fbbcb2e40113f21b23210d8b258b553c922a4836ca71b2d2ef7b4f8c08e40784

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe
Size

405KB
MD5

c2dd64877e8db0efb053b2ffdb048bf0
SHA1

2d767b61878b925db72f26414dffb5c236ed5e48
SHA256

fbbcb2e40113f21b23210d8b258b553c922a4836ca71b2d2ef7b4f8c08e40784
SHA512

5f93cc7e73f6ab8b74a17406e3dd2b7c26b3f5d9e4792ceccebb87759a99c64364231c470313bdc71e38b663c0b88d7b264e13f9a4b3e4c1c6340b228a92dba5
SSDEEP

6144:3FYdAVLlFzdWJ/oHeN+uqljd3rKzwN8Jlljd3njPX9ZAk3fig:3njRiQ4+XjpKXjtjP9Ztx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe

Executes dropped EXE 56 IoCs

pid	Process
3300	Ipqnahgf.exe
4688	Ifjfnb32.exe
3452	Iiibkn32.exe
1360	Ifmcdblq.exe
2100	Iikopmkd.exe
3304	Ipegmg32.exe
3860	Ijkljp32.exe
2640	Jpgdbg32.exe
2040	Jbfpobpb.exe
2152	Jagqlj32.exe
3756	Jfdida32.exe
3180	Jdhine32.exe
4684	Jmpngk32.exe
960	Jdjfcecp.exe
2720	Jigollag.exe
1972	Jdmcidam.exe
3232	Jbocea32.exe
4996	Kdopod32.exe
1004	Kilhgk32.exe
4560	Kacphh32.exe
1512	Kdaldd32.exe
4644	Kphmie32.exe
4192	Kgbefoji.exe
3768	Kdffocib.exe
5052	Kibnhjgj.exe
1284	Kdhbec32.exe
4380	Kkbkamnl.exe
1184	Lpocjdld.exe
2420	Lmccchkn.exe
744	Lgkhlnbn.exe
3664	Laalifad.exe
544	Lilanioo.exe
624	Lpfijcfl.exe
4588	Lcdegnep.exe
1044	Lddbqa32.exe
4872	Mnlfigcc.exe
4580	Mgekbljc.exe
4060	Mpmokb32.exe
2916	Mgghhlhq.exe
3308	Mnapdf32.exe
3972	Mgidml32.exe
4936	Mjhqjg32.exe
3096	Mpaifalo.exe
4968	Mdmegp32.exe
2676	Mkgmcjld.exe
3692	Maaepd32.exe
3228	Mgnnhk32.exe
3596	Njljefql.exe
448	Nceonl32.exe
2880	Nklfoi32.exe
392	Nafokcol.exe
4908	Nkncdifl.exe
1580	Nbhkac32.exe
5044	Ncihikcg.exe
4592	Nnolfdcn.exe
3148	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4692	3148	WerFault.exe	143

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 3300	996	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe	83
PID 996 wrote to memory of 3300	996	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe	83
PID 996 wrote to memory of 3300	996	c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe	83
PID 3300 wrote to memory of 4688	3300	Ipqnahgf.exe	84
PID 3300 wrote to memory of 4688	3300	Ipqnahgf.exe	84
PID 3300 wrote to memory of 4688	3300	Ipqnahgf.exe	84
PID 4688 wrote to memory of 3452	4688	Ifjfnb32.exe	85
PID 4688 wrote to memory of 3452	4688	Ifjfnb32.exe	85
PID 4688 wrote to memory of 3452	4688	Ifjfnb32.exe	85
PID 3452 wrote to memory of 1360	3452	Iiibkn32.exe	86
PID 3452 wrote to memory of 1360	3452	Iiibkn32.exe	86
PID 3452 wrote to memory of 1360	3452	Iiibkn32.exe	86
PID 1360 wrote to memory of 2100	1360	Ifmcdblq.exe	87
PID 1360 wrote to memory of 2100	1360	Ifmcdblq.exe	87
PID 1360 wrote to memory of 2100	1360	Ifmcdblq.exe	87
PID 2100 wrote to memory of 3304	2100	Iikopmkd.exe	88
PID 2100 wrote to memory of 3304	2100	Iikopmkd.exe	88
PID 2100 wrote to memory of 3304	2100	Iikopmkd.exe	88
PID 3304 wrote to memory of 3860	3304	Ipegmg32.exe	89
PID 3304 wrote to memory of 3860	3304	Ipegmg32.exe	89
PID 3304 wrote to memory of 3860	3304	Ipegmg32.exe	89
PID 3860 wrote to memory of 2640	3860	Ijkljp32.exe	90
PID 3860 wrote to memory of 2640	3860	Ijkljp32.exe	90
PID 3860 wrote to memory of 2640	3860	Ijkljp32.exe	90
PID 2640 wrote to memory of 2040	2640	Jpgdbg32.exe	91
PID 2640 wrote to memory of 2040	2640	Jpgdbg32.exe	91
PID 2640 wrote to memory of 2040	2640	Jpgdbg32.exe	91
PID 2040 wrote to memory of 2152	2040	Jbfpobpb.exe	93
PID 2040 wrote to memory of 2152	2040	Jbfpobpb.exe	93
PID 2040 wrote to memory of 2152	2040	Jbfpobpb.exe	93
PID 2152 wrote to memory of 3756	2152	Jagqlj32.exe	94
PID 2152 wrote to memory of 3756	2152	Jagqlj32.exe	94
PID 2152 wrote to memory of 3756	2152	Jagqlj32.exe	94
PID 3756 wrote to memory of 3180	3756	Jfdida32.exe	95
PID 3756 wrote to memory of 3180	3756	Jfdida32.exe	95
PID 3756 wrote to memory of 3180	3756	Jfdida32.exe	95
PID 3180 wrote to memory of 4684	3180	Jdhine32.exe	96
PID 3180 wrote to memory of 4684	3180	Jdhine32.exe	96
PID 3180 wrote to memory of 4684	3180	Jdhine32.exe	96
PID 4684 wrote to memory of 960	4684	Jmpngk32.exe	98
PID 4684 wrote to memory of 960	4684	Jmpngk32.exe	98
PID 4684 wrote to memory of 960	4684	Jmpngk32.exe	98
PID 960 wrote to memory of 2720	960	Jdjfcecp.exe	99
PID 960 wrote to memory of 2720	960	Jdjfcecp.exe	99
PID 960 wrote to memory of 2720	960	Jdjfcecp.exe	99
PID 2720 wrote to memory of 1972	2720	Jigollag.exe	100
PID 2720 wrote to memory of 1972	2720	Jigollag.exe	100
PID 2720 wrote to memory of 1972	2720	Jigollag.exe	100
PID 1972 wrote to memory of 3232	1972	Jdmcidam.exe	101
PID 1972 wrote to memory of 3232	1972	Jdmcidam.exe	101
PID 1972 wrote to memory of 3232	1972	Jdmcidam.exe	101
PID 3232 wrote to memory of 4996	3232	Jbocea32.exe	102
PID 3232 wrote to memory of 4996	3232	Jbocea32.exe	102
PID 3232 wrote to memory of 4996	3232	Jbocea32.exe	102
PID 4996 wrote to memory of 1004	4996	Kdopod32.exe	103
PID 4996 wrote to memory of 1004	4996	Kdopod32.exe	103
PID 4996 wrote to memory of 1004	4996	Kdopod32.exe	103
PID 1004 wrote to memory of 4560	1004	Kilhgk32.exe	105
PID 1004 wrote to memory of 4560	1004	Kilhgk32.exe	105
PID 1004 wrote to memory of 4560	1004	Kilhgk32.exe	105
PID 4560 wrote to memory of 1512	4560	Kacphh32.exe	106
PID 4560 wrote to memory of 1512	4560	Kacphh32.exe	106
PID 4560 wrote to memory of 1512	4560	Kacphh32.exe	106
PID 1512 wrote to memory of 4644	1512	Kdaldd32.exe	107

C:\Users\Admin\AppData\Local\Temp\c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c2dd64877e8db0efb053b2ffdb048bf0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\Ipqnahgf.exe
  C:\Windows\system32\Ipqnahgf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\Ifjfnb32.exe
    C:\Windows\system32\Ifjfnb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\Iiibkn32.exe
      C:\Windows\system32\Iiibkn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        57⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 400
        58⤵
        Program crash
        
        PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3148 -ip 3148
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
405KB

MD5
3b7786b0ece11c9b2aef42a408992216

SHA1
cc86cff38e01bc643e18fe303861b5344b2be08a

SHA256
b589d7b169a6360405b64af18438dc20d1c60bbdb2652f21c2bba53fab5e8a71

SHA512
4dc946793457a2b5959de6b9391a8a5d8b7f684ba4a6809d1d0e3a6171baf43d243870b451acb53210bf02cab3d2d5d19fcb7f06c9c2812c9856231ed70320d2

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
405KB

MD5
03335c6c79db9c443f347945a6b759ae

SHA1
28368720a365a442964d8e4528f9b130535ef8ae

SHA256
9fed1d083794e3b33b5635eb1f939dca11204eef4b3527dd98e4bf88c15c1c7c

SHA512
e00aae8faad9e00ffd5a055360616e9b247df9ab31afd74c0e2ca5b921ac50ec3dc3d87bd2afd02d7b3da9d716dd83a4dc52cf17f47038388065d1d31a80fee2

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
405KB

MD5
3e74d323ed4f96af8565f4f2f126448b

SHA1
3eddbfd0dd023768b62b99e6a1272da5554e1bc2

SHA256
ddce7bd582d6eb2becaea28b7d15e4a11f76168379a33a7e264335e3af3dc472

SHA512
082f8b3eca9bb854176171f528ccc646ea4d985482582840b399492115e50193fb250ee23818ef16e500d6a1a23898ee266cab38be8d78fd2c9f3c59ffc7e49e

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
405KB

MD5
050e586adb0824d9723253d1df292fb0

SHA1
eb882a640daad72f8da9872c7a93a9582a8418c2

SHA256
afb3a3ca3c3af3c12c19f0a15067ebba632be682f56e952505509ae5aaf17cc1

SHA512
b57e990f4f01eaf9ff40b0d6e72916a410e678aadf2d54df3d4a15fc243f3bfaedfee68382cbd010823ba7e40b6e117e138cc85f23cf2a1ed280ccedae9ac3bf

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
405KB

MD5
964248ea79f7989680df82f6e9a18f04

SHA1
86cab1d75cb06f76b62387f7677bc1e0176cdb19

SHA256
3ec8a8f06492f95ad21c50f94174dced5e30685fa6d6abe6ddef1af909fa0226

SHA512
2993171db10481c7f3951fcb3f55fa10832eaaa0d5f7022e3dc51eb1b8e7471a8ffe78043544bf0918d7e7a8dec1551033be92160de0eb0ecb65dd939e36107b

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
405KB

MD5
29d71cd0ecc7315f753588b566cd4948

SHA1
b12dd6fc33e1433748049ee3db1856f129a86e2b

SHA256
b042f4f3e949d9af24ae0984073d459e48dbc4a080d59096b4a6c4e42093afd3

SHA512
df5fc6b1da4bb247eb59572480eef27de1e28f8ec882f57d2231523d66ee83fdc7a08c48f5a8fc50cec7ba6e56ee203f7c5a8e23814ebb910114bf701d45f335

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
405KB

MD5
c07415bf1da7e4bacc7492f18c4115c1

SHA1
7634d1bda3c53e4c701bd48d3089ca6c2c85047b

SHA256
3586e7bb32f6f59301685f13caefddb9e52c352ba4f072be8d480edd292e9e21

SHA512
1490e00777f42801975ea84de1c59cd4b3461def189f37ab64b067862bb70f3b47ddc8bce59a85a5a2b7b84004f32600082744f88df60a36ad8881e0c0d7fa29

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
405KB

MD5
19d48f2dae80e8bf7c15daed55dc9550

SHA1
f69f58ba462a95528325b9cd0d28567cb58b27cd

SHA256
c4b783a43ec8492de91b3c5af847cbe4fbb631fb1d3ee9bb1a2e3b81a60b5d9a

SHA512
3874708a7b11fe4f9d0c6d32ee5989391e1848f19bb4569f2fafbd32b27228ed11e7d7655bf8b6f511b0df0a1fa407c2f6a219fb544d769a61b9eb4c39049301

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
405KB

MD5
9b99982a4fa38e5c79bcfe9f646b5296

SHA1
1661c67065a95faa528ac454491c66095f41f1fc

SHA256
479162813b4d3bae05a6ecc1bbb96ad404eedac369c57f70188e92286ebc4bc6

SHA512
778cfd640dd611affefb36b6f8f77119cff49bdc25fcc51c71833ff1b1c6af7a69bd18ddb39f3724ff3e4eb7437c03c4d56d006aa00e6fcbcf4d300d44bc0ef0

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
405KB

MD5
9e9f14320c229da113cda320c218ab62

SHA1
cccc4a4a168774a5dfb1901b47e1b23d7f86494c

SHA256
f61b9ae994af9afe2ea8dbede17f7bdd990da6f44c7ed3e187d80d327be12cb4

SHA512
a1e3a3d27d6ac7e4daa19d80a54303ecb41c0694b7ab59549ba8c2004f7f38d5d74fd897555b6080b8bd0d8bcaffb6b21bc69114d9003dab5b709d3584481f1a

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
405KB

MD5
103afa3fbcc82264c960287787b0d824

SHA1
01d051c22ae9e293aced750fa6f319cfae69b15b

SHA256
3046c9e5589cff80461863c9e688285fa56793294a51d2b87b0db22cd05db01c

SHA512
ce0b1e3dfcf017826ded37587c3f230e1b76e6521d0139ce5ac085cd31f5448300ac2907cdf875c0137f128ea6e13c153e69cda972d682dceb50ee9d8c6cf0fe

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
405KB

MD5
ae0e4c3a3ee15f3009e85d39bd840077

SHA1
4b0e56bb907d312978176bdaf86cdd10e6f17f74

SHA256
28231aac95675ec36829a1984a5180ee575fceddab91c66bedc7bf5336f702d9

SHA512
d067d770d9a31563f07613d5e387d7f50a6aefafd0ec4c3e38b058b7520335447b69ced649b14c132c177299107ff390358f7e521991d6f038d9c2faa10fe925

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
405KB

MD5
b2d7353a08089a9301dbe2c023697893

SHA1
99a1c1ce33eefd6170afd678ac8b306ce4c1515c

SHA256
6938f1b54556c90e9baf63fd5bd0acfa0dc4641fa06be10860fbf291919d21db

SHA512
30693124917a34e6d62a0c8c2f07c9da46b6ece3030d8de36e6c496f4bb71f32093b5e51cbbbcc4e11c5a1f9bd726cddd6b661d878a72eee117f7cd03595349e

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
405KB

MD5
398da069f182458e97f8c4a28f193291

SHA1
2ff67441c7d3c9aae59b93dcd6f5ac71658bffe8

SHA256
016ef86030c91ea2df852f7eb373c759884ad38fe6f6fd948ce7b7171ec46b5f

SHA512
59ad050effa346207ac041eff08fb8b1cf327867376f271d68c934c1fd3e0096ab300a7811dde3de89ec8495aa0f1fea557ded15165e408c697b81c7b514f434

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
405KB

MD5
a49085dfc5c5e1529fd4b173b478a324

SHA1
f41cbc831012506a722e647019318496ca1ada6b

SHA256
e51b8985818c6e787aa43506b8c23ff9896190c6940a79471f3119b38ec9d0f5

SHA512
87fd63d2bb940aed53dc2b1f057fb6eb02e7cedbd41939832a1ad3e99b20336d2b731abda8324b0435be927677a902759f8745e9e40bd216e0d3df86d50c1ec9

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
405KB

MD5
391fc73cdc7c345587231f56bf126099

SHA1
95c48dfed155baa9e9a7a778ecf17b15a3fdb098

SHA256
ff2725595e7fd1b24b94898c082b8d99811745549290c1fb8f56d4939f528fa2

SHA512
357a18950897b859105ac7df5134d8cb788b4d6356ab4871b36bb10ef174d3d4cdc8654903c036c8b85cb875d587a1da77fddfda7467aacac1adfb6a879eb3ea

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
405KB

MD5
46c7bcfee89447e8749d9ed667867b27

SHA1
ab421e68c583ed38fed472f89349d47d0fd8d14f

SHA256
107829083276bde21c4954e87f4d48ea869bb2db2dadb14fc447be8fefd6176a

SHA512
e6fa26c450481ac744999da2b51ab7bed47ad613138972e23c73b39c0615205afd9fd700a55cb9e2c9430e71740a077b777ca9af94668c8d1d35e811619d6ffe

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
405KB

MD5
cbd6593b6cb4036e2d92a345c45cf866

SHA1
5c728c5a0477a1c72fe289792dfabf5d504440d2

SHA256
073f723e3109dfb6cf04550df74cd066388376ffa64a9e845b50df7dcef79cfa

SHA512
030d5bd183d83c398880e6e496b9211887893f32f08eae2bc57f6fe1ba47d104353a8c4f701556e7607d717fb4d29eca57a1235380f02a304b57f15d8a478e04

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
405KB

MD5
c331ea1e94172d73174cd97b992ffd51

SHA1
2a8c799ee390d099540cc94057491da00ef6f17b

SHA256
b39f8ef183559629fe98d1222ee80403316d5eb68d5a2fef5a1357ff7d9d52ae

SHA512
19201c5f34de32c3ec27e1942d231170ba9cce236b2ae4b72405f830cc1efa5c1d0a3b97bc50a92a4978bb6c8950c6d5e68ce189f6e64d5a221b9205c6d4a007

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
405KB

MD5
e8118ecba7bc9dd97f36efa549904597

SHA1
065db11062b947e32cd9c1a416e3dd549bfed0e4

SHA256
174d69a5c2b54448869913d1399d35f3e26ef1c8503d4f46fd7561661d87d684

SHA512
101fa2992587cc1ec4b82a914b47c4f8021d8563630d6fa4d9f3f9e837c3d9c438a5e8cdb3c860045dddaf6e7f713f9aeb9c689ee9e2abd5620434b23ad2d83a

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
405KB

MD5
51335b7eccffd6edd095b7850432ad5d

SHA1
1076fd1c151f2b99e300390f3f482bcf83bafd80

SHA256
3e8c5e233f18239d210d7a4f20f53036a5557b8cbe3b05964a19dfb4a77c40b7

SHA512
0c1ad20eeaea41eb76dbb8e97f0330838137e2c2b97e5987269a37871e46dba455f7089d470cd534a31906f125148b1b8dad367a20f40b9c315d240cd9862bc7

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
405KB

MD5
6dfc65bac0d2ac651ef53a84d4193413

SHA1
3ded20f7c039368cd2584f35fd345ad645adafcf

SHA256
cdbb51d27ae8c479bb37235edb750cef1b8647e272a38526da1a8332e4017eab

SHA512
d0b8a849dfadbdbc6176b96dfd5437c35ef3f793777e1fe724a2fbc1ccd318464544ed6fa276c6a896efa78d81406a560de4dd3b51a97344843a397b6ad3a302

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
405KB

MD5
452e7656d3c5b000f9dacf35c9177aca

SHA1
001b462d1b96a9b43e2232976ddcef952c6f42dc

SHA256
17ba3c647d4559627f2490f7ecd43c990fe7e25ed10bfb0da5b4dad1012b11dd

SHA512
123eec2e2431851d30cf3ec728fc116bcc1f8020eece73a264b3d7c79706418ffe71bb5cc7fed52ba2b640f47b37c8c8a77901bc19a0c0d561658523419535b6

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
405KB

MD5
0aa0799354ceb8de1ffb4aeda0e854fd

SHA1
e60c2f84a94962dd0765e0b444e1b75288fd572d

SHA256
5ac25a3ff477a32220c5d2fc093ea3f70bfae772eca8cd065e1bb1a0fccc6ccf

SHA512
403cce780c0c726a116ffa5123a9debe961d03d65fbb2f1d19040aa7d0a23b9def5f17c7401faa65eba158ee3fd3b4a1e371b9df0ac762a49108ea1b4b9627c7

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
405KB

MD5
8ad6848d41c5373a98b94f574a9bb295

SHA1
4cb7263fc89e3f9840e21097483c2453370fce92

SHA256
d1f9a9ced484cd7a90babe3abe84ef5be6397708057bb3db402cd9d7d1d21d27

SHA512
035d94d126f68406fe9a1499049a65072fc34edd8692e3c41893ad8af09f3d3cfd45685df5618dba73a8eb8c4d4be1bb7b51804639b8bf66a55b5c23de939211

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
405KB

MD5
52661927e8d4fd4937d836440933ee5b

SHA1
f3a4ebf566e20c4254887cd1094564cb0efbf583

SHA256
7ebb2c2a9f5c4784973caf924654cc897b09765757da09a6c346d001a11eb52a

SHA512
7d533ab3ee091d2321c1cd774c9867cfffe2561e863d6770852042fa1741ff5b8e7961072861072aad4f63017eab459cdce96fa86867ee3b78e5b33b128942bb

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
405KB

MD5
235f98801109cd532cafdf2c4028d3a5

SHA1
cdc0615d0b35b135470d96656d5140747168c69d

SHA256
ab0f17c265defda2ceed088b270dac48dbd7a99da480ef9b2ba6a82335bd170a

SHA512
e91098b1c954f53438f1e01f107218c6928a6664bfe316d2469310f43a9eeaa839ad1d6fe793bbe610f99dc9f386368fc2ffa4b739566b7e440b67af96a4050c

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
405KB

MD5
1fd2346dadb1ffdea801b63417b49b05

SHA1
540eeef6a0f7dc6d5195d29da9e587f91199b4c0

SHA256
a635e59e12558e8ffdf95d9f706d5ff290a9eeaea88e9db0a71ce043abbfbe62

SHA512
9cb4851c110ef6100484da48cb2536bcfd984cb291436f15c67a63d8c1ea189ab44639051edcfd2050567ce3baa839d3bf0382981bf65f6a8d1271e438f98425

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
405KB

MD5
6f70d258b3c129098d3c150b81ae91d6

SHA1
a909a2de6366a7991cc1f0f7c9be2ab6c346ce26

SHA256
4d167cdfa58bbfcf9f93c5b9560d2646a3437ff13f8bdb33350aa0386d858e9d

SHA512
d00a52165507f39c07a4eb4b3128670fcf7bf836326f717f8104f61d3881af4d157826b6f26647b890d973acca49a0ee930ff1d696eadfbce557bb80c75d4f54

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
405KB

MD5
ace60a4e3b2dfb9149a30ad67bc344f6

SHA1
4dfc09c10d47331e118b32a37668c5f5839468df

SHA256
3e7dab58f84bb3b23240a2000f227db1430f3e8142061f6b820cce2e81bc2c00

SHA512
47a4291167498c23256d95f5072acd153f3f277bc4302920981f806306d3e6c8736f17e82f7e03753e4e01aef961860c912be158bc2a9c01e42a743ab57d7d5c

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
405KB

MD5
00e717e3fb1df4e89f1c8c47e2abb87b

SHA1
f218a119e7e0ff45ecdc23e8bdd67f3ef3e3553b

SHA256
a5df9abc6501c1b43548e62dd25613f68f72a3630607e5d58d3b11c8ff9b018e

SHA512
aa9c8244476d9ab5863356f061fae11abe10a31016021567f434cf7383a193588e1a9d0cf94ed87d992c37713103bcec437cbed31b3d4ff1fe5f2b9faea0d131

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
405KB

MD5
61159aed550e94fafc78f0e523acde96

SHA1
50d49260bf375a4cae3f5398c6e20b215fad1ac2

SHA256
47f5229a0dcfde3776f781db837fefd64978621daa60ab79bed7901cd7470742

SHA512
c5d0137173910e2753011f5138619c8af54c6e4ff6a6d9f5bcf0345a9d2ed2c5e45b7ee1f14dc6c55259b6896a60ed9ee8b3ac565595463f6f174f6ce6e19467

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
405KB

MD5
f4983f70bc0117a56a38f611d41bf657

SHA1
82227dd6039a78747182dab4bfa432297d1ed2a8

SHA256
f47fcd7f9e166b6743f7885ae532a6062af6a736cc370d9d3de2eaff3afebb0a

SHA512
b0958ef4fb6b08164e4d03fa8f073a149d7b412cdf537cd1476d3139b92983701e9f793aae17dcb52591dd22a38254e9d052324b9d97ef14de4b0a79ff74f091

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
405KB

MD5
f7b841d7260dc412c340db3ede27ed2a

SHA1
79b24da57d9c5afdc72c0929f94fe1fb09fa6bd1

SHA256
d929bb0d6a90c808a1ca8dadcad82151ba6292310b86070add59f386bfccdd44

SHA512
79cf7ca0809d3bd1e4caf0b7b51c9ad043b168339014db658bfc9e2b2e275ec21889c495f4316e70cc24e306d3757c87fa0d431cf1c9326b3957a20fe69104f5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
405KB

MD5
c79980abd731b93ec2fda51d0f639d56

SHA1
8011c19e4010a58943b443d84340e27193cc0c63

SHA256
935c8756f9c53b95c53d95e5f03ece49ef9c32cd48db8897e9e131e60883b1e8

SHA512
eab2be6c694e17af31118067a05ad66d3701b7d930429ef6dc84c24a01588ede24acfd94a1c078456bfaf5789705faa2ea43cc06c675f3ee19426f9934f29c1e

Download Submit
memory/392-408-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/448-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/544-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/544-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/624-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/624-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/744-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/744-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/996-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/996-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/996-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1044-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1044-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1184-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1184-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1284-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1284-302-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-421-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-124-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2152-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2152-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2640-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-433-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3096-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3180-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3180-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3228-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3300-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3300-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3304-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3304-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3308-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3308-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3596-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3664-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3664-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-373-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3756-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3756-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3768-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3768-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3860-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3860-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3972-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3972-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4192-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4192-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4588-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4588-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4592-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4644-273-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4644-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4684-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4684-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5044-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5052-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5052-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads