400da495e36517b44549a5bf674ea62bd7c1e22e2b65daa3d7d8cdff4f845eb2

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
Size

96KB
MD5

5413cfe1c00460c24ac5ab1709d4d9e0
SHA1

5c51e8f566bfa2fa5b799430dc9ca80bf60b8624
SHA256

400da495e36517b44549a5bf674ea62bd7c1e22e2b65daa3d7d8cdff4f845eb2
SHA512

2da20508c6b691b6dfded74b1000710c76b03c4ba54c8b5118c1737a0ebb80f47366bfdba386456ab68c575f0c5f3d7b774865c82a3dc4641e874aa416e9a5dd
SSDEEP

1536:+mrtzL7FHp5RrcaFrjHmXaowmnwfiA2LqsBMu/HCmiDcg3MZRP3cEW3AE:/1rLrOXalwqa6miEo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe

Executes dropped EXE 61 IoCs

pid	Process
1636	Jmkdlkph.exe
3956	Jdemhe32.exe
3112	Jjpeepnb.exe
4896	Jmnaakne.exe
4884	Jdhine32.exe
1332	Jidbflcj.exe
2824	Jaljgidl.exe
536	Jfhbppbc.exe
3100	Jigollag.exe
2084	Jpaghf32.exe
4984	Jfkoeppq.exe
464	Kmegbjgn.exe
4872	Kdopod32.exe
1108	Kkihknfg.exe
4116	Kacphh32.exe
2572	Kbdmpqcb.exe
4432	Kinemkko.exe
3268	Kaemnhla.exe
3232	Kgbefoji.exe
2132	Kmlnbi32.exe
1244	Kpjjod32.exe
2444	Kkpnlm32.exe
1228	Kajfig32.exe
2960	Kkbkamnl.exe
4404	Lmqgnhmp.exe
2168	Lkdggmlj.exe
1736	Ldmlpbbj.exe
1272	Lgkhlnbn.exe
4844	Lcbiao32.exe
4556	Ldaeka32.exe
380	Ljnnch32.exe
2524	Lgbnmm32.exe
760	Mdfofakp.exe
4292	Mkpgck32.exe
3788	Mnocof32.exe
964	Mpmokb32.exe
4028	Mgghhlhq.exe
1928	Mjeddggd.exe
4060	Mamleegg.exe
764	Mcnhmm32.exe
652	Mjhqjg32.exe
1464	Mpaifalo.exe
4420	Mcpebmkb.exe
4780	Mkgmcjld.exe
1612	Maaepd32.exe
4212	Mdpalp32.exe
3716	Mgnnhk32.exe
2788	Njljefql.exe
4332	Ngpjnkpf.exe
3228	Nnjbke32.exe
4340	Nqiogp32.exe
4188	Ncgkcl32.exe
4392	Ngcgcjnc.exe
1780	Nnmopdep.exe
1080	Nqklmpdd.exe
4052	Ncihikcg.exe
2584	Ngedij32.exe
400	Njcpee32.exe
60	Nqmhbpba.exe
4772	Ncldnkae.exe
1944	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3748	1944	WerFault.exe	144

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1636	4980	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe	81
PID 4980 wrote to memory of 1636	4980	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe	81
PID 4980 wrote to memory of 1636	4980	5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe	81
PID 1636 wrote to memory of 3956	1636	Jmkdlkph.exe	82
PID 1636 wrote to memory of 3956	1636	Jmkdlkph.exe	82
PID 1636 wrote to memory of 3956	1636	Jmkdlkph.exe	82
PID 3956 wrote to memory of 3112	3956	Jdemhe32.exe	83
PID 3956 wrote to memory of 3112	3956	Jdemhe32.exe	83
PID 3956 wrote to memory of 3112	3956	Jdemhe32.exe	83
PID 3112 wrote to memory of 4896	3112	Jjpeepnb.exe	84
PID 3112 wrote to memory of 4896	3112	Jjpeepnb.exe	84
PID 3112 wrote to memory of 4896	3112	Jjpeepnb.exe	84
PID 4896 wrote to memory of 4884	4896	Jmnaakne.exe	86
PID 4896 wrote to memory of 4884	4896	Jmnaakne.exe	86
PID 4896 wrote to memory of 4884	4896	Jmnaakne.exe	86
PID 4884 wrote to memory of 1332	4884	Jdhine32.exe	87
PID 4884 wrote to memory of 1332	4884	Jdhine32.exe	87
PID 4884 wrote to memory of 1332	4884	Jdhine32.exe	87
PID 1332 wrote to memory of 2824	1332	Jidbflcj.exe	89
PID 1332 wrote to memory of 2824	1332	Jidbflcj.exe	89
PID 1332 wrote to memory of 2824	1332	Jidbflcj.exe	89
PID 2824 wrote to memory of 536	2824	Jaljgidl.exe	90
PID 2824 wrote to memory of 536	2824	Jaljgidl.exe	90
PID 2824 wrote to memory of 536	2824	Jaljgidl.exe	90
PID 536 wrote to memory of 3100	536	Jfhbppbc.exe	91
PID 536 wrote to memory of 3100	536	Jfhbppbc.exe	91
PID 536 wrote to memory of 3100	536	Jfhbppbc.exe	91
PID 3100 wrote to memory of 2084	3100	Jigollag.exe	92
PID 3100 wrote to memory of 2084	3100	Jigollag.exe	92
PID 3100 wrote to memory of 2084	3100	Jigollag.exe	92
PID 2084 wrote to memory of 4984	2084	Jpaghf32.exe	93
PID 2084 wrote to memory of 4984	2084	Jpaghf32.exe	93
PID 2084 wrote to memory of 4984	2084	Jpaghf32.exe	93
PID 4984 wrote to memory of 464	4984	Jfkoeppq.exe	95
PID 4984 wrote to memory of 464	4984	Jfkoeppq.exe	95
PID 4984 wrote to memory of 464	4984	Jfkoeppq.exe	95
PID 464 wrote to memory of 4872	464	Kmegbjgn.exe	96
PID 464 wrote to memory of 4872	464	Kmegbjgn.exe	96
PID 464 wrote to memory of 4872	464	Kmegbjgn.exe	96
PID 4872 wrote to memory of 1108	4872	Kdopod32.exe	97
PID 4872 wrote to memory of 1108	4872	Kdopod32.exe	97
PID 4872 wrote to memory of 1108	4872	Kdopod32.exe	97
PID 1108 wrote to memory of 4116	1108	Kkihknfg.exe	98
PID 1108 wrote to memory of 4116	1108	Kkihknfg.exe	98
PID 1108 wrote to memory of 4116	1108	Kkihknfg.exe	98
PID 4116 wrote to memory of 2572	4116	Kacphh32.exe	99
PID 4116 wrote to memory of 2572	4116	Kacphh32.exe	99
PID 4116 wrote to memory of 2572	4116	Kacphh32.exe	99
PID 2572 wrote to memory of 4432	2572	Kbdmpqcb.exe	100
PID 2572 wrote to memory of 4432	2572	Kbdmpqcb.exe	100
PID 2572 wrote to memory of 4432	2572	Kbdmpqcb.exe	100
PID 4432 wrote to memory of 3268	4432	Kinemkko.exe	101
PID 4432 wrote to memory of 3268	4432	Kinemkko.exe	101
PID 4432 wrote to memory of 3268	4432	Kinemkko.exe	101
PID 3268 wrote to memory of 3232	3268	Kaemnhla.exe	102
PID 3268 wrote to memory of 3232	3268	Kaemnhla.exe	102
PID 3268 wrote to memory of 3232	3268	Kaemnhla.exe	102
PID 3232 wrote to memory of 2132	3232	Kgbefoji.exe	103
PID 3232 wrote to memory of 2132	3232	Kgbefoji.exe	103
PID 3232 wrote to memory of 2132	3232	Kgbefoji.exe	103
PID 2132 wrote to memory of 1244	2132	Kmlnbi32.exe	104
PID 2132 wrote to memory of 1244	2132	Kmlnbi32.exe	104
PID 2132 wrote to memory of 1244	2132	Kmlnbi32.exe	104
PID 1244 wrote to memory of 2444	1244	Kpjjod32.exe	105

C:\Users\Admin\AppData\Local\Temp\5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5413cfe1c00460c24ac5ab1709d4d9e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\Jmkdlkph.exe
  C:\Windows\system32\Jmkdlkph.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\Jdemhe32.exe
    C:\Windows\system32\Jdemhe32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\Jjpeepnb.exe
      C:\Windows\system32\Jjpeepnb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        62⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 408
        63⤵
        Program crash
        
        PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1944 -ip 1944
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
96KB

MD5
a31757719dca7939645395fcf0a0345d

SHA1
98b54946271a3171108da7f39ee8b1884375f929

SHA256
a8c2b60f57f73fcfae57f13456a54ba0f700f0d5700cfa1d146246bd64b52479

SHA512
51d698a1258e6d455acd4fe62d2a76475558faf180b75619c98e35a19cb95fb1c07d660bfc02356837a459ea31f983a0fd8e8238ca80444d6e93cf9d01a380de

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
96KB

MD5
1bb17992e35ebfb6bd0b4665d4b68dfd

SHA1
409e3ec4b9e4bbbdf52e76e79cad7652330fd086

SHA256
0ac4e7d6aeb3700835e59ba39fbbd374d7c9c3ce995c2f9a0b6cd05f96b7ad16

SHA512
17a8638c519dae1078e5f9ae16158cb45cce6cca9ceb8ffe4e4e7405b4d2a5b039c520eaf9bbdbb45ecea222e022847a59e7501400b0b4d25e980b81deee48f2

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
96KB

MD5
2e58aee0637b61127f609ca53aa51fc1

SHA1
9ffb0feced228329166c9b446a823a5cf873f74b

SHA256
a955fef71b44b2ae387f1c845da39aaeda527d8448449780710e92b445cea6f4

SHA512
3c03a63817733365de2e9a22cd95eae8dcd837a6fb8885fde9eb9413b48b7ab6701cb32a1781c4aad1d91fbab028ed5fe75654f1d448c09eac110a6b4595bc0b

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
96KB

MD5
020beb11fa9fafd894a56019088ebf80

SHA1
3568f84569a9b09f09024e5a94837c87b739b9c5

SHA256
e55ae040779dd025abf8a1a46820e7bba32a48ce10bd3eab7c19ee8d0cffe0b8

SHA512
03f487f669f05451472be25bce6d22840250148d79548a94e0ad9b09434c9d80abada59c4ca7f78e55888ee144c3cdb487226bfde0d3a41f2f66cf8cb6afa92c

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
96KB

MD5
757ea21912b41676950ba297d1b0763b

SHA1
323dee3b8c05ad5edec172317196f9e009d92c7c

SHA256
61b5f7ef958f6095886499f98143e175ad7c7aa4e2465845de26e81428dfb2d9

SHA512
a474a97b7683f35731c5e85a5530df794ccbe73054f55118c5613ab495d46954b1b38981a920e1ef1bb896fef0dc0c42b0411e22dcc6fc7bd16890e85f681f7c

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
96KB

MD5
64b5c67af55697a6ba012111ed1b2144

SHA1
f066c07473d3c4d7edf307a46d1f6722079676cf

SHA256
6318e55035959f7d2e730f70305b24755408053461694c9f3914b85e7a8ef58b

SHA512
4c58e465887271ef2be11720f76bf451d844655757fcc276e857f9ddd324911322641d8b4b1facf7058de3b3a566fb7f1eddd4a6abd7b46a0898e62000255e33

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
96KB

MD5
b593fce26f6cb3e5ea3f199bdf8f8812

SHA1
08a4b5e160725b5b7210b3ca4636b82d452f6ef8

SHA256
07ff3e6e258a9c46b12a6dc14e774c0f54810a47ba9a724c42e681fa8ac96d50

SHA512
3c20d2601b31c4cd8b895bccee0481d3e10b41259896b0536fa3a12a4f8030daffeb6fe5b631e0d712d09073ee7508ffd523688ebd1737a8dc10f94ec9ebc0be

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
96KB

MD5
bc75a160372fb5e21926bfdc266d5e28

SHA1
7deaba25b3f0653bed89f84ebf87ee969166245d

SHA256
bdfba812309cf8254346ba9e5d14526da4bfa8d5a002b9dc008965290128048d

SHA512
cbe058fd39f83630b3af297ccb7093562eaa2eb7fbac5e269cc339634f54d126ce0299061a412bbe00e364633c713b57cfbed55c691c24d5324e21d03038e83f

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
96KB

MD5
ad36eea65bb7c4c0eea54fd84142cfda

SHA1
15be5c05961c259c2b8b34bcabb64541140a6a62

SHA256
6afba10a2ee663e864d92b1e616059b76d2b3d847d72c602974a71a8510ccc5c

SHA512
d9e5d1772e85c1c48657bc062f6c502530c6c2773f2f925bcddfd9dac54aba47e0b98541dce0dc11015726ea101d19e2d57d14b1d5eda3be4ee30260d8d401c3

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
96KB

MD5
1793daaefe97cc340e4b2c232675e621

SHA1
97e7649b7372587b2d55b887a6cb6fd4bf79ae93

SHA256
c99b808787dd4868e7dde650994df68baef761ffc4916b6a8abc1f509ba0fe6d

SHA512
a4dbf6e4687566d601ff890f69df71b237561062d1bfc48a196bfe6459fa6daffa1c71a535a6dba8c338bda59950d4b11975fef0e7ec793444fe1be2736fba3f

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
96KB

MD5
f7a5e744420e356a4148749949c1b7df

SHA1
b32ed8000fb903ad5350139ab021a503d899f559

SHA256
0379fe293df36f8781ca4f49bb72e6701e4e7b19dd2cf4fc5a7b63c0d3b91644

SHA512
301f0c45340ffb13fdfb361ec4332e86b8f61c8e8ba4aa4b9ec1af2ae112112df7759a32bbacbe59b9f3f4c88aabf57873b77da815bf821abe6c670c6898cbe9

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
96KB

MD5
32d084f63c9445148b482a5505a013a6

SHA1
449999b460a2ac848f95f21cac0f4db2a855147c

SHA256
5642572457cb10e7c72bdd7dbdb28f3344367f20c3e07f03f7a0038845903294

SHA512
455b5f6c144555372f0192bbb15ce571e94ffb91ae8d8c502508927b146b7feb26aca0b5ec09a21e175a0ee4277ff974b68bd7df309cec6df0e59695eaf0010e

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
96KB

MD5
a201ea940b2e1d379df8836997d7412c

SHA1
2ca5cb82d4de7b3cd482b257176b48e4b0d6b099

SHA256
cca75a8f08943eb5b2c5314210a7141b3dfb4f4cf7b858f8d34f05f6476ffd5e

SHA512
4a71313cf3810cbbb7e5593a9d07ebe4d9577c7e5afaf432295d2257469f24a9459144f55d93a939651db1f700687dcd449eaa2db83e588466eef9f6175cd20a

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
96KB

MD5
288576786350f696f3b3ec2c91c098ca

SHA1
5575269b00ab089241af05c772e54b75ff167487

SHA256
b9066d0632b5e895906c952180bcc40da61a802b402af1160bea953e2181d9df

SHA512
cfabc354e82ba567226986ed7915f84c04a1033ddd89ed1feebe0c03461ae8626a150a578f30f3fc3085ceadeda2418cd996326fa33d4d2c8908dda672ff5043

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
96KB

MD5
44ea2fa49f4a797d6ca32c4ab0c34480

SHA1
b11e0cc3db7945d249e421cb82a753b6b2a8fbf9

SHA256
8279b801219c6031bb18179047261e22724f3806e7326fbbe166cd4353691719

SHA512
40839040e22175bfc78a28af9ee020b29385e16a079d0103156240c8f4879ae49b9c11c11bb2f662f86267844d523a45813ca40538bffb18f10ba9663f07e1ed

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
96KB

MD5
798f0aa0fdf3a3f0e3e2bed6a98ca350

SHA1
01c54f6a989d7b13a86ffe911874283c245b6b0b

SHA256
7b4038c049ab975dfa28d68b115e10811e3105d1e326572109796e51895b2b6c

SHA512
bad769c5827dbaa49efe31e09d1919d8ea5880a870e1a612344b4ea3935590c94370d3793f54bc73e4e6e447da9ca8a16703f023b350dd954526003eb9376f70

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
96KB

MD5
55679b8b81da8111dceb5312ae30064d

SHA1
45678e9fd56e6bcede9e25e5891ff6131fa09428

SHA256
00609b4d0238c0450a24de4be3843b8d28c0c9aaa6a0d4d234ed17387e0e23d7

SHA512
d6f26b4cb1de80d9d0ccd98c562eacf1f08a2c4e08b211229d5dd57bd45e163f4d5d7a590d47ab835db38c30e79152c241dcca41ec735423945625a3f5986aba

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
96KB

MD5
204f6076b9ee6852a63fd114a6e27bd2

SHA1
d6913e5c0a2146d02902be2b0aad39779494f56a

SHA256
74a99ede2759cf8ab44966eae9a3b393ed81d54fc9bfcc88e9a59106a23ab0b6

SHA512
518b1f23ac1ee1b0b7fb3021f35d4698ef59e53282911a6e3203b234c4555db25a6cea9874ce573ea500af16f25846c3f10ff745e5cbb7fa4760d7fd74a99e64

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
96KB

MD5
cdc5eeedabb4fe41466580c4a32f72ee

SHA1
4d48d5c1b1f152ec206725514e55a060f513ae8e

SHA256
7bb894c1d45640bb39f2180aeb00d0890de542e92528f49dac19c39bad17a4d0

SHA512
b68a822121fec26fb27bc32057f2ffb7458252a362797891bd183a95a963769730526ea2f93449368089fba83800e3e7b242ef8dfbd7bb719ced7a8b717e1bcd

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
96KB

MD5
93431c33e3a3e18f5a35e69eb6a4632a

SHA1
da58aae4f83297ec34d5b0c598a8a47c8c63e12b

SHA256
69738ac6541e17a7db5fe7243b656691635cc856f1a6a2a5cb32255b7b3fd817

SHA512
823573cd9bd9cda9edb84a8bc66314f2312903a3407bb31e2225e84fc5086826e993e0924793b63aa7eed15e3e4dc40c2d3e00cd9b09cb7a5fb979ec8167c77e

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
96KB

MD5
4e3fe6555f98a736720b02679b529dd1

SHA1
f8d5e61692daf241a67d59111e1421eb021cd637

SHA256
f105e5fad3c5d916a932ccf1bc38c401bc144e112e31410e44563e7c93ee3140

SHA512
a8b24f792d417b8f30197cb8598c40289cb287a54f80d229a228ba45b935b4f91e2573d33fb1c4e3cb42521fdf028f325bb8232356a8b6e9c3581f9cbb244b9c

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
96KB

MD5
fa36671fe665299fc469813404b7aeb6

SHA1
d5237385b7df8eb3ae8de5982563176a383ee200

SHA256
90abd5d84822c112b1b7b39240c9c3885a2b701dbf64485d33c9d1689cfea09f

SHA512
349fd32a449b972239b449cf176b4353608b95b001ac298bea0b8a8dce74c67f204516d79b0422c86185bf07499087f39756b93d67f1d3957eacb981cb2bda26

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
96KB

MD5
0c6cec4d094771025c6b72eff007590d

SHA1
4d85fb6ad07f2ea0e2e17d10d8c5974d66c997d6

SHA256
468a0154f8ae7b99f58155752fe261d537346641c22dbd0d0f90894f0efb017b

SHA512
5b4dff24b71d02925690e455e5121e6b644c0eb0eca5dc5e43550e71c4279a6ff76911421807be04a74f0761f10e2e62fa794883d29c87edad61a5940c74e559

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
96KB

MD5
6dd40d6ebc8a0686e18bc68ea0b2c9cf

SHA1
a20ed868714770d4a09ade14e58ee40f859b0d92

SHA256
899e2ed74acad74d96f2ded419f808aee310d55fe10dccabd99cf17f02f54010

SHA512
be13991ab81eba9a29fb5561f1209fa962cc98bde514caaea6953c7145ed67768e484f56a65055860307ec6c48127e4bf70246d76dca753ce4428d2432bd1964

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
96KB

MD5
c1c584af820508610777e6de8386a62e

SHA1
e42ac8ecaffd0e7b995873a16982a00fa047136f

SHA256
71e964aae971193e1fc9ef317a2c53351b5aba3283bc7053f0252a602083e315

SHA512
5564472b08883d62c6ef2ff65f2f5e6a676da68d2a140b215b1ee30f5adb43d20e80916a94ad83c8785f58ba2a2a8df55348820da0b9be88bdffc061e1571320

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
96KB

MD5
33d69124904590df456448a8e509b3cf

SHA1
d78941488a2569271539038acc7102f8e187f776

SHA256
8a8bb613e32dbf5d4aa2f76f803bd2ff9b76cc7d59a72d221d70cb12681a8a7a

SHA512
bc4490fc9e0e368d077e8e3251ddbef6feea847a9aafd68d272217463ffdf4b12db75f92a2dd74272c835a7ea8095ffbd732fd36c08229e4e03dc90d41af7d8d

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
96KB

MD5
00d16080e64bb686f1423dab23534aec

SHA1
40c4b91324506bf0bba042bb910c5b5524882a15

SHA256
b8fb4113b45bf176cdf7d1b3a4fad41517b1d0c294fb8705c63ad555a55bec11

SHA512
a105a46a22970418bea8429b6c88f54c1f5f6c210b3a68092939381161122fce3e5f4cad5010384f16711d6f5a536d9491c1333b440bc39748098c6299e589f1

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
96KB

MD5
5c2b0a747fbad1cf6bf9d284596c5deb

SHA1
222c92c7f16fa3695ea7a2b1c5500c6cbe2aff41

SHA256
abf91308f9c2386c85d14c5388377cfc43c043c92c5f51f8ae11cf38b6bf3cc0

SHA512
342d88a34438f4ecc3ef163cfec3142ca8effa595ce4aea3b4b281dfe2b262f324cd081e175cf4aaba8998b7a004b9a7e2d89e9cd79d307c50fc83807f8f3a55

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
96KB

MD5
8190fd439600782ae42a8163b5f26c74

SHA1
32e88cc4bf67944744da05cfeea4b9c58bb1599b

SHA256
dfe242f80c6037d2225c602b599edcba2d4dfe181236ceabbaaf3f36cc2035ef

SHA512
69399b931612d801879c4f13fa337f324776160b935a20ac1705e06ab78fb0a7756565fe094bce5cd52dbbec95ad0224c991d9ba7bfca117c993ef508cae5d11

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
96KB

MD5
6703d0dbdfe16bcce58818590f0cfe31

SHA1
5662f703b8dae12e15647e7a8227b4a489e917a3

SHA256
bbc8ebe83537b1720624e0f832fd5faffeed372010fde61f9626686687fc8134

SHA512
dc810b41ef3961ffaf8c7353cbb21167c3cdda52469c62e204f1e2d5259ad742892081065c9b0f109dfa158a9cd8e2f9e8b920c5f30438c0d43fc5610ec61075

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
96KB

MD5
24990a830e3e069b29823b566bf7c688

SHA1
b106bcdd9a76a3bbe0820c257e995830f0bea64e

SHA256
1986fb6716576f9836b3a4fea7241c7a8c680a03fa4f000802be95fb836d8857

SHA512
1f64ceb556c189965de815a04985fe12b4808e4b09ceb56f1dd03949bc9049cd9e49ca754d1d1bb81139ad5a6224abd8a5b7194c805725caaa3977b96bbd3005

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
96KB

MD5
dd0edf9b30e9b65627eaf8267322e953

SHA1
c2b95d06101c6aac975c96ee3a421256b796671c

SHA256
35694706f080e85bc76c1845c74007760999621cf6d7284922aa89a072d357f7

SHA512
81cd6caeede331287a26b2aaa419c0eba436d0c418535af9d2572476968ced2203b5e15eff4092c00ebf9f77d96ec32d8b2971e712f65ab89481c3d023a4a49c

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
96KB

MD5
35b666298aff160e94462a7f01ed8775

SHA1
2cdcb3ee332bd41524d27161cdb947387bc380ee

SHA256
7fd37da200c71934f438e93a9e9762469dc2359efb2b5abcda7c8391044b56ad

SHA512
63532a604606e11a79591713ae76de7f55d497320ce9ae9706589d6a96ea83e04ca58b9de0c65dcbfced890fa7c8fbc5d1e3c2dae0f55c9a408419258c967b59

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
96KB

MD5
c0804711b14709ba3e490f2dc9fc6a2c

SHA1
0e243bdd000e86b33fa2f3e8afdf5ca851c9cdbb

SHA256
df8241c9c0b55fc760b6950feb6d03c6558f3530a7c835e06a895d82d03a7a29

SHA512
523984c5a40edec86e0c0017f231cbe906bfd5c736f8fb634e0f1ae48befda0041d08087720b303cf644cd42a055188fc205cdeef43feee95b9512f2e932781a

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
96KB

MD5
c22084f3af5adf2f0042275b5e7b89fc

SHA1
af6df03da9705b1dbca4c94b298ec307cbdb1e3c

SHA256
fb0c2a18038fe87c51331113cf28cc019d7818bee111bfb6185014057ab38052

SHA512
b2398c5201d0069823de8777a88604a37d3738cc14315f79e96ef5f5bbdeda6657c46ec9cb5067bee137ae6af386df1c79521fe10495b5e2bbb76392bcca035a

Download Submit
memory/60-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4984-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads