fc00a5cf52f3e100bb9679c48163026cf682dcc564b8bdf01b72e6c6bd252a46

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 20:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3248bee96b8a4dd99c6e9015487b6e60_NEIKI.exe
Size

128KB
MD5

3248bee96b8a4dd99c6e9015487b6e60
SHA1

5fc70ce35d0970f20841812603a850c784211686
SHA256

fc00a5cf52f3e100bb9679c48163026cf682dcc564b8bdf01b72e6c6bd252a46
SHA512

4dc6de3f8e932b45ae406803f56cd3bf4465c6a928b10faa6e4e28fa9e04bf1de28fa5e06401e81d527a3b99e0053a54986a2dbdf30f890896afffd607b0c976
SSDEEP

1536:4oPPyxBiWg9MCHRgcAC/F3/4danXUwXfzwuTloLxhB1OspLuDbOJrePojhg9zIBW:dN9vHRrMaTPzwuZkO0aDb/IBPC7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe

Executes dropped EXE 64 IoCs

pid	Process
4536	Imgkql32.exe
1676	Ipegmg32.exe
2992	Idacmfkj.exe
2700	Ifopiajn.exe
2988	Iinlemia.exe
4904	Jaedgjjd.exe
2972	Jjmhppqd.exe
2004	Jiphkm32.exe
1384	Jbhmdbnp.exe
4052	Jibeql32.exe
2448	Jplmmfmi.exe
4932	Jfffjqdf.exe
2832	Jaljgidl.exe
4656	Jbmfoa32.exe
2104	Jkdnpo32.exe
1192	Jmbklj32.exe
4428	Jdmcidam.exe
2492	Jfkoeppq.exe
3132	Jiikak32.exe
1752	Kdopod32.exe
2508	Kkihknfg.exe
3716	Kmgdgjek.exe
3288	Kdaldd32.exe
3556	Kkkdan32.exe
3228	Kaemnhla.exe
2304	Kdcijcke.exe
4876	Kgbefoji.exe
4460	Kmlnbi32.exe
3800	Kpjjod32.exe
1080	Kcifkp32.exe
3980	Kkpnlm32.exe
3304	Kmnjhioc.exe
100	Kdhbec32.exe
4432	Kckbqpnj.exe
4528	Liekmj32.exe
3988	Lalcng32.exe
3108	Ldkojb32.exe
3548	Lgikfn32.exe
2960	Lmccchkn.exe
2296	Lpappc32.exe
4024	Lgkhlnbn.exe
4552	Lijdhiaa.exe
3932	Laalifad.exe
624	Lcbiao32.exe
4928	Lkiqbl32.exe
1928	Lnhmng32.exe
2216	Ldaeka32.exe
1884	Lklnhlfb.exe
4192	Lnjjdgee.exe
1188	Lddbqa32.exe
3316	Mjqjih32.exe
372	Mciobn32.exe
2244	Mkpgck32.exe
3084	Mnocof32.exe
4864	Mdiklqhm.exe
2148	Mcklgm32.exe
316	Mjeddggd.exe
2320	Mpolqa32.exe
1880	Mcnhmm32.exe
1468	Mkepnjng.exe
388	Mncmjfmk.exe
4920	Mpaifalo.exe
1772	Mcpebmkb.exe
1848	Mkgmcjld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	3248bee96b8a4dd99c6e9015487b6e60_NEIKI.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4132	1984	WerFault.exe	165

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4536	2660	3248bee96b8a4dd99c6e9015487b6e60_NEIKI.exe	80
PID 2660 wrote to memory of 4536	2660	3248bee96b8a4dd99c6e9015487b6e60_NEIKI.exe	80
PID 2660 wrote to memory of 4536	2660	3248bee96b8a4dd99c6e9015487b6e60_NEIKI.exe	80
PID 4536 wrote to memory of 1676	4536	Imgkql32.exe	81
PID 4536 wrote to memory of 1676	4536	Imgkql32.exe	81
PID 4536 wrote to memory of 1676	4536	Imgkql32.exe	81
PID 1676 wrote to memory of 2992	1676	Ipegmg32.exe	82
PID 1676 wrote to memory of 2992	1676	Ipegmg32.exe	82
PID 1676 wrote to memory of 2992	1676	Ipegmg32.exe	82
PID 2992 wrote to memory of 2700	2992	Idacmfkj.exe	83
PID 2992 wrote to memory of 2700	2992	Idacmfkj.exe	83
PID 2992 wrote to memory of 2700	2992	Idacmfkj.exe	83
PID 2700 wrote to memory of 2988	2700	Ifopiajn.exe	84
PID 2700 wrote to memory of 2988	2700	Ifopiajn.exe	84
PID 2700 wrote to memory of 2988	2700	Ifopiajn.exe	84
PID 2988 wrote to memory of 4904	2988	Iinlemia.exe	85
PID 2988 wrote to memory of 4904	2988	Iinlemia.exe	85
PID 2988 wrote to memory of 4904	2988	Iinlemia.exe	85
PID 4904 wrote to memory of 2972	4904	Jaedgjjd.exe	87
PID 4904 wrote to memory of 2972	4904	Jaedgjjd.exe	87
PID 4904 wrote to memory of 2972	4904	Jaedgjjd.exe	87
PID 2972 wrote to memory of 2004	2972	Jjmhppqd.exe	88
PID 2972 wrote to memory of 2004	2972	Jjmhppqd.exe	88
PID 2972 wrote to memory of 2004	2972	Jjmhppqd.exe	88
PID 2004 wrote to memory of 1384	2004	Jiphkm32.exe	90
PID 2004 wrote to memory of 1384	2004	Jiphkm32.exe	90
PID 2004 wrote to memory of 1384	2004	Jiphkm32.exe	90
PID 1384 wrote to memory of 4052	1384	Jbhmdbnp.exe	91
PID 1384 wrote to memory of 4052	1384	Jbhmdbnp.exe	91
PID 1384 wrote to memory of 4052	1384	Jbhmdbnp.exe	91
PID 4052 wrote to memory of 2448	4052	Jibeql32.exe	92
PID 4052 wrote to memory of 2448	4052	Jibeql32.exe	92
PID 4052 wrote to memory of 2448	4052	Jibeql32.exe	92
PID 2448 wrote to memory of 4932	2448	Jplmmfmi.exe	93
PID 2448 wrote to memory of 4932	2448	Jplmmfmi.exe	93
PID 2448 wrote to memory of 4932	2448	Jplmmfmi.exe	93
PID 4932 wrote to memory of 2832	4932	Jfffjqdf.exe	95
PID 4932 wrote to memory of 2832	4932	Jfffjqdf.exe	95
PID 4932 wrote to memory of 2832	4932	Jfffjqdf.exe	95
PID 2832 wrote to memory of 4656	2832	Jaljgidl.exe	96
PID 2832 wrote to memory of 4656	2832	Jaljgidl.exe	96
PID 2832 wrote to memory of 4656	2832	Jaljgidl.exe	96
PID 4656 wrote to memory of 2104	4656	Jbmfoa32.exe	97
PID 4656 wrote to memory of 2104	4656	Jbmfoa32.exe	97
PID 4656 wrote to memory of 2104	4656	Jbmfoa32.exe	97
PID 2104 wrote to memory of 1192	2104	Jkdnpo32.exe	98
PID 2104 wrote to memory of 1192	2104	Jkdnpo32.exe	98
PID 2104 wrote to memory of 1192	2104	Jkdnpo32.exe	98
PID 1192 wrote to memory of 4428	1192	Jmbklj32.exe	99
PID 1192 wrote to memory of 4428	1192	Jmbklj32.exe	99
PID 1192 wrote to memory of 4428	1192	Jmbklj32.exe	99
PID 4428 wrote to memory of 2492	4428	Jdmcidam.exe	100
PID 4428 wrote to memory of 2492	4428	Jdmcidam.exe	100
PID 4428 wrote to memory of 2492	4428	Jdmcidam.exe	100
PID 2492 wrote to memory of 3132	2492	Jfkoeppq.exe	101
PID 2492 wrote to memory of 3132	2492	Jfkoeppq.exe	101
PID 2492 wrote to memory of 3132	2492	Jfkoeppq.exe	101
PID 3132 wrote to memory of 1752	3132	Jiikak32.exe	102
PID 3132 wrote to memory of 1752	3132	Jiikak32.exe	102
PID 3132 wrote to memory of 1752	3132	Jiikak32.exe	102
PID 1752 wrote to memory of 2508	1752	Kdopod32.exe	103
PID 1752 wrote to memory of 2508	1752	Kdopod32.exe	103
PID 1752 wrote to memory of 2508	1752	Kdopod32.exe	103
PID 2508 wrote to memory of 3716	2508	Kkihknfg.exe	104

C:\Users\Admin\AppData\Local\Temp\3248bee96b8a4dd99c6e9015487b6e60_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3248bee96b8a4dd99c6e9015487b6e60_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\Imgkql32.exe
  C:\Windows\system32\Imgkql32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\Ipegmg32.exe
    C:\Windows\system32\Ipegmg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\Idacmfkj.exe
      C:\Windows\system32\Idacmfkj.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:100
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        42⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        51⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        59⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        62⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        66⤵
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        69⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        71⤵
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        72⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        74⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4520
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        82⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 408
        83⤵
        Program crash
        
        PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
1⤵
PID:4404

Network

DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ql_GTM_ONpMo5qqYZfWLXzVUCUxPfaAsUhuXVacKbL1BUazIdy7YFIqD5njFrJ1cxcRAHGO3iw3qB_R3MKBS_sVlGA4hee81f6RAUKhyVtYNfXLLiv5VlwvQYju4m-6Cu6-hy_U6FbqktIcfsYiU7ioekKAEPNx_wSq1jjchvNa-h1n1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c4f43c7d1b914bebd6f25fcb316d9af&TIME=20240508T113230Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ql_GTM_ONpMo5qqYZfWLXzVUCUxPfaAsUhuXVacKbL1BUazIdy7YFIqD5njFrJ1cxcRAHGO3iw3qB_R3MKBS_sVlGA4hee81f6RAUKhyVtYNfXLLiv5VlwvQYju4m-6Cu6-hy_U6FbqktIcfsYiU7ioekKAEPNx_wSq1jjchvNa-h1n1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c4f43c7d1b914bebd6f25fcb316d9af&TIME=20240508T113230Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1B3F9C6E4D3767500C1488174C1066C7; domain=.bing.com; expires=Mon, 02-Jun-2025 20:03:30 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6645E36B10A64313BEBE401812AB5C72 Ref B: LON04EDGE0714 Ref C: 2024-05-08T20:03:30Z
date: Wed, 08 May 2024 20:03:29 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ql_GTM_ONpMo5qqYZfWLXzVUCUxPfaAsUhuXVacKbL1BUazIdy7YFIqD5njFrJ1cxcRAHGO3iw3qB_R3MKBS_sVlGA4hee81f6RAUKhyVtYNfXLLiv5VlwvQYju4m-6Cu6-hy_U6FbqktIcfsYiU7ioekKAEPNx_wSq1jjchvNa-h1n1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c4f43c7d1b914bebd6f25fcb316d9af&TIME=20240508T113230Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ql_GTM_ONpMo5qqYZfWLXzVUCUxPfaAsUhuXVacKbL1BUazIdy7YFIqD5njFrJ1cxcRAHGO3iw3qB_R3MKBS_sVlGA4hee81f6RAUKhyVtYNfXLLiv5VlwvQYju4m-6Cu6-hy_U6FbqktIcfsYiU7ioekKAEPNx_wSq1jjchvNa-h1n1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c4f43c7d1b914bebd6f25fcb316d9af&TIME=20240508T113230Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B3F9C6E4D3767500C1488174C1066C7; _EDGE_S=SID=272FCE444F72690D3BDEDA3D4EB268F6

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=es7Atluxao-VFe6lZgBid5ehun6Bejco9zUQXPiTOSA; domain=.bing.com; expires=Mon, 02-Jun-2025 20:03:30 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 889A1D953185446C900BFE2ACDEB555C Ref B: LON04EDGE0714 Ref C: 2024-05-08T20:03:30Z
date: Wed, 08 May 2024 20:03:29 GMT
GET

https://www.bing.com/aes/c.gif?RG=c3c79f65f6c14c27a14a392cf07f76c8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113230Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

Remote address:

88.221.83.232:443

Request

GET /aes/c.gif?RG=c3c79f65f6c14c27a14a392cf07f76c8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113230Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B3F9C6E4D3767500C1488174C1066C7

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7391D3C731324516ABC8160A3DD1755D Ref B: DUS30EDGE0317 Ref C: 2024-05-08T20:03:30Z
content-length: 0
date: Wed, 08 May 2024 20:03:30 GMT
set-cookie: _EDGE_S=SID=272FCE444F72690D3BDEDA3D4EB268F6; path=/; httponly; domain=bing.com
set-cookie: MUIDB=1B3F9C6E4D3767500C1488174C1066C7; path=/; httponly; expires=Mon, 02-Jun-2025 20:03:30 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.e453dd58.1715198610.2a8961ac
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

232.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.83.221.88.in-addr.arpa

IN PTR

Response

232.83.221.88.in-addr.arpa

IN PTR

a88-221-83-232deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

88.221.83.232:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=1B3F9C6E4D3767500C1488174C1066C7; _EDGE_S=SID=272FCE444F72690D3BDEDA3D4EB268F6; MSPTC=es7Atluxao-VFe6lZgBid5ehun6Bejco9zUQXPiTOSA; MUIDB=1B3F9C6E4D3767500C1488174C1066C7
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Wed, 08 May 2024 20:03:31 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.e453dd58.1715198611.2a896a58
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ql_GTM_ONpMo5qqYZfWLXzVUCUxPfaAsUhuXVacKbL1BUazIdy7YFIqD5njFrJ1cxcRAHGO3iw3qB_R3MKBS_sVlGA4hee81f6RAUKhyVtYNfXLLiv5VlwvQYju4m-6Cu6-hy_U6FbqktIcfsYiU7ioekKAEPNx_wSq1jjchvNa-h1n1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c4f43c7d1b914bebd6f25fcb316d9af&TIME=20240508T113230Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

tls, http2

2.5kB
9.0kB
19
16

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ql_GTM_ONpMo5qqYZfWLXzVUCUxPfaAsUhuXVacKbL1BUazIdy7YFIqD5njFrJ1cxcRAHGO3iw3qB_R3MKBS_sVlGA4hee81f6RAUKhyVtYNfXLLiv5VlwvQYju4m-6Cu6-hy_U6FbqktIcfsYiU7ioekKAEPNx_wSq1jjchvNa-h1n1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c4f43c7d1b914bebd6f25fcb316d9af&TIME=20240508T113230Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ql_GTM_ONpMo5qqYZfWLXzVUCUxPfaAsUhuXVacKbL1BUazIdy7YFIqD5njFrJ1cxcRAHGO3iw3qB_R3MKBS_sVlGA4hee81f6RAUKhyVtYNfXLLiv5VlwvQYju4m-6Cu6-hy_U6FbqktIcfsYiU7ioekKAEPNx_wSq1jjchvNa-h1n1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c4f43c7d1b914bebd6f25fcb316d9af&TIME=20240508T113230Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204
88.221.83.232:443

https://www.bing.com/aes/c.gif?RG=c3c79f65f6c14c27a14a392cf07f76c8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113230Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=c3c79f65f6c14c27a14a392cf07f76c8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113230Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

HTTP Response

200
88.221.83.232:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

232.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

232.83.221.88.in-addr.arpa
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
128KB

MD5
252b43ea56f85ad01cb80b271a468c4b

SHA1
11a7d612d215c49db5bedd3d2694f4bfac9e14a3

SHA256
83e769b62ed4f3bc255aa5a0f9b92f1f0f6dbc6979416b23c9eb572fe4d32f12

SHA512
93f220139f0ffd42a82ac9e9ba17aa55425b2ee51513c90ce7d4fc93b286b44fb78149f20742085bf5af15a13dba21b5152b3b6964d488cf4e45b00bd3e0f783

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
128KB

MD5
de6c4900126c1c8b8dd55022baae3785

SHA1
691de2e7d58b7e0e58b6a11200622127dd915d75

SHA256
8bbddc4a29f1f1bafc1dfda4d0df6bed3d5f26707b5b5effeed995884e572921

SHA512
badb23ff0e05ce7d5f1df99cf6218e9e16055221cccd59ff79fcf31bbf94d6a5ad5d384c9a84a2ecad5a80a8da95e106c37521ec56fd900080d67c3970720865

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
128KB

MD5
d83fc386c9d6a20ff9a0cb5eee61a59e

SHA1
baf3bbe8f54346054272cea5af5b3fdc7609fe9f

SHA256
f4e4233ca34f9321f0254c56e30e9844e3ac6b854f2db22e89dc75b77ff0b131

SHA512
c9f641c7528fb983c7cc2a29f6f09c88a23c20fb011d7bc405d718909e5a20502ae9ac670bf3a0e67a94d6d20951ae76e6d751f80155910d5b03ef9e7e80f7d7

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
128KB

MD5
dd24f930ce9a67699993b17cabd31c71

SHA1
c098c072ad3d3efe8f24b98d5313befa703b95e6

SHA256
7effb8e2b3f3b468f1bb57277dd0f098f79d2db73aae3c371e684b2818c955a1

SHA512
5f8a50d35e65c12366bb1e006ca8326df0019a06ac41f93e2005ed565f07dd1873c5f1c7043d5d44d5ccd2769e492b1ab2990739b37cf9f95b760e956392d54d

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
128KB

MD5
5b47dc7551daad63cfa6cd9e75f61505

SHA1
f1ddfd569a1594d4a932a206fd2772cdc51b43d6

SHA256
32bc3031e60228006fd899d35ff7467ccb9f86de631dc2d6bb63f5883e508b01

SHA512
73403f20717f28384c7aaf64315c24285c8939b1ad11cecbbceb29349d6b9aaa815cecedb7004381378d09b5089a577b08ea40bca0a43b070e64bc0f2b70f0c1

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
128KB

MD5
6d9b82c91a8a54ccd488037f31b1587f

SHA1
1eef45247ebce9d3bc99728483deb8e56469f006

SHA256
abaf86c3b3cdb904144b9cdec5d4bec4a988d239e1c9dad65532dee8c2f52379

SHA512
9aa15a9d8026481c19835bc9826190c62f7bef3fa30d877be6773e9cb11b6db444fa196bacb5c62187a8cd0251975e64bafe3129a31635c7a2452bcbeb965e8f

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
128KB

MD5
fc4f4c02ac7be7ce979e7fd372657d5a

SHA1
91fc49e81640ec005d17794db9740bb9e7feda94

SHA256
296bb6031a1435401736cf261ab7f7b413fe643b04f037c2ad3ca3dbf9eb38bd

SHA512
a6090372e27c96853b20b49572b39b592575a6ca6ef83d7ada9a411b9e554d135631737077375052fc662d259eaf8221407f31155858b341ef2e402bb2bc14e9

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
128KB

MD5
df24f1d8bb0503640a258499095d3516

SHA1
1c1e446ce953a34031888411ca6322fec539cc8e

SHA256
1c87e6edb4b75a91ac8b43d87a4177b65ce0494e7ed49b04d4776f9fddd4a3a6

SHA512
da20ffadc8c8565381720e7552499bee56a2371cb9edf8a3438555832aefa5d5e887bec87119ce3402915aff043baa779bd52b6f271ef8279a7c72d5bd8f0e98

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
128KB

MD5
42f3fe464a5291d34143e89a8a1e37d5

SHA1
eb73a4ae7b22f5a19422fcf9e7bf03a718eb23db

SHA256
76897ef9797fd1a5aeeb409a3eb325f149633570c12bee0e790b78f2815a995a

SHA512
8f8998d65c04196de6f9086a6614ce260c4190b51d86b1da144f33da3d54da00a67a561100008e83c51150dd0e9728bbe07fd2c372e8d11b5d85e3901afb2496

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
128KB

MD5
4aa7de31ec9ec9f4b7b83367daa6c981

SHA1
572d175c08708253ac1f41610dc2fa2918fe9f8a

SHA256
77df5cf0c29d96f701577c108ec2d6952cbf6e16fc05af5ae59fd5560f7c98fe

SHA512
4e46f4b773727dd6ade5ff49240dab69a699854bbfa5960b610904716aedc06e0420decfefa4892220209a8f3a64f86960028bc41d496c1fc897011b50a7feae

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
128KB

MD5
71a39c18a6572cb2b5614fcbe91f7952

SHA1
85df2df3828c81a9276c75f1751b5a5e56d9a873

SHA256
cbdd6a2ec6bd58102462edffbd93b7b7fc59079d66c9326c717364205d6ef4e9

SHA512
481a13fb0a1384bc6cbd409067399a9fff67c39792fce04903a8d6e5174f5e93605da8826f186beccdf92758d987621249e28703be41bb79c20b031ac81fedc9

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
128KB

MD5
3334edc89cd6d2a887ecc4e3c0cc4850

SHA1
c5ee2eabe9c989261c21586387a9ba1ba070c432

SHA256
82fce1e254da6446ef9f2267edf47d8b09f722135683bd9976207bdf561050ac

SHA512
5036c6fcc2ba5156da58c4e93fa1f61832014792f47f2e4edf421d3ddbe91fd53c0c4dd6bd6af673d86e2f1c66cd86be8858cf24aa5a1d95d074629e29af3f9c

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
128KB

MD5
a7875a7c7c73dcbb60e57c06fe7f3f66

SHA1
8281ae49e0eba170aa57d7bcfb97a24d1e073bcd

SHA256
03451ecae7a3de44f9f6ba06df306ddd2affc3ac25621a811f18791fdaea69d6

SHA512
578a28d179dc63e6d3d0a924bf39109c886c35633f6999e27d28562c241725bcdc841c9206770b90749383a7603c6d1c93d06741ae9e8bec971cca9eb0212e01

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
128KB

MD5
ec655704d1765b5c81e7e5644575bf23

SHA1
9bde3dd17b94a79827416e6ce318753ca1562c2d

SHA256
1251d5203ab7fe356be5097e28ab0c8f053d0856151a0384aa45d2d3484bda26

SHA512
b3c7f9d8a51603e4b74c744632bb539b07b495e8351ba27b41a9f880e1bae8b377fa266075cad2f082bb2090ef03334f171e53d41f8c7443973feb61e7517aed

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
128KB

MD5
54f6d56afea7e573d83661ea97f45c84

SHA1
058932b9d45613ab60d604d8adb77fddcdf09507

SHA256
14540f6613b096b45f9a9d7eb83d6a62585524f981c3cc1fbd1941e436c6a808

SHA512
fd79db9dcd48812bd6ba0b5c3f3ef6a9b6e1564ed0bac07daf5718cfea8565d99b7cead7f6e987541eb0ed26081959a5f1219d1f86a6ade7ffcf751bb677c73f

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
128KB

MD5
31adaefcc8b05e59b5d272df0d9c780f

SHA1
e018c6bff43148211a0e593fc5203ca5c669204d

SHA256
45a50b19ec2efd7d7ad17b2d526d0d690cac5c6dbad2dce1586056c97d6fe0a2

SHA512
ae4708305dedba5ca71871acd4c027d143aa3f6d2b2305a59495ce67d23dc85853105b65aadc4ec9daeb8785cd834c280dddd556e0c0c3de4bad68191f0c3c19

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
128KB

MD5
0cc4558cc91d2047faef2ee9ed68ffbc

SHA1
9dfef72dab797fe9c2bda4b4605640b2386f4df1

SHA256
c82d8c2202ddacd9295426f65f37baf8e2536c9d4a9ffe6aa30b571b2753ced4

SHA512
3df4b41dcad496081624405ed5dc38a17b98eb85eebae93a2c88ff3d33c18f55d55b8cbeaa47b00ab8bac7b6b334160c978d26ddd253d4b7bb783c26a9ae8ee4

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
128KB

MD5
9009e0461fa57f16177acdcce90e3e82

SHA1
aac484625c12424d3fa84ae69989eaca38ab5559

SHA256
4d2cabb2287cac8b3747697ddc6103418a52ff83a5e9317077b47b0983022738

SHA512
50f6de81c2e672fe5d03d8b31047a92f623f87d87e9f541c3ea471cc43201e1d49ef4226463b7840657cfd1941eb7463fc23c05618e4916920828b9729c89a6a

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
128KB

MD5
0dba6f755f31c329ed33a1968ff76bbe

SHA1
b6622d807b9947075ddcc726245976db3b69b8f6

SHA256
1b40040a61995cc9e0e6d075c6ee6694bf1de43c96438e78db44426aee7e43f2

SHA512
332ecbe938b4d3e21379b52cb5818b579236138def853726bfdc51fbc3d1c3801044c7515f5ffadb9f5f7eb2248c30866d6957dd09f6eb9b7b50c35ff527c612

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
128KB

MD5
1dd04ff3411c7f47208f89c177418b06

SHA1
d653436dcea33c03b28724d615c9158a3a716ea3

SHA256
5ea305d60e0c08126332cd502d3eb10d4fcd967bd2380809f072ad548ea87986

SHA512
b71a131e2aa33de2fda9cf6ca7e53f9c877b0542f2f1149bce7eceb2858fe867f41012da8538030d17ec1504c33ec4988016420dba86e2423cd866f4a3b5762d

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
128KB

MD5
1752bc1d6d624d96fb9210fbb4ed3a9f

SHA1
087e1c10f6e74241453597d377e52bbc2ba68dd6

SHA256
571a521b4dfa5e949d8333f92e7e30d3f0ece541097bc1393a077d89eb2e3b18

SHA512
460e6c3806211fc1b0f14c7a8bb04c9e94a9db4c2128019bb9ef2fcaeab97480c2f0dd21643206b5c65aa5420f3339f162f615f0c8ff9d3a11ad36f657abdfb9

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
128KB

MD5
d08d08c055273208257beb6a02c05f95

SHA1
791ef10a45d4a9154875a0c408aac61d479af841

SHA256
6a25758e82052edf346755c1a945e6abdd8ea53c8a7cac60036b0709375ff244

SHA512
75eea6a5d606752cd34ba369c1cb948ef38e4e5bbec974f82a193303d7dc8021f5fc82ccd111778284e21a919b08004177fed6bc7a3c5afb8091832e6de3e7d4

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
128KB

MD5
b5809ab665c1fbc16ae258faf74a5d66

SHA1
2367bff04d43eb2c7bc0f657c474615c4b7cac57

SHA256
3df156d120431552945451936b41e32a23d94bfabeb8902117d189eeadc5c272

SHA512
2bd151b25a63730f23a9f68146edd09f21310e54d1a58d809043c61a604b76d57a7e6b349a2f9271046129fd6286c2b56a147897c561e0677abcc121785e138c

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
128KB

MD5
14722412866d511a4e50686d82c7cf4c

SHA1
48555ce7fcc7987fb5342bf2f36cb1220b8e4d88

SHA256
2e69e82a2e95ca4765323086cbe8bd847e25d76d7274e453e8f6eabf042c99c3

SHA512
6bc919008f9ce0690471163e331b89be19d611977dafda69ea55c7a1ba15bcf2a3280d1f5f6b7e7a372f9a595f7eeca5157ffdc2b9349f3417d0ecf3c1fcf632

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
128KB

MD5
63e123723ff86598d53dae2992c8043c

SHA1
b25703e11e46f683f104191ca32d45e1eee8a5ae

SHA256
d20f7c540d54bd261fc91016020cc433ce9a2e8fb5ff06ba384d3fde9a0bbc36

SHA512
6db05e5bec27d7e9cd4e3d713af431ae4fc6d05479de74062f63d8f8854b32b89632e7b98f23735adc8816bf7090869dbdf2ba15525a34dace73739d03e44355

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
128KB

MD5
15a5609014cc8c949339baba9881e62a

SHA1
185007a8d730ae9ea93c90e296bf863625454c39

SHA256
9af55cefbcad84df7a67a257ce13523fc33d21ea30082ece1704e04dd6f5e8e2

SHA512
117fdacf28e59a03761f138e29d67b62a0ef223b2befea62ee770deedfdccc8e787f8efc48268f5923ab98c330edbc446afb9b249ab3afcb8f1a11c67311b680

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
128KB

MD5
5b4f537cc63053125a91c9658e37cd00

SHA1
997e4ed8fbfc0f032775339da63850b7324cf325

SHA256
56d7499ac1743286af2ed9d256a334b2797a43a01cfd4b7a3add4ab61ed5b187

SHA512
1a125c5852be10b6e967fc14a267c3323161c58f0edb4a473bc3d0ac3c9b5c04ff2d661b41229cbf040e413e8a165a1fd7d8a9a577fe9f6375d30dc76263e8d3

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
128KB

MD5
63bc1fe43d2fa1a5fc817c4dc57438bb

SHA1
bc8cedad0c5d865bf053f3b7cd230f6e7662132b

SHA256
916530d33cff8bb23769c225b801c66a40d8c03c676c6875358fc7d9ca9f64dd

SHA512
4a085f1b282b8ca539856135fcb941b012f5ffb45685c9729eaca22419fea6dcb57a78cb4fc8061d6d8a6c4bb374828589f734e9cfaa0e0a45d9dd931e509076

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
128KB

MD5
31968c03bd871dd2b686bf0eaca80ab3

SHA1
77c68837130867ecc590b0a626de7d634a29077a

SHA256
7483736008ebf639e92e8ef7332c778d79952566fd5fc1281b1e060acf7f11fd

SHA512
9f7ba30c76f58992f82d274296b1f1573481d3333e3e3299872fae13f998babede6c4e63f2cf352a98edaaeaa8920d3ad81355d9691acf651accad4b0745c42a

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
128KB

MD5
925e8c82a1580a1cb40e571c825554ba

SHA1
5bc99d8e4c38a4c6b8349e254426f1066cd51cc3

SHA256
6b4f45b3f4a3e5b6223ad04084a67fab872ae0512dc81d33b9c30d96c3a58368

SHA512
38f691151546481fc622e4e690ade4ec2facbae51ebeeeadd3768b06b5d61fcc1ac23924d258a7f84b8f4784829ab54ec3a3b96627bf9d559c577a92ea0b7bea

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
128KB

MD5
8f759ec1e75e31f04c2adcc5a7041db2

SHA1
ce668cc6e9e7f0648038478c8fced11b1200ec74

SHA256
ad35c01d00179830ed2bf10c9fe54ae63658ad8e9900b106a17a6fcf6f0530f3

SHA512
03d428ec6261e363457e9a55dcaa9737162d7e8fa631cef443c7a2b80a78b7e2c9b3ce83b0ecc4bb84a303c1acc554dc6a65984c51081e441a2034195f2bc8fe

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
128KB

MD5
5323373af0bba96173fc864d153889b6

SHA1
cd02303af7f118c5b7ef72345ce4dd1244ffebb8

SHA256
c1f85ea1ca2b14395e474950cb1e46320aa364edbd866eb06a5ddf13e00a5a78

SHA512
90a019e8e5b20ae454f48d4fe0c84b6c84e82f0dba053bb55754c7e31d3038870a818643793422c51db155992e20b8dddd155caecce1166cf3b36ccdf04bdf1c

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
128KB

MD5
c8151b61a9db6ecbbd5a5d87374f8125

SHA1
012008bb8e2a8a98a1a172f206de47b0530a3d00

SHA256
f9578e3492e5151dda0e2222f5d46161f2e00149cf02f8e7279355a6f371b171

SHA512
e51bfb4089000beced3ab2f0b0dadf7e98c08e549fa4916d04b228dc4d47075a05c5e2b36095c80404d12167d4cdb160845b39ce9e49cbdcbcb3174a605557de

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
128KB

MD5
af21cef91b939deb3b45dbc82bbb7607

SHA1
3f4a6d1ca3ddb453827bc52bce201cb27447ed76

SHA256
11ebb926428b1c8a0240be6e98be3e1b472e28124c38ad847a1a60d2752866cd

SHA512
1852e1a4ee63c393296c417370009c010402c450f920964d6a6ef60e9b161f4efba0bf7a927b2ce61255f2209c333ac0d76314ea969dc31eab677f4e849aefa5

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
128KB

MD5
d835c16715cc94ccb6a5bb59eb9b0aaa

SHA1
809dad75fcb0301e384caea33ba3ac2d9bb30d66

SHA256
41698a4810ac540afff128fa510954cf62f05e80c5cb81d49516b8e7c3837ecf

SHA512
17898d109b855e02f6068be60e080d3e6d2ff7c43d4a2c3e9028e67c0f9970ecb65151e9c45688976a71dd178d2b1cb360a1bc88017266824d1188c8850c4d19

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
128KB

MD5
e8a1af2d33287ffc4e0355fd501168f9

SHA1
b1469de8faf2345450d29d9d811022e9ed0279d7

SHA256
f7400abc2f3120ff4c369bac4888f00af9f9d3bd8ca4af6e7450d2800df51a02

SHA512
397f2f2a7fb50456df444c495bc5bc505473b6071893001404eebc489d6cca13d887112a8d87f1578ebeca67d3060b9fd7d160c02d9ed2ddb2cb5fb6313e27ab

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
128KB

MD5
b8f202530d36b9755bc9d0a150187ac6

SHA1
38276613cec8a2c194778f524de2e1f58a82951e

SHA256
900994ca237205f1d30018e341ce9ecbde61c6df468cfe24d2f0b0ebbbcfe021

SHA512
676057a39bcd5fd971fdfd16baeb6ebcff322bdbf8a9f85e4b3113a1f3278dbe64140897c80e567f7c9c9beb4b309db2d5f7b08727527a399ec331facba00663

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
128KB

MD5
94de08f448b009b93c8466f7523383dd

SHA1
3a58abc0fb4ac35124ae724ad4f713e9b65be9a9

SHA256
e0aee7c4803f622ba6375696da2b3a4ea03ac2ba96f0af2438f3c058f8898679

SHA512
6e523d5c5414cb8778198372d93c8af734dd38a6945ffd922d94de6f75b71165117b370f991ee51c783e6517b30352c82d8d6d5467d2e56cab128fe388e38f97

Download Submit
memory/100-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-653-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-666-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3228-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4072-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.