0d7286db1a5b50ad620a8ca08f5f4fb205d91f4654e9506b188880ec8f0a92e5

Analysis

max time kernel
128s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfea17e78d6240e2a36398725a2535e0_NEAS.exe
Size

78KB
MD5

cfea17e78d6240e2a36398725a2535e0
SHA1

3e2dfbd93318c488414f7bd0fa1da1b131a98d9e
SHA256

0d7286db1a5b50ad620a8ca08f5f4fb205d91f4654e9506b188880ec8f0a92e5
SHA512

62d4d0f8fb73899111f39c4064a82d7bd25ce7a752d2559bcf796ce659d1eea114d57e7aa1b0c1f2c17fc7a4f5ae3d6a1cfb8076ee087227302a5e4628fc9765
SSDEEP

1536:gSOB0HHqQZVbAK/tmKFFPZIiVo4N+zL20gJi1ie:CyHK2Vd/tmimiVo4gzL20WKt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe

Executes dropped EXE 64 IoCs

pid	Process
4956	Ipegmg32.exe
528	Ibccic32.exe
3252	Iinlemia.exe
2308	Jaedgjjd.exe
2284	Jdcpcf32.exe
4172	Jfaloa32.exe
5064	Jiphkm32.exe
2776	Jagqlj32.exe
1068	Jfdida32.exe
4644	Jibeql32.exe
1684	Jaimbj32.exe
3188	Jdhine32.exe
3000	Jidbflcj.exe
2212	Jdjfcecp.exe
4524	Jkdnpo32.exe
2408	Jangmibi.exe
4580	Jpaghf32.exe
1712	Jbocea32.exe
3156	Jkfkfohj.exe
4052	Kpccnefa.exe
388	Kkihknfg.exe
3736	Kmgdgjek.exe
1240	Kpepcedo.exe
400	Kgphpo32.exe
2160	Kmjqmi32.exe
4132	Kphmie32.exe
1924	Kbfiep32.exe
3176	Kmlnbi32.exe
3864	Kpjjod32.exe
1376	Kcifkp32.exe
3336	Kmnjhioc.exe
1928	Kdhbec32.exe
2948	Kckbqpnj.exe
4416	Lpocjdld.exe
3224	Lgikfn32.exe
1112	Laopdgcg.exe
4040	Lpappc32.exe
3296	Lcpllo32.exe
892	Lijdhiaa.exe
3684	Lpcmec32.exe
4840	Lcbiao32.exe
1640	Lilanioo.exe
3600	Ldaeka32.exe
3264	Ljnnch32.exe
4696	Lphfpbdi.exe
4224	Lgbnmm32.exe
5068	Lknjmkdo.exe
4188	Mpkbebbf.exe
4300	Mciobn32.exe
4504	Mgekbljc.exe
4064	Mjcgohig.exe
2892	Mcklgm32.exe
3624	Mkbchk32.exe
392	Mnapdf32.exe
972	Mpolqa32.exe
2936	Maohkd32.exe
4640	Mdmegp32.exe
3776	Mjjmog32.exe
4856	Mnfipekh.exe
3704	Mpdelajl.exe
3484	Mdpalp32.exe
5024	Nkjjij32.exe
4572	Njljefql.exe
2516	Nacbfdao.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	cfea17e78d6240e2a36398725a2535e0_NEAS.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5088	1132	WerFault.exe	167

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cfea17e78d6240e2a36398725a2535e0_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 4956	1588	cfea17e78d6240e2a36398725a2535e0_NEAS.exe	85
PID 1588 wrote to memory of 4956	1588	cfea17e78d6240e2a36398725a2535e0_NEAS.exe	85
PID 1588 wrote to memory of 4956	1588	cfea17e78d6240e2a36398725a2535e0_NEAS.exe	85
PID 4956 wrote to memory of 528	4956	Ipegmg32.exe	86
PID 4956 wrote to memory of 528	4956	Ipegmg32.exe	86
PID 4956 wrote to memory of 528	4956	Ipegmg32.exe	86
PID 528 wrote to memory of 3252	528	Ibccic32.exe	87
PID 528 wrote to memory of 3252	528	Ibccic32.exe	87
PID 528 wrote to memory of 3252	528	Ibccic32.exe	87
PID 3252 wrote to memory of 2308	3252	Iinlemia.exe	88
PID 3252 wrote to memory of 2308	3252	Iinlemia.exe	88
PID 3252 wrote to memory of 2308	3252	Iinlemia.exe	88
PID 2308 wrote to memory of 2284	2308	Jaedgjjd.exe	89
PID 2308 wrote to memory of 2284	2308	Jaedgjjd.exe	89
PID 2308 wrote to memory of 2284	2308	Jaedgjjd.exe	89
PID 2284 wrote to memory of 4172	2284	Jdcpcf32.exe	90
PID 2284 wrote to memory of 4172	2284	Jdcpcf32.exe	90
PID 2284 wrote to memory of 4172	2284	Jdcpcf32.exe	90
PID 4172 wrote to memory of 5064	4172	Jfaloa32.exe	91
PID 4172 wrote to memory of 5064	4172	Jfaloa32.exe	91
PID 4172 wrote to memory of 5064	4172	Jfaloa32.exe	91
PID 5064 wrote to memory of 2776	5064	Jiphkm32.exe	92
PID 5064 wrote to memory of 2776	5064	Jiphkm32.exe	92
PID 5064 wrote to memory of 2776	5064	Jiphkm32.exe	92
PID 2776 wrote to memory of 1068	2776	Jagqlj32.exe	93
PID 2776 wrote to memory of 1068	2776	Jagqlj32.exe	93
PID 2776 wrote to memory of 1068	2776	Jagqlj32.exe	93
PID 1068 wrote to memory of 4644	1068	Jfdida32.exe	94
PID 1068 wrote to memory of 4644	1068	Jfdida32.exe	94
PID 1068 wrote to memory of 4644	1068	Jfdida32.exe	94
PID 4644 wrote to memory of 1684	4644	Jibeql32.exe	95
PID 4644 wrote to memory of 1684	4644	Jibeql32.exe	95
PID 4644 wrote to memory of 1684	4644	Jibeql32.exe	95
PID 1684 wrote to memory of 3188	1684	Jaimbj32.exe	96
PID 1684 wrote to memory of 3188	1684	Jaimbj32.exe	96
PID 1684 wrote to memory of 3188	1684	Jaimbj32.exe	96
PID 3188 wrote to memory of 3000	3188	Jdhine32.exe	97
PID 3188 wrote to memory of 3000	3188	Jdhine32.exe	97
PID 3188 wrote to memory of 3000	3188	Jdhine32.exe	97
PID 3000 wrote to memory of 2212	3000	Jidbflcj.exe	98
PID 3000 wrote to memory of 2212	3000	Jidbflcj.exe	98
PID 3000 wrote to memory of 2212	3000	Jidbflcj.exe	98
PID 2212 wrote to memory of 4524	2212	Jdjfcecp.exe	99
PID 2212 wrote to memory of 4524	2212	Jdjfcecp.exe	99
PID 2212 wrote to memory of 4524	2212	Jdjfcecp.exe	99
PID 4524 wrote to memory of 2408	4524	Jkdnpo32.exe	100
PID 4524 wrote to memory of 2408	4524	Jkdnpo32.exe	100
PID 4524 wrote to memory of 2408	4524	Jkdnpo32.exe	100
PID 2408 wrote to memory of 4580	2408	Jangmibi.exe	101
PID 2408 wrote to memory of 4580	2408	Jangmibi.exe	101
PID 2408 wrote to memory of 4580	2408	Jangmibi.exe	101
PID 4580 wrote to memory of 1712	4580	Jpaghf32.exe	103
PID 4580 wrote to memory of 1712	4580	Jpaghf32.exe	103
PID 4580 wrote to memory of 1712	4580	Jpaghf32.exe	103
PID 1712 wrote to memory of 3156	1712	Jbocea32.exe	104
PID 1712 wrote to memory of 3156	1712	Jbocea32.exe	104
PID 1712 wrote to memory of 3156	1712	Jbocea32.exe	104
PID 3156 wrote to memory of 4052	3156	Jkfkfohj.exe	105
PID 3156 wrote to memory of 4052	3156	Jkfkfohj.exe	105
PID 3156 wrote to memory of 4052	3156	Jkfkfohj.exe	105
PID 4052 wrote to memory of 388	4052	Kpccnefa.exe	106
PID 4052 wrote to memory of 388	4052	Kpccnefa.exe	106
PID 4052 wrote to memory of 388	4052	Kpccnefa.exe	106
PID 388 wrote to memory of 3736	388	Kkihknfg.exe	107

C:\Users\Admin\AppData\Local\Temp\cfea17e78d6240e2a36398725a2535e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\cfea17e78d6240e2a36398725a2535e0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\Ipegmg32.exe
  C:\Windows\system32\Ipegmg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\Ibccic32.exe
    C:\Windows\system32\Ibccic32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SysWOW64\Iinlemia.exe
      C:\Windows\system32\Iinlemia.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        63⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        67⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        69⤵
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        72⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:112
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        77⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        78⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 400
        79⤵
        Program crash
        
        PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1132 -ip 1132
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibccic32.exe

Filesize
78KB

MD5
91c64465ed4f0ffe9e1d00d1d7db1343

SHA1
805fcd5663f41b296f24697e81f066e4d54cd7ae

SHA256
c90a39a434fb101b53654a29f09ad78db7ab6217ecb6a9a66f152a62799452cc

SHA512
b2b68e6955cb499a0e7d64fee18cf163e1f2aa58ad50f7980773ee39aaec8a79e20d2e6e97cfaa0eedbd29afea44ea4627896b091e13f59539ba874e6bf81051

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
78KB

MD5
f6f45a5dbbf2e03e7291751cb4f24bbd

SHA1
55b3e2833db5e355309bd2867f31d3b36bea2ae1

SHA256
1e4d7329a37521840b4a7089ff05bb2fa05b156ca2309a9d0c84a5dbdd61d39c

SHA512
4eeb5c8e8cf954f533854859096816a54fb1739d1285cd43e35fd2256d1512c61aca1b901b7d78e3e84649a431b387e961ad399feb7beb2c448b10f076d87c53

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
78KB

MD5
538a2208ea372f5f9d0271716a4023ac

SHA1
01e104fd58148e2a95fcf27202be9c25c026a67b

SHA256
4835113870e2e3ce7db16a0e5452d8c5f24bc3adc46616e3c5f17347fb64dc3a

SHA512
c3535be486f63a8b431791d9a9cb506710a611a180a46a718f08863cfc5263820ce856ec1ac235ea8a6708627202a7702b4cd191ef0d669846f008cb9cd5d8fd

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
78KB

MD5
b8c75159f9cb20648c2cbbd45de2eb33

SHA1
ddfc3384ef168b9958666995aeec4fca01446885

SHA256
9703c9ff8e4d34bf32441c382946acafd4133d03230e0037165808e177060ede

SHA512
940eeeff05100487f82b0baf620ac8db91f2cd78be1506dccab268b4784e95b0b94cff6a106e4c17c70ce14fbb0fda610e7d57779640f6668f85104c63d89f80

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
78KB

MD5
7cb69445f10a90b9dc5b0b8e61176ce1

SHA1
1f52444e5d1728bc9b5072f7a87c28583c4b2d42

SHA256
d3b945f319fa0217033315a82370f88fe6fd26e51dcebf147213fcefcab8e3ed

SHA512
a8848c92eda410c709abdc81bd4477bc0382005568da4113475c636cb49a27a38ddb3c8b3127d54d26e1de9f5ceeef253e3983948084ff6fec16d36190af1418

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
78KB

MD5
248d9492710109718d29ca20b094a788

SHA1
9cf3dd0ec05e59bfb18a8f06dc59a513c94cf0e8

SHA256
461cda7490b1e537f42731ae93340b1b05cbae4a2ec216f8f6ef5362188ee9a9

SHA512
eb5b82e9c16ba8523c50095db8cfb88b7e8139d55bbe4317eaf32a0de3b1daef98ac5a587bc7a16f38c440e14395dddb1ef1c58b1a7b8fca318e731872064317

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
78KB

MD5
4bf9ac7430a1dcea8739cfa41d45ea7a

SHA1
e49de837748b9976fdb991684cfb48ca9663e002

SHA256
770a9beabfb4ba00f1ee27d32a47d5642eb41ccaada627de1536b55c1adc521a

SHA512
e4fabd5545a55b7f3ed199a9be864e2b47f54e0001d0e4437780fcfb2208079e2fe83c9caa9dd66d9eba77f8c5806bc4843febbcc8975051615f9c07bcf19fdc

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
78KB

MD5
355f9087ae0f973368c559c4a0d34839

SHA1
73c19e0f399a85d070595317f202659b77905f9c

SHA256
3df74ff3cedef9abeb4a9cf743c955d3417f734de48d78d7117b6fa43eec657a

SHA512
90b5ca815fd82f5355c0acaaac2bf9ae1186cba555420425ab4f2a277f81f7c5cda9b1438c4d516ffdbf6e6758738b3358aa05ef12c146bd8879582af292f1be

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
78KB

MD5
c414f4a3bd84882fd49f6f9ac1506ce2

SHA1
d7dbc4bf2ed437398587be5ab4b09b4546642238

SHA256
acea0bee9c6503b92e6d289838b174791949c2f06bc275dba89ac51d74f70398

SHA512
ef71107610bbec791492fc63b0d93ef20ccb9e976e7caa34ca217a5b456a8aa22c053096161c2edc6a1968295199ceb251a9343c13efbcfe810a57c1f6ba8509

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
78KB

MD5
0cd222bea2100cbdcd7c74e0b7079ea2

SHA1
92475a62db4897391927e068375f52095b73a289

SHA256
cf94b9fae24dc88b5ddec0955870ef749c8d74fa0c1d0ae69b2eaadb8073bf9c

SHA512
00f64194f63a0e073e4ce0af22fa034c4aded7e840b9eb8f26c00f6ca289b84ea7704bd06dcd105eeaf21657030d91c0bf6add11d85bd596edc404ae26ab663f

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
78KB

MD5
aabdcf3c012827265d586032279db92c

SHA1
c494c12885516f9111e79880193b84a82b08c752

SHA256
90a5e013e8bdb1dcce325abb3a409adf8d9bd1b67730b7308e7e35a908b349a9

SHA512
8991a0e2f3c416ae7f9be9d35e4d378c92db4237af54f70d544494889edbdfed2544c2cf95a4944b4c86194e02ea477e64495d10b44039c9f71347a77e3d75c9

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
78KB

MD5
5636d0d16c7ceab977c4d21616bc5f9c

SHA1
3f490e8eb4481f5223c4471a48a545287c4bff84

SHA256
c5de6b412675db0e1d980df10aaf53ae145a4646ec0e3139c17904c0a1a481a4

SHA512
52d1a1f1cb61474259e1bba02fa6355c673fe5de53f23b88cf214c88641ddd10b2dbe25a3520086b753b34f29da3c6ce650f9f3670801a279bd25cf6e633d33a

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
78KB

MD5
25f303e0b53d5d09d208488d33c19d4c

SHA1
c3056437969a6743f5365cbd3a2b8ef2112a4397

SHA256
1cd59712444558e43a406091890c7fb6fec5a67d66c3bd919a6e477f6d2e64f4

SHA512
71d96b128e5611548262d6e0f28fca4dab85b752ea71bde9d4d6d80d8f44b83b38c72049b7ca280f9521d4df2b42629f95734c7a56b6c34093a11f5c85b04971

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
78KB

MD5
ec0df258468f946fbe82a2d3208d6b64

SHA1
bc048f535678c89580010a11553eb3b31f1b85a5

SHA256
7d2b1b7e4a7a26351435634e0bc5894903a7c795a8af3354edc4a7e697453934

SHA512
44363e7fb933b869f9a56401a6f55173c957b5324bcd68d4505f0783639512fe53d9c80c57c74ee6400251228c7cefb14b78b928b12efb542a9f1fd4b05e011f

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
78KB

MD5
6c972277f90153b876728de4a5a43fec

SHA1
f8ff6b354ae19a18887ecf3eca01718dd269b4b0

SHA256
354701196efcb7c329808dd4df1c0cb8c5ab240fd04522948b92295a3887be95

SHA512
848a701b73f99a26c714afb2d351c7da5707c864674b858dca74c2f21793ef4572cb4b97413ce658dd86ca423974cac199c74cffd8b558e806718393c5aebf47

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
78KB

MD5
1b44c130e323cdb1d8f32170d8057b5a

SHA1
58c661edb692cc9088d31e60fd5d1b867d4f158e

SHA256
3a229bcb36defb7c9c20a6ea588b5225e32d5251a0be0a75dca9b96f8b270e78

SHA512
f3547d6561f55970b086c285169a812629c761e22803614eaa8e8a2be63ec0f1ca81b51d84c2a07e1641ee8f166d508c1f534ccb8844d73619af4baa22b24f83

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
78KB

MD5
a245d6f149219f017c8c118cbae382f5

SHA1
9970e7a44f3180c95d97c00f24ced1901aaf725f

SHA256
7b2c342c111888096c9d12108eba40d8f44480debecf4b88e6f85ac747af31e7

SHA512
bd24758c1f78f25cf76cf6d25e6f798a53efd675805fb9abfca72273299b309d587f472521b98f77697a7e86cccb1d1f4d692f84ad67eba2a99caa7133d60018

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
78KB

MD5
0980bd2de52e4913b01120e45796efa3

SHA1
7f74ca1607b89f5f9e98cb6121803ebf42af6c6e

SHA256
87a4e0d75b59ab217d2bdec681cc93936efec8acc03f89c5c2fb0a1e0a9b3ee7

SHA512
87ec62e2b08d558cf20cc1d93e291f7d895abdac15e26d4f25d44b100823f91281d34cc0f884a2c7898a7a6bc63e6da28cd69598367090caa14e54e5309ce7b5

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
78KB

MD5
b3b4dde26f82fa3d40f1080352f95660

SHA1
b13abbb0d55fcb4a7b9a590888ebf49c1a19e4b1

SHA256
d6188b3286a801e8e605befff3049008fcd964bcaf02091edae54e42c7b6cf0e

SHA512
c499c676459d1480ca85abf9e646a02ae096ff097314b9e098e3f3071911594583793e539a463757f4bb3ce82a9d876003c82ea7e798940e26ecddfaae9e2407

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
78KB

MD5
14ec727475380b8f60eca38a633bbe0b

SHA1
279d456525b78ce3ff91949e6f84d015fb315385

SHA256
5a62b348e4b1d7e2af98c62e0b74a808a34c11ff93be4a603ee97ea49fef8f38

SHA512
5d5af58df2f4d815875119f4c70e302016239f6a3a62724f3c26955502ca62af5790a623631d7c3c547390c3c6df90f5064dd7a4d85419a45a7355979a0273a8

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
78KB

MD5
87bc8243eda83b5a5a7d9989223da528

SHA1
35571eb6d624b8d4acddd6c20b3c025baf722c71

SHA256
31697c323097bb5cf181c2541b24898697462c74d564e2f0bed19a430aa677ff

SHA512
ffaf9fbe65f3af956e9b12d66ec2046195180227b620d2a910cb24455fd2dbbad3298695bf13a68c4f8bab85013ee995b9b7660becb4421cccd6ae08b9baa900

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
78KB

MD5
ed92d04bb60ece00439d24c53f0b58fb

SHA1
bd656373aab7b46058d92119aea53bc0acc50808

SHA256
403712e6ed5e0e712f6e4857eab2aea703de96bf08c02b9432681abadcc01cb4

SHA512
45b7565446d93c7817509486899bbf8335abce4672df3f6380f8d2a52b3a056c71a275f6c63e05fc54fc96f4f91ada034537bdaec6bae6a51a96d922ccce4a32

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
78KB

MD5
a5802e7d762d9c5509e307b1296fbe90

SHA1
38d96c9d75bd1f3fbef13804551f4d2274534e9e

SHA256
0a058d4bab9d8e12e05864dcdec6689550267f23ef4fa1db1d61b0876bd7549f

SHA512
0dca8d31beb8901216b6cf1b0a16b3ba98d1111ea8228beafc8aa7211599e411b216ca78444e91cf8d816652562af1ad97fb01efd8bb1d2eaae3fceda3ad725c

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
78KB

MD5
85a5ea1be0c514bedbe817ff83cd719e

SHA1
725d0d46711b26d14c6de97487a945dd6b2a7fba

SHA256
afc25007386da5cac94213eb0b4e961c8d8815a4fc6569aa3b340fb43efdbb08

SHA512
ea34ed33fd7bbf3e927d34a95e63d11c9c897d7e83eb1fd7d3eb3d430f0af1487009add01d47a96133e99100cbf47265189745c0330e5db8bd15676c86f1ce86

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
78KB

MD5
647b945b8215b88b7566a95b4d298903

SHA1
c151b60ee759afc61a4b277ac3b1b7ce88c1d761

SHA256
786af22ffdf0d028572295d3fb3114799c80715de3b5a956ecb1f8487e0a5940

SHA512
677141cbae9169ac162f29c427e41f518c561c2fc9b6dcc73b3fe5a0effed1208f5e10f704cedf067f85104bb3bb14ca383c5cfe94e7e33b434380ec99efd28f

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
78KB

MD5
fa0ffb88d3884863a73732255fd71b68

SHA1
07e198d6133d47977ac44b8aed9284ec927d7584

SHA256
b84bdbeaf5b6da4c3d96435aa60e658089a55265a3270bbb66bb65efe308d9d0

SHA512
18d63bed411e6adc9b988e4d1bbbb688b4a3611c1c67c88ecb460dc8f4ec8136e47df15d4a5db8629059708526a2129330624e3bc3da659b965a7bc8b51a3f8b

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
78KB

MD5
0838b92e1a40958435ad6880721a6449

SHA1
cd029c581a30b6cc6102612e7eb799ab920d4200

SHA256
e56cf9010647a4dadc34f05019e65a6b37de77353e430550b0ab471da7c65457

SHA512
b064c1f0ab8ec6fe28299f236f33b2d0ed82d88a936ab20f0e8ea6852bcab8e8a786dffa43167f49c3ac2c1ad12fbba894cd10b65e7201d00de33295c7228a01

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
78KB

MD5
439f39ac3d948a2e417c9179d16d9496

SHA1
10592d1d2ced848fa7a54031c07d1d7b577b4f7d

SHA256
6c20e6186b57cc44fb629b63b6e7cdd2492c733db4c8175d597ffdd25af320e6

SHA512
d9f3201c5ce4c290e6ec7dfaa64e5ae3da143afc673980436fe0bb5e1887f68c5270d15d94f048c95f809ff7273891fefd273cfec570388ceb5f14b7955b6fc7

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
78KB

MD5
d8bd74519b6cc6386a940a4117f26ac6

SHA1
c226b333d95611f8c5ed04a4adf7659de9e4e4b2

SHA256
6a800e1244e622f7c3353787728383cc9bfd7f3e6abc8405c8cc89af9ad38330

SHA512
224f896705071329d4766e527da8130d4c1ebe4b7779cb1f496c436b2a3ec56e7379fe01cf6df5459ddf4b97d0d4592ace12a09ef3b45eb6198d72da6b929e4f

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
78KB

MD5
a963cdb92de1cc2af9e4f855dd863837

SHA1
58d56a2cc3eb381ebebb402fb9ea16fbf63c9ca4

SHA256
bd52c6255e51cbc96faef309eee7caed62c102ee7cd16a5ce1224dd2437856be

SHA512
cf1cd39c6496e76efe498b813c55078c5ad5cd47edda613545cb6d665e619de835b21a5785626e55b7484799c0ba465843a693fa3d369ba7575f107fb6f5dc86

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
78KB

MD5
3e1caf7f630ba18879f1177d00396ff2

SHA1
a5d2cf34b64b747b1b5c65264bfee2e6652c0b5d

SHA256
9b8bef89c4b3fcecfc52edb120801f05a27f9178a41a98323eff67f756ae59bc

SHA512
75cf88029a345b9eaa507a47ee87b5236696c9aa04c8a5521267b39ccbe703d2f43b2d4c403baeb711a56aed1fcb104928253e519d112c78f8f9356d4c122989

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
78KB

MD5
e78844db86c29a1e69d199d33f032ea5

SHA1
83daa45d14ee1b5af7ca4797d30ce27bb552d13d

SHA256
908171cef9273ff44b5862855f167dba99a9f287617f9f8e894bff869d8d99c4

SHA512
2c20998b016870e4307972a913edc9c0da117d93281d74ffe7bc2a24a2b77ebb9734d37fb41f15d46b9eef09842fa3743f3d31e6214487f3e9f9aabe04228cad

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
78KB

MD5
5fa18ee2e4bfe8ecafaea73d38f8ceda

SHA1
8504264e34674600bd2d36dc2cca3fedf03327be

SHA256
4c9c5198e1b806507a0758c5f06181edb8d42dbd367f234f60b7d9a5fe7ceab4

SHA512
1be8d6f3fd685e548325ff554f5ca7c4e0cd98e342671089ff4a5ee3f286dfe0ee6bf8fb69c8192203c9baef4c4c32bb41c77a2839679430ff6c7fceef32dd6c

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
78KB

MD5
273b854ec564a848a797f4fb9264e50d

SHA1
7987fdbd2526d4dda9ec00cba6c41f7071b5990c

SHA256
1e98533b387fcffbca0f1209be98e8f4a25224cf8683e246cc8625bf7449684f

SHA512
9ebde096a7e4423c2f2d76a5efc8bc7395b9f2660a92ed47ba46d76629452419e6c307a28f2af4306a95c63381f87ef3d6169b09ad114a92f7f67e76cf80e5c5

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
78KB

MD5
c3c728555bace5dd1e30dbf536c23922

SHA1
efd90b971f21e90373488d165c7bad070bacb0ed

SHA256
2b7c385cc35a57ff0e757e998fc08225777c6a85efb918ffde955699c60c2fb3

SHA512
9ed5243036ce843be3d77c8de3aa3e94ec2f8be1ff4aff133e5e94cd6abad2a4ffc8ea20b43607f619a9874d12851abfa96db84fa31eecec3606c150099111f8

Download Submit
memory/388-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/388-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/528-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/528-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1588-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3156-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3156-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3224-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3224-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3264-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3264-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3624-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3864-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4064-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4644-86-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4696-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4696-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads