e676792060aefcfc2b45991dfe8f7ade87d3daedbdf452f4e6a0b3dccfb1468e

Analysis

max time kernel
95s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe
Size

669KB
MD5

9ce0db10d25177f6895a6936f8b751a0
SHA1

cea2593ad7434cbf1ac3e33085d4ec2fb967140c
SHA256

e676792060aefcfc2b45991dfe8f7ade87d3daedbdf452f4e6a0b3dccfb1468e
SHA512

427eb5ee77d237af4c0300c95aeee512d0f59422ff79ac021ab4f813342cb2bc5c55dff483c9be442f0c8aa9087d9c3e15764d1d4a906de0f17bdc8d260e9183
SSDEEP

12288:i6PrXeVoo8ukpeeV24ihMpQnqr+cI3a72LXrY6x46UbR/qYglMi:JP6p6p5vihMpQnqrdX72LbY6x46uR/qR

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe

Malware Dropper & Backdoor - Berbew 35 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000022f51-6.dat	family_berbew
behavioral2/files/0x000800000002340c-14.dat	family_berbew
behavioral2/files/0x000700000002340e-22.dat	family_berbew
behavioral2/files/0x0007000000023410-30.dat	family_berbew
behavioral2/files/0x0007000000023414-40.dat	family_berbew
behavioral2/files/0x0007000000023412-39.dat	family_berbew
behavioral2/files/0x0007000000023416-54.dat	family_berbew
behavioral2/files/0x0007000000023418-62.dat	family_berbew
behavioral2/files/0x000700000002341c-70.dat	family_berbew
behavioral2/files/0x000800000002341a-78.dat	family_berbew
behavioral2/files/0x000700000002341f-87.dat	family_berbew
behavioral2/files/0x0007000000023422-103.dat	family_berbew
behavioral2/files/0x0007000000023424-110.dat	family_berbew
behavioral2/files/0x0007000000023426-119.dat	family_berbew
behavioral2/files/0x0007000000023428-127.dat	family_berbew
behavioral2/files/0x000700000002342a-134.dat	family_berbew
behavioral2/files/0x000800000002340a-95.dat	family_berbew
behavioral2/files/0x000700000002342c-142.dat	family_berbew
behavioral2/files/0x0004000000022ac4-150.dat	family_berbew
behavioral2/files/0x000700000002342f-158.dat	family_berbew
behavioral2/files/0x0007000000023431-166.dat	family_berbew
behavioral2/files/0x0007000000023433-174.dat	family_berbew
behavioral2/files/0x0007000000023435-183.dat	family_berbew
behavioral2/files/0x0007000000023437-190.dat	family_berbew
behavioral2/files/0x0007000000023439-198.dat	family_berbew
behavioral2/files/0x000700000002343b-207.dat	family_berbew
behavioral2/files/0x000700000002343d-215.dat	family_berbew
behavioral2/files/0x000700000002343f-223.dat	family_berbew
behavioral2/files/0x0007000000023441-230.dat	family_berbew
behavioral2/files/0x0008000000023443-239.dat	family_berbew
behavioral2/files/0x0007000000023446-246.dat	family_berbew
behavioral2/files/0x000b000000023380-254.dat	family_berbew
behavioral2/files/0x000700000002344e-268.dat	family_berbew
behavioral2/files/0x0007000000023458-299.dat	family_berbew
behavioral2/files/0x000700000002345c-311.dat	family_berbew

Executes dropped EXE 46 IoCs

pid	Process
3416	Iannfk32.exe
3088	Ibojncfj.exe
2488	Imgkql32.exe
2532	Ibccic32.exe
3016	Imihfl32.exe
2608	Jpgdbg32.exe
64	Jdhine32.exe
2856	Jmpngk32.exe
3676	Jmbklj32.exe
3724	Jfkoeppq.exe
3596	Kmegbjgn.exe
3648	Kdopod32.exe
1736	Kgmlkp32.exe
1820	Kmgdgjek.exe
944	Kdaldd32.exe
3300	Kgphpo32.exe
4228	Kinemkko.exe
2108	Kaemnhla.exe
4860	Kkbkamnl.exe
4348	Lpocjdld.exe
2836	Lkdggmlj.exe
4868	Laopdgcg.exe
864	Laalifad.exe
3104	Ldohebqh.exe
448	Lnjjdgee.exe
3668	Lphfpbdi.exe
812	Lcgblncm.exe
4640	Mjcgohig.exe
4396	Majopeii.exe
2624	Mjeddggd.exe
4524	Mdkhapfj.exe
3756	Mglack32.exe
2792	Mdpalp32.exe
1792	Mgnnhk32.exe
4424	Nnhfee32.exe
324	Ngpjnkpf.exe
4908	Njogjfoj.exe
4316	Nafokcol.exe
3680	Ncgkcl32.exe
1872	Nkncdifl.exe
2652	Nqklmpdd.exe
400	Ncihikcg.exe
1108	Nnolfdcn.exe
4704	Nqmhbpba.exe
4852	Ncldnkae.exe
2248	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2476	2248	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3416	1608	9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe	79
PID 1608 wrote to memory of 3416	1608	9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe	79
PID 1608 wrote to memory of 3416	1608	9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe	79
PID 3416 wrote to memory of 3088	3416	Iannfk32.exe	80
PID 3416 wrote to memory of 3088	3416	Iannfk32.exe	80
PID 3416 wrote to memory of 3088	3416	Iannfk32.exe	80
PID 3088 wrote to memory of 2488	3088	Ibojncfj.exe	81
PID 3088 wrote to memory of 2488	3088	Ibojncfj.exe	81
PID 3088 wrote to memory of 2488	3088	Ibojncfj.exe	81
PID 2488 wrote to memory of 2532	2488	Imgkql32.exe	82
PID 2488 wrote to memory of 2532	2488	Imgkql32.exe	82
PID 2488 wrote to memory of 2532	2488	Imgkql32.exe	82
PID 2532 wrote to memory of 3016	2532	Ibccic32.exe	83
PID 2532 wrote to memory of 3016	2532	Ibccic32.exe	83
PID 2532 wrote to memory of 3016	2532	Ibccic32.exe	83
PID 3016 wrote to memory of 2608	3016	Imihfl32.exe	84
PID 3016 wrote to memory of 2608	3016	Imihfl32.exe	84
PID 3016 wrote to memory of 2608	3016	Imihfl32.exe	84
PID 2608 wrote to memory of 64	2608	Jpgdbg32.exe	88
PID 2608 wrote to memory of 64	2608	Jpgdbg32.exe	88
PID 2608 wrote to memory of 64	2608	Jpgdbg32.exe	88
PID 64 wrote to memory of 2856	64	Jdhine32.exe	89
PID 64 wrote to memory of 2856	64	Jdhine32.exe	89
PID 64 wrote to memory of 2856	64	Jdhine32.exe	89
PID 2856 wrote to memory of 3676	2856	Jmpngk32.exe	90
PID 2856 wrote to memory of 3676	2856	Jmpngk32.exe	90
PID 2856 wrote to memory of 3676	2856	Jmpngk32.exe	90
PID 3676 wrote to memory of 3724	3676	Jmbklj32.exe	91
PID 3676 wrote to memory of 3724	3676	Jmbklj32.exe	91
PID 3676 wrote to memory of 3724	3676	Jmbklj32.exe	91
PID 3724 wrote to memory of 3596	3724	Jfkoeppq.exe	92
PID 3724 wrote to memory of 3596	3724	Jfkoeppq.exe	92
PID 3724 wrote to memory of 3596	3724	Jfkoeppq.exe	92
PID 3596 wrote to memory of 3648	3596	Kmegbjgn.exe	93
PID 3596 wrote to memory of 3648	3596	Kmegbjgn.exe	93
PID 3596 wrote to memory of 3648	3596	Kmegbjgn.exe	93
PID 3648 wrote to memory of 1736	3648	Kdopod32.exe	94
PID 3648 wrote to memory of 1736	3648	Kdopod32.exe	94
PID 3648 wrote to memory of 1736	3648	Kdopod32.exe	94
PID 1736 wrote to memory of 1820	1736	Kgmlkp32.exe	95
PID 1736 wrote to memory of 1820	1736	Kgmlkp32.exe	95
PID 1736 wrote to memory of 1820	1736	Kgmlkp32.exe	95
PID 1820 wrote to memory of 944	1820	Kmgdgjek.exe	96
PID 1820 wrote to memory of 944	1820	Kmgdgjek.exe	96
PID 1820 wrote to memory of 944	1820	Kmgdgjek.exe	96
PID 944 wrote to memory of 3300	944	Kdaldd32.exe	97
PID 944 wrote to memory of 3300	944	Kdaldd32.exe	97
PID 944 wrote to memory of 3300	944	Kdaldd32.exe	97
PID 3300 wrote to memory of 4228	3300	Kgphpo32.exe	98
PID 3300 wrote to memory of 4228	3300	Kgphpo32.exe	98
PID 3300 wrote to memory of 4228	3300	Kgphpo32.exe	98
PID 4228 wrote to memory of 2108	4228	Kinemkko.exe	99
PID 4228 wrote to memory of 2108	4228	Kinemkko.exe	99
PID 4228 wrote to memory of 2108	4228	Kinemkko.exe	99
PID 2108 wrote to memory of 4860	2108	Kaemnhla.exe	100
PID 2108 wrote to memory of 4860	2108	Kaemnhla.exe	100
PID 2108 wrote to memory of 4860	2108	Kaemnhla.exe	100
PID 4860 wrote to memory of 4348	4860	Kkbkamnl.exe	101
PID 4860 wrote to memory of 4348	4860	Kkbkamnl.exe	101
PID 4860 wrote to memory of 4348	4860	Kkbkamnl.exe	101
PID 4348 wrote to memory of 2836	4348	Lpocjdld.exe	102
PID 4348 wrote to memory of 2836	4348	Lpocjdld.exe	102
PID 4348 wrote to memory of 2836	4348	Lpocjdld.exe	102
PID 2836 wrote to memory of 4868	2836	Lkdggmlj.exe	103

C:\Users\Admin\AppData\Local\Temp\9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\9ce0db10d25177f6895a6936f8b751a0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\Iannfk32.exe
  C:\Windows\system32\Iannfk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\Ibojncfj.exe
    C:\Windows\system32\Ibojncfj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\Imgkql32.exe
      C:\Windows\system32\Imgkql32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        47⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 412
        48⤵
        Program crash
        
        PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iannfk32.exe

Filesize
669KB

MD5
7a19c0a4ddbee39b4410a63287063d20

SHA1
0887654fef3ad6a8460a595f648cafccbbc9d717

SHA256
ae2c02ef2c4cdc8aa825c39ef6b1f9d0a53fe67bad9619bc2258932411a05fa6

SHA512
7f4dd1fff5a79ae1a8f9f7a34722406c740ac73a629884deae5477d8a5f42baf87616ba0aad7d5d5c7ced5aa72ac91d05a4e1e0a4766b545c75c6037a5c34189

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
669KB

MD5
21078c6beca36081e8e3952d930a3357

SHA1
778dff16fa9ad29da02f34f1f04ec69cd7e07e39

SHA256
ab36b74314f2c4ccf6dff4da43a0647f1c5b0b6f2ba7b39eab5a8c4e0bcf0278

SHA512
649b8d0e8ac17eb94307c1caf16be6efae5d48b01c4bea95d110f85dd1d0e827d1a8f031ab08b2b956af9882e6cf18e707b9b6abdccdd03a5b8d1a4a7841c2c2

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
669KB

MD5
dcf3f260ea3ebe3344e2da017ac5b68d

SHA1
a5e80b2c75324ca21efabf5a597555f855e568c3

SHA256
f4fb9dbc89acf65ac8772d622583f94836634c2068df990fa7d7959c3f3ee751

SHA512
d655bf7b422eac5dc110bf24b71135c22bfdaa4a4aec1bb90e607d7fb727d17d037932574ddd9fddd56a752520362263f7b9784f084e2541f4a4d1bee828616b

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
669KB

MD5
fb04d48a10d630b88e476e0edc8cadc8

SHA1
2d8a696b0f68ac5075a975b05d063537ebd7bb5e

SHA256
21c3bb32321d22742074a235ab4a99675c5660f419cdf2d9d1f3f2368d6f782d

SHA512
bd400c2984fdb70a14dfd92ab9080b6740ae4c8260bb7418f08cfbbdc237af01a88604f11afa8708d8a099c1fffe24d5b116f9fd904cca5e12d38e0496097a17

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
669KB

MD5
78f73999dd5f6b4201a8bdfe0a060875

SHA1
928631775e77bcbf702c93f96a7773b71021daf5

SHA256
3e43ead50a5a9028b45582971821987a05724a9cda7300178150a15a11e7e360

SHA512
2f3e040125e96d9568ee2b0d6520b0275613c4c47d001f0ca096b3c939d6c490222bad7e1a799ea06c842f944cd43d9b610ff7d357578be4e2d492dcf35d00e4

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
669KB

MD5
5d5be1d7264a0194aa7e15d9331aeecb

SHA1
75a7ba24372376cfe607d31b3cfbb351577cd345

SHA256
ee707f5417e92da61ff89b6916f3a09a032cf806303fea4990b4c68533d79260

SHA512
1ce5493c3e3b9b8864ac5c4039ee37bbaf2701f4d1c327c687253dc5e0e9cbc02bf40ec0225f62ada03840178aa1dd515a19abc1e9648d0204ebd4941e8349ca

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
669KB

MD5
0d542eb9d62086f0beddf797ad97fedd

SHA1
577aef070e5d7389936452439c665b2c91897acc

SHA256
3b1c9f51c9ebb8526afa03093568db235b0e7690f21c0f301e45abac0623fab5

SHA512
00d7b9da52b4d0a50d13bd3c75adc97dae467e2fa57b1f332999710f8df2dbf355ee4a4181fd1197db4ca4d2d24f053d799981db6148dfede57d96b2a459488c

Download Submit
C:\Windows\SysWOW64\Jibpdc32.dll

Filesize
7KB

MD5
66ed302aab6f1d534a1eef485768ab75

SHA1
cce980044109d546b7200e71414d51b2c3db9c4c

SHA256
2fa8f776a833ab68d63781f117e6393dfe285782ee78e4f42d8590b7ddffddb5

SHA512
87d61393bd98b565c2562bcc18e20f793506d04783c61ea7b42e8305c65510ea0f8ca4e6c3faae96876be524fae7b392f870eb2c552b7ef946ac473b2f8c4ffe

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
669KB

MD5
4dff907e16004e7ab8b116c87b732701

SHA1
d755b4da95db18275e7c031c233830d0dea6c2d6

SHA256
6afe6b91d2603b066f08e14019930d410a1af1e31d1e7e54a16070aa8cd1b2ef

SHA512
e4e9841ac81e513bd8c6c409ba6c9430bc4f34455009a376aef178358af10bc76f6d8cd0801241a977f3e822c098eeb535f2bd1c1ed7d75092424bbb0668d73a

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
669KB

MD5
9f02cd15a3d38d748d7eaa83b72cd3e3

SHA1
8be584c52f41241c921b86e03e2ceb721c3e4c79

SHA256
ed9edd26ee5aa31048260a1954fb8fffc198d80bd2c51d1635b1c344d8ca4e68

SHA512
5675d88bfaab07fe27aff18310c6d16d4716e479756efcf71ae0e7b9e117c264cedc7135e36f1828c3d901a1036a7af1880bb446a8b0cc563064a45b54bf9489

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
669KB

MD5
71bf3f157fd55398e164e7e62940c84f

SHA1
41879aa598ec91e12bb5608e4a31b8546b7461ef

SHA256
ee2366f9b09b7ea8d4fc07c5de9e9ae6cdd8cb304d93a846df4ad19f98eecaaa

SHA512
783d26a050cfd3dc67d250ded6bebb275382cdee5cbbb455bf343c5f38d14f8bbb1fa41fe01d7633f2fe7cbe60ba2fe4efdb8c1029696a88bdd9877c6ecbea97

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
669KB

MD5
f0e4b8a1e7865949e95747acb99a86e2

SHA1
782040febff301e6ac4272d4ac989140303e6c2d

SHA256
468acb6d71878ab5fd649b05c76cc6b3056ecea288d6f1a70db4252f11abadb5

SHA512
67881772057969a979cb2df9d2508e8bae7627681052cf20bca7c13f315b697b797cfc4aaa383ab32aeb2f142df968c9e4cb9518e34f910cc126c5f53bf1843f

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
669KB

MD5
f95e2547070be6904b0150ba6cb8b237

SHA1
cbd7b8913deb12216ca84be69a7e56c6a5182d5d

SHA256
568cf5e30abd8a58b9b4438ebc942ba8fd3df1453aaa28c396f4c437b07fbd9a

SHA512
8ec78d900a55494f23aaf904cb7b8f8b0bd575836e3f511336c2ba30a729c94d0f3cd53df213a05deb16e0172b2c38e14fc8f260248dcc60aade76580f9cc9de

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
669KB

MD5
5aed6d22ab1484412ed8602bb635c8b5

SHA1
829d531a409817f81b3ef2532076f70899ebd495

SHA256
8deeb6526d7910116a6385c350fbd6c0b10954fc852a8aa3c0e88a8c2f6bea88

SHA512
2b2b2205a52f128f171692045ce460f39692c49803448828cda98b384182b33c2958c2327488a9f52d07a7db75e6c4f701ec137f6f969815f6c8a810f22ac12f

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
669KB

MD5
7b9d9c8c3ec975ed61f2104f71feab76

SHA1
fd0e9f566f61fd5d7ef18156e0f5193176598cf6

SHA256
9bf54bc633af7f4b8562f4bd9c62de645e8d6e1470589e17379c06fb4ca68e28

SHA512
147e382d0e98b832e85e29292df107a5991ffc526c5ad2055d627e4ce067cb6358113559f841debd5d4c9b2b215fd8cd7d1deed664b8819dba54b59f1f7dc6d0

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
669KB

MD5
39e537da7a53191214190fd4706972ad

SHA1
669116a924c3ae096fdf269b1d8a791d0ddc0b8d

SHA256
3a8be6e4bf14c700ec47078f5fad01c9eb8121ff896cb3de4d762358d90a47c8

SHA512
e19ada0ccdcaba13eaa3a3256affe46e4639ad0f512a49e5cbbf58c7a3afe9768fa0806821afc72cc82bad52188a2e663986081083ad934d6fe6e55f451bf0e9

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
669KB

MD5
6656ee3707ddccbb3931bb9d2a5afcc1

SHA1
8f1d97b14e8ef13ba265f340212189422507c60d

SHA256
308967a203d2278b3f54188911d504b227c2f4631fc2c41e379d5a157f9609db

SHA512
317566dd7d1f29c85aa13b39d551cf65a671ec86d9dcf9fbc229f9a3e771511784a208e209c8635014708263f296e861a645f1707ca4820ca42831fec2b737c0

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
669KB

MD5
920ec0b76bffd769b303295168729abd

SHA1
003f889ed7aea871728050045fe30881785ab0a4

SHA256
7c665bd4570c155d443e13b1eeccd6aab9473849001ae98b7602d1d3e006f4f5

SHA512
44cb1d4f9ee6a194f6913e7b9bf9a873e8b533dc1ad86acdf4f2b91b51bcf2635a7223b33bd00892d6749315ec4f1e5dd1ab9e273e5ca2a95f4629441042bc34

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
669KB

MD5
10aa7edad46ac96e0d1f9bfbe6c91fed

SHA1
4394e7a5b70fd8405cbb9508b62471072df31ab6

SHA256
dbd12566a1d32b5de254d310608c7695072617202b287784226bebb61ee6435b

SHA512
86f5cc2e7f118f7d4c7f85450428263bd1ff8ed3af28bc09aa9704be83359aa0eda7dab273eabfa4ae8825a3c963a07b1d9d9a56e34e7bbfaed9e4e363c10a77

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
669KB

MD5
ef90deb583144c06cf4820f7f299a620

SHA1
bcf3a1739ef6ef00e76f2509346136d38a8b4742

SHA256
95bce8b868af23a689448285b0082ad2e646b520780a4888d575fbb7458a0265

SHA512
b7426844449acfc167b4201198f26112cac92a78411fe1d1341669063e4290c75ad3cf74613953b06a8f4ed5a7d1641fd5a4e3fa950274dd1bfb7b08fbe9691c

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
669KB

MD5
0b7904d20e813184b501d6b9f7fafa6e

SHA1
fe1f5e98784aca6baaa06fdc56b112f707523ebb

SHA256
7110cf90e3e1c47902243e00e76ef4009517d7b64cce54a9dbe978dd99d1048c

SHA512
9ba9988def8d763183a5f07443125798ca5c4bbbfffd2ab8b71f1a6e5641d4ee390fae06f11138ad4eab6859256dbe77c65af0c7a21d6cfca20e58185c2178ad

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
669KB

MD5
c5855be43fa8f411f5a9f4991e53a867

SHA1
7233980e7a85f74fb1a410b8cf067fbdc98ecf85

SHA256
c164ce726635e04f9912a37848e9fbc49f6bdfdce8a8306b0be2613fffee7f5d

SHA512
3cb438d62852b93c6b2c334e02e67d3170cddc804a684680483942e88c8bf9ddfc52cff8ba8f22e5d6cad75de4adf0b132fa1c4fa29718ae0895df8b0f66e250

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
669KB

MD5
98d6e2893abdb3a4a126d35aac214036

SHA1
0192d632ab5a514524edb71a00b161ec4123b778

SHA256
adeb953d672f2b48226dc38d451dc2f53361396573a1b512ca55b06bda010c61

SHA512
13aa95847cc5b2927481d181f0e66ec3db1012f602c59bd59aaf154c7822a78f4bb95d10ad2c4664775f6a0e4109757dcb81576103c72c8dbfb94d142ed36a53

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
669KB

MD5
0f208fc895da164f7d28889523c8be7f

SHA1
a29edd3ba39c35f309c0eecbd9de2c7ab98c1d27

SHA256
d185ac49dee6d0420ebcccb0298225350dd524091492af97fbda3979a00e0598

SHA512
3c870c8e680fd10f3dc4eef6a21170299a838035e3754f9eb7f266df3bd5bf39bdca4b8173860b54db3a88d7aff124c606521643ee85145e2d84795cc304a688

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
669KB

MD5
1fbe52294cbfcc5a076d442d03b20c43

SHA1
973c3fd3beb4516eba819437aa606b5777adf027

SHA256
a90e7b209cf13a521e04e65908e746845df40a55e148a9db6f18d70cb9bc5687

SHA512
16dc9fddaaacd2293ae6af457b2fbb78bd82397fb6a205a36cf31bb1d336e514d938e64eccebbc5fbffe3ff37b89d79eceac068e0a3fe247ec0a8d2f0c71edd2

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
669KB

MD5
a8deb55625612197e707f84d22bb747a

SHA1
aa50e77e6f25f73e1edeceac3c884a2f4106fdf4

SHA256
1aa977d139e6528daa2c51281e0534954c00d89c49f5568e535d8b271fb961eb

SHA512
be474b1fde0bc916e462d9712c60a42e20452381c92f800ee452e09005588d2723e733e84948aeb86122e7df397fe566bd70bfaa44001c4aafc5d5b97150ca3a

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
669KB

MD5
9ea19e0414f5033b31953bf70ef80a7b

SHA1
305522d08eed5e4d5839e651c24230bff05deeec

SHA256
b634a9b8ef88b6a0a079da638b2f5a28be4060284ab0cc2bf3ff4f9f8d857729

SHA512
b0ad01e655657a6b4c03ac351a49ce04e73994efc4742211988d182bd031b582a780ee1708c79eeb14f2472ee7fea1b53808b1930478d9cca47bf6ff651196f5

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
669KB

MD5
37bbb11628b0e8df0f02ba50f019217b

SHA1
82ad24d9f8e58b1664d03effee8c373cb65555ba

SHA256
6c858273d614f7bf041850f9b3140e8db316539a3465dc32365217c73481f8ac

SHA512
62e46f2c7122733bc16b4c6085e9ed21cde4c3ef9fbe257d02cc5083620f8f2f85534810022cb732e13ae9e1ad897a379dc6aa920394ab6c35511de0802b0a44

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
669KB

MD5
be70fab4bd517d43b997997d78441b11

SHA1
0a0f6ca837a702554ed4d14cce8c9454b818769d

SHA256
f678b784e55b7ffe01987525f1aac2af3ddb5b9eec0fe34bb06d44c71f345dc7

SHA512
0f82f999c0b6bd10a76f4a547e53349568d5ccbd5e424e425537a013daae515daf9d72c7ab028c04d31d17d1c2d17619db638f13390318909a0a1cfa02342efb

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
669KB

MD5
a38f33873556c0542fb31b7639aa3538

SHA1
918462a996daffe3773c7ee32daf2f770949edcc

SHA256
9eb3e6b783c072590b0fc41d538ad85101d3669e35ea261c062daee17b88b661

SHA512
6697769c57f089b8413685f2dce7105832fcec057637c5a290576e37207d7ee98ee9f874c80e5f68eeed6e9a38cfe5e23c955e747f408b595e1b0c1603b24bad

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
669KB

MD5
4b33e73c6bacd53af0a7fd828f96b8c3

SHA1
09f490892ddd573eb8e7f9cd04881e8dbb0cc179

SHA256
5608e7ec945d828e13acbd9ca41d487dd6109b39c517358391ef1001332f7aca

SHA512
c1596cfbb3ab1359e31942aa02b88f49ec9b686835383960d4284badb98130f6bbfadf8ea855acc896d5eda59d11fa9bec8c80fe1cab6f9ddd8aefe096bf44e8

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
669KB

MD5
d8c984767c36e1572ad857bf61ee2d7c

SHA1
e28b95276557b23cabbd489ba50aaf3b8ffbdbee

SHA256
bbb5215c00b5b62cb3f0eaae2dbc2d343784a584e8e5baa9ce2926df8e3d172a

SHA512
276c4b06c4faae14b6c1da3d60c95e750bf027f314fcead40df3890a847b8f81a456bd8bfd0fc44919477b893a476d095bd9b7ada2c991fb3f57af61fad37046

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
669KB

MD5
082d8016be9408c974021b2d6acb59d4

SHA1
5a046b1db62f866a3bce4d2216009592e233a79a

SHA256
985d3963a9d4df16c0284df4d50f77283860f9b61f80086095cab5f4b72f6a91

SHA512
68376fe55ee04ab8ce5c7825d5392f352da08945a340e8071d5f233de2b38a44818fe17bf519a864e814ca479ed7b19b9644d9c503c057a6e1718349c6b01189

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
669KB

MD5
a00fb60e4d2bfbf477eea0f55f23ffc2

SHA1
3208f035b6819e87d4ffed7c2ba833766f038e1f

SHA256
e3974ac317824d0fad3943af41ecfd203bd1d678ee389a5a7cb3a38f66d07c86

SHA512
f79f94529fd49eb6b3eee8a3d2a51d7977acd676fc1aeb62f2bd1f21ed5012e8db439319f9042c1b4e485784e64dace70a017c36085d79cbee4ad1b6fc0664e1

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
669KB

MD5
357230f95ae6563bad4d6b229d2e2efc

SHA1
3d37d7980bf63071f88bde9443a5e95ac25f36e1

SHA256
b080b07cbcc1187bc29bf5fcaa3f88fa83449f0ad3d2f7aae17c9b323c9ba150

SHA512
40410f14a3cb06399db90a7e0a4a156eba58d7841a956455ebb547efa21d6978c76d32a52601bfc362c0a9891331915c1d6504960e361aabdd8d4b3c4968fe9c

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
669KB

MD5
ccbef1ed67a1caa0dbd630b59c2c8e14

SHA1
728c7b0b168efec30ab1cd5f9e4aad7f94891b78

SHA256
0fb1a4b1838931574f45b7a9143de3efa6fb5b2a58c4539b9570465a4a6b2633

SHA512
dcd85f4f59cec673c5866b0df40b9275574d6c71a52b406b8922fc774208d1a573965bf8734e315cc9d6b78fcd99360affc14e0109a1b9eeda0215dde533a2bb

Download Submit
memory/64-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/64-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads