7aea39c7fe3d92b1466b649d3061ef17875e3dcf3c4f6f18fe85f814f0b49030

Analysis

max time kernel
95s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 01:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe
Size

194KB
MD5

b688c3f8b6897e0f8dc0766feddc1f10
SHA1

705ef98a71345ce5d6d68dddc29b391699d5a4ef
SHA256

7aea39c7fe3d92b1466b649d3061ef17875e3dcf3c4f6f18fe85f814f0b49030
SHA512

4779d8cc44c889cde766dad296e510faed0cb4edcf6648d601ec2bd965abbc286f0e30cae5d8bc38cd8b32790a983e37c3bb78266fa4e34f401ba01298726dc7
SSDEEP

1536:UDN5zTTBgVIebVYKhZatMIM/5/KEatMIGuatMIc/zT4a5GV:2HTVMmMIM/kEmMIGumMIc/1GV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe

Executes dropped EXE 58 IoCs

pid	Process
1604	Jibeql32.exe
4140	Jfffjqdf.exe
3288	Jidbflcj.exe
4208	Jbmfoa32.exe
3580	Jfhbppbc.exe
940	Jigollag.exe
3528	Jpaghf32.exe
1216	Jiikak32.exe
4300	Kbapjafe.exe
1832	Kilhgk32.exe
1520	Kpepcedo.exe
4652	Kbdmpqcb.exe
5076	Kkkdan32.exe
3428	Kaemnhla.exe
3440	Kknafn32.exe
4504	Kagichjo.exe
2472	Kdffocib.exe
5488	Kcifkp32.exe
5092	Kmnjhioc.exe
2516	Kdhbec32.exe
5684	Liekmj32.exe
4064	Lalcng32.exe
4072	Liggbi32.exe
5124	Lgkhlnbn.exe
572	Lilanioo.exe
3084	Lcdegnep.exe
3496	Lphfpbdi.exe
2288	Lgbnmm32.exe
1488	Mnlfigcc.exe
4152	Mdfofakp.exe
2792	Mgekbljc.exe
428	Mnocof32.exe
4076	Mcklgm32.exe
5284	Mnapdf32.exe
4888	Mpolqa32.exe
4148	Mgidml32.exe
5292	Mjhqjg32.exe
1800	Mdmegp32.exe
4720	Mcpebmkb.exe
4036	Mkgmcjld.exe
2572	Mnfipekh.exe
5128	Mpdelajl.exe
5696	Mcbahlip.exe
1396	Nkjjij32.exe
3236	Nacbfdao.exe
3264	Ngpjnkpf.exe
4308	Nklfoi32.exe
3172	Nafokcol.exe
5236	Nddkgonp.exe
920	Ngcgcjnc.exe
1200	Njacpf32.exe
4316	Nqklmpdd.exe
5976	Ndghmo32.exe
4608	Ngedij32.exe
3372	Nnolfdcn.exe
4376	Nqmhbpba.exe
1156	Ncldnkae.exe
4408	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3816	4408	WerFault.exe	141

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6124 wrote to memory of 1604	6124	b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe	82
PID 6124 wrote to memory of 1604	6124	b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe	82
PID 6124 wrote to memory of 1604	6124	b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe	82
PID 1604 wrote to memory of 4140	1604	Jibeql32.exe	83
PID 1604 wrote to memory of 4140	1604	Jibeql32.exe	83
PID 1604 wrote to memory of 4140	1604	Jibeql32.exe	83
PID 4140 wrote to memory of 3288	4140	Jfffjqdf.exe	84
PID 4140 wrote to memory of 3288	4140	Jfffjqdf.exe	84
PID 4140 wrote to memory of 3288	4140	Jfffjqdf.exe	84
PID 3288 wrote to memory of 4208	3288	Jidbflcj.exe	86
PID 3288 wrote to memory of 4208	3288	Jidbflcj.exe	86
PID 3288 wrote to memory of 4208	3288	Jidbflcj.exe	86
PID 4208 wrote to memory of 3580	4208	Jbmfoa32.exe	87
PID 4208 wrote to memory of 3580	4208	Jbmfoa32.exe	87
PID 4208 wrote to memory of 3580	4208	Jbmfoa32.exe	87
PID 3580 wrote to memory of 940	3580	Jfhbppbc.exe	88
PID 3580 wrote to memory of 940	3580	Jfhbppbc.exe	88
PID 3580 wrote to memory of 940	3580	Jfhbppbc.exe	88
PID 940 wrote to memory of 3528	940	Jigollag.exe	89
PID 940 wrote to memory of 3528	940	Jigollag.exe	89
PID 940 wrote to memory of 3528	940	Jigollag.exe	89
PID 3528 wrote to memory of 1216	3528	Jpaghf32.exe	90
PID 3528 wrote to memory of 1216	3528	Jpaghf32.exe	90
PID 3528 wrote to memory of 1216	3528	Jpaghf32.exe	90
PID 1216 wrote to memory of 4300	1216	Jiikak32.exe	91
PID 1216 wrote to memory of 4300	1216	Jiikak32.exe	91
PID 1216 wrote to memory of 4300	1216	Jiikak32.exe	91
PID 4300 wrote to memory of 1832	4300	Kbapjafe.exe	92
PID 4300 wrote to memory of 1832	4300	Kbapjafe.exe	92
PID 4300 wrote to memory of 1832	4300	Kbapjafe.exe	92
PID 1832 wrote to memory of 1520	1832	Kilhgk32.exe	93
PID 1832 wrote to memory of 1520	1832	Kilhgk32.exe	93
PID 1832 wrote to memory of 1520	1832	Kilhgk32.exe	93
PID 1520 wrote to memory of 4652	1520	Kpepcedo.exe	94
PID 1520 wrote to memory of 4652	1520	Kpepcedo.exe	94
PID 1520 wrote to memory of 4652	1520	Kpepcedo.exe	94
PID 4652 wrote to memory of 5076	4652	Kbdmpqcb.exe	95
PID 4652 wrote to memory of 5076	4652	Kbdmpqcb.exe	95
PID 4652 wrote to memory of 5076	4652	Kbdmpqcb.exe	95
PID 5076 wrote to memory of 3428	5076	Kkkdan32.exe	96
PID 5076 wrote to memory of 3428	5076	Kkkdan32.exe	96
PID 5076 wrote to memory of 3428	5076	Kkkdan32.exe	96
PID 3428 wrote to memory of 3440	3428	Kaemnhla.exe	97
PID 3428 wrote to memory of 3440	3428	Kaemnhla.exe	97
PID 3428 wrote to memory of 3440	3428	Kaemnhla.exe	97
PID 3440 wrote to memory of 4504	3440	Kknafn32.exe	98
PID 3440 wrote to memory of 4504	3440	Kknafn32.exe	98
PID 3440 wrote to memory of 4504	3440	Kknafn32.exe	98
PID 4504 wrote to memory of 2472	4504	Kagichjo.exe	99
PID 4504 wrote to memory of 2472	4504	Kagichjo.exe	99
PID 4504 wrote to memory of 2472	4504	Kagichjo.exe	99
PID 2472 wrote to memory of 5488	2472	Kdffocib.exe	100
PID 2472 wrote to memory of 5488	2472	Kdffocib.exe	100
PID 2472 wrote to memory of 5488	2472	Kdffocib.exe	100
PID 5488 wrote to memory of 5092	5488	Kcifkp32.exe	101
PID 5488 wrote to memory of 5092	5488	Kcifkp32.exe	101
PID 5488 wrote to memory of 5092	5488	Kcifkp32.exe	101
PID 5092 wrote to memory of 2516	5092	Kmnjhioc.exe	102
PID 5092 wrote to memory of 2516	5092	Kmnjhioc.exe	102
PID 5092 wrote to memory of 2516	5092	Kmnjhioc.exe	102
PID 2516 wrote to memory of 5684	2516	Kdhbec32.exe	103
PID 2516 wrote to memory of 5684	2516	Kdhbec32.exe	103
PID 2516 wrote to memory of 5684	2516	Kdhbec32.exe	103
PID 5684 wrote to memory of 4064	5684	Liekmj32.exe	104

C:\Users\Admin\AppData\Local\Temp\b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b688c3f8b6897e0f8dc0766feddc1f10_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Windows\SysWOW64\Jibeql32.exe
  C:\Windows\system32\Jibeql32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\Jfffjqdf.exe
    C:\Windows\system32\Jfffjqdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\Jidbflcj.exe
      C:\Windows\system32\Jidbflcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3288
    - - C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5488
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5684
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        59⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 408
        60⤵
        Program crash
        
        PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
194KB

MD5
5ea0e99955c0f5dc0ac53b90c29c27d7

SHA1
27028fe4590ac674533b4ad69ba635f2e40604fc

SHA256
dc3dbc255d0e3e3f1d1e610082601c6b96e4718621fbaae6494e5fb2484f77d6

SHA512
a43190110bed02c218ae279147c6a9ee079101dcfd2b052f92556d0be55203b5053b33a953d0d04da16144c96713f90681b6db493e83fdeca8afd425b30b0b77

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
194KB

MD5
fd3ec9f5e82183a5ebf78e78470ed71a

SHA1
0ea42ed4db792f5362b2de89042e0f830ad7390b

SHA256
bdf3882addd2636e2ec7f1618901f06f9979ed38414397d9ac9a3d526ccdfa53

SHA512
6831e9de30dc686877814a4bc4598528f106f2eb7276f8dd5bc0b1b11bafcdfa92d1b92cac9dcff58e8eccf7f4df10bf48c64926eaefa3e1532fae88a1bdee73

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
194KB

MD5
5565ab175bd5b79593e53d9adc8ea973

SHA1
132ef4cd088de5c30332c370374ae8ba4bd153ca

SHA256
eced5bc98fbc43efcc908438eadcc535df952c219c067d910474be060751e08e

SHA512
6084ddab2c36e9346c892a22b82ac2ceb63a22ab2f75945b114f7b28b32151b80a02da3def6c0d769fefc8c2d2ff842787d2a0b7eea13e3af762e4ab19df1e3b

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
194KB

MD5
41839d427c51c27471bdf299a96b0f4d

SHA1
f483461fb0e3b28c8a356f7d023a1ba21d7b2a85

SHA256
7e5683d052ef6a0b8b22b8d7b20a935dcb16da8fcbc93727e79f78bbd8fad360

SHA512
5ba96c62981c0dc79face53236c3ca6e0d3d0acfae0344939191439be0116f56acf6cd1d025ce3ad8db71647ab9be648b434ee569816230958d440ac8d0b728b

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
194KB

MD5
41a80c8a15c0eb913606c3aed495a654

SHA1
bcda1e8bc3be4db48b96a824958e7d111ebbf03d

SHA256
26bf591259bc2051649766726d983f3ca8e0e93ac7ee84c1cfc5f1798f190082

SHA512
cb2070bbc63bbcb4498db544c453a7fa246f54a4d66b078c9838c9a9df90de8819e82a2b1dba15db584f266b302a60f1397b8cad8f2e51741ae753d2506366b0

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
194KB

MD5
2a6d11c38f2a3af6d9b8b9cf248b90dc

SHA1
b7270b907dadad0959dda7c823824934ccc9bca1

SHA256
dbcb0dcabeb22cfa2da4c19c23a0ef7b477e5bd3b2d741af3e33ff864e257e90

SHA512
f65c2fc78b57a57998daf8057bfadd54c971671bdc5ed60dc6dbe88c67ec8408301ee9e785672506f6eb820fa2fdd9d221167df4facc778bf50b5e8846d9be6a

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
194KB

MD5
911864e8c37ff99b7a9af5509e10388d

SHA1
182dca55dfd692b9613d2497019348377029c9f8

SHA256
f97aafabef99b10a4c23aaf74f3838e5e52ae94dbc244fafa361a29b5951e5b2

SHA512
fdcaf85780a7f8220687731d6362bd38d3d755e4ab44b7bb81096dd49b7fe9af24c68a838aecdfb91b568f9aca09d9d463a38bd60e65c9bc751023fb356b740b

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
194KB

MD5
a1b14897fcac0301682af12f17d8bf3d

SHA1
e04dda29a99dea4b96fe33e5f5d09296fae71b4c

SHA256
aec0d6eb89f9d4c5d3b5d995d7b2db26ea39ec832aa03f36865ca937dc2f0279

SHA512
819182e242a87e4f9b8f9d0d3b5cdf6f5a7989fb5d171c5d0c5f458b8bdbf306ad37630e8b6304697e58329430f8bc211d3d42ea4f398ecaed20c15510de001b

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
194KB

MD5
b347c21530eccd648fa06bae6ad4d9ac

SHA1
ca0243cbcd5e32274053cdf7c86038f55769e4f2

SHA256
aa9ba20de18f1f8cc8f16cdae29960b3952c1aebedd4543f42157a12063bacd2

SHA512
6146f5ea29aa53cd4bfa43cb2951809c32d95903b940ddc44efc75e5ace2cfba277b5ec94961865984f88588c0f51c395e5201d6001728ca2071f5d93440a6c3

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
194KB

MD5
2f7a941bb0de5836575176d9996bc1c9

SHA1
3f14bf3e51ce9f718932781930c55b66ffdd061a

SHA256
3f723e5feeb542c211cfc4e1d525f2c82fec6c1ab1e887860eaf49502c71f3eb

SHA512
af1f3f79e9075ce3b7d8f5c045f608ab18e1a13b0541ec66610ebe8dc0c0abfae63e7530d5a36bc8997c372651ae441757e4af9650cc35614328b90813e9d560

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
194KB

MD5
8a2174ad20cbf615a6a3d46455198cf7

SHA1
b2dbd55cd0c70a65e6c27212ad357013c2bd7d38

SHA256
96309644a2a6627c090c124d95561d52ebf539a200f9d7348625e142548d7116

SHA512
dbc6511b3f865d15f4687f3ef5f072114c71977f423ce551d19690c1c0aa5ed9f79c7e15cc84a477eb1b16c8248a8913844f565a149abf4af0b59b4d987dfee0

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
194KB

MD5
d33e81d24f679d9271793e6de46b9cd4

SHA1
eb84648f098b328e6dcd1d2f30c6d22ebb48a6eb

SHA256
c8996dfdc936f31f53e9729c14e5ddce7cd39ab67521b68479759792ab4caa89

SHA512
ce87ad9aa857d8b9c7961ae39a706114efd9f1d8942ff9b15faa752312063084cea271f95c24cd3e847057b460a086491cdab52ce3c78347a1ff249d184fc05a

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
194KB

MD5
be8ab4ff83e9a9307e1e850e8eed01e8

SHA1
8bc684481822b67cb52e18944588411b5826ab7d

SHA256
596917ba7d0c4068cf7c76a57cbacfbc65db46f5f58f557a5b1a50cb2a3eafbc

SHA512
dbd48eacff67647e15d8e68da6815177cc91fd0e582b420873517f5763ad1f3045578b9b0eb66b1c9c99c6e59ba29ca19842c56d4162f66a18e823b77231fb5a

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
194KB

MD5
b7b4d528a377f66b74e549cd4ea63685

SHA1
18d594e202cfea2c2035602829789750a8dbd522

SHA256
0c197e93c45effeb954d3d7c6df2eb76bc5531bfdd9c25a02574ebc698d1f394

SHA512
65aeedfe01a444fa97b8a05195f779fb61729115045eb48f949aec2b2c12e7bcd025c8470a9b8edea8232da0c955b30bd208c3041b8ffe001e9992be7e8a2619

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
194KB

MD5
5ddc07278262ad99481f273de9c0746b

SHA1
6ee7b140a9a8124e3a12f06f43fe8ab8c44f680b

SHA256
61d72157236880eb4f4fde2b21663262fc68786e37e292a758d5d65e55c174c0

SHA512
4a6d61fb9715d3ab69ead698a57e600f37f26a3b847e7d8d8fea304489189c951e093b84a522218ec34f7f90e584b837d1013ad96a9ad895a81724dc211a914b

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
194KB

MD5
48f2e0585c23ee3b4ba3cb15caf6b75d

SHA1
94830ade9f37397d593e8a9f5840526ca878116f

SHA256
ba37792b6b047e8a9fdafc67a18e552d0d1e60177e53b49f9e9201106207729d

SHA512
d35d22e4fea324d74da98a272606d5c9d04c886eaacf9c1a20468769632ab34bc7892b3562b4eee653768a896fcc29ab366df06787fbb532cba222643472971e

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
194KB

MD5
dcd982bfccc692a9d5a827e331350769

SHA1
b1efdb543e88ef9573d6d59cbc654536e00d329e

SHA256
76fcd8722e043c773857e1262c83099189b333a165d1e5a34ab0a3e2ab29f8bb

SHA512
5dd7fb736730c315f0cbf602240d776db56f559b50ecdfd615fbbdf8ce050a95271af5338134847291d35facf7e761ac9ca46e378d6bc809c6f89befad5b2dc9

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
194KB

MD5
ea2a3aed9bddbb50a6ddbf9ecbc55c67

SHA1
5cef066159f73100f77260f4b4afa1a00c30d0ab

SHA256
1f453899c84c9ce0ddd085e689ce7f2d1d1236a250672748b51951ed27b74bb6

SHA512
e8cae3c534d9e944269296e91284c72247980f24416cb9cd04ee112195bbb1fb99f19c5c0b55555dfbaf574b52a6f99cfc84ec0fb7c46cd7afac2324b5a688ae

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
194KB

MD5
5252c236fb5c1acb003846e30c78d289

SHA1
dbad6dc24f764282ec4fcd97723de5459607e929

SHA256
b7e45485c9e26e8aaae87c88b2a988e1dd382a13ef99819d6a38ebb71450e321

SHA512
0dec42d63a517a6c86171ea6f11d4c93f0c561888e2d83f14184acea0ec2836780e54eac89f687696687725b15dead921e6b8cd532dd63cca0aea509e5c2bf36

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
194KB

MD5
0641f4e17b9d07533f20fbd5eaa44612

SHA1
8249fbc1ce175f7289ac44a8231335f64b4242c9

SHA256
ae67b72bcc1182a37e1817e1a5fee9337e679b9cf5fe13ad89811418c57d41b5

SHA512
a445bb7e7aec4de7f3432ab889275a177b08445eded21b5f22dca3d56b34c7bc87b9d47caf39fb28c2f3d11e196bd03ef44797a6fc65a6268a0acb177ff2b4b3

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
194KB

MD5
e922e3f6868072b3476cccc95c656e83

SHA1
2334e836ef907f7628f748b8a2aa028e6f5a2520

SHA256
7a36dac88f21ce5db1d1d8a6cf6f1f47048292fc6f7d07676836f2cceee708c5

SHA512
a78986f2fa6de8274eacfa0f70abbeda18dd9fdd3a9465f056c71616dcf91eec1ec3b8225b765ae708eb59d6cf24c4e688ffd9b666bdb65cc82b99058c55f9f6

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
194KB

MD5
4039ff60452cdbb5b950848f1c4bbf6f

SHA1
4980360b9f7ad572b34827743e65688e3e06a8ce

SHA256
326e71a3480940cf6c762a6fc9c77a55f622f85d84e09fc7d98360c1e4a352c0

SHA512
f49e60da1feae799067290888f9c9f7d394abf4760ff88a26918af37b3e32528f000a93fdc4044667d1edac292ffb69ea12bc0add96b5493393c78ad176ffe8e

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
194KB

MD5
a6b0f639424d15c975be837cd0667987

SHA1
38c39bc5a51a339d30f615b4ff4b44982d1c0054

SHA256
c899aa30486581a337c01ae4e9c4a28206b3985ffec0ad8e2319d08a9b485c4e

SHA512
7c03354edbd7fff883998aa86d72681d9185484d1fc8a24debb5c5b59a08b68901407fe23809f154f1c85bd90d27772a59531ddff4fede533fe12eed38670e5e

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
194KB

MD5
09b00da7cbd1a101b89c703a8dc5393e

SHA1
0c2c9fa0db3ede708e86972b697cf581d2e404cb

SHA256
b127c53c0a59e3f23ee7452cac2ba4d2358b06cf8e0c8d99e61135e07caad136

SHA512
aca331f2069d25cb58a1d2f821b524c5e206c04ff4bf3736de6c00ad28a5c6ab99bcb1113c2e9e808f726222a5583f2c9c4548f60b7a80044099ebc0909aa6fd

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
194KB

MD5
7ad9ea6a7eaf73f6d2f486e362006583

SHA1
e13550c72a00b1e12776664769992419c627390b

SHA256
9278946ee000363ee5cdfc32f037a239a22c755beee3d24f1d579c35ec88ea0d

SHA512
efb804ccd0e505272dd38db6d8f14f8571c9196d78e9d30bc9a74f1c58c4d78bffc3357a8d771f35fe7c17bd2787c8c2beb200c94d83367fa18bec63e0f4b272

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
194KB

MD5
e7b18f2a3db14dffc950acca9757c019

SHA1
921d68c4a599aecfa00cc7bfae073d5edf7eb514

SHA256
5ad49bc4a03cf858f5df180949d33432fb679d23c1c4092e190ef734d752ef62

SHA512
19781728959536fcab88c66b017b0dd8cf8f845cfd3c9dc845ba48950843c42d8654201a804ed245e7a6425ee53d05fcbcaf9a591f287ce98a8ada598efce091

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
194KB

MD5
7b7aba4e03ee7f73a0f909ef4943cac3

SHA1
3a9b4a31380653cdfd28601736465bdee5cba03a

SHA256
ecc6fc007325f938a78ccb6ce5465ace717988c543c046869a288841210b314e

SHA512
f966de43871490914d375f4cc8c8cbda219ed48b1342dc38dcca916371572e2317758c8640d06e1689339d3dc17f5929ba0707074666609d0b599d5624d635de

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
194KB

MD5
da2585ed6ebd74e9c5223a9d5a177b1b

SHA1
cefd0eab256998bc66a34ce2e79318cdcbee94d6

SHA256
0e0edbd4b656187ae0ef14badc0d62e62fcae6c543aa21f0405ebc1d76fa303a

SHA512
8a6af8373cd7e04992d7104271ac8f885d113111c491707f9ec6cf4243f76bf86ae6c8d8dfa8908a0842b1a0e5d0c72af7ef64338a057fed374738b90b585b79

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
194KB

MD5
4858eec0eec32122ac5751f0770eaec5

SHA1
69e7966c21a9c8d0992511ba9adb73f06d804782

SHA256
143dc1712bdcf1085b26d5e337ddb6a6ac7938117ab484356aaa7adb14b758e1

SHA512
d6cf82f29f0b835149b8846fa033608d83746bb84438e836f31b8ce0e81bf25e9ccb4d00ae164c70815b46d9c305b4c7e7b315ca0341a0ba39bdc6a52b437bc4

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
194KB

MD5
a32a652dd5f14478807058b17b2138d1

SHA1
269f3008ee59ab6c15660034c52d457fab0719b2

SHA256
3762781b241c3be1f161ced654597882f71478fdeb310cf0515b658d17f862fa

SHA512
fc254ccbfbe0381244163f00bf0924e00bcdc14130fd07708809e8f71b3b96eedea0277a6a1dda85193e09c4ff46c80e083d11ee9d5ac1a0c0fb721208215a9b

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
194KB

MD5
6f8f9e5e47dcb8486a88c19163202a45

SHA1
2ddc0aa4d443d8fe1009e4841daff453a6592baa

SHA256
74e1e4811e00c18945d4c459720023c8a3419e93dc372cdbc2ec068e60c4f7a7

SHA512
b099e8f02f404626fbb1406dbdf3caa4edab824ad2ea013d76bd4a200ea98a4086022903754c617a299f0ea2f18e10f5b8f95a1887b5a1c1cf82efb7cbb19fa2

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
194KB

MD5
d393712ca3ea82a613b75bfec1bf3a76

SHA1
30ae393bbe592368cf7a3f579a9ce57291ca8862

SHA256
368b29b033cec59cff57fdf2c06dec7f97f7fc00854997fd8c39d27ccf9b9cbb

SHA512
7b630a985a5abc03d0a733ab62a00e04add52b4bad39ddda0d5f4c4cb4811ec9a896ab461165626d7372d557b65eabff43d2042861505d9a71d12895216e1cf9

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
194KB

MD5
45514d5dc5514d219265f374da148414

SHA1
accee5e1c4d72910d5b3c5667007a9441f71e73c

SHA256
7eebdc5a760e744d15a1ab9d077788d06153ca98e55a23c29a0cfa5693aad84d

SHA512
611efafe7b35b47c3f4885b673698c32dac6b00c37f5d76d29857bcc66425c78a5bcdea8ad878209948013a888a7f2e16233aa0c54a7e3bbf297e89acb49abb7

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
194KB

MD5
2617d3b1f64f5b21844aaa96c11fcd84

SHA1
290b93c2760c9d2bb523273894dcf3182c3a5945

SHA256
a59a0cd12a91d546f2f428864854b2d6bb8814b088ecad876f1273d9a40b3fc1

SHA512
bf1fdd791a4116a9bb4813e4c41c735a866cca4aa2348d57f76fd8b0f922b84e66d99abd05ffed67cb76acd82d7c843a8a5397a0e403c1fa05b00033e838b6ce

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
194KB

MD5
447499f7a095f4e9ff86930490ac8fa3

SHA1
ac8a7b6ec11f649b9a8263166b69715733386056

SHA256
7d17c61c239d8738cb23f97c4f077a87ecdbb25d6759037eb6bd52482c20570b

SHA512
9669d78656cc3958c499a44c8276cb1c10fced63a87e205654cadb4845738785c221502693f4ac17ea43a18f49b344e2f62f775113dca9dc3936d66d8cf149b3

Download Submit
memory/428-455-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/572-197-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/572-469-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-419-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1156-406-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1156-396-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1200-361-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1216-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1396-431-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1488-228-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1488-461-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1520-497-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1520-86-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1604-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1800-443-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1800-290-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2288-463-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2472-485-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2472-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2516-479-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2516-157-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2572-303-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2572-437-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2792-243-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2792-457-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3084-204-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3084-467-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3172-344-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3172-423-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3236-429-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3236-326-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3264-336-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3264-427-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3288-23-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3372-384-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3372-410-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3428-491-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3428-110-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3440-489-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3440-118-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3496-213-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3496-465-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3528-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3580-44-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4036-439-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4064-475-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4064-173-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4072-473-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4072-180-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4076-257-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4076-453-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4140-15-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4148-275-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4148-447-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4152-240-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4152-459-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4208-36-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4300-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4308-425-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4308-338-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4316-372-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4316-416-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4376-394-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4376-409-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4408-405-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4408-402-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4504-487-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4608-412-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4652-94-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4652-495-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4720-292-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4720-441-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4888-269-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4888-449-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5076-102-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5076-493-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5092-149-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5092-481-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5124-471-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5124-193-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5128-435-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5128-309-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5236-350-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5236-421-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5284-267-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5284-451-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5292-445-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5488-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5488-483-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5684-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5684-477-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5696-433-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5696-319-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5976-414-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5976-377-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/6124-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads