97458d4351ac23e77fd489beab54403ba2ec745c11a3d7824df801ee591b4362

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe
Size

60KB
MD5

ccfeb63c8a8dd2e4dfe00bb6373a4246
SHA1

ce791ac4e63f34ea84f0d9ea334863d69f370030
SHA256

97458d4351ac23e77fd489beab54403ba2ec745c11a3d7824df801ee591b4362
SHA512

eb5b418d6a9e503b542962b94ccc7a5b2ba26d0f62390c18965f3f22243847976935ea9a127cea899a4c23846195919e3def95956e2b85d65bfd775e2ab95450
SSDEEP

1536:D+7/KZ/ccD48BjFCDiVQzLoAprwpYrLB86l1r:4Kp3D5VEiajpkpYLB86l1r

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe

Executes dropped EXE 63 IoCs

pid	Process
1216	Ipqnahgf.exe
4804	Ibojncfj.exe
3948	Iiibkn32.exe
4400	Ipckgh32.exe
920	Idofhfmm.exe
2408	Ijhodq32.exe
5100	Imgkql32.exe
3576	Idacmfkj.exe
2248	Ifopiajn.exe
1472	Imihfl32.exe
3612	Jpgdbg32.exe
1176	Jbfpobpb.exe
1376	Jjmhppqd.exe
4184	Jmkdlkph.exe
5032	Jdemhe32.exe
2796	Jjpeepnb.exe
516	Jmnaakne.exe
2104	Jdhine32.exe
2596	Jjbako32.exe
4968	Jmpngk32.exe
4704	Jdjfcecp.exe
3292	Jfhbppbc.exe
1680	Jmbklj32.exe
4328	Jbocea32.exe
2964	Kaqcbi32.exe
4072	Kgphpo32.exe
1992	Kphmie32.exe
1408	Kknafn32.exe
3564	Kpjjod32.exe
5044	Kdhbec32.exe
220	Lmqgnhmp.exe
4648	Lcmofolg.exe
4524	Laopdgcg.exe
3320	Ldmlpbbj.exe
3816	Laalifad.exe
4224	Lcbiao32.exe
3516	Lilanioo.exe
3916	Ldaeka32.exe
512	Ljnnch32.exe
4208	Lphfpbdi.exe
2924	Lgbnmm32.exe
1728	Mnlfigcc.exe
2468	Mgekbljc.exe
3796	Mpmokb32.exe
1344	Mcklgm32.exe
4828	Mamleegg.exe
1516	Mdkhapfj.exe
1316	Maohkd32.exe
1768	Mpaifalo.exe
3192	Mglack32.exe
3060	Mpdelajl.exe
756	Mcbahlip.exe
1060	Nnhfee32.exe
448	Nceonl32.exe
3296	Njogjfoj.exe
2280	Nqiogp32.exe
2504	Ngcgcjnc.exe
1940	Nnmopdep.exe
388	Nqklmpdd.exe
432	Ngedij32.exe
3084	Nnolfdcn.exe
5116	Nbkhfc32.exe
1116	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	1116	WerFault.exe	146

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1216	812	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe	81
PID 812 wrote to memory of 1216	812	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe	81
PID 812 wrote to memory of 1216	812	ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe	81
PID 1216 wrote to memory of 4804	1216	Ipqnahgf.exe	82
PID 1216 wrote to memory of 4804	1216	Ipqnahgf.exe	82
PID 1216 wrote to memory of 4804	1216	Ipqnahgf.exe	82
PID 4804 wrote to memory of 3948	4804	Ibojncfj.exe	83
PID 4804 wrote to memory of 3948	4804	Ibojncfj.exe	83
PID 4804 wrote to memory of 3948	4804	Ibojncfj.exe	83
PID 3948 wrote to memory of 4400	3948	Iiibkn32.exe	84
PID 3948 wrote to memory of 4400	3948	Iiibkn32.exe	84
PID 3948 wrote to memory of 4400	3948	Iiibkn32.exe	84
PID 4400 wrote to memory of 920	4400	Ipckgh32.exe	86
PID 4400 wrote to memory of 920	4400	Ipckgh32.exe	86
PID 4400 wrote to memory of 920	4400	Ipckgh32.exe	86
PID 920 wrote to memory of 2408	920	Idofhfmm.exe	87
PID 920 wrote to memory of 2408	920	Idofhfmm.exe	87
PID 920 wrote to memory of 2408	920	Idofhfmm.exe	87
PID 2408 wrote to memory of 5100	2408	Ijhodq32.exe	89
PID 2408 wrote to memory of 5100	2408	Ijhodq32.exe	89
PID 2408 wrote to memory of 5100	2408	Ijhodq32.exe	89
PID 5100 wrote to memory of 3576	5100	Imgkql32.exe	90
PID 5100 wrote to memory of 3576	5100	Imgkql32.exe	90
PID 5100 wrote to memory of 3576	5100	Imgkql32.exe	90
PID 3576 wrote to memory of 2248	3576	Idacmfkj.exe	91
PID 3576 wrote to memory of 2248	3576	Idacmfkj.exe	91
PID 3576 wrote to memory of 2248	3576	Idacmfkj.exe	91
PID 2248 wrote to memory of 1472	2248	Ifopiajn.exe	92
PID 2248 wrote to memory of 1472	2248	Ifopiajn.exe	92
PID 2248 wrote to memory of 1472	2248	Ifopiajn.exe	92
PID 1472 wrote to memory of 3612	1472	Imihfl32.exe	93
PID 1472 wrote to memory of 3612	1472	Imihfl32.exe	93
PID 1472 wrote to memory of 3612	1472	Imihfl32.exe	93
PID 3612 wrote to memory of 1176	3612	Jpgdbg32.exe	94
PID 3612 wrote to memory of 1176	3612	Jpgdbg32.exe	94
PID 3612 wrote to memory of 1176	3612	Jpgdbg32.exe	94
PID 1176 wrote to memory of 1376	1176	Jbfpobpb.exe	96
PID 1176 wrote to memory of 1376	1176	Jbfpobpb.exe	96
PID 1176 wrote to memory of 1376	1176	Jbfpobpb.exe	96
PID 1376 wrote to memory of 4184	1376	Jjmhppqd.exe	97
PID 1376 wrote to memory of 4184	1376	Jjmhppqd.exe	97
PID 1376 wrote to memory of 4184	1376	Jjmhppqd.exe	97
PID 4184 wrote to memory of 5032	4184	Jmkdlkph.exe	98
PID 4184 wrote to memory of 5032	4184	Jmkdlkph.exe	98
PID 4184 wrote to memory of 5032	4184	Jmkdlkph.exe	98
PID 5032 wrote to memory of 2796	5032	Jdemhe32.exe	99
PID 5032 wrote to memory of 2796	5032	Jdemhe32.exe	99
PID 5032 wrote to memory of 2796	5032	Jdemhe32.exe	99
PID 2796 wrote to memory of 516	2796	Jjpeepnb.exe	100
PID 2796 wrote to memory of 516	2796	Jjpeepnb.exe	100
PID 2796 wrote to memory of 516	2796	Jjpeepnb.exe	100
PID 516 wrote to memory of 2104	516	Jmnaakne.exe	101
PID 516 wrote to memory of 2104	516	Jmnaakne.exe	101
PID 516 wrote to memory of 2104	516	Jmnaakne.exe	101
PID 2104 wrote to memory of 2596	2104	Jdhine32.exe	102
PID 2104 wrote to memory of 2596	2104	Jdhine32.exe	102
PID 2104 wrote to memory of 2596	2104	Jdhine32.exe	102
PID 2596 wrote to memory of 4968	2596	Jjbako32.exe	103
PID 2596 wrote to memory of 4968	2596	Jjbako32.exe	103
PID 2596 wrote to memory of 4968	2596	Jjbako32.exe	103
PID 4968 wrote to memory of 4704	4968	Jmpngk32.exe	104
PID 4968 wrote to memory of 4704	4968	Jmpngk32.exe	104
PID 4968 wrote to memory of 4704	4968	Jmpngk32.exe	104
PID 4704 wrote to memory of 3292	4704	Jdjfcecp.exe	105

C:\Users\Admin\AppData\Local\Temp\ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ccfeb63c8a8dd2e4dfe00bb6373a4246_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\SysWOW64\Ipqnahgf.exe
  C:\Windows\system32\Ipqnahgf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\Ibojncfj.exe
    C:\Windows\system32\Ibojncfj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\Iiibkn32.exe
      C:\Windows\system32\Iiibkn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        62⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        64⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 408
        65⤵
        Program crash
        
        PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1116 -ip 1116
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
60KB

MD5
080ba0df0825611872ec6f91fc2739a7

SHA1
c31f94fc5d1ffcfb97477ea3e20152786a22f270

SHA256
9e7fdd70b95888a1ad8923b3b64ca293c226f6f5320a30e0442ec30098bc0700

SHA512
c54447623bec6a57b49cfadfa209981f0fd3b3942145f80f37d1bedd1011993bf2dfb44493a706223a6230fdbf8f5aaf53929e91faf30092e13452f9513aab12

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
60KB

MD5
9101facfadfdc8208c19e04a9422dff4

SHA1
6090598303037bd436d0b86ca3f2bb1bbd549d9a

SHA256
698d7276bf92c0bd3d578e5ae44a2735364ef2bfaf038a5dfaf13e6136da9c8c

SHA512
60e88c3bf92b63d15970804149a4dcc0edbcb014ddd132ea7f3174439baacd640ab151078e4b57c4e3a66cd82ad90b7215f01a7df6ab4170a40bfad9bc8bce77

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
60KB

MD5
e4c0a013b86ab69360f6a0ebd99796ef

SHA1
e129708955f51a11a2706ca245b99a467e9f58f9

SHA256
a08d4af697d8821b763e5fa47d7c5c8bd12b7b2289312772944eeedf16eee152

SHA512
4d19da5065ea545e238ebdaa924f600fe27838b3c514392579519bbbabebca82ffcfa699761752fd678dd9936b1a1b66c0fb0e4aa2658afe819ec9f3b9790915

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
60KB

MD5
b7bb9652e68c1262133513b9e0558276

SHA1
737a3695a77c0c983b74a02dae93d4f57cbbb764

SHA256
dcff203c5b366a8732652640e405e35fe10d9825ac9b78e323a92e36438295ec

SHA512
e0309ca8763ddb4507cf33e8cd63d0e2f79940dd930438b3732e44b503bb5ed8f5a68b850f44253fcc95449513aecd9e0e0cfcace09be1848615e650a9bd7710

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
60KB

MD5
e28a9ea23719f7e131e9f1de0a17dd8a

SHA1
357afb3397fde6c05509ec8d811d888f2a1972a0

SHA256
de233d093a7e1e265ee71d35132a4f62202563d8643b8cc462a31781283a1a67

SHA512
d69eedb6ff4e53a63a568e85659228ee886e69485fbd04331df3a892f960b4999ce06e69cadaab5fae7bcaf03ded4151cb12600b9adfe178aba0abe71979b9a4

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
60KB

MD5
14b15153767c60d7404126ca613a8d8f

SHA1
7fb0a6cbcf9c78c1b93090102c3a1f4173debd7a

SHA256
e3142977cf414b62061ebf2ad61e7f1a5388133f3407f2b6fcfce22804472dd1

SHA512
ab0bf205e5b8bf6c921ce7aa2816567690450d5818bf0ca9b19ce237c9865d948d5fe5b8346a7114838b458552c097638f432a5fe12ac59966ed54e6de1d0ca1

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
60KB

MD5
8ff8951ea44e34ed1bef8062ccd97c8c

SHA1
f0a656bb22cc3a3b92cd04e6ffc7bfa76ab9e997

SHA256
1a05e858c28a3fb491bb37b180e7d40a0a51ddc25897efae8d15151ec218127f

SHA512
90273f0e8be9e81872d5e738d807c6b3ee7c2f985e0c8665f3402ab4870e96f334b1fc145aa1aadaada1ecb755a6e78beb81dbf845891fedc26a010a5d5126a5

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
60KB

MD5
1bac11eda07c4a26605b2503344de050

SHA1
78213f101b244d2665e6541039a22c9544850755

SHA256
9cc04a5c8a5939eaacbebec446aebd4eef08701f38fadea3fd95059521171be9

SHA512
267e783978a2893b48f8b5c82f8495c3f4cd7fc313c0e8351693a5dad262f9465eb2910d90e7f8c3fbb8242d600b280f33d2093d5c6a9eb5f2c6c45da5904e7a

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
60KB

MD5
a8c24a9a9224112c748a9e77eb4600ff

SHA1
244409bae155e1ee46c581655047a6d4f751d108

SHA256
6f2c7db6fc356829debfc23226d1b24e94efeee14945cbe5e96c5e69591410b4

SHA512
428d4b1b8b4bbbbb6c2b06ff870c84505b9bd175e7eba9d6756ea13a85721c7722748daf638f516f0386d4a940f8d2631bba2963caff433d956fc91880e633ac

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
60KB

MD5
4dee33fd76c7dbd09e2070f1aceabf0d

SHA1
b9161b831f0d88d102faaa60cb10ea33f7d48486

SHA256
4ed5dd17af9a0b75daffab18e25c54770642f9a02acb21670842cb5d7d56f02e

SHA512
b219f4618315bcc12e6b58c418201f9c18f37c601c69edddc4a089b31821d81b7be443a2c09d47db34d0da61af5f297a0cd05e016e42a5c61f5f90288882896c

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
60KB

MD5
002668641bc97a07c2e191f6249833c2

SHA1
96d9ae85d8b5b92fc593c328bf30e4fa244df14a

SHA256
1821b109f4c7276846502e220f761171c0898e306b61571d16a0df12c4d3807e

SHA512
d51fec1a6a29f58b27a779faf60af04e94d237b99f4ac5a64f98975e7b67d7f16ce8b385ff0a27f916bb744598ac82cdc007194bfebf055190a04a7bcc133715

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
60KB

MD5
df4b3338f124cf2d4a62cb270b489e4a

SHA1
48a39dc1f0605681d6e41f024bc26c179043cdb3

SHA256
d666ea359bf3b242ebdcdb2954931f508b684f4ee5f33ac7b0e807dceaefa76b

SHA512
56ebb46896e3e7f0dad984c0ea27d7ccd37e6ab859c749f46b29d67dc66f0001583f0e0e05fa4a658ab4ccb09f32c89953385cf37e35e6c54763c8433c50b4b6

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
60KB

MD5
e5ef32b2da6078db5df5d8906c603f87

SHA1
e497a5ef7862c4878445e2ca73250e1a67c215d4

SHA256
3b1d9332d37bd3df1814b664ae7764967b64f42e1efe0a1960eb3b068b39de37

SHA512
764825e2b84a2afdd3a06e4df830c38f5932b931497eb1f155979257f54c3932b41099f0e49061e5909520eafc40483e6d0cd5c79ff444800ab5df4876aa717b

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
60KB

MD5
6d92939fbe3349f457be24ef0e6190db

SHA1
99bafd5aecec29bc3bf8db80d761b0c15e5c3dc5

SHA256
558804ee9cdf919abf801e9034a7c4d588f2aa6d9a92c9aab3337279df0b1a01

SHA512
c7190a23b1571c4dc681e3ba110d8d8c09b0f4f1a1dd8e7d7584b4a99f52c7229ff4a4f0dad6f93b33112b5ae3c940f7577afb573244965e91c18e477aecbda6

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
60KB

MD5
dd83d6078541f37d56afe9eb326920cb

SHA1
b1f9a79f7450be16c4fd07211c241f5d1e0035e8

SHA256
af1627bc0c68b89052b1015c402d83b827f669d353c4dde84ad597ce3213d337

SHA512
d5dc531c7f1a4bf47b4f7f1ab7d07f9160a59bf710a1d210458eb9c0cce5ab9de180df1833a73a16f0e963d1e52b9d202a60b1757fa69931a79f8adddd2477d9

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
60KB

MD5
2890df75253755583a3c354bd3c0de08

SHA1
a13eb41a0d5867dfbb407bb67efe743e56e6b6e7

SHA256
0f387d784d335fee1a011c888e6b9ccc41303b3474ae69b360b9b410ca56aef9

SHA512
4973432a344670f629a8a227b27211736bf3db99579d252e70a14180dd25c5ec2d011b42afb1acdbac10a5dfc93ed71a5ef7f43c62800b37147183af1335e86e

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
60KB

MD5
7a7e9ace44943828b1ca71f3592e20b4

SHA1
f150276122230ca2012c1e983c149dffed3e0990

SHA256
9dc466b2152e8c33331817b5dccb54d87c913aaba956999ac45efd885e9542d9

SHA512
e1648e0efa8af839dc695cd5683cdcb6edb802b31d961d0c1820bd8f4bcdd518d0425f3199f879b16a504672eeeab9d0bcff13b1ec059b1695b83b22c045de74

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
60KB

MD5
e977380e6cc6ee65290c9111f10dd5ce

SHA1
256bb155306a1e7f9a1d7047500b263191e6a870

SHA256
3d4798fe86a0cffaa97eb209812a384d18b1e3d904847101b9f4ba07dfabc50a

SHA512
1051b1475782bdcbd7f8a685799e6e07988812d12ce3711c78f85823ca7fa79f0cb6bc80d30e7f9ce8254b097af84f57d41ffab9aea03811b917f9d385aa3ad4

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
60KB

MD5
b5a5ea9a09a4e4263c89717f79a3a20b

SHA1
501c622ccddb9cc66af80f875b99657d52e760b1

SHA256
a867833b9a67106a4ea192d7dff78ee58018ce214da9ce913a4f4bfc0ccf8b6f

SHA512
37443e1ad4e0644947df40e9d44a0a5c9b8ef2f971b01d8ba236ddef8b0753dc5e4025067334e7c3242054273686bbee2d1c644cd462e7161399540f7251bbe7

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
60KB

MD5
b606d3d62db4d2112b7721cc3147bbfa

SHA1
9b31c5a3cc0473a4cf35b6900b7f3664b57c9b54

SHA256
659cdb28279d2e4cbff2c37012dd95300d58035be834f959af2062e99199068b

SHA512
d5c19d9d1c161e133537ae23188bc3c9775b92f8f41be20d5c889b5f886de0557775906150d56c030e9f48f7d03fe04914116066750e2cf1c46c39b055a0acb1

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
60KB

MD5
2492fb48604a9fce958c18a728d200e7

SHA1
c89dafbfe4db977a4c124ea9a82d69500952dd8b

SHA256
9cf14eb7dfd09b7c472c94ef6e1894e1a6ee95b13a9ec77f535e85f52e9dc5fd

SHA512
32bb27660ee2a2c94fc3c6fa5f9ad0079971cd3bd61b52e1b50de392cb498824d7c2227f3629e8b44ba8b0a860c9b13bd3786c173254e7797f5bc4342d357993

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
60KB

MD5
92ff06b61077d771c65f292b11237a47

SHA1
a1985bd7203ab699ea85094f8e0e63c730756ebe

SHA256
25fa0dae6443376b3be825f337ac4ca73671cae6ab45f38d504e12f6a12f8cc6

SHA512
31b957f7da8dc09004443bd0a31a7d52354feac1750b6c9afe178235ef27a5544e213c80e94304f578398c3c42ffc132286374ee91d27f3791480aab161d84f3

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
60KB

MD5
471f053f9bdb3b6a7aad07c5397b7419

SHA1
ba44e37ab75a747ea0398f56d72c5390d17272bb

SHA256
99bf0b70ee85a4f7a8c4e9b8b234a6f55198fa93dbbf586c746f30861c226a5f

SHA512
d7b271e58a61b79d295cab6aef62ffdba149c3b40a588a86425a6fb0e0228f88086445535986f293f1de323b6ab9dd7a504d952959d85820ed1e7039526b6aa1

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
60KB

MD5
10ad6339adf9e8451711e0c4f941f1d4

SHA1
06e5b744fde0c3c9d2cbd4cec419701c43f4c20f

SHA256
678edb0e44e0b623653b1e0117ebb1947a467a3913de6bb4a76cc10a2d43888e

SHA512
259fe61b4faba0d75f5b9bb49e2f87e621bf94e37002c751783d7e85e68acc8e66238be49102fa72e99d81a90bba0efffb003bd56f2bd42db71e47f95a0a9401

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
60KB

MD5
aa048a818cfb13b6104d31f071a39ea5

SHA1
c196586d34d164f9825f6372054f604732b1b572

SHA256
9cc1ff4ac73281dddf46e6ce82cd9eea70a43e3000fc46df6183065403dec806

SHA512
f5a54a4b912b4b1c719cfcec448abb454268f8f64f4c6433d3be643fa77f72ebe16c4e3be4dd70664fb1dd84612c8d666abb284701a82e223e311441c6491edd

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
60KB

MD5
7f4ad573a841a5aca090c71c4c66a720

SHA1
02c0c4c2fb1e05d0da19a0d96703b3e6e7b2ed7f

SHA256
5132da2b9f3114f43ff8cfa1ae6d6ec4f87ffde0e5c43a12b375720af846933d

SHA512
39745ee64521567c20df4f0d5ba3fed333b5c0518d19ff973621ca048a6a8125f99060bc1f1533f2d38c3bd46106a399aefa8269c60c284e4833bcdf738df784

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
60KB

MD5
c53f50293276007059959abbe8004be3

SHA1
4f019c2213ce918ee76e85b65036589d084cd1ea

SHA256
b3489316bdb512e76041164c56d565ba3d65ff40d5320c4092c7f0663ad62f0f

SHA512
c902f7b482ea95f1339997cc2f6abac9d402b85c6ac9f052c4d8f232fde343e543d1526653f89527162c8f4084cc3dadc34b53392c987cd7cf7a466eed8b555a

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
60KB

MD5
7b3c09e1d4bf70d742c7dd92efe07a89

SHA1
7268bce5dec899ae6c0761fb88cc9214e1fa9d50

SHA256
d790665d31924abae65883abcbfa5fef87ab1a54b3c300e72e0451abf11a5eac

SHA512
cca8a3b66c6be4c3a46ce4a9bb36848a668ba13f7bfe7225d0408cdfb3138885698af54604bc8ed7e201038c087bd7718c6a9dc6ab2cc0f432fd6054089d852b

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
60KB

MD5
df93e7e4eade016fefa0365a65fa29c5

SHA1
ab901e89d2b073c943424487714fc993500cfca3

SHA256
cbde5954ffe4fcb9c262790068e077dd24c9775a732e61b83845a78abf436d9e

SHA512
f6a51f1a0febe5233ab92762b71b846c1e0a91ad8812dda321d2a55e5111a21b6a5f0423d4c31dc3f94124d43c8be5d4110748a85a5e21701c0aeecee8afa077

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
60KB

MD5
7b5d8293505e3da6cf054682645c190b

SHA1
ffd152e2e6aba65a22a67a5a9bb7274beee96c68

SHA256
a13448898f28ef3c53c61937fc6b26ae077b2761aa71896d34b2f034941b1d58

SHA512
5a8a535f2feeed2c9b3525353d769b17a59cbb389b4bb2b4bf4348e1d4c1c223d71b527b95e0dd0d058a5129dea58a831d4c0680fbacadec0adb22463b854e15

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
60KB

MD5
a26eaf5a9618db9e93fd7ed6cae31677

SHA1
482fd80cc67323dc772496dd2f304d7b88e9d230

SHA256
e073e59572ad752cdbacc32a8b48f4dde36349648854c7685788a78fb174c9b3

SHA512
a3a1bc2ac9f4b0f92b42b5eb3a03b3d8ce90085037987f7c17efa1da184b58440bfb8ba170e9b39b64fc105195e22a7df9185a18913d1ddc6206f7780b5818f3

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
60KB

MD5
b15b4b4df512a09bd95e25ae9660a4c9

SHA1
ae19618f94bf192685e304cb731dfca2622c69bf

SHA256
3335ea8ea0476d84166d3067cbe542817b05abb9f7ae8d49eb59b5049e49745e

SHA512
b280e3974576cdf93b9aa03116556f6c20890689f398e7349c4e23c58ea62297a0e293df649fa012dd91b8b8b20d41c47ae6cef9c4c3c3011add37b262db0bc9

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
60KB

MD5
a07f2bc32eeeceed3f6d7659c65ee6ef

SHA1
f58fd502b23823d9a8fc167feb463c70c4f7aa07

SHA256
acb2747a7ba607ab5594741826c4de8e52efa324c75c84c6021769d3cd8ef2c6

SHA512
044cc86efb361d309f67375557efd9fb2bb8613bc49de6d0cb09f6d59b9045267d890744c9d7de41cfdbfd9520a517687109480ff09ed64a3457bc822e00484b

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
60KB

MD5
68b91d0fa5acfd7872d630beaad0a940

SHA1
3ebbe875a71fb25d14705f32cf4386e9f10c20d0

SHA256
09a8b32f44e8fa0f0dbb8b7e392365a7fba1d8d7b4392850204db531620e67b4

SHA512
57c3aaf2545c1d8a6ebec77d2586d3dfca287aae03242bb89440159427340df83376f638a46f2164c9623a7cce1eb26ef73c8a74d55ab012cdfc5bedf96982a4

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
60KB

MD5
7115c4ca2e39606ad00611e3ba592799

SHA1
06fabdbca32467a7a2dac9d2ba99b544fc4390ed

SHA256
c2ffb5ef64030806d36192d550c859c7c5062bcf8b0f9dab5ed491a2e7e9dd88

SHA512
b10b20402a9a3bb924b16988d834e161f5d0c2f8a74dd083a5a1e88454a4a8838f80a880c672f98ea50995700ea7afe02f6b525849dc1879c3383213c208beca

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
60KB

MD5
4b43e33bbe58750e31499da2736842be

SHA1
fa72f2379b3d6dcf32c06eff44d3f9bbfc7bcf62

SHA256
e023bf287b135d7ef20aad8e1ae8cf6ff5a0735d006d48791be992adeaacb03f

SHA512
9ee4d1cfda25e7b04c486fdf62bfec918fb0a4e0f22b6ea91f7154da73ae8dc1b3f6d22fa659bf1f0427b87822d4f90fb4e8c3605b54403ff9ec17695072461d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
60KB

MD5
215f0425d21f9f1dc3746c68a65da10a

SHA1
d8e97766c50228661b2755a4e38bfbc8cbbf6581

SHA256
af90238a9ff0ee351f96dfaffd031118c79bc6fc15b19444359cd7ad8ab25813

SHA512
533dfa2eb4c16c94055f955f597c5a90a487f2e9a1b4b8d6e1a183194f06cea9edebfd946f33112e79f1a9299799f97d029d9e66cf0e496a2f1018c5f9eb99dc

Download Submit
memory/220-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/220-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/448-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/512-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/512-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/516-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/516-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/756-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/812-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/812-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/812-5-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/920-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/920-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1060-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1176-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1176-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1216-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1216-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1316-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-564-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1728-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1728-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1768-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1992-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1992-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2248-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2248-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2280-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2408-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2408-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2468-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2468-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-497-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-528-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-213-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3192-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3292-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3296-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3296-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3320-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3320-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3516-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3516-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3564-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3564-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3576-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3576-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3576-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-177-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3796-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3796-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3816-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3816-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3916-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3916-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3948-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3948-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4072-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4072-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4184-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4184-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4208-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4208-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4224-300-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4224-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4328-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4328-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4804-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4804-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4828-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4968-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-211-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-550-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5100-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5100-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads