c99e62fc3744aab9e559bcc8d561daf8b400fe1888b0488ffaf24e13f048eca7

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c620cabe32bcd83b1eab010b34856db0_NEIKI.exe
Size

256KB
MD5

c620cabe32bcd83b1eab010b34856db0
SHA1

da9152c5b024a9d475e665a0d390ed07c5c2a8d3
SHA256

c99e62fc3744aab9e559bcc8d561daf8b400fe1888b0488ffaf24e13f048eca7
SHA512

4c1014119f6e3afd8cc1c9dc4d283818531c33cb5fedd28fed57b2b34ce294d4d48e3f4d587edb2d58faf8171523c2d647d4ed037570369815d2702e67b95bf9
SSDEEP

6144:8IyTO6KpLrM5Dq4rQD85k/hQO+zrWnAdqjeOpKfduBU:xfnaTrQg5W/+zrWAI5KFuU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c620cabe32bcd83b1eab010b34856db0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe

Executes dropped EXE 58 IoCs

pid	Process
716	Hfjmgdlf.exe
3508	Hihicplj.exe
1556	Hmdedo32.exe
2992	Hpbaqj32.exe
3536	Habnjm32.exe
3340	Hbckbepg.exe
2316	Hccglh32.exe
2088	Hfachc32.exe
2876	Hippdo32.exe
1184	Hbhdmd32.exe
1036	Hfcpncdk.exe
2204	Ijaida32.exe
8	Impepm32.exe
1188	Icjmmg32.exe
2068	Ibojncfj.exe
3620	Iiibkn32.exe
1136	Ijhodq32.exe
1140	Iabgaklg.exe
3316	Iinlemia.exe
2824	Jfaloa32.exe
5056	Jagqlj32.exe
1996	Jbhmdbnp.exe
2080	Jaimbj32.exe
1456	Jdhine32.exe
800	Jdjfcecp.exe
5012	Jigollag.exe
1088	Jangmibi.exe
3544	Jiikak32.exe
640	Kkihknfg.exe
2740	Kkkdan32.exe
4384	Kknafn32.exe
2332	Kkpnlm32.exe
2172	Kdhbec32.exe
1236	Lpocjdld.exe
4196	Laopdgcg.exe
5052	Lcpllo32.exe
2388	Lpcmec32.exe
3240	Lkiqbl32.exe
2248	Ldaeka32.exe
1592	Laefdf32.exe
208	Lknjmkdo.exe
2608	Mahbje32.exe
1112	Mgekbljc.exe
2972	Mpmokb32.exe
2956	Mjeddggd.exe
2064	Mpolqa32.exe
3616	Mkepnjng.exe
3204	Maohkd32.exe
4832	Mcpebmkb.exe
3748	Mcbahlip.exe
564	Nacbfdao.exe
2156	Nceonl32.exe
1424	Ncgkcl32.exe
3336	Nnmopdep.exe
3520	Ncihikcg.exe
4284	Nnolfdcn.exe
5016	Ncldnkae.exe
4176	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jigollag.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Iinlemia.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	4176	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c620cabe32bcd83b1eab010b34856db0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 716	2148	c620cabe32bcd83b1eab010b34856db0_NEIKI.exe	80
PID 2148 wrote to memory of 716	2148	c620cabe32bcd83b1eab010b34856db0_NEIKI.exe	80
PID 2148 wrote to memory of 716	2148	c620cabe32bcd83b1eab010b34856db0_NEIKI.exe	80
PID 716 wrote to memory of 3508	716	Hfjmgdlf.exe	81
PID 716 wrote to memory of 3508	716	Hfjmgdlf.exe	81
PID 716 wrote to memory of 3508	716	Hfjmgdlf.exe	81
PID 3508 wrote to memory of 1556	3508	Hihicplj.exe	82
PID 3508 wrote to memory of 1556	3508	Hihicplj.exe	82
PID 3508 wrote to memory of 1556	3508	Hihicplj.exe	82
PID 1556 wrote to memory of 2992	1556	Hmdedo32.exe	84
PID 1556 wrote to memory of 2992	1556	Hmdedo32.exe	84
PID 1556 wrote to memory of 2992	1556	Hmdedo32.exe	84
PID 2992 wrote to memory of 3536	2992	Hpbaqj32.exe	86
PID 2992 wrote to memory of 3536	2992	Hpbaqj32.exe	86
PID 2992 wrote to memory of 3536	2992	Hpbaqj32.exe	86
PID 3536 wrote to memory of 3340	3536	Habnjm32.exe	87
PID 3536 wrote to memory of 3340	3536	Habnjm32.exe	87
PID 3536 wrote to memory of 3340	3536	Habnjm32.exe	87
PID 3340 wrote to memory of 2316	3340	Hbckbepg.exe	88
PID 3340 wrote to memory of 2316	3340	Hbckbepg.exe	88
PID 3340 wrote to memory of 2316	3340	Hbckbepg.exe	88
PID 2316 wrote to memory of 2088	2316	Hccglh32.exe	89
PID 2316 wrote to memory of 2088	2316	Hccglh32.exe	89
PID 2316 wrote to memory of 2088	2316	Hccglh32.exe	89
PID 2088 wrote to memory of 2876	2088	Hfachc32.exe	90
PID 2088 wrote to memory of 2876	2088	Hfachc32.exe	90
PID 2088 wrote to memory of 2876	2088	Hfachc32.exe	90
PID 2876 wrote to memory of 1184	2876	Hippdo32.exe	91
PID 2876 wrote to memory of 1184	2876	Hippdo32.exe	91
PID 2876 wrote to memory of 1184	2876	Hippdo32.exe	91
PID 1184 wrote to memory of 1036	1184	Hbhdmd32.exe	92
PID 1184 wrote to memory of 1036	1184	Hbhdmd32.exe	92
PID 1184 wrote to memory of 1036	1184	Hbhdmd32.exe	92
PID 1036 wrote to memory of 2204	1036	Hfcpncdk.exe	93
PID 1036 wrote to memory of 2204	1036	Hfcpncdk.exe	93
PID 1036 wrote to memory of 2204	1036	Hfcpncdk.exe	93
PID 2204 wrote to memory of 8	2204	Ijaida32.exe	94
PID 2204 wrote to memory of 8	2204	Ijaida32.exe	94
PID 2204 wrote to memory of 8	2204	Ijaida32.exe	94
PID 8 wrote to memory of 1188	8	Impepm32.exe	95
PID 8 wrote to memory of 1188	8	Impepm32.exe	95
PID 8 wrote to memory of 1188	8	Impepm32.exe	95
PID 1188 wrote to memory of 2068	1188	Icjmmg32.exe	96
PID 1188 wrote to memory of 2068	1188	Icjmmg32.exe	96
PID 1188 wrote to memory of 2068	1188	Icjmmg32.exe	96
PID 2068 wrote to memory of 3620	2068	Ibojncfj.exe	97
PID 2068 wrote to memory of 3620	2068	Ibojncfj.exe	97
PID 2068 wrote to memory of 3620	2068	Ibojncfj.exe	97
PID 3620 wrote to memory of 1136	3620	Iiibkn32.exe	98
PID 3620 wrote to memory of 1136	3620	Iiibkn32.exe	98
PID 3620 wrote to memory of 1136	3620	Iiibkn32.exe	98
PID 1136 wrote to memory of 1140	1136	Ijhodq32.exe	99
PID 1136 wrote to memory of 1140	1136	Ijhodq32.exe	99
PID 1136 wrote to memory of 1140	1136	Ijhodq32.exe	99
PID 1140 wrote to memory of 3316	1140	Iabgaklg.exe	100
PID 1140 wrote to memory of 3316	1140	Iabgaklg.exe	100
PID 1140 wrote to memory of 3316	1140	Iabgaklg.exe	100
PID 3316 wrote to memory of 2824	3316	Iinlemia.exe	101
PID 3316 wrote to memory of 2824	3316	Iinlemia.exe	101
PID 3316 wrote to memory of 2824	3316	Iinlemia.exe	101
PID 2824 wrote to memory of 5056	2824	Jfaloa32.exe	102
PID 2824 wrote to memory of 5056	2824	Jfaloa32.exe	102
PID 2824 wrote to memory of 5056	2824	Jfaloa32.exe	102
PID 5056 wrote to memory of 1996	5056	Jagqlj32.exe	103

C:\Users\Admin\AppData\Local\Temp\c620cabe32bcd83b1eab010b34856db0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c620cabe32bcd83b1eab010b34856db0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\Hfjmgdlf.exe
  C:\Windows\system32\Hfjmgdlf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\SysWOW64\Hihicplj.exe
    C:\Windows\system32\Hihicplj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\Hmdedo32.exe
      C:\Windows\system32\Hmdedo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        29⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        59⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 420
        60⤵
        Program crash
        
        PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4176 -ip 4176
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Habnjm32.exe

Filesize
256KB

MD5
6a95e4706874844c73e1999564b4601e

SHA1
32f6f67639a4bf4816c9898343a52a31e5697590

SHA256
8cce4bfa4d3ccc8d21fd0935c9bf4b6763fe605b94e152100c4349bbb4db7c8a

SHA512
37a10c01e2d2061c8c807b2824f9dcb177369876d76f6721028f24efb15f39aaef9c17a5cde2fa876d02d4cb5245948c9d51c72816a115a55613bbf73d85e697

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
256KB

MD5
f66495ad945a00d22bd5c286233beec5

SHA1
271087ecabfb7972cddd95f285ad74fed4b39e4f

SHA256
93623b57e2d425faff55b6aca67d1981508fc80126d6d9ee9ecb4289ed33541b

SHA512
8f372638a16343a425629a7afc2d59fec53a288481c7945a799f46b77baf05586e6367b1ee2aab601d9b79e8a4694d45efc4bef582a7e27395830b94b3a5e5ab

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
256KB

MD5
797bc5e1c231061d14ad212d694c7526

SHA1
f9c3d4f64e23700806e4060e6b1b5835721d1ca5

SHA256
45826903f118cdb6cf17ff0a9303bf2f837ec842544cf26dd958a731ca4948b8

SHA512
d4ec5aa0d06c9205a2ddcef6d82c195f5318507682a1eac5ab35ef3c4b21327e2d0af37c410fce7e8106c087bd506acda3c67932761972772cda6dbfeb530ff2

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
256KB

MD5
65d7792bc965d3cc5297b345dc284e66

SHA1
fcdb578877060429e5879c69dd2079448e110278

SHA256
12eef57c8ed4adb87446d5994a051109b08352e5347e8e1b98d183a4afb57108

SHA512
7b7b5dbc89cba412f24c5a60f698c87d33c4e26bd6dfd7be0c53f10790aaf93fdb25d4ebf1f075e6435722fdc372a71e21ada8d1f3bd086959a7e8c99c443e91

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
256KB

MD5
db803b336120c0f223c3a7ece730d33a

SHA1
cc5d475b624fd984fe776792313912c18ef76883

SHA256
f644ab6e2e525cfc47954469d209b3db7cd5b90e81478b674d7c9c5deb408ac4

SHA512
aefe7317124c72625675881fc2ae3e95c98c98ebee9481ef9b3c0c38ed5656f8bc91081570c13f33e77abd8b8a84d8687bb11a5b89ca9479f8f982b8c9c8cd99

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
256KB

MD5
b319f9485273ba88217a286143f8b32c

SHA1
f1a83bfca3ec582bb7c2ed0637f5470febf98a4e

SHA256
c51eb0bf5a5c31e9b63dc26ccd4d1c724ae4efa7008998baae7c5b17a7b937cc

SHA512
89e4222aab4701baae0557b0c3a253890d10c72aaf4aad8752963dede5bcf96c1754497507900131f9db756c5062c5a5f1ada8dcf518e1b6f34991194b30d1fa

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
256KB

MD5
cf40ab9e4c859662493ab9c8769c6b28

SHA1
db0644f814de0af5d24b265b370097f96a08ff18

SHA256
caea8fc6cfa6dca5f1dfca7fb0760a42b9eb5ecac9cd389b17d7cbfbb770d327

SHA512
7994afd10eddbcede17e6482d1b3db451dd53447c18436e204f704124659773eb886679049f96b0f66c666329a5496e3130b73e89a4b70339742492e54752e52

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
256KB

MD5
40cb29390c80afe26321b90d1878e152

SHA1
a64072c662c94cd910608d7ac88a256bd813a725

SHA256
be33721b41a6f5b0a34ccc0e48fa96ff82e957001e52d48d89ef327853097b0e

SHA512
ebd784cb1bb738ba0efd9d849d674754c4b031592909571da5d5436836e95d7286302890a536e493e64501b1db88aaa9864b34a3ab428e4cb0b3f91bf7d1bf80

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
256KB

MD5
55dd7c37b4f3a5c39041542894109d93

SHA1
4ecb5afd360390e5332b1405ba9280f3e07250a5

SHA256
0e99c5d68e1c797f5039c414f32430aa029de17884288b4f4e0e61bf90d41f95

SHA512
26b6d8c0c1ac8e5cb8182b800162f25e7c54d74a24a8939497d4daa0f5d326b4105bd7dd9f72dd24f4ca10ec74d8d8288a936ba674e60894a5a933a5372ed34f

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
256KB

MD5
910354b5731089fe94925e633cceb946

SHA1
c1e80c7f18187b6c0e2a8fb9e315a5e52ced8e19

SHA256
de101d0930fed12db690688d9fce2b7f14d8701193023fb5f3c318e9869b7470

SHA512
7796005c9c8491dbe62f800b7710aa1f9efce161669b68af77f42b5228afdc8605708f059662134efe00c564c526bacf34aeebcdff358da00f3b13c5db3bc744

Download Submit
C:\Windows\SysWOW64\Honckk32.dll

Filesize
7KB

MD5
bb007e837f9c35b60e005b3bfe114989

SHA1
58d9944e4cacf8ae7f3895660b0942ea5f8ef493

SHA256
cb52df86360072311a5109f81457f06e3765920cb6e656572142480badbb04d0

SHA512
9b7305ad1cbc4ece3b5b5f3c952ae5b4a06e07edf5c29f4a1615c4aefb25647125a1dcbde7a4abfd4fa82b2dac241f131b67156836baf55b2f5da2de157e0202

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
256KB

MD5
a41405b66978401b4f3df6db263e4827

SHA1
a4588e98bdf815addf79d37af19125e6ce74ed99

SHA256
d2a66f46ce1abfcd909156242588ecfd85891223646632cc61f91e4a2faaab52

SHA512
89271aa41fd6434f814f1deeb00fe3e9a7676fe80db8ffee05c90eedb90564d89cf5280ae9675b2254146f2295e812a2af0d5e2ea2c32b54df3e12034badc2d3

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
256KB

MD5
0d41f71e31f75637324591d64c8df6e5

SHA1
906ba7a397cb9d1218d2d57f5dde2fd6c76e95b4

SHA256
df8aae224910f1d06522d44abab21d09dffe74571bedad20a11c751e2ad6138b

SHA512
9be07ab6eb6aac4fa6057dae1754c21232f930775fb872b878b8bdc404e17a4e217a52a070187dc721f4d36804c6407f6e264cd2deb121602033a2a18aab7ee5

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
256KB

MD5
1ca2531a66d1e3f863670da20658ccdb

SHA1
14cc86522abdf30686ce055f701c2bba2ed7216f

SHA256
35b45c78f2b311c6fe8baf2aec74768e33f344123b6a221d4d26278f13e1c45e

SHA512
1841f155baaa40da4a21188f10606017fb22914467e1ac46e19010321a7ad0c473085c8f6db1bd977e28a1404e983b6e803cdae3add13b76aac0141b5de27a9f

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
256KB

MD5
c130c716c8a0bb3b095b7e9e33a0e9ca

SHA1
daf57584e6de5cce87c15ed7fb16464922540f52

SHA256
89ac531e665d0945305621fa3be33a9ad5e33dd3392443f0ca97e5afc654a5e2

SHA512
1e82987c282736ade44efff0376d4d23f63c9889c91d199b8f918cd7c60bc1ee7ec69da0e4deea2c744ada6b72727d5b34d210d81b5d34bb076dfc26a0fbe57d

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
256KB

MD5
e897ae9c9f0f40847db82e540e3af8f7

SHA1
c0563ac9ac58a98bd0789d9f0426ab063f96f0f9

SHA256
7204ddf4ba0444bbf81cff2ae3e349b94a5302ebda67ca815f20c54748248380

SHA512
c7ba14d46ae8ab384e26967ad41075ff7131e54c2c777e2c8a4b53d008966a1676cae5fed96568ba148dce6973f86bbe5de5c2320976a9a5868b8a570fbf51a2

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
256KB

MD5
3417b9f51f4719e067387e74a5048815

SHA1
15b7c8ec9e8d30d105a10add702d8371df07879f

SHA256
93d817e0afc86ae24279c505f9f80d10a123c4d518d948ed723a36d465a36b14

SHA512
59dc7579282db30c3683e768c55340781771c6096f9cb99cf0c0949ed2626cef115554b2e86262d55f9819377f8a3871b951264705e7d321be5a399d64a302cd

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
256KB

MD5
c0101965c3d70b11269c8118ea41a6c3

SHA1
f8206956a9cf601414aa4ae3d99b700f861a38ef

SHA256
2048024dc6433ef6d0c92c14aeb48907ae4c815221754043650f97374d88d8e1

SHA512
e2d271e3a3eeda5ae34ec73b31a564a8c31af77281a7ef0f0b35ba6fe65be19ba55ee1ddfbb38f8ac3bc83d4461fb3c2d8cf41fc23e42cb6d626afd23d5c1f77

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
256KB

MD5
075970eb713af9d02ba045d57bdfce05

SHA1
3475f22a01ae64d4ce5ed9d6f54190780baf8cc1

SHA256
1cee12c6f22d6584e82655dfc66b5bfb9977dfffc6f38a712da5a770be7b0215

SHA512
02d1b44bc42440d49f22b4035dc2f87b16cc8442e226da08c1f983891390155aef221026e31071769ca9bd3697c0f624bb62094f731431fa9f341c6cbc35c260

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
256KB

MD5
71e420f68622b89177069be3aa215fca

SHA1
1dec7a07256d55f588e725046c41f19cbfd5a8df

SHA256
863cadaac058017bc87348371ad1d16635ac616aa09282d0bbe4609773f60438

SHA512
61d000360e2d66d31d75cd209c5ceddac5d0fcc7abe86170f13b8ba8402c8546825220921b7bb8e77b6247093d94de739664b83bb71888db90aaf7dfaed46825

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
256KB

MD5
187d8dca666d6d0bd37b9cb79852dc33

SHA1
df7ad203c6c119285de16e685bc7b8b2902bc370

SHA256
d95099c0b38b53934559b1971732b2014bd7b31f3d59a8f33e5532190d729165

SHA512
bd3e2a98f5f5ad6169db40f68d91b831c9aacad35a47cd53fb73a7b2f3d6e104b83f98779555718825d3efac687935825f792b7aef0edb6a0b3e9b8534a181d6

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
256KB

MD5
4100004ac63d6f996d3cb75ce649efb0

SHA1
56b0f62166e454953b6e30c8576baab0e08b9487

SHA256
4510d31dc7f38c931728b8b76a418f03dfd6ace51ea096714e11a7fae119a834

SHA512
26679cca7a849321435b799be126d9bbba32f44aedbb28f8d1cd4a51d5d8011ea90f21ddd78af90daebedd379d5079e97a5f4c6fbaeeca96a5c9cbad92fc75b2

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
256KB

MD5
5e41e0ebd02e05754e1143f17ac4fe41

SHA1
1dc51c01d8711b8cd10f6e705162f0cdfbc87eb7

SHA256
a636930b7314b79b2a41d22eb2038d8ceec2ed0d447f6a922aa5f47dd81ba6b0

SHA512
fd8d655c76a887563c3b8db777106483c9c5f7ed6d420847494cd83dc91fd9736d02e464518259cce139ad5b2c46525e9a9b5a611c6190f39b64dd9a2cfa8a5b

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
256KB

MD5
2c32eed451b529fa8f059c6e4ac3f58c

SHA1
d53c1b1103823ffaf4904efa1700d300ddcb5da5

SHA256
17c9811b1d52f20fc31db98a0fcd0ef2592762908ea7b23eb54bd9fc6fe7aa71

SHA512
fe32276cf0977a9ff4a184938b3913e94512763c4df8ece758aeae8b68129390e699ce172cbf29aba316a292ff2ffc9eca0c7fb4cd46a546c9c116e800167737

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
256KB

MD5
da2341d34c6baaab03463110e92f1d6e

SHA1
87f164adb390b0f3b13215e854c9ef5f7623c64b

SHA256
af33856c52c5bfd3a46849b69d5f531e66ded9891411a9dc35bb49565c8af6c6

SHA512
20c113559ac76f0ab856ceb3a8c4030fa67d2237b7ee23127e4874f0c277378404cd2d09b8595ea799a95a515572367fd694d4b6f686b80f74a6403b8b550f6f

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
256KB

MD5
4f57ee644e028b6319eaaa7b846620e1

SHA1
2acb132eab8d4a9e959bcf7eedd4e93d49b2d3b3

SHA256
a044f46f7b212482a447384ff11f83abfb12bdb3c4120167bf586b3060d4c7e6

SHA512
b33505fce0f42410ca88a7e95ce6128274e3a2037fe44e639858d7c903387905818bf6674b0f93be0abf55cbd31dd9e532b9d5d51e2bd5fe7d32d64555ccfe06

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
256KB

MD5
b82f050f421def55984d7f0c51e754c4

SHA1
9b341a9e108bb1cdb329ea7dc243b5cb3bd8deb4

SHA256
2f2454fc6f5d92939dbb52637ecee191bd0a747f5e64a0ce27f9e7c5a0219661

SHA512
b9fb1370bd2c67e0ba813a05205b351874bb47fc3c077f4441a9352cd8ba2ad19cadf48b5e3a6b9cb1e1316e46609493e6ed799ca25e57b3061c5861d4150dd4

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
256KB

MD5
1da2dca380b2ff4a0b71c71b62f1a9f4

SHA1
22a97218f3776885c2f9587a594691ef91e5fdb7

SHA256
e1b8c61f18d1c360f76faba6c8c3ff5132f67678cece5a54e35ae85fbd363f66

SHA512
b5dd2e0c4edae3ba23a4458d57b60100ae3b6f21a2c8f599653f9a0d0a4d1b1a43114ef8b5c1b33c51d73c02b7b6bf6d2aaf843e3bcdd63c0f0b018d1c67a20a

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
256KB

MD5
5a548fd5f58a6fadd38e2ef196f8b7f3

SHA1
0232b8c9e6f4368da157a874d90c652653b90910

SHA256
fe739c1b853f9dcf068ee115b3fffb4d98955b455fc1a98428ada6f0a4bd0a73

SHA512
69637ef70c9b097842adc26789b40eb83194b44c21b505cca5d31d4132928dce450fb56915d9e0b96c8fd16626c92b47f506d95d0b5f261c03a3e1e08933c4d8

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
256KB

MD5
fbd93a21229f2ffa1fed2603f94d2e34

SHA1
2e793dddfaa03483d51521997d6390daffb7edd2

SHA256
f78c359b9890104bf6184e6dca7a9bca173159d4926d5c36eebd6850ea86acc0

SHA512
02fa7d844f31323e7db408f5e668bb24029467ad40f7af853dbba6382a1b16e01633ee1976d1c037cc8f6320cf5b77b11d597a1ecc7749420fb3110b2f956392

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
256KB

MD5
0f4325c4a51be081c34d8d0d010d5512

SHA1
b9ae94391113841c606b237317802e07747e741d

SHA256
a1963f886d299d29c14cde3acaad0332180b64d44857c43513e4baa521a6e2c9

SHA512
67dbaa97a3c083c2f7335ac1f1f2ee786bbdf4fbd617a3671fc5704196e343ee28facf5c1ed88bb9349ad3ed16667ab3206bad4ec6828e7f39876e432d20f0ad

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
256KB

MD5
c606a30d3d7f6d991d3322f5a11d36f8

SHA1
f7066e3f4b99f579d9ee635f3cf53b92421896a6

SHA256
b11eedbea92f686ff85575e0a197f35b01d72bf92ed722037d151a8f28bb7c12

SHA512
6fcd586d778a3965b00dfe04a13d9b8da27a981a4564a64747b54c143cd98184bba4705c830ea1f2f2db9911e929034497086c0b0a28c9f8270d3c9c9200dc27

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
256KB

MD5
16ac624bfa1de3882748fdd5b3b9912a

SHA1
294f495b0fe3aeb2de023e829fb96063e39ae66d

SHA256
47cd08591c2993df7937dac60f49d3b62ddf95cf6c185208b16655a7f660c2bf

SHA512
d4ba078cc507d09d05482ce6b82d53b1a75d99e10d1605d7f267c45571bdb132cb1c4664c9d4b34807cb3a1c0f8cacf924da6b95d4363dc0769eba738fcc4803

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
256KB

MD5
a5d44b963c3320985f4b49f4b884669f

SHA1
b707792c99ae03ad1a6f6f1c9ca771f7175a7b55

SHA256
8b223e382c746bf58136b284c76735f021fdaf14dc3054301a0ac7c816ba3830

SHA512
4ff7011032341e1ddd8690283358aad538808e51873353d6cee1a29dcaa50f0cf71c0d423ae8c904bfe36e55d868a7890d92a1571c5f338895ae1712775285f6

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
192KB

MD5
b43fbef75ef062d7aa655840ef2e0580

SHA1
000e697a742b62250f0084a0bed2c3986a113a4d

SHA256
0d2defdc3de872b43072f8c35c42ebbec8e9ffd8c2f380c8ddd2efd3570d7688

SHA512
aade154c3ef7b645130215bdff73934b2f62008b03f0c1e6d18ee7d240e1b7f0d054c3ec6464879a14187eb7cb3238c0f155e7295e0f228295f10dda8b06bf43

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
256KB

MD5
fb46311f477d9cb2cc7fa5b6383578ec

SHA1
33902b93b7054159d6b8ee7abfe54709e4866e8f

SHA256
da707c65496fc41c581d2ce5a7c2612172cf0324f716b9fed815c6e9b095da8c

SHA512
7e6bfe9e918bd313f7450f01f1f5910c0e8e089f358008682d7c380aa67077511afe6b3be751c55840137603011638b0c68bee27e83f831b906d692018b783ee

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
256KB

MD5
32f5bd19c127ac3b2df51ad212791522

SHA1
d254ef58c852a714fd3f3e61c0428001c1f63ad4

SHA256
73902598751ce0aae699a382a6d8d17f916c008f42a8514ecfa8310637a3d65b

SHA512
bb6a6235824d0e7e524c01e95ef2cbdc3ce30c5b426c8f27366fd63489e6f04d9f156e11a55bce9d63a2f266e4bf1b633cd1fbb01aece9e3cf802afc62a67d6e

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
256KB

MD5
df24361e9905f3a9f2614d2c421133cc

SHA1
678e81c4a34d8f3ec4edc61db681c6db1b44f58c

SHA256
53041d01d2bdec091d263f31237b8b2a98eeca20e9b9b103ea11b85e9d997def

SHA512
adca0317fb7453daaf354c29c72491fde93d54f8643a75f1d9ed18595b0e928f65c3e8a12e3c45d87591b51ce2a6d68509301143e02eeca1aa562067509fa8f9

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
256KB

MD5
5ad9e62a06d37af3ae1ce720c8c33201

SHA1
135370973d3b56ef0f9988785aa28e79939d4218

SHA256
2762d68d267b3b7f36f5d4bbe4ff5b1bb9cafe39cb4c41c4758cb775bd07a5f2

SHA512
e0ab9eed66115db77981f3d880f09320b303934d485fbbb1829d2aed92e5fecbe1555775cce128e966bd8436a9a60b44670088b1cdaf2fee5a45ef039ae3b50a

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
256KB

MD5
98a528677d7d65bc2e33e3981f1111d6

SHA1
56e38b9a05a729c64636278dfc19959eb391dd0c

SHA256
1738563f170dc06515729242773b0dbe50d6d16443e2b87f85783b2247f90835

SHA512
2ea139372008f7b07c1548621224df4decbcaf195fde9de068edd2cab0ae36d52343dfbba3b5be8de68997de10280c4c27c9ed4f5384c16d9798ec7b3abb9476

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
256KB

MD5
69fa57069243af220a56222cbe7fb592

SHA1
5efc382884d510a930e21798b58c49786b3900ef

SHA256
3f8612c20bfb0d3fad61c29c533b0e4959f3873cc85c58334ccd0062c2a1b33c

SHA512
e4846c88c9b151c28ad5b8bb89f82a0e79a2700c235c2263ecb28fa4812663d28deed0f9824213128e7bcc215e60200ed5580041c7354f0c265273c5f72f1e5c

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
256KB

MD5
fdfca9b0f0afe344309968f5d8e8acff

SHA1
34f6a5f15383be0ca129a1b523ca7732ccae5105

SHA256
be0b45e6fc02ec67b572d7c30ad83fa96369a6e7c51457aaa60f5138cc16bf4b

SHA512
190882fc759b11ffef069b4ae4b9b8e70bdfb30524b27486d87e917a0c03d8beaedf147091fe6b7dd5298425285e0e520cff879a1c09e5104210c60b446bd0c6

Download Submit
memory/8-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/8-198-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/208-404-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/208-340-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/564-405-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/640-246-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/640-321-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/716-85-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/716-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/800-210-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/800-295-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1036-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1036-176-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1088-307-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1088-228-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1112-350-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1112-418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1136-144-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1136-227-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1140-236-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1140-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1184-86-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1188-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1188-201-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1236-287-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1236-356-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1424-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1456-203-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1456-286-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1556-27-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1556-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1592-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1592-329-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1996-184-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1996-273-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2064-439-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2064-370-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2068-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2080-199-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2088-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2148-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2148-84-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2156-412-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2172-280-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2172-349-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2204-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2248-390-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2248-322-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2316-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2316-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-342-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-274-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2388-308-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2388-376-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2608-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2608-411-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2740-255-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2740-328-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2824-254-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2824-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2876-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2956-363-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2956-432-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2972-357-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2972-425-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2992-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2992-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3204-384-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3240-315-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3240-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3316-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3316-245-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3336-426-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3340-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3340-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3508-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3508-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3520-433-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3536-40-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3536-129-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3544-238-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3544-314-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3616-377-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3620-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3620-219-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3748-398-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4196-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4384-265-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4384-335-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4832-391-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5012-220-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5012-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5052-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5052-369-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5056-181-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5056-263-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads