.exe	97
PID 5052 wrote to memory of 5092	5052	Hfcpncdk.exe	97
PID 5052 wrote to memory of 5092	5052	Hfcpncdk.exe	97
PID 5092 wrote to memory of 1980	5092	Hmmhjm32.exe	98
PID 5092 wrote to memory of 1980	5092	Hmmhjm32.exe	98
PID 5092 wrote to memory of 1980	5092	Hmmhjm32.exe	98
PID 1980 wrote to memory of 4460	1980	Icgqggce.exe	99
PID 1980 wrote to memory of 4460	1980	Icgqggce.exe	99
PID 1980 wrote to memory of 4460	1980	Icgqggce.exe	99
PID 4460 wrote to memory of 3016	4460	Idacmfkj.exe	100
PID 4460 wrote to memory of 3016	4460	Idacmfkj.exe	100
PID 4460 wrote to memory of 3016	4460	Idacmfkj.exe	100
PID 3016 wrote to memory of 1356	3016	Iinlemia.exe	101
PID 3016 wrote to memory of 1356	3016	Iinlemia.exe	101
PID 3016 wrote to memory of 1356	3016	Iinlemia.exe	101
PID 1356 wrote to memory of 3004	1356	Jpgdbg32.exe	102
PID 1356 wrote to memory of 3004	1356	Jpgdbg32.exe	102
PID 1356 wrote to memory of 3004	1356	Jpgdbg32.exe	102
PID 3004 wrote to memory of 4856	3004	Jmbklj32.exe	103
PID 3004 wrote to memory of 4856	3004	Jmbklj32.exe	103
PID 3004 wrote to memory of 4856	3004	Jmbklj32.exe	103
PID 4856 wrote to memory of 2520	4856	Jfkoeppq.exe	104
PID 4856 wrote to memory of 2520	4856	Jfkoeppq.exe	104
PID 4856 wrote to memory of 2520	4856	Jfkoeppq.exe	104
PID 2520 wrote to memory of 4704	2520	Kbapjafe.exe	105
PID 2520 wrote to memory of 4704	2520	Kbapjafe.exe	105
PID 2520 wrote to memory of 4704	2520	Kbapjafe.exe	105
PID 4704 wrote to memory of 1452	4704	Kmlnbi32.exe	106

C:\Users\Admin\AppData\Local\Temp\24fd54db7bc727d0e43d18e328edd670_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\24fd54db7bc727d0e43d18e328edd670_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Ffekegon.exe
  C:\Windows\system32\Ffekegon.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\Ffggkgmk.exe
    C:\Windows\system32\Ffggkgmk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SysWOW64\Fjhmgeao.exe
      C:\Windows\system32\Fjhmgeao.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        28⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        57⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        67⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 400
        68⤵
        Program crash
        
        PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4100 -ip 4100
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffekegon.exe

Filesize
1.9MB

MD5
2000cf3eb3606b4465d110c13d36d46e

SHA1
8edc83d9a03cdce455220d348c14750b76beae2d

SHA256
9af1e4c7dc5659de099bd08ea62a60410d1af3f9c042938bcf9941619ae88b93

SHA512
3932f9eb93a1f9d1cb9c342b88087d69509969c0b0d356a0e60a1308ee32099e5ffeca9baea69b84cc9156ea7b2c893b8c347be6c5cbc05fbdbe30425553936b

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
1.9MB

MD5
7f35582192f27ed6bf52b1842f2172ce

SHA1
fa3e944f9a9865a29a15da276938d9b94c18f33f

SHA256
2cd8c9e78cf6149407060e3653ea33ff7b75803590100ac2cf87012cd98f01bf

SHA512
a694ea6d4a94ea32a269d3742577e28ec5e08fe5b4f6ed189afb2244fe81737aa16049fbd9374b12dfe63f4d8229585e02e3b7fe45e580a870313033d58584a7

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
1.9MB

MD5
000950b5038c82468a43ffe82e80b2cd

SHA1
cc159303ecec6d2fdc75ccc1c9785cc35352f0c9

SHA256
fc0a6293a0e038e8d9e7f6b06d23b14297414bfda7d9fd08e997e3f56aa6bb0c

SHA512
ee09a50f73136d79bdaed389412eaae3b8e0dfe9e95f991665ee683c7bff37107be7d8ff31c52884a321dff0ff1b839a171f861b49c78adff6d364ce576d5d4e

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
1.9MB

MD5
c766310de3c2c11f3ee244d66d8238e5

SHA1
45687746204019a03e3aaeb38204161a83f94642

SHA256
4d6421e399fe2098d0ffbba4290b3db1b0120812af2187ec6e3b5bb5f8278bfb

SHA512
ef3bee5263936e7ab4ed0885551fceca94f059827bf6efec5fc1536e89267ece68782d39c916f40c6bf743eea8c0bd635ac5440b22f98898bad798deda6df74e

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
1.9MB

MD5
783919326c11d19768ce54c4ce146dd5

SHA1
d55dce7fe09d6403d46a46874b40e42714ced8c0

SHA256
a5f9339c3f52b722fb81dbae448cc552a79754ec58b9620f31473b0b557d1940

SHA512
7cf66571eea458c4fd171d8a1ba3befd5e5497826e2dc528487865e68f3a1e0f7777925ab697bb82a9d7644ca4b18a19afe5e440dc49661edf4bf390c3af2a5d

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
1.9MB

MD5
01ab90731beb8e3a4b32d6e8842f4f52

SHA1
572e5eb96b7b2eb82347a668803ab1a333a0d088

SHA256
d7b4c60df9a8649219b511270a17d6460457b2700967a5f066689d06e760ce6c

SHA512
1aea74871309f56230d9efbf5633e0ba8a3815a810c96ee87f93e2f3aa017b94bfd64455fada30ff12f34e59159ea608a2f65d524630e83b729130e78eae8e28

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
1.9MB

MD5
edbfe4a0239b410dae798b0afa99eec2

SHA1
b7bbc53f6dce0b5a92fea5fa656f2d0249c80f8d

SHA256
4ea4e0d25fca09bb5412a88073e3f2d9f859d70b8d76ead56f934ac2b90025ec

SHA512
1995634d833b9e6f77697723beecec23f2925a5ae1b36a3e480f0a4c3136006abb02819b463ec798541bf1617da8b243ac9a7a82bc82913d264b46852a1f264d

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
1.9MB

MD5
417aa6ccbfe1bedc3319dcc508d29d94

SHA1
2c80dec0094224e0599633c8d58dc90f3cb5c645

SHA256
c8ec55f9e9cb9f377caff61624a290ce56eb2a3b353afa28d984c676457d4719

SHA512
94e86d9dab95e06a045e01b3982b262a63a880f9d546e530edcc0c3aa900a18fea3ff29c20533c4f12cd9aec7b0f94c84dd66dc28e40173157b578209be7a8b7

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
1.9MB

MD5
2d5fe51535630e2f8826b928148fbd16

SHA1
6f40e315ed619f60d11e59f4de33753714e5716d

SHA256
2da47693ceba17c17dde1c0f2a78eb43c5e33ea360af95483eb2851ed53a889a

SHA512
1cb76f841671a47d0a80a0b9e9711ed8d468a128580b2558e56b9985480d43095bc42ecff6b886ea24e1d66a90306c1d23d2e86e6bc53b2a1542292b97b6855d

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
1.9MB

MD5
e9fd05adfb33ca1ba7ead8cb7af0ab6b

SHA1
6bb8fa19cc588c49236f49d0802e9adf0b8633ab

SHA256
d0442989ee86a42a99ea994a2fa827328f2b5de505eb79881a1e1b0643de237c

SHA512
bbdb07e3dc639dc05fc49d70998c4732de5946a79ad85d83087f5ad481b6b64457a502473c17553a09bdf19de036045cf4ed733101ab0f747157754b81f994fe

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
1.9MB

MD5
52b668437b097a1d29e6d6cd39c2e697

SHA1
a4d9c9e5db5d3dc4858c7b1b06d5d7a968d9e683

SHA256
9b89691b05015efdd5b65d96f8bf5804694743addfbe6b6af41b6550ddcb0eb8

SHA512
7ffc3cb3dac6fbe91553b3e99b8f89920d80233b2a003ffe361c947043cdb864e0ba8ebed987c6054faf119e003ea9b2f677e2cb6410fa82f258c5aab64a995a

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
1.9MB

MD5
b55a21095903f1194e07d4e3c0927b22

SHA1
06852356ef06a25434a2a6d4f88f60df74267c10

SHA256
4e259d5dc76e5028398472d139042baae2df9802896890acbca71f7e9708c339

SHA512
90e7594844dc7358889ce003f15553f3192432147a0d7f0a1cba7ba77b491f65b5f9d6bedf95ca3e638bdcdac1e6dd5b15924d8a15b827670862da9798adc379

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
1.9MB

MD5
007a6ca0c39fc34ba538671cf2da257e

SHA1
a7057cfc049be2dfa6e240666e2f10f04a0f6338

SHA256
d334dca6c4e0661dad63a0ab4a6956e9dad2fc27229062a1c36767bd529ab2bf

SHA512
83fdef85e864aca738dbacaf78fd1df99779342ffc8b738ea7f9062b276ba23ec5e2d8fab82e6090b80d9c68182073d6e28458d0b55ab853eec1c0d69ee0dc81

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
1.9MB

MD5
3ad77098bf022b85970fdb8591dad5d0

SHA1
469d4aee8b48d60060cd8f81dca43e86ba6d9559

SHA256
233cd8297d46a067260f6ce83aa138f7278fc1b158796642c1e03116a64672c1

SHA512
f9f55163af3a6f1e3bfd2960a3e537b27bb89e1947134dccbebbd98d82cdc973596c5c1cda51eda8eb0196ffeb7983348c3070be2adf68a11cf2f59192560744

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
1.9MB

MD5
85e2de82a8c5ffd7661374dad8101c1d

SHA1
abed9a5572f75d77b70ed906bc8ff0c1b8eb9e08

SHA256
e7cf882ff1630a6d92733aaa11157162725e09e740e8111cb29e91621f7d73a8

SHA512
72d8782185418f3b2e602ab85f78bc4c653a9e271049b10de6ac0252e6e9cc32494a27f0afdd3c4bee7bc0d17211189bf5b564183a69e417dcef41d15d3cb9da

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
1.9MB

MD5
f4cf644ae983f5c3b16ef62df75f9670

SHA1
50b7c2eb88b1a6efe3678708895a8c823cbfdae2

SHA256
a6038d4129b5b819ea4946388547b65b194088e6c3181a0f4bffe909720653fe

SHA512
4bf40fb5fd951806e0d0267c0e827f5c25c950830d966c3018cd223b866595cc1a462fca452a422b6634081e67c1cc96b5bbbfbb6c5c49689a31096f792b8229

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
1.9MB

MD5
440f0e903421b437cf513e9f7f146579

SHA1
6e326acac815d4a17eef719c02fa68717f19a05f

SHA256
ddcd454eb9b1bef87916191f3313f0bd84fdfbf4acd16ae034679be85a8b28db

SHA512
ca856e13d2adf26bf4cf4443124e0a163c197848bd42cba5c6bbd466f205eb7aae903e7cb73e3fa25381845fcd01e2c3e368a03343de029b04217c6ff70a1256

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
1.9MB

MD5
9dcbd6d24a506edca0db81b4178189b2

SHA1
addd27d1a72a38fe5bbd26fbf3b90fae0e48ca58

SHA256
32f5bed75dfb88fcde2763cf1c0de1094640525cdf779a4293066a45cd98fd8c

SHA512
7096e5b415305be31b046ddcdc3de4d358c54749ca32163f740ca2439393449ab4955a0ff2c68c3667930ea51aa9160dcf1550627fb27e47d21d942efd94a123

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
1.9MB

MD5
bb694f32d660c21f2d4774b0d13289aa

SHA1
1f3924c03c05992e759d9b666e8752b37245716b

SHA256
c75267bf5272c7d397717b01300393e28c83f33360f1390c2518b8c5ea73c6e2

SHA512
678b1acafc5117c0ec9122b38a79b43981e72a1bd5791c539746816f7e8e19bd9c47390b4882e20df4c1118fc92ebdc37e9a69fcb3d37da969802e1828565245

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
1.9MB

MD5
966a065b83c1724fe106a8f385c361eb

SHA1
8184e4f8a46dd94efb7a4fd5de5de8711a500991

SHA256
c864a8124806e517b58f5e86dfd5b86ecc73e3859516167b6014f03f813a5b2d

SHA512
f35d65fbbc85c223b7fcccef0ee0962b89385b8edcaf8eee99bfbf5e20f960d6ad57ac16a815e0c68f9ebbc330ed0251f6aa6eab321590218aebc3bc7acb5f8d

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
1.9MB

MD5
320c427ef131aa36e88dded55340f8ac

SHA1
315e8ce3e59137d7db6e01eaf445dc21812f8b37

SHA256
389e1b15fa811c20908fb242c4d4f1f160f5a5d7355d4a9219a4f80746efef7d

SHA512
be1a9695aca791bec3711cfb321d4901d42fce220356e781a837bd9dc24cf6ee630447c5847f12b6dadf8d1eba4bfc1f5ebbe86bd060dd1526a3dc50eaef2371

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
1.9MB

MD5
831f9d9df06a39c785a738c67e71f521

SHA1
d24bf6e090c5742914b6051565e3791190fe24af

SHA256
8efcfe7b6e3597dd47741e689a5955be10e23d37ba25281a0893fb017c0c0c3f

SHA512
3539c3182b800d94c13773aea2fbd91a7fc8d8c535acc0289eefd56b98bf91c9eb96e14a8c08ac89ba814e6074ba1c216fdd296f834b23bd311f695535779378

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
1.9MB

MD5
7f86ac03bb4c70e48f32a93f3e68df75

SHA1
a7d34e9a14bb01e238716b5bef2b238dad45dbcb

SHA256
1ebe53ed1e447d06a13dc3199414ec945fc41b802cdb60218b39282766591469

SHA512
3148b786557f6fc4c64d667117b0fe1c70254639c86a33dcad1059c1cec558b09bc10565fa9edc57642c96cf22ab6772674434546f505cf7268dbfd5b2bce199

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
1.9MB

MD5
e88e092a8f16329d1e2332268357363f

SHA1
f9ea294f2f8cb17c01160403ff1410e9f110d653

SHA256
489b665f72779a567f47731fa8a2fac5f628241f63fd63475c7093f95cac8845

SHA512
2c8fbd33a348d842d57b4d340374d70dfa1cc832114d985a5cad1e6480bf29f98db4aa72357507dc49b576c852e0394ac69c53c36c601bb35ee5cafb8a2f97f8

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
1.9MB

MD5
67460d5988f26d17ef4f295a76da9c0a

SHA1
bc9ffc6492d6684efc6de69d418749dbd9f83dfe

SHA256
31103178f3e05bd3f92e57487175823fb0aeeebe7233db7818559f8a6c3dc8f2

SHA512
feec14747b7e61376e5896eb90c743611d49ffd0661ebb1643638302fdf6c34c6f0e97168d11f877a1a2269c140a01910d8f2aeaf99df6bf0e78b45582500197

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
1.9MB

MD5
a77d3bda032f703e2f45f06e9dec713e

SHA1
e388628814a3717b44a4cc87cd97247a526304ac

SHA256
6bebeb6f56efa55abb1afc335d162ec8545599f329e7b0e4454892719b13f333

SHA512
fa54a615e67502bce098d1b47def2f7434114490d6b2f5d86ce4e922fec1d2d9bd0a0b883450adb87788334d1c1bb077677b431cc1e078791fd1c2739ba90b22

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
1.9MB

MD5
de846d0f75064ad32d5013e02a7fec7b

SHA1
0afd80c35201305fc57cd273dddea4f7a811b608

SHA256
0957a00fde203bf399feb30918923160fb9cbef1e6ba7e8f60dbc19b272e6df3

SHA512
104e34a4964825d63f912481bb65bf537f119c7d88d23c3bf956785e5fb6d84ce0d4695bd5dfd27890ecead8ac12f4416ca7b57b0c5900d9c09289688e2c1fb2

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
1.9MB

MD5
1fd35f81f2ef6715f7b9c1c94ede7864

SHA1
a2c6b2477d1442659c12a6559368d4eb56aac1da

SHA256
00fa19a444c898ce8362578ed936ad53ac4e7f61b0ceb66f452e64bf22635d51

SHA512
739c78bd6e8f60b7c15c9d84fe6d51eedb17bd0d5397a4927b9fe833224648ed7cb48e77a40f84c9a625b44f29ea3031e05ce3bf48496d40f1d19d4b99de6cb8

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
1.9MB

MD5
e5f15062b22a57f45eb02884fa18e9d4

SHA1
135395e2bdd708ada5a59b5ecede8226cc36a67e

SHA256
2b6216c7d6579c39d5808d4cc555bbb75cb830042c7d0d3bfe7a0f336c0c1797

SHA512
b69e3559825e6c9424730eb481ad92c8c6b044043017cf6925887b7628bd5e87fb66dea45b561651a953f13422ec8b364162771fe1c58dca35ae0c41dbc674c8

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
1.9MB

MD5
2d2c61aa7ea1eb2f70e77f01b4fe1cd9

SHA1
c63f332729e5022393345bb13082aae03cc7f66b

SHA256
cd36345dd95ad8dfeb74ddd34bfe1d395cb043ccb9a9fb88d4f6f8c07d4d388d

SHA512
592a6aed3add798ccae548850e458d6831836a8660695d6f0a138ec7daef4468b623088adf65e2c184b21528df3af503549a0c96657ead0bfe4c7ef07e8ee3a7

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
1.9MB

MD5
34638f83a435978c55e77fc3d580c6c7

SHA1
d1f5bf083fac602d3a09882ffce0cf5527979a30

SHA256
311526c6cc9cd5ea2db3c96d5fe3e07bc460b0901830c1a1c616186c1908c79f

SHA512
e3feee2b2a7c364f327e5ed78050c21cb81388d3d0a5f20eb3d35c1e390eaead85732f0bb8a8f591728d3a5c6174b24d243265d2f1cf41834e48bf823852ec1f

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
1.9MB

MD5
4e5cb3de1fda6a88125e1be4c70dee29

SHA1
40093d7489d29d7d0fe71539a9097aa27cd7d961

SHA256
c2863b33d2afa583e566ef9f1bdbacd058af8429f1380c1637089d92738807b7

SHA512
e77a764fa8a47e0d8142cbbd14982ff2a692c19449498ff4ad0857cea79a5b4355e41c64f9a08efdfbfe469db9bee2aaa63594d0677540cb5dbfebdacddd23a0

Download Submit
memory/408-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2028-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads