865ae52acfc2edc830bd3721bcc8d93673566f8f57d4eb5f49e919c144ea2659

Analysis

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe
Size

62KB
MD5

24b9d3ea98fe84f0f618731e98cc2560
SHA1

604130e2981e33f0591e35a63aed0b545dba2ae0
SHA256

865ae52acfc2edc830bd3721bcc8d93673566f8f57d4eb5f49e919c144ea2659
SHA512

2f9778d15235936b129097b4bf83f82d1562b184e3183c42dfa8ee83405ef3f0c1540d3ac14e913644b1d53597ee2752c15e238b524b8c57d718f002649f140e
SSDEEP

1536:sbHdB9LZEkg0Dn/49RZqAe8SAyuve8Cy:SdB9lLDn/49XeBA3ve8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe

Executes dropped EXE 58 IoCs

pid	Process
4108	Jfffjqdf.exe
552	Jidbflcj.exe
516	Jpojcf32.exe
1156	Jdjfcecp.exe
4192	Jfhbppbc.exe
428	Jigollag.exe
1428	Jpaghf32.exe
2444	Jfkoeppq.exe
2160	Kmegbjgn.exe
1240	Kpccnefa.exe
1652	Kbapjafe.exe
3868	Kkihknfg.exe
1488	Kpepcedo.exe
4700	Kgphpo32.exe
680	Kmjqmi32.exe
628	Kphmie32.exe
4204	Kgbefoji.exe
4936	Kpjjod32.exe
4372	Kcifkp32.exe
1872	Kmnjhioc.exe
4324	Kdhbec32.exe
2180	Liekmj32.exe
2248	Lcmofolg.exe
4572	Lmccchkn.exe
3520	Lcpllo32.exe
2496	Lgkhlnbn.exe
4392	Laalifad.exe
4884	Lgneampk.exe
3396	Lpfijcfl.exe
2592	Ldaeka32.exe
3264	Lnjjdgee.exe
212	Lphfpbdi.exe
2664	Mjqjih32.exe
4364	Mdfofakp.exe
3824	Mgekbljc.exe
2636	Mjcgohig.exe
2800	Mpmokb32.exe
3016	Mgghhlhq.exe
3208	Mamleegg.exe
3088	Mdkhapfj.exe
712	Mgidml32.exe
2284	Mjhqjg32.exe
5012	Mpaifalo.exe
3756	Mkgmcjld.exe
4648	Mnfipekh.exe
2268	Mcbahlip.exe
1008	Nkjjij32.exe
4664	Ndbnboqb.exe
3260	Ngpjnkpf.exe
4940	Nnjbke32.exe
1912	Nqiogp32.exe
4752	Ngcgcjnc.exe
844	Nqklmpdd.exe
1696	Ngedij32.exe
4644	Nnolfdcn.exe
4152	Ndidbn32.exe
4072	Nggqoj32.exe
3224	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4660	3224	WerFault.exe	143

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 4108	2516	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe	83
PID 2516 wrote to memory of 4108	2516	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe	83
PID 2516 wrote to memory of 4108	2516	24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe	83
PID 4108 wrote to memory of 552	4108	Jfffjqdf.exe	84
PID 4108 wrote to memory of 552	4108	Jfffjqdf.exe	84
PID 4108 wrote to memory of 552	4108	Jfffjqdf.exe	84
PID 552 wrote to memory of 516	552	Jidbflcj.exe	85
PID 552 wrote to memory of 516	552	Jidbflcj.exe	85
PID 552 wrote to memory of 516	552	Jidbflcj.exe	85
PID 516 wrote to memory of 1156	516	Jpojcf32.exe	86
PID 516 wrote to memory of 1156	516	Jpojcf32.exe	86
PID 516 wrote to memory of 1156	516	Jpojcf32.exe	86
PID 1156 wrote to memory of 4192	1156	Jdjfcecp.exe	87
PID 1156 wrote to memory of 4192	1156	Jdjfcecp.exe	87
PID 1156 wrote to memory of 4192	1156	Jdjfcecp.exe	87
PID 4192 wrote to memory of 428	4192	Jfhbppbc.exe	88
PID 4192 wrote to memory of 428	4192	Jfhbppbc.exe	88
PID 4192 wrote to memory of 428	4192	Jfhbppbc.exe	88
PID 428 wrote to memory of 1428	428	Jigollag.exe	89
PID 428 wrote to memory of 1428	428	Jigollag.exe	89
PID 428 wrote to memory of 1428	428	Jigollag.exe	89
PID 1428 wrote to memory of 2444	1428	Jpaghf32.exe	90
PID 1428 wrote to memory of 2444	1428	Jpaghf32.exe	90
PID 1428 wrote to memory of 2444	1428	Jpaghf32.exe	90
PID 2444 wrote to memory of 2160	2444	Jfkoeppq.exe	91
PID 2444 wrote to memory of 2160	2444	Jfkoeppq.exe	91
PID 2444 wrote to memory of 2160	2444	Jfkoeppq.exe	91
PID 2160 wrote to memory of 1240	2160	Kmegbjgn.exe	92
PID 2160 wrote to memory of 1240	2160	Kmegbjgn.exe	92
PID 2160 wrote to memory of 1240	2160	Kmegbjgn.exe	92
PID 1240 wrote to memory of 1652	1240	Kpccnefa.exe	93
PID 1240 wrote to memory of 1652	1240	Kpccnefa.exe	93
PID 1240 wrote to memory of 1652	1240	Kpccnefa.exe	93
PID 1652 wrote to memory of 3868	1652	Kbapjafe.exe	94
PID 1652 wrote to memory of 3868	1652	Kbapjafe.exe	94
PID 1652 wrote to memory of 3868	1652	Kbapjafe.exe	94
PID 3868 wrote to memory of 1488	3868	Kkihknfg.exe	95
PID 3868 wrote to memory of 1488	3868	Kkihknfg.exe	95
PID 3868 wrote to memory of 1488	3868	Kkihknfg.exe	95
PID 1488 wrote to memory of 4700	1488	Kpepcedo.exe	96
PID 1488 wrote to memory of 4700	1488	Kpepcedo.exe	96
PID 1488 wrote to memory of 4700	1488	Kpepcedo.exe	96
PID 4700 wrote to memory of 680	4700	Kgphpo32.exe	97
PID 4700 wrote to memory of 680	4700	Kgphpo32.exe	97
PID 4700 wrote to memory of 680	4700	Kgphpo32.exe	97
PID 680 wrote to memory of 628	680	Kmjqmi32.exe	98
PID 680 wrote to memory of 628	680	Kmjqmi32.exe	98
PID 680 wrote to memory of 628	680	Kmjqmi32.exe	98
PID 628 wrote to memory of 4204	628	Kphmie32.exe	99
PID 628 wrote to memory of 4204	628	Kphmie32.exe	99
PID 628 wrote to memory of 4204	628	Kphmie32.exe	99
PID 4204 wrote to memory of 4936	4204	Kgbefoji.exe	100
PID 4204 wrote to memory of 4936	4204	Kgbefoji.exe	100
PID 4204 wrote to memory of 4936	4204	Kgbefoji.exe	100
PID 4936 wrote to memory of 4372	4936	Kpjjod32.exe	101
PID 4936 wrote to memory of 4372	4936	Kpjjod32.exe	101
PID 4936 wrote to memory of 4372	4936	Kpjjod32.exe	101
PID 4372 wrote to memory of 1872	4372	Kcifkp32.exe	103
PID 4372 wrote to memory of 1872	4372	Kcifkp32.exe	103
PID 4372 wrote to memory of 1872	4372	Kcifkp32.exe	103
PID 1872 wrote to memory of 4324	1872	Kmnjhioc.exe	104
PID 1872 wrote to memory of 4324	1872	Kmnjhioc.exe	104
PID 1872 wrote to memory of 4324	1872	Kmnjhioc.exe	104
PID 4324 wrote to memory of 2180	4324	Kdhbec32.exe	105

C:\Users\Admin\AppData\Local\Temp\24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\24b9d3ea98fe84f0f618731e98cc2560_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\Jfffjqdf.exe
  C:\Windows\system32\Jfffjqdf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\Jidbflcj.exe
    C:\Windows\system32\Jidbflcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\Jpojcf32.exe
      C:\Windows\system32\Jpojcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:516
    - - C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        59⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 400
        60⤵
        Program crash
        
        PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3224 -ip 3224
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
62KB

MD5
1ef91328864a1699e4258825d2b1dc47

SHA1
59fd5de9b54f26da5d923096c09c3adfe58607dc

SHA256
5fd60c221fcfeebc1c494107acc711fc6b2adb25c53547cfd8c9400d7d21e368

SHA512
72dfb707485891acb8e54ceb2d095910e5be03b93d73aeacdf3ee67a05c6c9dcd8a50878ae0e5185d8ba1e68c6857337b450a0a1024f9914dc7a40017a88b82a

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
62KB

MD5
0ff7d3e7a2eb51c1256576001b828efc

SHA1
414df44465797c43a380fc5cfa33d5b4e3e716e3

SHA256
4c9e6cf525ada305014ca267471b3fd1fc967b609ca769c6e5ff902faee59c9f

SHA512
d6f790daed37837a8c9bf62d962bb56981018ad00ccdda57d9e31cc198e2041c155a525e29db023f922ef7c39f42318d534f6c838dbaf934ddca81943eb7ee66

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
62KB

MD5
54fd5094003309096c6d1dd1aaa8240d

SHA1
2fc2f235ee8e0217502c4e67011e7bb0e700d732

SHA256
25c6d21ee68cbbf02309fc4d6663c1f9640c01569df01e91a1638964f10a2e37

SHA512
260602e63fa6e57a20538a371d343885bf2f229f640888bc647ac3a4647a8e5c07eb22a813daba04d8736a00d72c8c590e39e29d194c252dc88f84010493220b

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
62KB

MD5
3c0f0bd7b7dee3aa5515ad29a8717d55

SHA1
b1172036a87d41d5c176d36ca9a40cf46b5bec3e

SHA256
fb6729f38cb1b81a88f582c91631f13eafe7ba7dc6b763f0df4fb04f4beba046

SHA512
3d84741912c4700d5abb4e86f2437200bba787a59ca5af98d4c06b1fd7dedb9d0fe0a039606f5463f1efd8c8d9d63cb7ecc2d1b8f0d8ff0a5cfee53b66add44b

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
62KB

MD5
6ce1ccaf1c6f336e38677e4c222fc8c0

SHA1
ee190238cd3a6c8b5e2d271172af4c4e06743805

SHA256
13cbe6f2c91ad9fc2ec8cb2291b982be6db8a40488d290bc2b33bed591a99b33

SHA512
07fe8e54ec9f298c206c2fdc503edbd21b7278e98606c0334ee2110673de6ee91e18d138c60e6532ad92e3383bd5f178eee3a61b16e4ab317c8462f37d274c6c

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
62KB

MD5
1782e5129f1d78764551721e3f643f3c

SHA1
b488c669807773a6a41c9e43d57996292080bbe7

SHA256
64732553553fdb325d1d8a8215b4b6976dd08cc958a9c1c25731929f39a4f81c

SHA512
2ad39df703a9be8449a7b22651edd798597835e0cf830391d97c5849e56ff34bf0049299974ecedb009980fac81fcecf734b2eb997b12762814dd58071c98fdb

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
62KB

MD5
c2daa102d8659d8b214ee0b90eb645c9

SHA1
d561a269950e93a8256d8a43acb08045c10c1743

SHA256
5f9202bbf2bf3c9b8655174643892d4d47a6c129bc3a0ced337aff6c8285c24e

SHA512
1d1c72ba86fe7f43a2e295cfbad3689689e3fc695342ace8bd8b4e72a71e3fb8752b12d7d2575a389161732c1076b9ae6553e2cdb9caeebbed5b2fdd26c706df

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
62KB

MD5
7266ecfb19c3a60967168f6b439ff249

SHA1
de57c4622b573e5d0d2e47255272fd8f615dc8aa

SHA256
1aa72a129c6713e6f81b94f726d7e00b9a4534cc4aa8cef64d686ba0b32696d4

SHA512
12fcf26f47c11e3efde97903db577aca0a8b1574bfd69fa80a2a9c8a409fec079477db107846be247523daa3bf946a3d426d1d33c1fa82b7e830470aa7451b4d

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
62KB

MD5
9194b1fe2f7f958d5a5fecb5b1a71548

SHA1
6264fc44e9be8acfafd1dd37971d0a5a4566aa75

SHA256
250ba91ed0c5fa038f7b92f86084e4d846f4678def2dbf537e79f77c91f64e0c

SHA512
b374ec5c8e9579ed17384f7554e2d62631d8230ede1d90fb35914f369ee5431a9e0b317f7d080993695d8761c091af07b226b33698f2f6a374c70333f3b3c1a5

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
62KB

MD5
0defec99dc212bb23753a3d977e4edfc

SHA1
1898fe3e250616b6ae8656958b1a9e099060e97d

SHA256
bc3ab310ebb881876f0445d09040f0305270bfe1b0b21a91430df3a761828be3

SHA512
fc1405c4ee6fb2963cffe0814413bc916a8b43b404768af101af50f2b5b7a338e993ce5768c52be33133b3b1ca31e3497a14cabd4d04a8455cb664d6327fb8c8

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
62KB

MD5
d0e47f56dddefc1610adfca800b7918d

SHA1
90c014c9dd6fcf42328940200a22db8f0c1e2d0a

SHA256
dbaed76545cb68f1f1bfbc4172947b63ba60daa67ecc19ca40d91c4d7be9305c

SHA512
5abafce3201450d83244edf6b26b8aa98b7e74c314aeb593d35de8f45e685be8a499833100f2d5a8564b272345857b3f3a1ec95c270192dc9732a704cf55b794

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
62KB

MD5
95853429d8444e34bca48bd677733eec

SHA1
f178506adcc0c6db9824a2890777009fc9933308

SHA256
acf557baf812ea6228c877b8cf106e3cb71b3ffeb9a5c6feab395b4202bcee9f

SHA512
6b89ab12f09e5bdf5208e42a000bafe38979d690a6e9aa8d2e80d8d14d693b904e38302a6614304c56e56c5bcd434146e8776e092e8009793dfdcb5eaa9b68a9

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
62KB

MD5
763ced921e46625248d809ac6cf49d7e

SHA1
b35c51b5b06dc1310c649283a9468ae03405d074

SHA256
9edeb5f350c7b434d214412f9cc3d2e5693b0b61fc6154af4923d3570868b3a7

SHA512
e15cb09de6b36de2d0e4a5f11d65d17a2cf830416f351ce1e2266c03d6ec9a7202bf4580cf887cd2e133ce439295a46e389f0133ee882e2dfe0e321ee40e2b53

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
62KB

MD5
5842be7f8f214989cf0424fff6ad9412

SHA1
aa8909da793668aecc0d98693e3b3d5cae817b12

SHA256
4897b6568b1276ee2ed799effca4b5e189053a423c2eca48956bd80899574244

SHA512
ec598986509af8648b416d3f93d89d8eae07c76c2ba6adc6b80a67f5222fcdd0e8d4df49bcecb3b1e2b4cc5176783acede4155b407b737504ac29a768baeaf1b

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
62KB

MD5
4abee94e1f8062defee7892a17075477

SHA1
0f1a95af36ed20680f8216c9d17d10b9a669e1af

SHA256
05ac925d73247bfcb2f540c6ff027ff6a5c9f0d12d946019b9ff680bb6ba919c

SHA512
05db5c986449765673238915890f0f906340dfae396d950bd85ff86a4e1ff16eb3c181bbe25ddbfa3dab4f2e90be393971190a7418c86fb9892cc5c06d8e164b

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
62KB

MD5
3e0c12a8530bd0c623d8da2e8e3e200a

SHA1
7e4b484cf80246e3d16603c66c3980018409e43f

SHA256
aab2db6f9135b723fd815be1cabf61a24dc00fbc45de3e37dfc02a343573e999

SHA512
10100c653ed3c37928afe4a9a816bf9b563d333199c9124a1b533350b8090c63fa40af30848a598233633ecdc86e999339f648b62e6c9e550200bc268ee81dec

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
62KB

MD5
b2bb4ecdc2158a7ef8108b2c374fe3d0

SHA1
3887bfe53d7601f0303e93e484f13b7421df4c8a

SHA256
946f117859bf793a720b20f597cfe504e6c717e7688cf519800d42242782cb8e

SHA512
4113c949ed7e99b3e4af05b0be7cb22d985bae61bb7ba98b1b7c31947746503f4b3d60baf840c1ceae0c3f20498f8d6264cd009cfea1f372c9283091c9e9e576

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
62KB

MD5
1cc5f9b8cb73f06efb9ac058c5083bc9

SHA1
27c0efd3a05ec5c008b77d1bf2c4dcf90948de08

SHA256
e024eb57ff8e12d4c84f7c2150c842ed92d938ea514957ac3d891fccba722801

SHA512
e104a505d3d241be0b2f1ca92d8ef5bd094b3d0dc432db3de8af2a607e44f7ab33513c443c3ff45549cf17cbe9d9856613de233ddbf0cc431837c24ea403d809

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
62KB

MD5
0c725d93284af0ae44e5bb774ce07cd0

SHA1
1c4df5cafbde75adfdcc01d082dae823ce45a176

SHA256
33f33459834b0105a7a82b4e6a55922cf783b26390879ff13148087f93e8f99f

SHA512
4b09bcab9befeceaf1ea3a5251ba6e99a8416eb886f7aa5c3a72754fe127afb551fb18eb72554adcd6b0af850980ef77a6785156f130c0001c138f1279402d83

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
62KB

MD5
4a7383a3702298038bbb2663b88e7563

SHA1
16951cfbc3155dfdbdf6fb5342b454339e45d8c9

SHA256
24d1d1eb447a8c13c7922e161d39a544cf3b168a6f48cd53f4df69780b11bcb0

SHA512
72b75d87a5c87db4585424e5e36647a775165404a039ee2f64439dc416a150341cba37a94852a842c399b6c7a285d18df73238c5ddc32522dbe05d995e7d2435

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
62KB

MD5
c8e0b84df8d96b591746035f99d17815

SHA1
a0fa1b5162024e228f82fb5012a290bb62082296

SHA256
387b97ebb44fe0a3989658b4b385d6cec455bfde46e7a46b16642d09dff46ad5

SHA512
d8c5160604667dbd0354f99541bde4a44c580d159aee9db939879121580b71ba208fa9fcb937ea5b695445b732bf4589a2963835dbd22a79383391fd9916798c

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
62KB

MD5
923c437df745d0982c32b9593174139e

SHA1
c378af975cbd9701b84c219018e1c44f3826808a

SHA256
ce7d65ff5f7dfe2c0bea72fade3975b4a8e305c4be0a21399cd5b53aa0f69fa9

SHA512
ac9f3a78a1206d6ca666bf5b754a5f1a67d7720cb07e8a710b94974a9a51b6d0de6bd3dbd0287220c9c262c89f2deaaf58b21701de029492eeb0f3759f18c314

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
62KB

MD5
45a5fd784fc7b846c0ad573785a20ad3

SHA1
ef7cca163bf90a9b0a459e0f693cced6bec94792

SHA256
c8404b70133d349a871cedce10fde095828a77457cc12303b79dcdab9e4ebe56

SHA512
19bfe8f53a5a7aa09a1b2bf7013cabe93c488ca56df4d76ed5d6773df60167c66f44d8b01a55f5d3c0f7d873f45b54b46d440b0faa1b530da083bca5d1c9879e

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
62KB

MD5
1dd9e6e04baf5a409ebadd1113e30f07

SHA1
b3a69f4a784aca08fdf81bb106166a0b0a335eb2

SHA256
c2175530f516ae877381049efa98aa30efde440ffca1f83ea5e6a8c8369542c9

SHA512
810e7f3171f31ab4e7e7613c936ae6740712647d77cf2814135a8c09987b476664205a302b4dcf98fe7d103d5859def10426d4835f621af20c2bfd66b1bbf73e

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
62KB

MD5
0cb5ee5ab1353a8dd6d09858814ff4ef

SHA1
7253379e289ee7f5b7202f548dcb5820da8149e5

SHA256
407aa015355d6c8db653185f078d8da03e7a0a82a305ad4e5b4f2f38672d4dde

SHA512
024d9f353679b555f75545dd5128bc1e1822503fa7f769bc8e608ca66f3fd59368f9d9b5da7588cdfd88d72eb4fb04ffe438c06bea3fd60f82e6eff9728b03de

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
62KB

MD5
4246429490e60a9561b018ed663b8414

SHA1
fb80de6d4830b3027af5cb14cfab5e0b93e94a68

SHA256
2810c5c284d15cea86a42b426877a89907d8f7cdd8a6cadbfb3ec3f31dff3d43

SHA512
7e396a234eb41ea44d4512912133e15bef0170168f6242287319eccce70fa6c607d959955143dd9067d460dd820f912149dd73cf794be23967811d31a2e15104

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
62KB

MD5
6a13888ef83909e3c700a404f675e7ee

SHA1
42c83a12c078e33de76a48877e634f3d97fe29ec

SHA256
925ed5a28b826322986bb1aef7bfd5d7ac0a6fa980269b55cae1f749e46fe27c

SHA512
81a237167ccd6754007b354a12e1f2a8fcd83bba7ebe72f3e13b95c135892cd20753ef1969d4f0810e5e1d3abbe9e5c7fe5aef5ad6fcf9232ec230322afbf30e

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
62KB

MD5
0eb0cf248bfc151144b92515999e5071

SHA1
60a4b28b476e20a9d5315b26452f49079a6730a2

SHA256
664f9e8f520b752209ed85d7cbe1f35027305621024caf90368dcfd814f27e05

SHA512
a9822491f78baac28f89bf06f473cc92594d1ee7bfa2517ec6aed01427898a84dfa7ae76d676a7b16aaf440b530354a58da2bd16d294aa9aa719e571bfff329d

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
62KB

MD5
578459c77d4d16e613d9269ae7106336

SHA1
6592f8de89d9d050836b0a02a32528fe9625da73

SHA256
90a6f88b12ffdafd9aba3b1364a8f6aae7fdac6920616c816f60e4fc7bc72036

SHA512
ce18e3ad096597be13a2165e8278d0ccc42255d0b27cebacf1d047e054e173051500d8e42f2de2c36e8a7ba7e0db6297313455a43dd2d4a4bf71126ba9c4797a

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
62KB

MD5
8b59cd6f5701573a25df414dccacbe4d

SHA1
0ad44596ac48c88c28686a775dbe7028ec81b5db

SHA256
df22aaa15e08a35d571f7c5eb56438f877d0aa26b1efed7b2594280a0ea09ad0

SHA512
3c2dbd1a1f7a9a1a1149003e1f2575f366d7a91c096f71980be7cbe03c32cb8e41b7b693745e0c69e1ce73eec8edbd2459c0f975bf5b75218392bb0c0cb45165

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
62KB

MD5
3a90051aeb2e5e5488ddcef1f04e2e05

SHA1
6f2e71cf9872accb6500db967729a08e9cf259a8

SHA256
d12c49fdadeff485521699451f32cd45444a1629e4cf83abca4e7e7bf2773cfb

SHA512
accc71d345dae62b9c38088f3a4dc698dfdf75ac00e00855a776a8bda4f61400438a4ec21a162bab0aea72ea5ed860b3802c0a9cb6186b5f804d1f524f4d6d6a

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
62KB

MD5
9d8ce566ab6d305d3db91b514b1762b9

SHA1
d5787f75cd440cea816efe466b709df455f66e0e

SHA256
9fbcee82f8940447dea64f6465ad34b7aec6c81cd09408605f10060cd8ff03dc

SHA512
e1ca6be8f9358d4e2e3031dd571686d67e98a66e0a8bda83f2822ffe269a329635bb6581b5ae0daec178c8871205c3f711a03202bca5f0327bbef71d3f93453f

Download Submit
memory/212-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/212-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/428-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/428-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/516-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/516-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/552-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/552-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/628-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/628-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/680-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/680-212-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/712-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/712-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/844-421-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1008-380-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1156-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1240-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1428-141-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1428-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1488-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1488-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1696-428-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-407-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2160-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2160-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2180-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2180-186-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-194-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2268-373-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-413-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2496-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2496-302-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2516-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2516-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2516-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2592-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2592-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2636-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2636-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-351-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-379-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-386-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3088-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-393-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3260-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3264-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3264-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3396-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3396-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3520-213-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3520-295-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3756-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3756-427-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3824-365-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3824-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3868-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3868-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4108-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4204-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4204-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4324-265-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4324-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4364-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4364-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4372-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4372-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4392-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4392-309-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4572-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4572-204-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4648-434-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4648-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4664-387-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4700-115-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4700-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4752-414-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4884-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4884-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4936-155-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5012-420-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5012-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads