f4f48463f7223ef69885d89a26954a6d5f272531e661a52dd39a3c1736c696d5

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70d57b10bd186515e2045ea159811800_NEIKI.exe
Size

451KB
MD5

70d57b10bd186515e2045ea159811800
SHA1

0e0b4a32e606cc94e8158e64038c916fc8383060
SHA256

f4f48463f7223ef69885d89a26954a6d5f272531e661a52dd39a3c1736c696d5
SHA512

abb911235ceee858f417192b7e1f77cd178b3a9cef07494a962805ac46b7f5eda1fbc1d5412ff5a863ce4000b1af7f424efeb93c9845e6766a480d46e4881649
SSDEEP

6144:ET1M6CN9Otopg5tTDUZNSN58VU5tTvnVn5tTDUZNSN58VU5tT:ET1KOtoq5t6NSN6G5tbt5t6NSN6G5t

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	70d57b10bd186515e2045ea159811800_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe

Executes dropped EXE 64 IoCs

pid	Process
4696	Hmdedo32.exe
4344	Hfljmdjc.exe
3160	Habnjm32.exe
3760	Hjjbcbqj.exe
2968	Hippdo32.exe
792	Haggelfd.exe
1240	Haidklda.exe
4580	Ibjqcd32.exe
4028	Impepm32.exe
3328	Ifhiib32.exe
1352	Iannfk32.exe
4288	Ijfboafl.exe
1144	Iikopmkd.exe
3752	Ifopiajn.exe
1172	Jjmhppqd.exe
868	Jbhmdbnp.exe
5084	Jplmmfmi.exe
4012	Jbkjjblm.exe
1156	Jangmibi.exe
4604	Jbocea32.exe
4488	Kpccnefa.exe
400	Kacphh32.exe
4492	Kgphpo32.exe
2544	Kaemnhla.exe
1672	Kgbefoji.exe
4424	Kagichjo.exe
2256	Kmnjhioc.exe
1888	Kpmfddnf.exe
4564	Ldkojb32.exe
1700	Liggbi32.exe
3304	Lpcmec32.exe
1520	Lilanioo.exe
3616	Lgpagm32.exe
3956	Ljnnch32.exe
3228	Lphfpbdi.exe
3468	Lgbnmm32.exe
656	Mjqjih32.exe
4704	Mpkbebbf.exe
4980	Mjcgohig.exe
2236	Majopeii.exe
1560	Mdiklqhm.exe
452	Mjeddggd.exe
3876	Mpolqa32.exe
880	Mcnhmm32.exe
3320	Mjhqjg32.exe
2188	Mpaifalo.exe
3396	Mcpebmkb.exe
4668	Mjjmog32.exe
4904	Mnfipekh.exe
1008	Mdpalp32.exe
2352	Nkjjij32.exe
440	Njljefql.exe
4384	Nqfbaq32.exe
876	Nceonl32.exe
4852	Njogjfoj.exe
3540	Nafokcol.exe
3196	Nddkgonp.exe
4076	Ngcgcjnc.exe
1564	Njacpf32.exe
2052	Nnmopdep.exe
3032	Ndghmo32.exe
2396	Ngedij32.exe
1592	Nnolfdcn.exe
1872	Ncldnkae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	70d57b10bd186515e2045ea159811800_NEIKI.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Iikopmkd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1844	4216	WerFault.exe	150

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	70d57b10bd186515e2045ea159811800_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	70d57b10bd186515e2045ea159811800_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4696	2200	70d57b10bd186515e2045ea159811800_NEIKI.exe	80
PID 2200 wrote to memory of 4696	2200	70d57b10bd186515e2045ea159811800_NEIKI.exe	80
PID 2200 wrote to memory of 4696	2200	70d57b10bd186515e2045ea159811800_NEIKI.exe	80
PID 4696 wrote to memory of 4344	4696	Hmdedo32.exe	81
PID 4696 wrote to memory of 4344	4696	Hmdedo32.exe	81
PID 4696 wrote to memory of 4344	4696	Hmdedo32.exe	81
PID 4344 wrote to memory of 3160	4344	Hfljmdjc.exe	84
PID 4344 wrote to memory of 3160	4344	Hfljmdjc.exe	84
PID 4344 wrote to memory of 3160	4344	Hfljmdjc.exe	84
PID 3160 wrote to memory of 3760	3160	Habnjm32.exe	85
PID 3160 wrote to memory of 3760	3160	Habnjm32.exe	85
PID 3160 wrote to memory of 3760	3160	Habnjm32.exe	85
PID 3760 wrote to memory of 2968	3760	Hjjbcbqj.exe	86
PID 3760 wrote to memory of 2968	3760	Hjjbcbqj.exe	86
PID 3760 wrote to memory of 2968	3760	Hjjbcbqj.exe	86
PID 2968 wrote to memory of 792	2968	Hippdo32.exe	87
PID 2968 wrote to memory of 792	2968	Hippdo32.exe	87
PID 2968 wrote to memory of 792	2968	Hippdo32.exe	87
PID 792 wrote to memory of 1240	792	Haggelfd.exe	88
PID 792 wrote to memory of 1240	792	Haggelfd.exe	88
PID 792 wrote to memory of 1240	792	Haggelfd.exe	88
PID 1240 wrote to memory of 4580	1240	Haidklda.exe	89
PID 1240 wrote to memory of 4580	1240	Haidklda.exe	89
PID 1240 wrote to memory of 4580	1240	Haidklda.exe	89
PID 4580 wrote to memory of 4028	4580	Ibjqcd32.exe	90
PID 4580 wrote to memory of 4028	4580	Ibjqcd32.exe	90
PID 4580 wrote to memory of 4028	4580	Ibjqcd32.exe	90
PID 4028 wrote to memory of 3328	4028	Impepm32.exe	91
PID 4028 wrote to memory of 3328	4028	Impepm32.exe	91
PID 4028 wrote to memory of 3328	4028	Impepm32.exe	91
PID 3328 wrote to memory of 1352	3328	Ifhiib32.exe	92
PID 3328 wrote to memory of 1352	3328	Ifhiib32.exe	92
PID 3328 wrote to memory of 1352	3328	Ifhiib32.exe	92
PID 1352 wrote to memory of 4288	1352	Iannfk32.exe	93
PID 1352 wrote to memory of 4288	1352	Iannfk32.exe	93
PID 1352 wrote to memory of 4288	1352	Iannfk32.exe	93
PID 4288 wrote to memory of 1144	4288	Ijfboafl.exe	94
PID 4288 wrote to memory of 1144	4288	Ijfboafl.exe	94
PID 4288 wrote to memory of 1144	4288	Ijfboafl.exe	94
PID 1144 wrote to memory of 3752	1144	Iikopmkd.exe	95
PID 1144 wrote to memory of 3752	1144	Iikopmkd.exe	95
PID 1144 wrote to memory of 3752	1144	Iikopmkd.exe	95
PID 3752 wrote to memory of 1172	3752	Ifopiajn.exe	96
PID 3752 wrote to memory of 1172	3752	Ifopiajn.exe	96
PID 3752 wrote to memory of 1172	3752	Ifopiajn.exe	96
PID 1172 wrote to memory of 868	1172	Jjmhppqd.exe	97
PID 1172 wrote to memory of 868	1172	Jjmhppqd.exe	97
PID 1172 wrote to memory of 868	1172	Jjmhppqd.exe	97
PID 868 wrote to memory of 5084	868	Jbhmdbnp.exe	98
PID 868 wrote to memory of 5084	868	Jbhmdbnp.exe	98
PID 868 wrote to memory of 5084	868	Jbhmdbnp.exe	98
PID 5084 wrote to memory of 4012	5084	Jplmmfmi.exe	99
PID 5084 wrote to memory of 4012	5084	Jplmmfmi.exe	99
PID 5084 wrote to memory of 4012	5084	Jplmmfmi.exe	99
PID 4012 wrote to memory of 1156	4012	Jbkjjblm.exe	100
PID 4012 wrote to memory of 1156	4012	Jbkjjblm.exe	100
PID 4012 wrote to memory of 1156	4012	Jbkjjblm.exe	100
PID 1156 wrote to memory of 4604	1156	Jangmibi.exe	101
PID 1156 wrote to memory of 4604	1156	Jangmibi.exe	101
PID 1156 wrote to memory of 4604	1156	Jangmibi.exe	101
PID 4604 wrote to memory of 4488	4604	Jbocea32.exe	102
PID 4604 wrote to memory of 4488	4604	Jbocea32.exe	102
PID 4604 wrote to memory of 4488	4604	Jbocea32.exe	102
PID 4488 wrote to memory of 400	4488	Kpccnefa.exe	103

C:\Users\Admin\AppData\Local\Temp\70d57b10bd186515e2045ea159811800_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\70d57b10bd186515e2045ea159811800_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\Hmdedo32.exe
  C:\Windows\system32\Hmdedo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\Hfljmdjc.exe
    C:\Windows\system32\Hfljmdjc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\Habnjm32.exe
      C:\Windows\system32\Habnjm32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        42⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        66⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 408
        67⤵
        Program crash
        
        PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Habnjm32.exe

Filesize
451KB

MD5
eda4016909169a7b76c27a118e2c5118

SHA1
f1e81c634c05f8fbd2028050c100014c62fe4ded

SHA256
289f983da6c3b3a579edd6e8db2ca8e776e9cba8083708e21492bf41a8bb52bd

SHA512
bcedb61509004942bdda764bded2ac1fd8b5fc000cb4ba3025de4369c7667cf1a65da00ad7a31db602c3ed37ba45929969123f019f7f9627cddb803e250d55d9

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
451KB

MD5
8188e852555bd5168e24f2c9c7cc9388

SHA1
f441ab9ed9c596a1b140d4baadb3e9deeda7f530

SHA256
f99b2ccf9ca2b631953f24f15e4f1ef50c69b537a6c305e41532ab4039b44d10

SHA512
88b45c9bad64831f0778860f6d45f0e04289a78e75084af361e76b3315d2bbef44f4d73614059e8334e6e24f73d104e0088ddf96496da64923c31c2f997bec45

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
451KB

MD5
cfe83a35562b27034c9b054d4ecd8047

SHA1
00d252159c5f2dd659a928561bc03bfad694101c

SHA256
68a15aa9fa1a8fa1e4524120b768f7a2e95ab95194e887a6a664f8ae3862c73d

SHA512
3dbf002903717eedb7c8f157e86d4d3dfb03b04e31c1ad1aff43541b47f7202084bf18a34c7ecd07592a8724d7c1231b043923870ddceb0e28f8b0ced39b843f

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
451KB

MD5
322ec7c4f0c22df744befb9ac349a95d

SHA1
95d2e7aa8d1d8fcad70c7a99527d8911912ac348

SHA256
2fb36e5ad723a9ff4526a506278965c29fcc3f14935c71c9ac0ae094e10bc3c1

SHA512
5a424ff379921f97d903121db27c69d762c6531cb3c1b21da9e4f058c0cbd87424829d9d82010fca84d03ebb71a615c95dbe2eb689a057b895867a5f5ad8f978

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
451KB

MD5
effd49b974127e48e7888c4dbdaf6f52

SHA1
9ecb1140a44329903d4500633f158103e187cb9c

SHA256
b5875d3c7c07f5468b6f4082fdec817e9e1c88a2d55204d95b60a61a6628a5f8

SHA512
3f90fb5fa60cf3f38276f433531fc2f57483561df0464ed358b82653d731a8fd92c62896e148426ce28f4a7570989c43fa25ca24e58bac561b1c56817405ed50

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
451KB

MD5
445e82321c5ace1f224516d1eda2a22e

SHA1
9afb4ab0c8df27b1ad0dd9fc344cc2332ab71aa3

SHA256
8b2853c1e14b42c289b23427b82ea2b2bf979e11ba77c352b8d0a123107cdb4a

SHA512
6a5e4e5ee49325e28187c52792fe957a99e7154b30ddddc6bb3c1c25cdee8147a7032f77d4ccfccd7e10dbd041b01d8cf8d0143b351e08926a1da0ef7a8b6a01

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
451KB

MD5
8a4a6a4cd28573d0845d571a4ebe2c73

SHA1
806815c2d183447922864942984aceda62ec00ed

SHA256
614706ecb6715b25ec6b67b5cfa70258044c1c7ea8df0da04e7b788103d3837c

SHA512
ad036297c3a068567d61b685e8c5a062d9f011009848482af960d110441b074fb63a56dd861e90d1b539079bcc2a4ef2bebfb207847a699adaf38deb903a69a6

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
451KB

MD5
fd23233ad2170c92e516c525b265259d

SHA1
67509a06788460d4b5fcea9aa37d1648429d0ff2

SHA256
bb7307aa12512de797730f499ca6662a1da5ed665b98c98b303cabd77dc447fe

SHA512
8546a9231420fa4745ecdf6dd981463e530bb24ec5f2bd165d0cac2c580e71ab18f168ba8ccda678a9ae304f1c45790e4ca6de3122285668a24fce6ade58f019

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
451KB

MD5
fc1355d0039fb9b96b9df457863c8fb9

SHA1
644f57b4cad540b7e602f3af6ee23b0f4a04cf12

SHA256
1a27a8df51323303c8a444a47076470c3cbd763a2164842a7d6dae861b898599

SHA512
2a10b82d6abfdbaf25a20a349a22dcdfdf82d49742887dd9feea25b760b4453eed8c5bb19f4ca2746154c448709427cedc61b3758edccdc1dc5880e1d6b50ff1

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
451KB

MD5
aaac72c9fb2d62fc0ecfa296bca1c30c

SHA1
cacb9fb46775244bff9685979c7cb74e08a87027

SHA256
ec113dc213958fc3ab84b5085aacdcccb595305ac79cbb8999798418deebd685

SHA512
9a736187b6ebeb4ddd70d41b46b909b0004576dd99f9c202650fa27c87729a6dfc593525f35edd215b9b8b7a0286efa8baa9c99b1f9bed6a0b6c6cb435ea60c7

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
451KB

MD5
bf29569cf494eb5c9b9dadbe4cbe90e2

SHA1
8eb3565a1c0a632a9add7f6e4632786f3109a6b4

SHA256
46db87afc8a88570e11ad8d97a0e71a42fd4ed169a256518adbf89961669f5ca

SHA512
e197740a5b436bddd67f639bcdda5c665676879980bf49de4a015c7fb4cd9648ebcb757acae387c38d23db5ecd122706a6dcb68ae3118a1122112afdd5c3ab2d

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
451KB

MD5
49cb819e2817b7c9181e9bb3c0153400

SHA1
57e49ed9d1886446724cf2bfcd7ec6b2a38ac233

SHA256
1b09fa593c6f3e8a994d4aa49e3c8f6a5a0b4295c460c9c30f2dfda7f05b35dd

SHA512
59d668355a1b6bd39dae48d7fa9bc0f3bfb0e03cb3415c2d2b304f2e78947435c897b45ccb51373b322abab29286bb411aef5bbe02a512e95dc0de8e9b45a821

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
451KB

MD5
76dc455daf4376a439aaa272c0dbf817

SHA1
6dbd8daacffae4683b64e1f1aef207168b8be8c1

SHA256
19d246e5c2e04d050371142142a15c90c3d362ffb9a8f86cf33df7cf36ce2534

SHA512
9ec9ce3a06732ddda7599d4d899cf98ee78cc1efd566a4f810d854e8748d2127fb5d2b0f35213be6de8d4079a91eafbd0890f2b8f5d61f91dd117afd65649934

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
451KB

MD5
c887c0b9bf1aaed2d37aca0ff26b5715

SHA1
9b21616bce5bf41313bea1ce2993d6cca4a090c3

SHA256
faead4992d0251f0d2abbcff295c62538bfc4462ad3f65f4557d7405e4ddeff2

SHA512
0fb3bd385c3ba6966c4a97ea74766d266ea7b9a29780b4a9a378e2dc630da3bf2020cc01e00163787268297d09c06ff3219539b63c4a4d326ce3b6838954f40b

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
451KB

MD5
9efc21dc7b387a594c31723dd9399230

SHA1
b514e82d0ccd8569adb1f10bad5539001428a7ee

SHA256
3ca023723171b4ae5248f7c942e31ac3ce2a4bccaca8bd17cf4fc3adee1f0fa8

SHA512
d32c53c32e2b43124f9fa9856d5896fc255fb4df4eb5280090218c832cd5c485de79c1838c2c0f5e3896b8c1ec61a6f57a14d1ce14c2b2e92cbcaf12afdc7ba9

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
451KB

MD5
b9b233fb9fdb8c67ad38ad307e4132c6

SHA1
270eb18ea7109f39c6a66702f4e3a6dbdb1d0966

SHA256
f3dbdccb6ea1a9704dbba9d8dbf04f297bf4013ba7de70c4325268e41fc2883a

SHA512
d1f2e2e090780e488eb34a4efc2369bdaa101bf4c5083f04dc8ee53ec28b82acf6f56f79026983c909c662c08a6d273b5bf388aa2ddc181061b6f82c468ba318

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
451KB

MD5
bb6a33698da210dccfc20e6b3e4c3f06

SHA1
6e2944a387a7f6a00b49e0e76fec68de16d3cf1b

SHA256
a257e1f3c62aefb0af602ba569955102488331bfc78a7519fcf0872f1549dbad

SHA512
33575c6304b2a00bd9fd3709c68c9593417824a12f28545cdd2771dbcdbad2e00a9ee17554f591594a5695e3521d4c77cc548af6fad5ba437199223777ef75fe

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
451KB

MD5
3d77725367fb580dee6782e4577722d1

SHA1
7d38f8a743efe1718b643fd73095a69a8da5f34e

SHA256
89641b052b56239ae66f7fe518bfd36046bb1e889f07a324ae22537ab7808807

SHA512
a90129aa5b5ce326831ff5700aea980f53983ad0ae23f9ee554a33a0d511f18ebcc2f6537608d09cd5cecd14c9f72323c977f173d05f28ada57a14cf72a4ca20

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
451KB

MD5
95728ee6dbc30cb8ad33bc62c73287c6

SHA1
0c0aeb6f3607d5211a9cddfa236f6dc00a283245

SHA256
9456f6473e1923db2c8dfac92324619c7d0c86324586f920ab7af4e1ccaeadde

SHA512
3bbcbc52b8e2d349a579f7b2f9faac64aaf696e08ed021cc28a7941b646302d09e10f8d9172fa5de87b9006ac489e8615f98abc2b245550810115b2bd7f8c25b

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
451KB

MD5
48326ab76ee991e32cf7098339603f20

SHA1
bdbe15ae8f89cb59531e614fbf45b03d9e129ddb

SHA256
838c6ea31aa6a5cc0a362856dfccc5d010521146f392f8b455455bf10bf8ea0a

SHA512
2a7c291bf27d0a12903d31d20e6c8350b0119e46ae166196524dbb3f42615e2f77ee24e1880e8be8a1263159a6f6e8a94fa65e126147363f33d6c9571dab8da3

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
451KB

MD5
aa8ae8668c8de45717c1800e2993f8aa

SHA1
e78ab7fd49d182d534178fe137a9cbd3f5a62640

SHA256
b7e898deb2ad228d7b6a90290b459ee10cc34986b27922c0420616078d3885cf

SHA512
f342c720087b7daa9cfccd4b4182f850a4ff1388ac6937e128d4a0809921d1878b6e51f99a56c449d985b5bcf371d8ad3dd854a6434770b194c9d1923fb6212a

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
451KB

MD5
04d70f095a5d020f174ff45a57a51471

SHA1
f21b900252cbf93cd51df8d14235269302bd12c8

SHA256
1ef593a7e50711ebb60c6eb72ce78950434c4fb22c65ead9611e80154c185a91

SHA512
0fec0ce49ac6ff0563b55b1e19997c0b730bdd84aab1fbde4e84bfaf7c111a8827a74156238c5d4a34a5f856540626d5e96ce577cd559563804ca2e4c0294b97

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
451KB

MD5
fb3abcd70164b0280ef8d252c204058d

SHA1
055c943a0bb593e76bd636fd02a0d98c4692baed

SHA256
45f647e62ce2252527f9d4e7fb1c8cd143c9d36ad57cf73d2998df06e487e174

SHA512
13329bd48ba730d54551592a0bc4a34aa1387ff3e7a401546c146f480a3a3adbfe57b4778d64cb1485a789b5c4889f74441bb2b66cc4cd3b7c3de4b7b112bf6f

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
451KB

MD5
5fefed22f3a5af7cb83b009935e86062

SHA1
c4ff15df729b350debbccc0034109bb89b0522e9

SHA256
8b64983f62db3a225ddd803053d105968f994913ce52d92b507c1b9a441522fa

SHA512
c555faf171a69c63bb355675787d0c73129cadc58fb681e63f49cb63f3a72131c4146c90b5ce707d99fbfd18b03a296b258fe935a6aabdc1824bcd576964b024

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
451KB

MD5
cd2d3715057595514770b6eb9f8afb4a

SHA1
a32d79edd8dec2235bdd8a748ca614e2ec5e76da

SHA256
304d6df7d0f316fed5f554fc281ad9da070cf569ba4c81d1f6aad52ba9592d41

SHA512
8e546b104db9e77c345909a1f80fa6dda6cc3bfd70ae66eaebe42fd53fd34eda32c9a1f4c8019c5cf3e60b483f18709c02ab6a5fe30ad500015e28a59576c859

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
451KB

MD5
3ac2a6604b815464cac4ff3cc9cc6aff

SHA1
e67b2cec894efdbba0982cae8cd6d904941f8866

SHA256
857749b159d572922d7e953218f0166aa32133a362b723e6e6c2407f2b7909c4

SHA512
57f1bec5d23875e3ec36fce6e77e0e433c118d34fc87dd36935b95764392ae0ff0e11cf7cf0fadeb97c370bf3f39d88fc8e277d69a5ae5df425eec6fd46932c0

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
451KB

MD5
dc03adf694752ff4f3031608ca33a330

SHA1
fbd977b707ef2b1fe15061f654a9a4894c97cec0

SHA256
1b43677223af9337a3f5b09403aa849a208e8d10226ae73bebb8df4545b3f0dc

SHA512
c38ba9b2c6de5082f2bc0c892ed5c727dacb67d1a6fd1bfd5d99ddf61236b0e5626e13a478a23341832c18ca1858bf3b537dbb653a523b436b75ce4167d6ee22

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
451KB

MD5
e739ed1be7fa4838f211a54b19f78e3a

SHA1
be8e9ae35f941b4b80d7e408e7e9a00755aa13ce

SHA256
fc57ae59538dc99f63d94e50ab4b597b2fedc040a93c3f74b87104d601b2d863

SHA512
b7dbf6c02389efd583fde8cd72f0aeda2e0d12a90ae32915519e40739ba33308c1ed3f5edf812ce003520fdb12afc808494d4586a6eaba813db64be20a19c3b3

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
451KB

MD5
ff0941afefe3236555c667c2d7ab2aac

SHA1
3691bb68cf272cb43febf926ede7d71b3a4ce52c

SHA256
9df1aed341dcfec95c11bd3fc30136fcb4b2908b76948563812616d329b5e351

SHA512
db50e0b65e1e8cd6e350f8346bbfff4cd4618ce9d6b33c11a99384193c069b5a6cbd924517f5d974582a13294ef6ea589f748de0df85e6941cd3452ae262dc5e

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
451KB

MD5
7639fa431bc3c06276159e3a4f2cc0da

SHA1
8e4c2d1b41ee748a952dd06c85b5b5e65f5a1c40

SHA256
4d60b4b84cc9f3f16a55c20ab310c273efcf97c520b9b1bf69a7637caee7c96e

SHA512
3aeb07778bcd41f0258a0125be3024eee6f5144f9f772f274fa7073f6c6942fcf2de74bfb68ff2edf6ff7c0a47635ee7884b9081a230f3116874d9aa319aefbf

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
451KB

MD5
e3ac64ea12dc515a938661d0f92ae9b8

SHA1
b45a15600c852015d8c9f3c282170a8f65101bd8

SHA256
7989599531ee5132f2d2a3b94ed7965b4da9dd98a5427241dade258c664ecb29

SHA512
08d996484ec6f68917c2824a6d08b16b6e69f6deb06a1d5183caa661dcc77cd1f733e6e442f54bef5c9b48da4d91d5adf60d8959c66b455cd9c84bc2b9175f30

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
451KB

MD5
d2f544f084ef5d8b2e7efd3634bc4d1f

SHA1
b8742b4b7fd8a342026ce0f841b67ea81a688e98

SHA256
e8f4cbc752a1c4dde3afb0514eb2d909461c56a5b41a5c638d693cf457c4c949

SHA512
a24faf8473093599668cd549c7b8153ed13b0e7dc7341e0416d86a5d660f46e38ab951baf6bf5774495070c3a3d9f6e1c4dd8fe7fa1835e4720de114ba7e4d18

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
451KB

MD5
8ce4924c7d11788af9b473ed134fb232

SHA1
423cd3cd1c5862b9c5b6924fe85bbebdff3fb4e5

SHA256
d1da17dc2a8b738a9d724c75a2b95e766f72775f179d1996264e928959592379

SHA512
59d0bdea56d7e025a46d37fc07046cec093a123f4aefb7961e188648e0e6943a590883e494a0b4024eb2c90c668f42b6988e6ae1c97e8bf6eb8cac8c1ab4bf3e

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
451KB

MD5
cf67e71ce2dafbed1d18c97d9c468df3

SHA1
2b9d1b9b75e5f634f485fa3960fe0b49c1451955

SHA256
4553c2bd9c905905b93857a4193578b25dc69125f1d62dde1b08639ca501a179

SHA512
346d67d2bd4dbdf3424f54159166d1c604fd39a0fdd161f5e0c360c0b79684d79c80ceae76b783ff54faaa24bbb1cc0c06f0b1d0229dd4436cf96f2624bf8043

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
451KB

MD5
a6cdf99e824fbb0db5f3091c254d9c51

SHA1
8518c6ed2c461e94f20f87db8ee28fcd32d3744a

SHA256
965bb00225bbc7f8eac6c2f6c4c1c97e610d548426467b33b802dff57f9525da

SHA512
fb7c36a50bb446db2aa6a31abf1b6cdb287a7e71a2966dce0afa1d09034753d5b3246a90f046315556ca3de382796911a58e5769fb0098ec0a89a5f6be721213

Download Submit
memory/400-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/656-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/656-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/792-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/868-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/876-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/876-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/880-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/880-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1008-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1144-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1672-483-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1672-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-479-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-481-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2052-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2052-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-464-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-456-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3032-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3032-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3160-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3228-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3228-474-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3328-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3396-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3396-463-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-473-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3540-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3540-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3752-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3760-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3956-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3956-475-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4012-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-76-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4216-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4288-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-482-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4492-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-480-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4696-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4852-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4980-470-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4980-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads