8629eb6fb3a60f7b52a4465b93bc44f9e83dbdd3fa107db5fe47ca8108b03360

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02c8e5f35aa232856b2574900b5acb90_NEIKI.exe
Size

112KB
MD5

02c8e5f35aa232856b2574900b5acb90
SHA1

99ff044dae00f67f34567bede345b8de0f91047f
SHA256

8629eb6fb3a60f7b52a4465b93bc44f9e83dbdd3fa107db5fe47ca8108b03360
SHA512

e28c05ccfe0bef853baccd0093dc92f8ddb2261ae1c38dbc8b5d809defd1b2e8d627391f04c7bdb3a19f0e96221a654d4972e101ca6ef4286dcaba75c097630d
SSDEEP

1536:jEqhmfjE/nWWyxGPsJU08uw57/FwcDuP83YPpBFRqikRynlypv8LIuCseNIQ:HhqjEWdGUiow7/FTDudRq+lc802eSQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe

Executes dropped EXE 56 IoCs

pid	Process
440	Ifjfnb32.exe
3320	Ipckgh32.exe
388	Ibagcc32.exe
3924	Imgkql32.exe
4224	Idacmfkj.exe
740	Ijkljp32.exe
716	Iinlemia.exe
3084	Jdcpcf32.exe
2200	Jfaloa32.exe
5064	Jmkdlkph.exe
1816	Jpjqhgol.exe
1080	Jfdida32.exe
1700	Jmnaakne.exe
3796	Jbkjjblm.exe
2696	Jmpngk32.exe
2472	Jdjfcecp.exe
3744	Jfhbppbc.exe
4536	Jangmibi.exe
3248	Jdmcidam.exe
4912	Kmegbjgn.exe
4644	Kaqcbi32.exe
1368	Kdopod32.exe
4452	Kbapjafe.exe
3076	Kkihknfg.exe
3060	Kdaldd32.exe
2052	Kgphpo32.exe
1724	Kphmie32.exe
3404	Kipabjil.exe
3956	Kcifkp32.exe
624	Kmnjhioc.exe
5036	Kckbqpnj.exe
4204	Kkbkamnl.exe
4376	Lmqgnhmp.exe
2784	Ldkojb32.exe
2812	Lgikfn32.exe
1340	Lmccchkn.exe
888	Lcpllo32.exe
4636	Lkgdml32.exe
1528	Lpcmec32.exe
3664	Laciofpa.exe
1172	Lgpagm32.exe
920	Lcgblncm.exe
768	Mnlfigcc.exe
4124	Mjcgohig.exe
4656	Mcklgm32.exe
4420	Mamleegg.exe
3488	Mncmjfmk.exe
2120	Mglack32.exe
2828	Mcbahlip.exe
4808	Ndbnboqb.exe
3632	Nqiogp32.exe
3920	Nkncdifl.exe
1628	Ndghmo32.exe
4048	Njcpee32.exe
3636	Nqmhbpba.exe
4708	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nkncdifl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	4708	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kcifkp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 440	1100	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe	81
PID 1100 wrote to memory of 440	1100	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe	81
PID 1100 wrote to memory of 440	1100	02c8e5f35aa232856b2574900b5acb90_NEIKI.exe	81
PID 440 wrote to memory of 3320	440	Ifjfnb32.exe	82
PID 440 wrote to memory of 3320	440	Ifjfnb32.exe	82
PID 440 wrote to memory of 3320	440	Ifjfnb32.exe	82
PID 3320 wrote to memory of 388	3320	Ipckgh32.exe	83
PID 3320 wrote to memory of 388	3320	Ipckgh32.exe	83
PID 3320 wrote to memory of 388	3320	Ipckgh32.exe	83
PID 388 wrote to memory of 3924	388	Ibagcc32.exe	84
PID 388 wrote to memory of 3924	388	Ibagcc32.exe	84
PID 388 wrote to memory of 3924	388	Ibagcc32.exe	84
PID 3924 wrote to memory of 4224	3924	Imgkql32.exe	86
PID 3924 wrote to memory of 4224	3924	Imgkql32.exe	86
PID 3924 wrote to memory of 4224	3924	Imgkql32.exe	86
PID 4224 wrote to memory of 740	4224	Idacmfkj.exe	87
PID 4224 wrote to memory of 740	4224	Idacmfkj.exe	87
PID 4224 wrote to memory of 740	4224	Idacmfkj.exe	87
PID 740 wrote to memory of 716	740	Ijkljp32.exe	88
PID 740 wrote to memory of 716	740	Ijkljp32.exe	88
PID 740 wrote to memory of 716	740	Ijkljp32.exe	88
PID 716 wrote to memory of 3084	716	Iinlemia.exe	90
PID 716 wrote to memory of 3084	716	Iinlemia.exe	90
PID 716 wrote to memory of 3084	716	Iinlemia.exe	90
PID 3084 wrote to memory of 2200	3084	Jdcpcf32.exe	91
PID 3084 wrote to memory of 2200	3084	Jdcpcf32.exe	91
PID 3084 wrote to memory of 2200	3084	Jdcpcf32.exe	91
PID 2200 wrote to memory of 5064	2200	Jfaloa32.exe	92
PID 2200 wrote to memory of 5064	2200	Jfaloa32.exe	92
PID 2200 wrote to memory of 5064	2200	Jfaloa32.exe	92
PID 5064 wrote to memory of 1816	5064	Jmkdlkph.exe	93
PID 5064 wrote to memory of 1816	5064	Jmkdlkph.exe	93
PID 5064 wrote to memory of 1816	5064	Jmkdlkph.exe	93
PID 1816 wrote to memory of 1080	1816	Jpjqhgol.exe	95
PID 1816 wrote to memory of 1080	1816	Jpjqhgol.exe	95
PID 1816 wrote to memory of 1080	1816	Jpjqhgol.exe	95
PID 1080 wrote to memory of 1700	1080	Jfdida32.exe	96
PID 1080 wrote to memory of 1700	1080	Jfdida32.exe	96
PID 1080 wrote to memory of 1700	1080	Jfdida32.exe	96
PID 1700 wrote to memory of 3796	1700	Jmnaakne.exe	97
PID 1700 wrote to memory of 3796	1700	Jmnaakne.exe	97
PID 1700 wrote to memory of 3796	1700	Jmnaakne.exe	97
PID 3796 wrote to memory of 2696	3796	Jbkjjblm.exe	98
PID 3796 wrote to memory of 2696	3796	Jbkjjblm.exe	98
PID 3796 wrote to memory of 2696	3796	Jbkjjblm.exe	98
PID 2696 wrote to memory of 2472	2696	Jmpngk32.exe	99
PID 2696 wrote to memory of 2472	2696	Jmpngk32.exe	99
PID 2696 wrote to memory of 2472	2696	Jmpngk32.exe	99
PID 2472 wrote to memory of 3744	2472	Jdjfcecp.exe	100
PID 2472 wrote to memory of 3744	2472	Jdjfcecp.exe	100
PID 2472 wrote to memory of 3744	2472	Jdjfcecp.exe	100
PID 3744 wrote to memory of 4536	3744	Jfhbppbc.exe	101
PID 3744 wrote to memory of 4536	3744	Jfhbppbc.exe	101
PID 3744 wrote to memory of 4536	3744	Jfhbppbc.exe	101
PID 4536 wrote to memory of 3248	4536	Jangmibi.exe	102
PID 4536 wrote to memory of 3248	4536	Jangmibi.exe	102
PID 4536 wrote to memory of 3248	4536	Jangmibi.exe	102
PID 3248 wrote to memory of 4912	3248	Jdmcidam.exe	103
PID 3248 wrote to memory of 4912	3248	Jdmcidam.exe	103
PID 3248 wrote to memory of 4912	3248	Jdmcidam.exe	103
PID 4912 wrote to memory of 4644	4912	Kmegbjgn.exe	104
PID 4912 wrote to memory of 4644	4912	Kmegbjgn.exe	104
PID 4912 wrote to memory of 4644	4912	Kmegbjgn.exe	104
PID 4644 wrote to memory of 1368	4644	Kaqcbi32.exe	105

C:\Users\Admin\AppData\Local\Temp\02c8e5f35aa232856b2574900b5acb90_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\02c8e5f35aa232856b2574900b5acb90_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Ifjfnb32.exe
  C:\Windows\system32\Ifjfnb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\Ipckgh32.exe
    C:\Windows\system32\Ipckgh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\SysWOW64\Ibagcc32.exe
      C:\Windows\system32\Ibagcc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        57⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 412
        58⤵
        Program crash
        
        PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
1⤵
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bpqnnk32.dll

Filesize
7KB

MD5
f408afdd3f25a6ebc2463bfb2a4847bd

SHA1
543c2ddfb6b44afaf4cf247db22976066acc7341

SHA256
c203a6d118c08b0b368ef798e50aecc2fd78f459595267b0041133d296afaffa

SHA512
fcb23cd3f025d0e743b886322885a1a08d81c96408eb0f6801953755ccd91a6963a6a5b950800aec42c26ba28b50e959f0261011be53ce2f3cba176d24bb893b

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
112KB

MD5
5ea5ef7a3e02f504bf880832270121ea

SHA1
fa2cf18f4d601eb78fe91992b41613ce8645a94d

SHA256
e5ed0d42149ec72e3674f0588771ff062e011b9bd77448d63093be0600e9aae7

SHA512
fd65eed57d40db748d6d1fb8e35043987e496aba37a0e464eaa0855c65352fa3b68a4e3dbe64c8891ece31053e897753efb90095c4f72455298b765f963fcec4

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
112KB

MD5
dd6340bfc8cab496a315357ceac45f1c

SHA1
725f83b551c61beecfacbc7d128933e5bc243e8f

SHA256
2295b5c49a4451247ccb80201ca455af81cdc7cfdc21229091dbcce264415afd

SHA512
389b681b20158ae90dff2f3bdcdede5028e21e56cab46ff9525599586d735bfa49db72d52ba28167d1600ae917ab84ac54ef384975bd719b474e108105f3fac9

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
112KB

MD5
3c9d164f39229ceed07bc53f8a4d6dc3

SHA1
c5c33b6f6482f111d3ec57029786217588cf6542

SHA256
01e8c27383fd98874f4b48023debc06b94f428d57c657d649d8ab69f77cd2f3e

SHA512
eb845c20c51033ef155dc6faeab1a283e5238edc7b5ec786446205c4b0c86c3022e0c875f743f2c0cbd3976680bb1ae84d5a8283baccbf026a9e18a437b3c083

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
112KB

MD5
d28384369e59f650bb9af9dd994551e6

SHA1
68637a486e007db50aa69637541b86f6b02018af

SHA256
34ed7a222d0c95127e2e0237685544b96b62bc14a806a7dc56a2c5bc7bc0b2a1

SHA512
d4909cb6e49ea226cf1600fcf514431dab5ac78f124c09f818756f15a227041da37b20f170d5542f35a7563d9fb0d44afb14a40723f72ef8bb9ffb7475dc3d3d

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
112KB

MD5
89a79b486525b398c9de99a11aabf595

SHA1
417a3e653375ef71620ab777bc49cd24d477ff04

SHA256
42a1f28060acf2bd655a8765bf22ab117e153afe60cc4502bae5a6cd4caeb53d

SHA512
27bb50b0bbdaea726d0f5e7be5311ced894f9ee186f4b7bd17987cacbfbe3361f1de2efc9f1d8e42e90fa04bb225649b99754cb04b1adb1097f786e9005c5375

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
112KB

MD5
1b8c51e575b5ec4cc20fdcd92b8fefef

SHA1
3413273fdac3cba56b5eace5b71c23272d51ccd3

SHA256
aa098215c56607c5ab8e559035b449379613128938999cd89177266ac8bd511c

SHA512
e710f2c828f9e8ade2c90086761490b60856ae154c09f99c67f92bc598d29f48025cbb78be1ceab1b09f1fac8ce092fb7b64cc4ee397baeddaf0997cd3ceaa34

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
112KB

MD5
292b99ef5693235f412dfb5c94b29efa

SHA1
a3fbc7e1ffdef9cebb82e1bf70d039f488dd6b1a

SHA256
5c2a5314ff17aa60751280e99f0f0f73afceb95133e0bd60c2b050a7015d7d9b

SHA512
9b83ef42450e4896a6e59671011cef786f40c130c9c99d6c7eb4fb4552b688c7f85c78891217f3e86609dc91fbd19dfe1ebb1ca1d4c4e492af69a8038b2ea76a

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
112KB

MD5
0407b3ab4bffb0c0533220b576c3a53c

SHA1
70a5f924ff4b3305cd1618c6d1cc5371ba8c7a98

SHA256
f2b850b2373d8d078a6b744b2a952d664d69ef51029afcc8bde2c7bbb3af6778

SHA512
2427dabedd091aaa997ff328f188757dd6af0c5be775e1c12bfc191d06661a0b1d1f5fa26684c34cf93538c2029b9c6ac41497e5980b8f8f8eb627865fa58f4c

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
112KB

MD5
d2c44f6e18d6751cbcbb449019907d9f

SHA1
2b4f879cde66a9e47190c64bc81c39fcfcd0d36c

SHA256
c2a1613fc0788050126211e5e44fcef4524b32946e064e3359884c35176a60d9

SHA512
fcd261a80c4c77fc1979f2aca2c92c3a19f1f44350df5f127d8d687338f381ef13c11611562f6e5afa683a5a335bb187416d0fff1e410ae444c461464f6d8f98

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
112KB

MD5
0978cdc9de98a0b1dd78f4db468a2f5f

SHA1
9a541c8710eb940bc535e4fb02bda6353bd2a974

SHA256
b0e53c5da81f69ecf994e0c818c13964e7938d2c23a214d03eefbb915942aad0

SHA512
3e713033c812ca57faa48654f5370a50e38ea1fd805e71cefaeff1047faf4924297c9ad307fb135e0c60e8a959e3eb25836b34b32b0f9b633c1e3054dd7bc4bc

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
112KB

MD5
75630bb2ff69f15551e26dde00b4d3a6

SHA1
cc3fc9ad1ce6e97bb258fe9244e528c2b7683a06

SHA256
0499d64aac8f1c11ef67549d544db191e8fc62bcd39d1ecf6b4fe4b4b77e3939

SHA512
2152a165da5cc5fa1d5839a379bd5592dee49f09631192f9f7655588b1bc7b289e6525803a8118dc8dd0642ef21714ad3bb2d779d53c8efaa3e9491a0196ea74

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
112KB

MD5
2b593a6b359cc51cd086577716e2e506

SHA1
948fb1412fe1012efce5cfc53084c4b2076edabd

SHA256
aed514dc595685f903e4677919ac3952c565849a3e01dcc3958a58d7445c14cc

SHA512
26ee94d0847cca485a81a15f29a6ffaa2b43c65369e79fd8cba7de0b4256036e74117fce1d0aa4a55ec3d1534cf86275702e884441877f719b6b2c1efe1eda5a

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
112KB

MD5
0f59897db096e9f3771c620874e63240

SHA1
1e44f6b086fa27823fa751401ec01832486b49e6

SHA256
33cdfc6139615e5e981da152fdb29e4dd750c02270ef4e7d68b7c4bc84c7551d

SHA512
327444854094f2208dda910255ef9ad9742ce08d8e70a2f02aa87acf0c78c59b4f7b1efae6ba762f75182b7eb012af74d4ff2ae5450ba22c5a2ce8f173c2c935

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
112KB

MD5
90ea3016ab426e30191bff7e873271ba

SHA1
33c1611c983dfc1fd7c417e18fbaf3841749ac18

SHA256
a61c5a348509233a968c568cc7767b638067ae9e559a198e16fcec8f4f53c315

SHA512
eebe1a2c79ad3d7f8830cd4a24525bb631a9a2488e793fc52b295db1eabfa0f20e5f9b8e5a9d6d037ed5da831f23eddd95b487f6ea03563c0aa8d8ebfd082da7

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
112KB

MD5
085f84e14b47578ad8188bb99316e53a

SHA1
ba3fe9a302a969b527bafc99752423c389cf2e31

SHA256
43984c3e8295d085bb66a7a5419afed74dd53dd67b36db4ecce570d995f32114

SHA512
a60486bee944a4523a48f2419138f14e316491b4709d451fb0f4bc5eb35d24f70ab7111c4e1a4b10e84ffcb8942c01318c5410e578224f7e4b3b057bb4396ba9

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
112KB

MD5
4d199ff7ff273d8d755439b2e02b1716

SHA1
79f58a15d151d1c685bce9002a080743cbda95df

SHA256
847163597b97a746e506d1a0ab72100f74fadd2565aba91adfe4155e0faaa73c

SHA512
fdf9c06ad186ec9faf7adf00fb7f891b607d46eb876940a6f2a4382dd8d73a1f96d5205b9d8f826eaa95c0cfc1cde082ef4c324ffc3722db3b472111dbc06ee4

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
112KB

MD5
347f004419165c066d07ee91b427f9b5

SHA1
2a2496699970d683ea69fe681e29be63c234060f

SHA256
7784ee4b459b7e857fdf3257a12373d729c0875570511cd852baf3c633a32a49

SHA512
b504c1c2f0ef043d0a6178324f4a3bbf650315d21eb5f0c508d8d5fbc061d8838cf560b600ca7662972acf15bcb90b7cfe742a1b32df6f6c713dc9787ade38d8

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
112KB

MD5
ef28e5792511c8856361e8118c8fc77f

SHA1
10bb2cf583280e143dfb52e7948c08784f6e6011

SHA256
d5f820ef4c84023931c4a1b1e757676b951fd441991ff37f42d2fb6a9401ede5

SHA512
3744ebab5725b7fd0f02747ef5fb370b17162f53d1948aba8ba64d914a7ecdfc8c64c4f0e8a0967468566dc077e8cb9d9b7f5a7096dbf44bb65d281dd07b6756

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
112KB

MD5
b817c267e9bee73e4bff509a090c7bb6

SHA1
a129a69c38494ec1caf1cd44b3200d85d48d5d43

SHA256
ced560d5b57bae204961b7acde7295cae06efbc91f180acf47b617f8f78dd9e8

SHA512
c5d467d778edccf40bf92777657042e8a52fb9c6f02b4ed4492bcda16b0045c8f651699ae791ddeda1522174e993287b3026d1605547040f2ca5e97c256b24be

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
112KB

MD5
c4e1c648629d1ced12411a33d93f4271

SHA1
d51a5093e9557198f347283c130184ad4392631c

SHA256
b7731e7410c1660987add6957618b2b835c7de6f664ae0c2b53cfd649305e8c6

SHA512
2e092228c13f606577a16e6d2e6ae2a63623d3a179eef4d545053f1be09d52bb5be3ae537f3574e52311140de1b3346e81e716084bc7bc1a8bac8addfd14e3a6

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
112KB

MD5
4152481f9f877ac1220665c7064539aa

SHA1
682023285d37a3b08f77564e98e481db2aaa6281

SHA256
e80c6cba8d25e8953024deb17c65695aae6f306cf303157ce5069ced79e63d1f

SHA512
da040def37bfc4da04a0b6e293a58564a1a1fb8403d2bcb797a4ec56e918a81e269aa73a8d61b61e7815d61a380e10d68e11e06f10ea36be3b7aa597fc02a573

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
112KB

MD5
5c3375a5074cd9099bff3a09191eb7cb

SHA1
e8143d55027934f6010b7a0dc6b9553ab79eb3a7

SHA256
da8fcc57b4fe3eabf33a71f8422418a6f0429b01e0828197ad08312a864cedfe

SHA512
9b24105fd1696217587861c169229860cc9fa0262ec56a66e5f65708f5850366f9201e929ff7da1fc54c52a21111e2d1b5a990e620e9abefb4ab10335122dbd2

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
112KB

MD5
8adabedcedfe09dcae2b2466bf889b78

SHA1
27110cba76f01629bdb04b4e72f892b8180f15b5

SHA256
fa93a09567eb275b974791d3c568f71c624ef28c9676e24d26076c6d969b1bf7

SHA512
38c745925559a3cff5dbca63a09979bcb4c9b8f4a1bf81e19de106ed41eb2fc52b169cea8e9f9ba8cb7f9233eaf2b06c4b0cea3ad4e7bf006c0ee9b8a756165a

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
112KB

MD5
ac5da441e3c4d38a68e5325a1e655c82

SHA1
a46a6a04a5bd06213b04d82bad701f4b1a6ab7e1

SHA256
f61eb96d67cca84afad9b6a75324a03f2d8a48ea50c94dad39465334ad617637

SHA512
0a9612c506950aba4c43e3a3121bcdb9c77c2d930a723fe5b0d5fa8278d473db90e88c87e4035b5ef60ff55f3a788c95d6c1e5fb92465ddf9dd2f796248ec8bc

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
112KB

MD5
55d4568e73c358aec9e6563eb2339631

SHA1
4de08af9ac05033096bb945c38f395dd1e832f4c

SHA256
c4c7ac8d44f942cef9767c0a82a7091e4e5b8bd41a1af493349ae5ed3adc89ca

SHA512
407babcaf030b3dba5e1ae9170118b992b74a30250d1be019b3421343d4f715d8e3152d500ec43b764d471f521500f6b926524cbd626462f97bbcf55f2ba87dc

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
112KB

MD5
b99ae700986e79881bbf1de6ea509b3d

SHA1
d21abb3fbfde8564914b851242c2637fec24d687

SHA256
fdcf7bcdc8abf15ec80af6c663821782581d0c6fd558a0811cede8e5bafab5f6

SHA512
10e4d01e22aa3b29290c87c6e485f31aa31a493966e20b018e5b58ad92e6b94a4e9faccccefc8a4361acdfec43c638b3acc8bf4d964ebfaa1cace0d83bc3af60

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
112KB

MD5
fa1d6b4d18a17579a9ff236ea5c878f1

SHA1
c2f912c8a3a55fba2ed9941373c767b90c91a4a2

SHA256
bae0873c2794044cd298d3d538a566a311f1699892c7a719a32b7af40c294a1e

SHA512
3c4f8cbd8e60176d0f77fedce9fc94cbdce1b2fc99f5c50ff0a8091de69950e52514b90165206ac01a0be8ce49da039f920a7a87fd12218881b967bbb62866cb

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
112KB

MD5
00cfdb0d8640d1148707afc395975fc5

SHA1
18df4822b128ced6f6f52fa9250602befe884ad7

SHA256
2aa02d546e8fb69f347c20a66efdfbddd348c19b12cc257f0f4a620b7c9b12a1

SHA512
415610cdd5342bb33756dc3a8147ca49f01efe54fde18800a83ad5a4c6284803cd3fd2a9277f76bce18c806b7aa16ec39a5a31ae6d215486a69031d5eae80229

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
112KB

MD5
0cf2533718bfe2b35bce92d8b19912e9

SHA1
a272fc6b52337e59ea1baa217a11f8e60c73dff8

SHA256
7703992f0bd4558735bcac0155c9b395a9e9673f2d30ba92f6f47cc5aab4885b

SHA512
332dd51e517c7c0e94e156e5408f65dc89c8f09018b73ede75e209c245e0645e3b3d5cf3c8dc8ab4fce64f97377bd6723336cc41fff59e3f6541cd1aa8b73ab1

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
112KB

MD5
5d4745478392fffe616b87994e5a7189

SHA1
fe90dd66168eacce4e1dbedd47e4b755bee4280b

SHA256
70099019d040a4c11d1719e23ad03c25997fc8ed6f7722b78e4d7906cb85cc58

SHA512
6463782c44543d8ac4f3aef2db6351388160a3b792cce8974efab4058508caf95ec1927275d63ff2b787e8ec7ba864e1468d3b3a72d49f5cc10c55a89ba64633

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
112KB

MD5
c7a7a5c2de5b94fe2512a95aa72ecd3a

SHA1
d2f7c9c9e0477ce2c755790464c8ba42caaa8233

SHA256
b6215f205474b5fd6639e6d5d916d42a779af2498e8e7da2f5e10fc9d1d1cba9

SHA512
9c6f64d3bbba3592d5f19ca65b7ed0187da80ee281b141620d4dbd86d177fa9a0128f6840a6b67a048d975c0b1d69f240bd80a26286e7d95db1fc1a656e3242a

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
112KB

MD5
d8c458ad66d983f865318533bc6e6f55

SHA1
3f076ec54749d0ff4d50ed045ce1c9b9583fdfc4

SHA256
787f2a0dd31f63075e672ca78d2e7917f5e60156365e24735f35c93a4fb943cf

SHA512
0dff7ab0c8830c53b7f01872843906532122d11ff6d7ba52817dc8dd344f362e31d8a28be8bd3119c34ca18aa32768e330b0ca8f97cfdebdfebc7a0183e55090

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
112KB

MD5
7a6141057265d01045cc4d1abb607ac7

SHA1
f82fee717677bf8d2cf9023def4daaea560a7cba

SHA256
fb841e2c993f45b7198c3d5effd0000099488f188b6185107fe558410325ab03

SHA512
eebb14427916317a61bce884d8b49087e6c6cfb27e7961681d56157f44dad1718e275e17799552853f244d439c994ea3b53e4c05bcac69bb50e24d972650b556

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
112KB

MD5
bf06b6495f0211020f0ec2556acad3f9

SHA1
d56eb95cec2d082aa60fa6cfd11a320e78698c50

SHA256
ec5ed08fc4255dd0a7786013f33ae3d7efb761b101892166d21b4595a0a8b50e

SHA512
b1807d2f94493f287687a3282f809c06ca090fa7e61caf6b0981627032623082eb068aff6ab92ead62da7021922d4b0f6b72f99e10b6b59b91bd970d46f0917c

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
112KB

MD5
de09397ff4ad576b7ed926c95f03bfa8

SHA1
23064ccc778fcd51ed7bf9241257b7571e7d0e14

SHA256
85b5d0519b98873c642c89bb56b594325bc8482cc1fc4b3f165f12815af37fda

SHA512
930a098661be8ad239b3fad2e6da637980a79e8b32ff5048045d9568479f701245f89198ec40f49991322871607d7821593721ab1c4277c6867410b707067741

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
112KB

MD5
ec398992eadf1f2871f014145b3dec34

SHA1
448c956370ed145fde80d4583fc14da3fa971b7f

SHA256
d2e7ef7c14513c1bd94761b93e7fd1f97ada5aa93cf6caa334c003047195ae4a

SHA512
9f08d85b0233524c34bbb3e5c8e778a7013e4040f937adec2a3d9a6e44c5f287157add7d0bf447535def0aee564f18ece0a44b3ce44084cd149ae02a8701cfcb

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
112KB

MD5
7804b496356a65c8b904871417dc2d2a

SHA1
9d8f243f6eb2e931e4c0e7b050692371e4cbdc33

SHA256
fa3ed70e43b51e7524a402ce2d7e309f0ef51bda528f2f2bac223f17450ea127

SHA512
874523891a0682593357c395fa5eefce3002c99e24e0a5ed1d87b4f65784b5a24a28e41abb7d16f123f58c82290b07dec07d402592c9b62c0e6905b7bb6b41c7

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
112KB

MD5
6c1b3fc2a0d832ec0fc10b46224c18d5

SHA1
1584d07ea5c369935d878a80a69d5bd5e6e63fa0

SHA256
a22b7631c53b69c343ac1d99fe59536ccab8dc7af597613ec9090b8ea4363451

SHA512
111576d8028a94c7043cb804e86c79f245c918fc9aaa1605bfa97c427e7a102ee143ab607aee9a2369c9e63877b065a41937ef779633ed528b7d5dbb3e3e8903

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
112KB

MD5
229b7b6daa85ed93df8d312753b81bbf

SHA1
9f9512fb24310d49dc8bcaefee74d5fa66c4b78b

SHA256
35353f96cd69eba23bd60d1a5f58173c30a659f888b385b8580c86a4d28b65ef

SHA512
ed299a881aeb9ed794353676aceb27b36083856bd2f57f9a3cefbb9b6f68105a2ea06345828e403f7e5b49e4788a66d4990b1f052e8b6b1d4b16f24be40ae6d8

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
112KB

MD5
9325b5239a521569a0af4e5be76b0069

SHA1
10bf7adff05ca413808ec4ca3f562737908008df

SHA256
ab20f55f5cc7fe646774bfb5cb8790256fec62c59925ff8a41e235d1e3ade108

SHA512
ec2d0c04dfa0a4bc530441f20960ebcbfb34aa644543810c8c5d9b547aca425039a213b59bdf160c114215d915930c8f229bd1b8a00177f8be5f72d6ad813ebf

Download Submit
memory/388-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/440-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/716-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-51-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/888-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/888-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1100-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1368-174-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1368-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-102-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-214-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-427-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-86-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2120-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2120-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-118-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2828-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2828-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3084-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3248-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3248-433-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-110-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3920-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3920-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4124-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4124-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4224-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-190-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4708-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4708-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-78-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads