8d7095c3a66b48b7cf31f91e1cbeeb6ecb45ffb6611459815f7ce719301e4ab1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe
Size

169KB
MD5

1c254c84d346f4b192ce951161d6b2d0
SHA1

c974d7a9143c19b49b82392e0271c777587308a4
SHA256

8d7095c3a66b48b7cf31f91e1cbeeb6ecb45ffb6611459815f7ce719301e4ab1
SHA512

cb51fd8835b460ae844d063826100112ea45e736adbb4bf5f05f5ff703e38c84fdc14d64c32805dcb64f22acbb9687a594cdf570c50f488c043d08533ca1f855
SSDEEP

3072:RPt08X2HVpm2nEJXuDAcZPxMeEvPOdgujv6NLPfFFrKP92f65Ha:bX21pm2EJMZJML3OdgawrFZKPf9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe

Executes dropped EXE 60 IoCs

pid	Process
3428	Jdemhe32.exe
4564	Jfdida32.exe
2148	Jibeql32.exe
4132	Jplmmfmi.exe
544	Jbkjjblm.exe
3400	Jidbflcj.exe
4532	Jpojcf32.exe
3008	Jfhbppbc.exe
3128	Jmbklj32.exe
3248	Jpaghf32.exe
2088	Jbocea32.exe
4984	Jkfkfohj.exe
1248	Kaqcbi32.exe
4820	Kacphh32.exe
4912	Kbdmpqcb.exe
4560	Kmjqmi32.exe
2284	Kphmie32.exe
800	Kmlnbi32.exe
1932	Kpjjod32.exe
3548	Kkpnlm32.exe
4716	Kckbqpnj.exe
2620	Lmqgnhmp.exe
4252	Ldkojb32.exe
3456	Lkdggmlj.exe
1256	Laopdgcg.exe
4688	Ldmlpbbj.exe
4196	Lgkhlnbn.exe
1116	Laalifad.exe
2232	Laciofpa.exe
3964	Ldaeka32.exe
2500	Lgpagm32.exe
5044	Lddbqa32.exe
5092	Lgbnmm32.exe
2160	Lknjmkdo.exe
1120	Mpkbebbf.exe
2212	Mciobn32.exe
1732	Mgekbljc.exe
5028	Majopeii.exe
4384	Mdiklqhm.exe
4728	Mjeddggd.exe
1108	Mnapdf32.exe
4008	Mpolqa32.exe
1708	Mcnhmm32.exe
3656	Mkepnjng.exe
5096	Mncmjfmk.exe
2712	Mdmegp32.exe
3592	Mkgmcjld.exe
404	Mnfipekh.exe
3740	Mdpalp32.exe
2552	Mgnnhk32.exe
2992	Ndbnboqb.exe
1576	Njogjfoj.exe
4444	Nqiogp32.exe
3452	Ngcgcjnc.exe
2264	Nnmopdep.exe
2932	Nbhkac32.exe
4908	Ngedij32.exe
3156	Nnolfdcn.exe
1056	Ncldnkae.exe
5072	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3364	5072	WerFault.exe	150

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3428	2092	1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe	86
PID 2092 wrote to memory of 3428	2092	1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe	86
PID 2092 wrote to memory of 3428	2092	1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe	86
PID 3428 wrote to memory of 4564	3428	Jdemhe32.exe	87
PID 3428 wrote to memory of 4564	3428	Jdemhe32.exe	87
PID 3428 wrote to memory of 4564	3428	Jdemhe32.exe	87
PID 4564 wrote to memory of 2148	4564	Jfdida32.exe	88
PID 4564 wrote to memory of 2148	4564	Jfdida32.exe	88
PID 4564 wrote to memory of 2148	4564	Jfdida32.exe	88
PID 2148 wrote to memory of 4132	2148	Jibeql32.exe	89
PID 2148 wrote to memory of 4132	2148	Jibeql32.exe	89
PID 2148 wrote to memory of 4132	2148	Jibeql32.exe	89
PID 4132 wrote to memory of 544	4132	Jplmmfmi.exe	90
PID 4132 wrote to memory of 544	4132	Jplmmfmi.exe	90
PID 4132 wrote to memory of 544	4132	Jplmmfmi.exe	90
PID 544 wrote to memory of 3400	544	Jbkjjblm.exe	91
PID 544 wrote to memory of 3400	544	Jbkjjblm.exe	91
PID 544 wrote to memory of 3400	544	Jbkjjblm.exe	91
PID 3400 wrote to memory of 4532	3400	Jidbflcj.exe	92
PID 3400 wrote to memory of 4532	3400	Jidbflcj.exe	92
PID 3400 wrote to memory of 4532	3400	Jidbflcj.exe	92
PID 4532 wrote to memory of 3008	4532	Jpojcf32.exe	93
PID 4532 wrote to memory of 3008	4532	Jpojcf32.exe	93
PID 4532 wrote to memory of 3008	4532	Jpojcf32.exe	93
PID 3008 wrote to memory of 3128	3008	Jfhbppbc.exe	94
PID 3008 wrote to memory of 3128	3008	Jfhbppbc.exe	94
PID 3008 wrote to memory of 3128	3008	Jfhbppbc.exe	94
PID 3128 wrote to memory of 3248	3128	Jmbklj32.exe	95
PID 3128 wrote to memory of 3248	3128	Jmbklj32.exe	95
PID 3128 wrote to memory of 3248	3128	Jmbklj32.exe	95
PID 3248 wrote to memory of 2088	3248	Jpaghf32.exe	96
PID 3248 wrote to memory of 2088	3248	Jpaghf32.exe	96
PID 3248 wrote to memory of 2088	3248	Jpaghf32.exe	96
PID 2088 wrote to memory of 4984	2088	Jbocea32.exe	97
PID 2088 wrote to memory of 4984	2088	Jbocea32.exe	97
PID 2088 wrote to memory of 4984	2088	Jbocea32.exe	97
PID 4984 wrote to memory of 1248	4984	Jkfkfohj.exe	98
PID 4984 wrote to memory of 1248	4984	Jkfkfohj.exe	98
PID 4984 wrote to memory of 1248	4984	Jkfkfohj.exe	98
PID 1248 wrote to memory of 4820	1248	Kaqcbi32.exe	100
PID 1248 wrote to memory of 4820	1248	Kaqcbi32.exe	100
PID 1248 wrote to memory of 4820	1248	Kaqcbi32.exe	100
PID 4820 wrote to memory of 4912	4820	Kacphh32.exe	101
PID 4820 wrote to memory of 4912	4820	Kacphh32.exe	101
PID 4820 wrote to memory of 4912	4820	Kacphh32.exe	101
PID 4912 wrote to memory of 4560	4912	Kbdmpqcb.exe	102
PID 4912 wrote to memory of 4560	4912	Kbdmpqcb.exe	102
PID 4912 wrote to memory of 4560	4912	Kbdmpqcb.exe	102
PID 4560 wrote to memory of 2284	4560	Kmjqmi32.exe	103
PID 4560 wrote to memory of 2284	4560	Kmjqmi32.exe	103
PID 4560 wrote to memory of 2284	4560	Kmjqmi32.exe	103
PID 2284 wrote to memory of 800	2284	Kphmie32.exe	105
PID 2284 wrote to memory of 800	2284	Kphmie32.exe	105
PID 2284 wrote to memory of 800	2284	Kphmie32.exe	105
PID 800 wrote to memory of 1932	800	Kmlnbi32.exe	106
PID 800 wrote to memory of 1932	800	Kmlnbi32.exe	106
PID 800 wrote to memory of 1932	800	Kmlnbi32.exe	106
PID 1932 wrote to memory of 3548	1932	Kpjjod32.exe	107
PID 1932 wrote to memory of 3548	1932	Kpjjod32.exe	107
PID 1932 wrote to memory of 3548	1932	Kpjjod32.exe	107
PID 3548 wrote to memory of 4716	3548	Kkpnlm32.exe	108
PID 3548 wrote to memory of 4716	3548	Kkpnlm32.exe	108
PID 3548 wrote to memory of 4716	3548	Kkpnlm32.exe	108
PID 4716 wrote to memory of 2620	4716	Kckbqpnj.exe	109

C:\Users\Admin\AppData\Local\Temp\1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1c254c84d346f4b192ce951161d6b2d0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\Jdemhe32.exe
  C:\Windows\system32\Jdemhe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\SysWOW64\Jfdida32.exe
    C:\Windows\system32\Jfdida32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\Jibeql32.exe
      C:\Windows\system32\Jibeql32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        59⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        61⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 420
        62⤵
        Program crash
        
        PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 5072
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibimpp32.dll

Filesize
7KB

MD5
1b0d5d2005726f68215742f553d43368

SHA1
8a338726ec778ca26c9bb375d3e2eba288a3118a

SHA256
728a82d1bdb521cc22c6349c18b0d82ba35bbf7375917fa0d8d0913adc0bf5a0

SHA512
02838d4e10e75ee29370102ebb3376648eee84080c78fb6ca9e399bbd5a6dee9e464eb207d1e9f7c7507de992e12895ad5e29e889e442fd1c7343f8ca7069c34

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
169KB

MD5
6f01f6fe9541ea652c719a2155031091

SHA1
9e650fdbcf3c984870104efbe48fd5808ba6a072

SHA256
73e37fb18b43ee076526ac79543fca481788b06c0c526a7fd91f5da19e59c343

SHA512
fb1395eff0ab174b0de13d83cad744accad62a37ad19b75f4c2f5c29d436f819f03fa29b8ed111a0f7e262cf5d1bc10be0ae46353fdf02ded039bdabb0f264b9

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
169KB

MD5
0b9cc487bca24c85cf09c719edb2d293

SHA1
86db032e385fb54621e31482cd6f9b845673f50e

SHA256
ad71dc1b98844a1ccd41b2b768980c64f8da592f0151e9f6789aebf9a5c9738f

SHA512
6c9d8e2187459a6722d19f8018b17efbde02fc6fe0bcdc0dbb795b1498ab8ccafd3c0954bd9f96774da2f0a7da307ef39f821ccc129c9115e8de50b0fdc9f651

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
169KB

MD5
0773a857d9d5418e68a7590ee03bc4cb

SHA1
20e00faf5cbaf4814e82cd6961878e20ef42a001

SHA256
43cd44bacc0b3a9e4b8780cfd95f425847046121e91f3a7883c0f71c3c55067e

SHA512
9c73b5c3b7bc8320302b317ddc3d38eb40003e1fdc7f44757da7f5a4a061300e57873980a59a3c950b663d6f09545f1a01a40031dca056addf10222f40b64bc3

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
169KB

MD5
d3065a57f082d0b99a6eaa747526a6a7

SHA1
875726f780f53c7f28de02df94fc68e0b9b909f7

SHA256
4093759e6d7fb1d74cecc1a2cf784b049e113d72fcf914aa806353fb83b3e44a

SHA512
30d3062f86f1ce456a7321469269c8957d8ee5a04b79eebd8a7fb6958a38655269fb27de01d06bb3cd2ce5ee1eeec98d1cd95f8847f99f323a7b2e5d3a12338d

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
169KB

MD5
e738076aed5e39f71abf7d9184390b26

SHA1
381e463938b02a7357624e537ec55d051b6dc7ba

SHA256
74266eead5fbb67a3e438ddb801ea9dee01dfc227f0d936d7d85173c82f1d08c

SHA512
9f74301c4f2c88e1a0ef675c19e52b236f78c7d3d815c685f6643ea44267ecab2a67ebcea45df2e54c9e5a459789234abf3e1410060a012cbda40841e4b7e30a

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
169KB

MD5
ecd7dd48001a80245cb3b66981bf5c12

SHA1
ee7778bf915c7ee3723efcfa30abfe41ab0d8e68

SHA256
c5bf96a4fd0b3ee23ed9224b6b094a6625cd145757145c4931c563cf10288b00

SHA512
294e54cdbd9e1f71e271686790c095f87c5d5801fec19f1fda0e41922d392f78b54c2e99dcc35edebf3bc0cb3fc83e1b990969e3e816c1b09d54f33af0e0c411

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
169KB

MD5
3dd72151f2849a77dd6595a42c162eb8

SHA1
d4a8eeb227288ad802053deb7a4f97fa4602772f

SHA256
40c693e72cbf5255945f6c19ab5cc870407df25a7cc1d20d4e18a643a555e4c2

SHA512
adcc6ffa08d0aacb376a75d3f0183aeab0ad3ae870d2c6e4c7fe9b71493d1f5b4eda0fce6575733b994e91514088028cb0ebffff5afb76de78debbf6ea37fcfe

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
169KB

MD5
5ba4cc85b8b17790f349d839eda1f290

SHA1
9c72671c78b1d090e41470a440328355c818ece7

SHA256
a9c859df59b3e7eaba13f863bae4091e3d11eb0bc034bf0435fd7c43c7c1b114

SHA512
ead375ba86ae62868dfe38117a3e5a3a07b17a3dc7d1f87ad012f7aa1109687daeac895e47ec1e8aafe29494e58c899545a382007c15db9a909646d174bb3bcb

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
169KB

MD5
04dca160bd06c69fd5fc21814981fa13

SHA1
fcdb6c6942b3e35f9e5406e19d573623f71fa1d1

SHA256
d3e2e0e054ed143274a2770bf11cb28bb150a857c32d4f3b4526b4c5a7f5268b

SHA512
04723ad9193392538bd4ef84cc714a44fa7425831a3a6877596101e3d4569073e71dd85e3aa50ca660e2aa3b2ff13d26984e4a3ecdf4a06516a8d31d735c1c75

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
169KB

MD5
55907191c1cc4161885056644803fd27

SHA1
e342d492c99695e1584a4cf937e2a968bfc7bb3f

SHA256
e58d4f542b2f7ad67fcf53cf62696d0dc91f104fa75483c5da9c9f73c232ac1b

SHA512
69e873a07c400ccfabaeda56a277476e49107bf331d549a745293d85e458864982c9e94762760e455c3081c22813ec5c6abd41d57a05e1805f262b8c58509313

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
169KB

MD5
adb5cf6324aea9fb2b0f87346494520c

SHA1
4b39a65e477d7f89606f909b1412465b76754715

SHA256
8db5115193b4183d8e26ccf3fc92a44e7ad92953e8a9398de1a8fbb14960c8eb

SHA512
ba0b6c1fad964096ffa78a4f9b6da61e877fc5e595b2b924f029556e69c48d8f58e733562a47cbd66bfa0e5d4c1c833bfa0199f585534c13beb189ee3860d435

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
169KB

MD5
73117156f4c861ebc5b24e5421346783

SHA1
9b3ac908c82b114737e077ebf30631a11614cffc

SHA256
54e8b11c4f20ae05f670851d68a3c954887d66918a02525abe944d96e8e68dfb

SHA512
ba538f062f2608c33148f6772e77e8f09cad947453c80c247fe1454c9fb790006847eb08cecb8b3059f555ccb528632ad8dbb6b117bc3e6bd955b8f9c4de83b9

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
169KB

MD5
e94ad1ba8fe770966e9340c4a65e7eed

SHA1
098b09fb35c729b61f6d5a21da1bcbc5a1c131a6

SHA256
1a31c7e47f80dfc28ec2006b59588e811d92dda6ad12134faca1415ee50c158d

SHA512
e4b8006df2d9143402e7a1a92fbb964fd0ada324db3b3f242c2de10fb7f9a61a18de4438e205f6a3e6a2dc8affe86f245680cb228204e97e691a0eeeec75e7c5

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
169KB

MD5
4c3f6df0f4eccfe660dd8038daf03785

SHA1
9b2db8c1cce43e52090c9b3265297b72b5855c83

SHA256
03c526536cebfbca43e34c340c203c653581d77eed58a210dde2676e14e1c97f

SHA512
288f475e529f9a1c00998e49c8557e95f941089eec14ded5349bab63ad198d8dc5e3ff74d41abd1c78af911ed0a37f120de171ac876a28513d722881108c68ee

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
169KB

MD5
811cb325656122d4b8c776e66a9681ae

SHA1
e7cd8d69741b97511a2799c9ab723030ecf221ae

SHA256
21ee751b86055886b7ef891350568d60fd4bf57a5cd8226d41e94862a24667b4

SHA512
c65296b537483a1d61efe218edb492a59aaae54189d4c86f262a62467a1c93e2ecca644ba381dfa4409a92be8c7df85720fbe9073b3efeb62a9cd444cdb82378

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
169KB

MD5
8ca58273425e6128d23a736e19951f99

SHA1
10a11193a83af2996a8a92c72928c493f0950ee0

SHA256
e16c94503d4b7ac9d7a7cfd3dd784e34c3b21058e9360122639146e50c33b884

SHA512
9bf23488f482e1c3d836d72b0ba4ed6e6b68c934bb2c67646f1ef619e8dbc9dd81f32b9794500607b105758ca9bd6b6a808c86b3eec0737a3c4b906164041507

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
169KB

MD5
2972210a5c8b498ad1d5b4ad6ea0c105

SHA1
89dec65d3c9b5491e0f6009538ee3eb42aeaa01b

SHA256
6690b45d0a1923ce5e36908128e5c521aeaa2a60a0a6049c793ebb064c910c55

SHA512
413fe1ae537d4316f9d539fb1b0b01d4185a05adaa589ea3a4c7be8af7fcd96cf9bbd9daf02b67fb17bb64bfdfc4f80fea850531407b46eb06db9ff7140e38be

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
169KB

MD5
4e03905a5fec510461a1c7b658027fac

SHA1
625c110373393ba1b70ad5a52b53fd966e97165d

SHA256
a5e5032a9d7b3eba06c1ef6b778caaba8bc9d56297a86bc1aca9a5e04d3f3ef4

SHA512
5abb30c05d9b91699a9d18ca1fea651ebc57b75d401444537b18d5a1255abab4615f0cfeb500f63cbdf3e5ba4663712b3de30dd1600a5b68e8d97244d8457f2c

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
169KB

MD5
ea09003ce5fa83a0b399b3f7231738c2

SHA1
58efa3a46a414cd57ca8d72069dbb624bc2c99a6

SHA256
4871f9abe51d056d03734c72dcbed2990a21523d433538eefcdc96a581b1120e

SHA512
41308e5f9e436910a0413aef763c7b8184b9394730a3f38b73ae0e40e8c2813af77a66023353a0738af721b8a2f291b235aad20ffb88bd95e1f5b195e973901f

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
169KB

MD5
cf7f06f95585084e9a0c7d7288a3e1ef

SHA1
4e7f411fb796032283fe461d48443a46ee5c3662

SHA256
07023a03a650139879dd65af7e44ad35895a8f8851e5281995fa0c15ecac8b0a

SHA512
15c65b736c8455f20b599ac9c992884e4f584b360b2054b31119cf72bc32ee76464635ca41beab8febfb4c1ba9183384add61b9c6aecfad4a5287a57397e7579

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
169KB

MD5
6bafebe96921bcb91852bcdc0a491a41

SHA1
cbed1b87613f4ee6443e65fb97f15615cedfbdd8

SHA256
2bdc847c98267d2fcb8eb36ad90c93a83e3e6f76f760db3cda7aca4024ccc560

SHA512
1e9c910fd6043a73ef64437b10e9a85141000589bedfdcdf29c2a5669470e7a9e30240af0cd844a972298212207aa256ef880b0dd5f7cc3d3a6517d6afa9b084

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
169KB

MD5
d8b649c8fbbfe7b730b0d24cc5c7ff1d

SHA1
762d371cfd30fd966360905f3000c2a546a7e508

SHA256
a036ced730f256b08a712040f69fe348a57ef70ba2879bc6573a1199d8878f7f

SHA512
6bd93079de4ee4b4bafd65d0f6cc7a8557c413d105a64fffde618d35daedd4e6126f3e9a2dadca7b7a25cccb685bb7717dc7cc5acfdfc9ad9792ae89309e59bb

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
169KB

MD5
200f857e4e1193d06a7c7f0d162c7d70

SHA1
0a714969353d07736fb2e57f65cdcf74adce33de

SHA256
eb2dd04ecbf06bdb151f138a6c81cced41bd725c9dc2e560109e56c7dfb85508

SHA512
93e125235cd8b7e9fb2f2b043aa8cc9aac195370ee0f2a760af6816983532600dd35c1ebdbbebbda2f6df51006189da5b9ffeefbafd2742190adaa899b969843

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
169KB

MD5
d82dd3a490a953fd008d022f5e57ea14

SHA1
2de18a5a7a569506ed4322f7d5127a7516e5a0a7

SHA256
befffaaaa6c223f6679a5a621bded4df943e8fa83ead37c2f1dc60da60a41e3b

SHA512
021fc9e39a8df59c39fa6a9e7786a6a7cf5edf1f8a4a86ff058855a807707c95c909c61c513bae1fc9aaac028b71954a919b445ff4785d28a068e52d1cc0e775

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
169KB

MD5
0de216d25adc794b609bc723433b348d

SHA1
82a6f9627c880f1995b19d8b4d025401adee43fe

SHA256
40ef33789cd23013523d5593cc80799d8a01da7c5d4cc40aa6749e176f24f5d4

SHA512
c9f42373e11af0d1a0f87631dea0bc88c35bc5eb492920c1ec5085168fc29d81846fc8a08a10f1b188eabed63fb972b313da276e2ce9524bbbe405b92bf91798

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
169KB

MD5
48afe5a1cf40082f3a3a992bc7779ce2

SHA1
e85f65a400304ab65ae36a43bb1f5f56f3b23353

SHA256
9485bfa2ca39178da1dcd0367f32f26adfa5569b1c15a0e1f0f66f76d437252f

SHA512
ff1de0187014f15b58f22f6d262fc715f2ce166a3753866db1b7bbacca0969756abd4067129e33f6cfbe92c4160852d05e4141cbee97aef70cf8b321754c26e7

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
169KB

MD5
6a455eca712d20b6dff7d8fc6bd44e4f

SHA1
8e6490edac64677801fedffeb9ff341355f43f2c

SHA256
efabeecf3f6ac8d6fbb233e4aaa2dca442da6493fdc5d0d33e5aa92c0c7da181

SHA512
11bdc02516bf9a7f0ec39f60807f8453c4d410638b3cff1d0bdc7acc0a493c56294312a94b9ee055eb0549ee045efdb398e17e86a02edf43bf77a88389568e95

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
169KB

MD5
1a5841eae39aa75e31df23e7ca4944b1

SHA1
a41f93263ba0e64584000f5aa96b52c750879af9

SHA256
54dc4016a31581ab66f5b7a29dfbac4e0afb791874163663e2e96974f3fdaf8b

SHA512
758916b4040297dca1568ec650c98bd558e29de9ce55aacf5e6ee0e428dc3687666cd8a6ed5851a40b05b13d7877174b45cb351f79c37784044bbba96b2001d9

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
169KB

MD5
bba6e9a609e8144bb53dc06dd39969e1

SHA1
0ff3b3609261fa0d2a317c5e92a680b95eee82e7

SHA256
258a35d5e76c073aa6bd9354232e52490b53f18e3f75468b8ec2a74639f3985a

SHA512
51adfe20c7a3beafe995acbc36326b9c5d9ada4dd14ea0b507c2fea3c39f4e116d09bcb8aa9c6cf289e88cb5c6747f3ee5341c47f367eaaac16a11dd4955adfc

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
169KB

MD5
c4a06678c07e5d2cf8c9f34a5c17ef64

SHA1
ef155a0ec217341782e8fa91ca96af8353b89f5f

SHA256
481295c9ce14e2c4ce530dd15e86411ca92c592502a0d090a6b0fa7990a96214

SHA512
6be8d76e0be09df02aca9f819fc4ae3eec3c51852e61b44377101fb8930ad8d21ca2be3cbb0289f59aba99fe10be8ffca93315b3c301a6975d3f80b14dee8fcf

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
169KB

MD5
c2e47f98facdbc05fe6f235164b8b00c

SHA1
b33a08f3fb12d901a6afa90e267a8a8033d79497

SHA256
73a982e0e447cd8d04a6cbb6194c9df1f32547035a66560087bb304801b99b0d

SHA512
7ad31f2ee7f0db6ffe3aa1b6dea7f1382f5541857364dc51e8db86dde0da407bb0dc960549552286b73701f030feae81f4538d688b200dd6dbded838fd89e2d2

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
169KB

MD5
e22bdb31b17799d8cb99d3eec201246b

SHA1
3b2c8a64da1aa1e919d8a5279c742fd17c5acec3

SHA256
c022530e40dc2160e0e79037e5aec84fe904e90a59aea80c565ab2dd52bcba0b

SHA512
1dfe3871c43ffd8ad8e626eca7950ca5af3a0fab876a26c6e4285f38fc9d4a70e800301bf342cac6eba0e86b92aec7fe39536183decfe7578b96fe264dd784e3

Download Submit
memory/404-381-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/404-447-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/544-125-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/544-40-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/800-157-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1056-454-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1108-335-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1108-401-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1116-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1116-241-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1120-360-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1120-295-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1248-108-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1248-196-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1256-222-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1576-409-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1708-351-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-377-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-308-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1932-166-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2088-179-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2088-90-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2092-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2092-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2148-107-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2148-23-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2160-289-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2160-354-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2212-306-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2232-321-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2232-249-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2264-432-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2284-236-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2284-143-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2500-267-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2500-328-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2552-395-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2620-277-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2620-188-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2712-434-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2712-367-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2932-435-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2992-402-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3008-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3008-156-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3128-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3128-165-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3156-448-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3248-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3248-169-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3400-48-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3400-134-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3428-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3428-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3452-421-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3456-211-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3548-170-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3548-261-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3592-378-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3656-358-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3740-392-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3964-262-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4008-341-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4008-408-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4132-36-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4132-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4196-237-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4252-287-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4252-197-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4384-391-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4384-322-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4444-415-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4532-142-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4532-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4560-135-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4560-224-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4564-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4564-102-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4688-223-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4688-301-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4716-266-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4716-180-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4728-394-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4728-329-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4820-210-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4820-116-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4908-445-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4912-126-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4912-221-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4984-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5028-380-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5028-315-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5044-280-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5092-288-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5096-431-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5096-364-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads