njrat | 1601228e8bf079a8506262097df70cf74f0ca9a40df460eac24cbe4af31b5dc6

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe
Size

337KB
MD5

b031db93bf4c2a54667fe4c3ef353330
SHA1

54b8235a8e9d89c3aef248bd62024e44f6d65098
SHA256

1601228e8bf079a8506262097df70cf74f0ca9a40df460eac24cbe4af31b5dc6
SHA512

4f7239c00567fd536cca938604be10028c194620f4b900e25a6e49506349d5fa57e6d203c96f31c19f14a0aaf665cce3839e33bd02d8350f118d5b6015e6129f
SSDEEP

3072:eEb+idu5PYQM3NKfgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:eE/u5PI21+fIyG5jZkCwi8r

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 59 IoCs

pid	Process
4872	Hjjbcbqj.exe
4020	Hbeghene.exe
3644	Hfachc32.exe
1488	Hjmoibog.exe
1788	Haidklda.exe
1716	Iidipnal.exe
1668	Icjmmg32.exe
1388	Iiffen32.exe
1172	Ifjfnb32.exe
2240	Ipckgh32.exe
1132	Ijhodq32.exe
4408	Ibccic32.exe
2052	Iinlemia.exe
4920	Jbfpobpb.exe
4264	Jmkdlkph.exe
3428	Jfdida32.exe
4604	Jplmmfmi.exe
4256	Jidbflcj.exe
2184	Kkkdan32.exe
4528	Kphmie32.exe
2596	Kknafn32.exe
4492	Kpjjod32.exe
1888	Kmnjhioc.exe
2488	Kckbqpnj.exe
2892	Lalcng32.exe
2520	Lkdggmlj.exe
100	Lcpllo32.exe
544	Laalifad.exe
4328	Lcbiao32.exe
2740	Lpfijcfl.exe
3864	Lklnhlfb.exe
808	Lgbnmm32.exe
1048	Mahbje32.exe
744	Mdfofakp.exe
4284	Mkpgck32.exe
916	Mpmokb32.exe
4800	Mkbchk32.exe
1364	Mnapdf32.exe
1072	Mpolqa32.exe
4652	Mdkhapfj.exe
2188	Mkepnjng.exe
1952	Mncmjfmk.exe
1560	Mcpebmkb.exe
1284	Mjjmog32.exe
3780	Mpdelajl.exe
4128	Mcbahlip.exe
4564	Njljefql.exe
2276	Nqfbaq32.exe
2360	Ngpjnkpf.exe
3712	Njogjfoj.exe
3312	Nqiogp32.exe
1300	Ngcgcjnc.exe
3352	Nnmopdep.exe
2764	Nqklmpdd.exe
884	Ngedij32.exe
812	Njcpee32.exe
436	Nbkhfc32.exe
4112	Ndidbn32.exe
1356	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jbfpobpb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2200	1356	WerFault.exe	145

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4872	4748	b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe	84
PID 4748 wrote to memory of 4872	4748	b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe	84
PID 4748 wrote to memory of 4872	4748	b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe	84
PID 4872 wrote to memory of 4020	4872	Hjjbcbqj.exe	85
PID 4872 wrote to memory of 4020	4872	Hjjbcbqj.exe	85
PID 4872 wrote to memory of 4020	4872	Hjjbcbqj.exe	85
PID 4020 wrote to memory of 3644	4020	Hbeghene.exe	86
PID 4020 wrote to memory of 3644	4020	Hbeghene.exe	86
PID 4020 wrote to memory of 3644	4020	Hbeghene.exe	86
PID 3644 wrote to memory of 1488	3644	Hfachc32.exe	87
PID 3644 wrote to memory of 1488	3644	Hfachc32.exe	87
PID 3644 wrote to memory of 1488	3644	Hfachc32.exe	87
PID 1488 wrote to memory of 1788	1488	Hjmoibog.exe	88
PID 1488 wrote to memory of 1788	1488	Hjmoibog.exe	88
PID 1488 wrote to memory of 1788	1488	Hjmoibog.exe	88
PID 1788 wrote to memory of 1716	1788	Haidklda.exe	89
PID 1788 wrote to memory of 1716	1788	Haidklda.exe	89
PID 1788 wrote to memory of 1716	1788	Haidklda.exe	89
PID 1716 wrote to memory of 1668	1716	Iidipnal.exe	90
PID 1716 wrote to memory of 1668	1716	Iidipnal.exe	90
PID 1716 wrote to memory of 1668	1716	Iidipnal.exe	90
PID 1668 wrote to memory of 1388	1668	Icjmmg32.exe	91
PID 1668 wrote to memory of 1388	1668	Icjmmg32.exe	91
PID 1668 wrote to memory of 1388	1668	Icjmmg32.exe	91
PID 1388 wrote to memory of 1172	1388	Iiffen32.exe	93
PID 1388 wrote to memory of 1172	1388	Iiffen32.exe	93
PID 1388 wrote to memory of 1172	1388	Iiffen32.exe	93
PID 1172 wrote to memory of 2240	1172	Ifjfnb32.exe	94
PID 1172 wrote to memory of 2240	1172	Ifjfnb32.exe	94
PID 1172 wrote to memory of 2240	1172	Ifjfnb32.exe	94
PID 2240 wrote to memory of 1132	2240	Ipckgh32.exe	96
PID 2240 wrote to memory of 1132	2240	Ipckgh32.exe	96
PID 2240 wrote to memory of 1132	2240	Ipckgh32.exe	96
PID 1132 wrote to memory of 4408	1132	Ijhodq32.exe	97
PID 1132 wrote to memory of 4408	1132	Ijhodq32.exe	97
PID 1132 wrote to memory of 4408	1132	Ijhodq32.exe	97
PID 4408 wrote to memory of 2052	4408	Ibccic32.exe	98
PID 4408 wrote to memory of 2052	4408	Ibccic32.exe	98
PID 4408 wrote to memory of 2052	4408	Ibccic32.exe	98
PID 2052 wrote to memory of 4920	2052	Iinlemia.exe	99
PID 2052 wrote to memory of 4920	2052	Iinlemia.exe	99
PID 2052 wrote to memory of 4920	2052	Iinlemia.exe	99
PID 4920 wrote to memory of 4264	4920	Jbfpobpb.exe	101
PID 4920 wrote to memory of 4264	4920	Jbfpobpb.exe	101
PID 4920 wrote to memory of 4264	4920	Jbfpobpb.exe	101
PID 4264 wrote to memory of 3428	4264	Jmkdlkph.exe	102
PID 4264 wrote to memory of 3428	4264	Jmkdlkph.exe	102
PID 4264 wrote to memory of 3428	4264	Jmkdlkph.exe	102
PID 3428 wrote to memory of 4604	3428	Jfdida32.exe	103
PID 3428 wrote to memory of 4604	3428	Jfdida32.exe	103
PID 3428 wrote to memory of 4604	3428	Jfdida32.exe	103
PID 4604 wrote to memory of 4256	4604	Jplmmfmi.exe	104
PID 4604 wrote to memory of 4256	4604	Jplmmfmi.exe	104
PID 4604 wrote to memory of 4256	4604	Jplmmfmi.exe	104
PID 4256 wrote to memory of 2184	4256	Jidbflcj.exe	105
PID 4256 wrote to memory of 2184	4256	Jidbflcj.exe	105
PID 4256 wrote to memory of 2184	4256	Jidbflcj.exe	105
PID 2184 wrote to memory of 4528	2184	Kkkdan32.exe	106
PID 2184 wrote to memory of 4528	2184	Kkkdan32.exe	106
PID 2184 wrote to memory of 4528	2184	Kkkdan32.exe	106
PID 4528 wrote to memory of 2596	4528	Kphmie32.exe	107
PID 4528 wrote to memory of 2596	4528	Kphmie32.exe	107
PID 4528 wrote to memory of 2596	4528	Kphmie32.exe	107
PID 2596 wrote to memory of 4492	2596	Kknafn32.exe	108

C:\Users\Admin\AppData\Local\Temp\b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b031db93bf4c2a54667fe4c3ef353330_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\Hjjbcbqj.exe
  C:\Windows\system32\Hjjbcbqj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Hbeghene.exe
    C:\Windows\system32\Hbeghene.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\SysWOW64\Hfachc32.exe
      C:\Windows\system32\Hfachc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        60⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 400
        61⤵
        Program crash
        
        PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1356 -ip 1356
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
337KB

MD5
b19283d0ee8923a05d91cac5ba5a9c6b

SHA1
ea36164d6c6ec9d1a1d6c5982332a886818f4779

SHA256
7dda7abc107e8d807fac90f0df4d761daef623e6d47ca8febec8dfa2b708d1d0

SHA512
5d7090f7f6fb118ea44c1e77f3b49cdf69b51d6209e6a55760605086ab1d154e1138cbeaec95898483f83e2901aada8db004eb91c73d3cd7cacf124c3d8df570

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
337KB

MD5
53044e4ae33e057e3f5d8e5e4ed04f92

SHA1
759e65ae7b7319e56c725c1e02580d1f0369f25f

SHA256
3e43c8178b9f1364ff50dde25cad4287799a2703bfa9fe7a63ddfbad964d0a71

SHA512
a1adeb6cf1d8539fa1ff4d31a3e1f7ee9e710034d1d52154a16216462ab9d74c0ac5893510e0706c867f30fbf7977ff5e02eb7533056633095e928be1bbff378

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
337KB

MD5
db52c086f087057b6f8d63b745b746ee

SHA1
e1ab8016fa469295a95a3ed08c1d916c06abdaa6

SHA256
244961c939de0821708510cbd6f4985424516e68a8cd9676cc1234ce2f5fc253

SHA512
09781ba0559b8bc75622029189ddfe8570fa6ab863b15fbe4bdda6d83d91c26d5ca083533db85ea058ca2092096dd2365f1f0ba39863e45f176eb3881f867a0f

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
337KB

MD5
c61ecfcc0de823d1cf8311d2f3e46338

SHA1
b229044c7c2f00dd45439f516cfbaacf92a2d29d

SHA256
7414e6247bd912305045b6280b7edd2fb1956781e8a1e75ed3ff94ba77410866

SHA512
a19b8a40a69d791cfbea75f1f874eddad95f771edd233fb9f6223653e417fb92a587f7ac70d83e302f64307d23350c5b7929f929ae779e297f4fbf764cf47231

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
337KB

MD5
455a6fae97729ebff3aaaa4b5cfdc433

SHA1
5a63ea82206ecc21dbfa43cc9a7d8eee77e694cd

SHA256
da367bc05aac4bcb232c485902c70954e3d9058d2d87b7cb5b25c21ae6f94cf7

SHA512
f5265d2bb4e0a52e8331d738c61b0ddb61a515fe9ef616a5368d9f0e4a987c3209476267c43bf7e4131100d068c19a323b077c8cad51bd54f24b6b7d8f006b32

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
337KB

MD5
2837a95c1440e02b57c316213e54621d

SHA1
0f398cf32681e7882efbea0def34a2c821fba893

SHA256
cf7daa10a6c2a84439df38ad39f65648d5b12fecd058495bbb462177434c2c35

SHA512
7a970fffd4ee00d6652034bb905f896bb3a8b5867ea84a006219963eb8f0d03e61763ed78494a19f86f6a9b50b01b531c4b9b297381ef12d44fb93a68dd10f0f

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
337KB

MD5
2e5147eca5ec6c9379c708e28fcefd6c

SHA1
20099466f871906c3408e822066c018fd09aa527

SHA256
082325674966280dbb629a28502ca52e37da71b2cc5a14b4799cbf95770629d1

SHA512
712090e8ae709b8bf07033f2a0e42ab20f7183060687cff7805be68616dd4914a0ea98db1cd3803ed5b1997dee2232bca1df0decc95e55d042f4869de8487c51

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
337KB

MD5
702e85ffb9e2168d22821243e099a40a

SHA1
5d738d4e1bd541006f7e7ed9fb23a9c5b7ae21a6

SHA256
07bef3e08dfda55e8561e016c5393258306b5d5329be990a5e7cded1d8da7115

SHA512
4a7c8463e0c16ab1d9736855258d1b03fb9ff486bb055141b9e9376ab6481ed2348837d6afb4d89f8b27ac21684bc20e0b0bfadd40127e3e1bbb6f22a7d85464

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
337KB

MD5
497adacb163fc8e5a27b28135377dd00

SHA1
c8d709ac90332131d1503c4147d185e964e1759a

SHA256
933da237ca2c533200b50ce67fac7c05ce1a1b29640e4ecfbd2d7340699b6858

SHA512
8f59cc0d7db86a08f07c70c86d821027adc2d45a2af2be3e680f6a6f3bad08dd1bebe63ca1758de745ff26cb74cc60d45c72f0233c6d24b831ee87141094b8a7

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
337KB

MD5
513fbdb577c32f846aace01b29b03602

SHA1
dd89e27bc9050285ea7870735216ad114b20deb7

SHA256
a2a1455af6c74cb55bdaf1a0b921fc3c1aa1be89c8d4c2175ec7bbb1d519f90c

SHA512
710d701ee3937b30677e74be384f548394ed53a9d6511ad77973f4e9cf8b70665f62c76c607b45102be6d33f9d8e04a9d25cdb67a9e7ec298fe2e92b5539d5eb

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
337KB

MD5
5f7df9b721e09d183f29387e7386e803

SHA1
a37094bbcf81046b3acb5cd777ad7c9f9af2038f

SHA256
320584825d478d5e34f14a64150bc748a38a8112d6eb08ad71a6ea404978f33d

SHA512
7cdb5e9bccc4f9999a1fb3b86cef1fb0d0db00caa2b7a4c291f6c7472b4bbb505a00690698aa1c34d05d2d23ab70e4badacd769a3be61783036a76cb84bc95cc

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
337KB

MD5
51a1116f9c590a1e5c5e1936c4a0cb18

SHA1
ea25d935777b5716a8ea823af8cf7aa24f4c2736

SHA256
6524523d5cfaf6ddcf1a5fedeceac6e99298ff6eaf1f5f9764c719ee84b3f9d6

SHA512
18eaec10ec70cb0186596f806c0d00e002c131233e8da2b9407cc17d99b307a2817dbaedcc7f412a3f2fb41bc9b91696716fa966ce6b6136793e97d779732a6d

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
337KB

MD5
0df5cf07453a10dd3c027a54e8fc7671

SHA1
50561cfc2cbf361d0433283f491636300bb384b1

SHA256
2a6637819902327f10d4cd91d4827a540d0ce8e8acddad7b24dc74daf5797930

SHA512
d4fc91b6f172b16102a7f22f0d04454c405a01341a23fbb653da96c47df5ceb4a75685aa701a181304db8c53a60b7fe41ce72dfad584aa660388076158c4da57

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
337KB

MD5
28e893ba069d42083e85ca2d0cecd8c8

SHA1
1794a8b23e055047508ba844ff4b096c880dad3c

SHA256
090be95a6ebdebac66f90b7d91dd1f11dd14c8d814c10399d1315d6ba5970246

SHA512
a551b72b06c2229f4f5fe61c3d9e437e768e47a2ebc051be36cb064b64a21925db90b7dd3b576cfbaa9af2516463571cacf552aa8abb289cb032825e7a1af8ac

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
337KB

MD5
bb4e17b1e35fc0cfd66b8b0a83500210

SHA1
7af836acd489d5097f9840b225bdd89c80e56eb7

SHA256
66b970313d6dcbaa4da77b11bd38d84825346042f90a9017857e383039f5d1d3

SHA512
dc48aa98f65127115308fa2563f8d3d6ff7329f8403fb3753551ef5cc0a4ae6b2a330f2b374001cb247a8ad5d43805a0e11fc4a1d797cd1d774a4f0bd709474b

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
337KB

MD5
7109180201307ff65f65e5694c5d1c73

SHA1
34f41bc55bdd08b5c85ac2f78efab04f8203f203

SHA256
0bcbb04acaec54be2db2113242d9478571ad5f8c487e7c84cd8682bba26ecadd

SHA512
9d2b0107b90c6adc3244e2a72dda99a1971a3db9fd66123d147ebae4a2175365fe2f24e32aaa6375e5bceee30eebf2a6300a742f599a29d7623448f5fd6683a7

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
337KB

MD5
f2d2898efa881369d743285f7c44e3af

SHA1
92a64a7dfb30ca58ed4ba8e7d19a13cad93bce75

SHA256
6bcf336a654b80e9d060e7537a69bc131a212381752c27a938f2c41e0132ad10

SHA512
5c3b552b0a5fb981b9bf527093350092d635414f986a48b54c66dccce1305e770851cae37bcc9db5a2aae4e3e01201656d2abadbbb952243555a9a1bda5653cf

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
337KB

MD5
4f0adac55ad2539a40ae02dbc3df373c

SHA1
9e5acfbefa99951cedaeee1b8b5eb3c652c808fc

SHA256
464b1de3f603a29420493276dc63d288077d368e52cea5aa10327ce4286c73ee

SHA512
e4e5f3cef58473b68fe9149f60d42604cc49b4c01504e7f9e607c91f380bef102310fa269056ce0d9a1d51e09e06c41d30c7facf9ce03e1717384891d51fd229

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
337KB

MD5
fe7e13f74ec4aa7180c306a054e77bee

SHA1
076c35ae8ec1758a01844f81d87297cea82a58a4

SHA256
cc73150114d2b6c96f3b1f207b860c6b6c1cc4609b705be61bbe354d102053f6

SHA512
85c2a68c9b3dec815259464607c8e68ae47cde0172c48b13d0bd6b45edfbe495546c2efd784aa2c867933bc18586b88bddd62e508a6d003064d1ba42c71281dd

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
337KB

MD5
f75dddaa1e610e6bf8ee67ecfa32421c

SHA1
05b682ebedd0a4a52b40b3b99879eefa938603f9

SHA256
40a95527df1a480c30db1b906b59ac005a792029e9acd0b6a8387e4752c18f09

SHA512
2aaffbbc49a2d3b49cb6484c15af36d9cf91318a0f854af9e263b78f2983c9c6073afa21d6e9b9e6d49193c2b0419da46e16fe6bec479cf593a7450c0c9bddd5

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
337KB

MD5
bbe420d1ea68dd5e6cbf530ddddb3baf

SHA1
b1ff80bacd9fe6516be3246d7a34d50e6a61a16d

SHA256
6361a45ad8bad9d288925beb0d9a4cc10b122e7b891948fa3d0e96493f95efa3

SHA512
697bf7a0284a9b180fd018565a874e084adf6fab8efb377884b1610c3a534fb1b6833d764e3bdeac9aea29a9edf78c6bbf5c104e178762a4dcf48e49f516187c

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
337KB

MD5
95f3ac479934809994193a526724a587

SHA1
5d8e74a7e86c1d9f8ccf1155ad5981b6231dc42b

SHA256
77c11eea12358f2e3fae495c1bb33643e7eaba4bdf877542cca7065a8f970b02

SHA512
eca961fde22a6ece607485a3892fffe59a18ed08b53485b7bf935d51e7836db1adf3ddb260b52080b45575f013879e3ec45ece94c44e07a8032c21ec84e256be

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
337KB

MD5
bdd4ac252d8c8d13fa4feac46d8fb48a

SHA1
ca4975c5e0cb82c91ab3830744f3f979c8c613ff

SHA256
434a066d48316e6f575fa74cae6cde57496d6ce1ae020154e1b9cb5888c709f2

SHA512
6985ec2f80df08d4b604f65a13d435cfaa8993ba89efbf7776b694eb85b002bb2ef9b3de836bc39852dc4a37e8642bfa46cb4f24a7ddea7d733307233a00d7af

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
337KB

MD5
069f7b336c592a4be2cd8c58feb6aaf3

SHA1
80bb40a2d3292c97d2beec35dbf3c26a35df7919

SHA256
6d3c844585d4ab4b1980db04c30739938a3fa6543e466ea52e03138acd4cfd10

SHA512
df10d573585309c0923d9a67b4dde3258f3d171d1d3eecd9ea68a3f02fe1b98cbf749a41e3e5e3f50079ad5a80ac9e23545d9b974ce7713f083653fdb01e371e

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
337KB

MD5
e03bdc267f222edf2e0c0c95945cf993

SHA1
90ed36ee52169c98e5ba58e14d7800bc2cd3b0d8

SHA256
65f1ee90062903678c992cfaa19322fb44680f61954396a9a1aeb8b5b4e9017f

SHA512
012170ab5c3094415b7cee5de14af897fe474be1de6e0edff915adecc0864b303ecc099c2044ecf82abf5d0deb4903639b59e96096cff9a30baaec979e66cb71

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
337KB

MD5
92c9c308affed8bc69fa6966953e9293

SHA1
4ca4f237fb8a22b679a23097f3c83a0240d46967

SHA256
b4cfcfbcddb66eb466c142fbbbe4fabf22764e8c9864360a67992efd95adb6c0

SHA512
79e0e6a3e2a53375255a33d4e0c194e4fde350bd3b88a02585c11da2788508aa2a9b1c190deb0d425fc0d7594f59d847e48102752a8be344256904fb36b7c7ea

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
337KB

MD5
3567a3fbdb87c473e3a0490b6513c1d2

SHA1
21342883211be56fee2ab8b2dbdc8375e7c792d7

SHA256
33942a63f66c209a740d53b6367ae907720722e915cf5cd01ba0f3971e502f33

SHA512
29ffc3c49bfbda330656fa2a0abe905683636683efb1543833c268df806b943b0888e948b1fbcaf871249d5b2889371328a241923ef176c30aa28d2c3ab4d7f2

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
337KB

MD5
6c86e5402ca0fbddff76626fa249f522

SHA1
083edfe9cbb56ad5c56f846cdd4c20f3e6b1518c

SHA256
d3b60f30103e16211760f06a0516c7df7c315b05c5bf94356b86f3a85a463d77

SHA512
216a997eeeb53384ff86658692c970fd4cde1e6289c339b083008ebb52752915bc8fd17838466e2a0a7ca780f07378a19bf921113b555d0bb1ff62eda75daed0

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
337KB

MD5
a8650b2b4cce685519773c87dfb34fb2

SHA1
3773da1543736da9c37326f999e41ef82f75278c

SHA256
8d5d0b7f812feb2e785b6764848a1490c3aeb4d226bcd28ad51b6f389cc8a055

SHA512
cfa073b6f873a83f8794823aadc61442bdf7f60c21c6671b2d221b64716f4d7e150e0977866c41ecfab3b7f6184d599cc1ec90c02813ffe1c89f4c12fb2869c4

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
337KB

MD5
abde98f2ef161680bd7bbb3198cb322b

SHA1
3f241d7356c775a134482e835477272c1e91faf1

SHA256
a6503d22178fe8a4554d434b190514ee4bd4a628fc136f6cc72f98f8525ed2b5

SHA512
b76302cce06f74fd04d2d12b7806d2b2b1ff206a4e047474d12853c68cbe97718da63c733c853ed23d526be3545f47e424a0fe76a5275a6d884a199d48c3a962

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
337KB

MD5
f612f33087e70ca87339714f8b6a5af3

SHA1
95733fc5282263c8299841b526dc19c130b796bd

SHA256
c871abf46aa91cfc7bfc690b6888139146828cce5089e10c9dbab09ca3d70cad

SHA512
a8adf9560e5e86d5b04c25aa6ffe0eb1ce6622a2d732d260e4974095901d1b884d0f75d404b6cb81a1aac3308c8d8548e10d8959cb2016ace3fa4163401b7461

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
337KB

MD5
9a60ba448d06cbaedce5bf5e23905972

SHA1
98455c07062c37c604bf3ca9a568a951923b6cc1

SHA256
0e690a860c9714344420db4da865e96eeaab63e5f026a1006e258630d7dcc9b0

SHA512
23f6ef0dffd759c27d4e928f3a334fdcbe868e76ceb16b5e724c9681accf22a17bb94757e4bdc1fcb878bb90f0687feae771bb80fd49eda1375e375f28e58dca

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
337KB

MD5
9e3838ab12f671053ec5c4b20cc01b38

SHA1
756b46fcdc2cee5d9f438646d80198684da19da7

SHA256
2efe75ed6097b2ddbd7b054cb774364bf6b206f42126612d6f73c04955f8b8d5

SHA512
79a189fbd9ddaa4d9aa3d47fedce72bb5a763f328cbfe970b70f80b83e69f3d53d91c799a9134bd04d7d06513f773890df79aefaec191ad89312c455150386fb

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
337KB

MD5
1aeb7bc31205888576ff54f121e16627

SHA1
aa83ecd37530218a2c1ac42e75e4e52023dda929

SHA256
5bb9161b3af7649be4405cd908245f4cdc5a8bec83d505b93f0f6a439f87d40f

SHA512
bd60fb284bbef15c421258accb35a65c9ce6b53411c888ea6a8acddb44ddf49da347ca31d5c069a49a65969bd709f8e84069cd2cf41adf81a4b494036b725960

Download Submit
memory/100-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/100-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4800-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads