66a612a000bad5698985a5c5767ce73a6bbdc1852c0a76960d249640cb80d983

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe
Size

79KB
MD5

f069961e39b4c7266687a531ddb814f0
SHA1

888352643b30039929e352695048697ce559932a
SHA256

66a612a000bad5698985a5c5767ce73a6bbdc1852c0a76960d249640cb80d983
SHA512

b4daa2c498d06e076b56ee34306caa9b61846bd48c86a932b6d3145f788438f3f8390548e2282aefd39f12750a2b3a527df52414a968f05fdfeb6e3fddfc417f
SSDEEP

1536:6OM2EGYrJTZkvn5DTHhhuwUwfUEB9iFkSIgiItKq9v6DK:u2EGoJTZ45DjLu+fUEHixtBtKq9vV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe

Executes dropped EXE 64 IoCs

pid	Process
3908	Jfdida32.exe
2752	Jaimbj32.exe
3612	Jdhine32.exe
4504	Jbkjjblm.exe
3592	Jidbflcj.exe
3304	Jaljgidl.exe
3996	Jbmfoa32.exe
1316	Jkdnpo32.exe
2256	Jangmibi.exe
3100	Jdmcidam.exe
2816	Jfkoeppq.exe
796	Kaqcbi32.exe
4168	Kgmlkp32.exe
3864	Kmgdgjek.exe
3120	Kpepcedo.exe
3888	Kgphpo32.exe
3076	Kinemkko.exe
3340	Kphmie32.exe
536	Kgbefoji.exe
3416	Kagichjo.exe
1764	Kdffocib.exe
1308	Kkpnlm32.exe
1172	Kajfig32.exe
1972	Kckbqpnj.exe
2012	Kgfoan32.exe
2976	Lalcng32.exe
1632	Lcmofolg.exe
2908	Lkdggmlj.exe
3264	Laopdgcg.exe
2820	Ldmlpbbj.exe
1568	Lkgdml32.exe
1948	Laalifad.exe
4380	Ldohebqh.exe
5000	Lgneampk.exe
3240	Laciofpa.exe
1044	Ldaeka32.exe
4852	Lklnhlfb.exe
1344	Laefdf32.exe
3680	Lddbqa32.exe
1036	Mjqjih32.exe
4052	Mahbje32.exe
2464	Mdfofakp.exe
2496	Mkpgck32.exe
2284	Mnocof32.exe
1860	Mdiklqhm.exe
3532	Mkbchk32.exe
3880	Mnapdf32.exe
1008	Mdkhapfj.exe
2768	Mgidml32.exe
4540	Mncmjfmk.exe
1660	Mpaifalo.exe
4744	Mglack32.exe
1884	Mnfipekh.exe
3948	Mpdelajl.exe
4424	Mcbahlip.exe
3020	Nkjjij32.exe
5032	Njljefql.exe
3276	Nqfbaq32.exe
232	Ngpjnkpf.exe
4320	Nklfoi32.exe
2580	Nnjbke32.exe
2584	Ncgkcl32.exe
2524	Ngcgcjnc.exe
8	Njacpf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3752	5028	WerFault.exe	153

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3908	1904	f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe	82
PID 1904 wrote to memory of 3908	1904	f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe	82
PID 1904 wrote to memory of 3908	1904	f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe	82
PID 3908 wrote to memory of 2752	3908	Jfdida32.exe	83
PID 3908 wrote to memory of 2752	3908	Jfdida32.exe	83
PID 3908 wrote to memory of 2752	3908	Jfdida32.exe	83
PID 2752 wrote to memory of 3612	2752	Jaimbj32.exe	84
PID 2752 wrote to memory of 3612	2752	Jaimbj32.exe	84
PID 2752 wrote to memory of 3612	2752	Jaimbj32.exe	84
PID 3612 wrote to memory of 4504	3612	Jdhine32.exe	85
PID 3612 wrote to memory of 4504	3612	Jdhine32.exe	85
PID 3612 wrote to memory of 4504	3612	Jdhine32.exe	85
PID 4504 wrote to memory of 3592	4504	Jbkjjblm.exe	86
PID 4504 wrote to memory of 3592	4504	Jbkjjblm.exe	86
PID 4504 wrote to memory of 3592	4504	Jbkjjblm.exe	86
PID 3592 wrote to memory of 3304	3592	Jidbflcj.exe	87
PID 3592 wrote to memory of 3304	3592	Jidbflcj.exe	87
PID 3592 wrote to memory of 3304	3592	Jidbflcj.exe	87
PID 3304 wrote to memory of 3996	3304	Jaljgidl.exe	88
PID 3304 wrote to memory of 3996	3304	Jaljgidl.exe	88
PID 3304 wrote to memory of 3996	3304	Jaljgidl.exe	88
PID 3996 wrote to memory of 1316	3996	Jbmfoa32.exe	89
PID 3996 wrote to memory of 1316	3996	Jbmfoa32.exe	89
PID 3996 wrote to memory of 1316	3996	Jbmfoa32.exe	89
PID 1316 wrote to memory of 2256	1316	Jkdnpo32.exe	90
PID 1316 wrote to memory of 2256	1316	Jkdnpo32.exe	90
PID 1316 wrote to memory of 2256	1316	Jkdnpo32.exe	90
PID 2256 wrote to memory of 3100	2256	Jangmibi.exe	91
PID 2256 wrote to memory of 3100	2256	Jangmibi.exe	91
PID 2256 wrote to memory of 3100	2256	Jangmibi.exe	91
PID 3100 wrote to memory of 2816	3100	Jdmcidam.exe	92
PID 3100 wrote to memory of 2816	3100	Jdmcidam.exe	92
PID 3100 wrote to memory of 2816	3100	Jdmcidam.exe	92
PID 2816 wrote to memory of 796	2816	Jfkoeppq.exe	94
PID 2816 wrote to memory of 796	2816	Jfkoeppq.exe	94
PID 2816 wrote to memory of 796	2816	Jfkoeppq.exe	94
PID 796 wrote to memory of 4168	796	Kaqcbi32.exe	95
PID 796 wrote to memory of 4168	796	Kaqcbi32.exe	95
PID 796 wrote to memory of 4168	796	Kaqcbi32.exe	95
PID 4168 wrote to memory of 3864	4168	Kgmlkp32.exe	96
PID 4168 wrote to memory of 3864	4168	Kgmlkp32.exe	96
PID 4168 wrote to memory of 3864	4168	Kgmlkp32.exe	96
PID 3864 wrote to memory of 3120	3864	Kmgdgjek.exe	97
PID 3864 wrote to memory of 3120	3864	Kmgdgjek.exe	97
PID 3864 wrote to memory of 3120	3864	Kmgdgjek.exe	97
PID 3120 wrote to memory of 3888	3120	Kpepcedo.exe	98
PID 3120 wrote to memory of 3888	3120	Kpepcedo.exe	98
PID 3120 wrote to memory of 3888	3120	Kpepcedo.exe	98
PID 3888 wrote to memory of 3076	3888	Kgphpo32.exe	99
PID 3888 wrote to memory of 3076	3888	Kgphpo32.exe	99
PID 3888 wrote to memory of 3076	3888	Kgphpo32.exe	99
PID 3076 wrote to memory of 3340	3076	Kinemkko.exe	100
PID 3076 wrote to memory of 3340	3076	Kinemkko.exe	100
PID 3076 wrote to memory of 3340	3076	Kinemkko.exe	100
PID 3340 wrote to memory of 536	3340	Kphmie32.exe	101
PID 3340 wrote to memory of 536	3340	Kphmie32.exe	101
PID 3340 wrote to memory of 536	3340	Kphmie32.exe	101
PID 536 wrote to memory of 3416	536	Kgbefoji.exe	102
PID 536 wrote to memory of 3416	536	Kgbefoji.exe	102
PID 536 wrote to memory of 3416	536	Kgbefoji.exe	102
PID 3416 wrote to memory of 1764	3416	Kagichjo.exe	103
PID 3416 wrote to memory of 1764	3416	Kagichjo.exe	103
PID 3416 wrote to memory of 1764	3416	Kagichjo.exe	103
PID 1764 wrote to memory of 1308	1764	Kdffocib.exe	105

C:\Users\Admin\AppData\Local\Temp\f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f069961e39b4c7266687a531ddb814f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\Jfdida32.exe
  C:\Windows\system32\Jfdida32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\Jaimbj32.exe
    C:\Windows\system32\Jaimbj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\Jdhine32.exe
      C:\Windows\system32\Jdhine32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        29⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        48⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        70⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        71⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 408
        72⤵
        Program crash
        
        PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5028 -ip 5028
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
79KB

MD5
162b1a1592f554959df5dd635ad63932

SHA1
ef6f3b530beced92ceda0e59f5899e0b7e126b7b

SHA256
2a45bd2272c4b334aa1ac32f46cb790e648ebbe3e865a2afb430c7f8f75f12f0

SHA512
7bf18efb6fcb0a3d45fba4ef056c7faeb3c2b8a7518f9da60b7826baa01c4bce16aced1b3dd05c47a6f520c7cab4a9ec9e067979c4f9a2f1cf54c6981ce7b9ad

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
79KB

MD5
a534f8f327fc196a2fccc98310c07e2c

SHA1
3884d1b6492bce28f14a525890cd8d90b5638f81

SHA256
848ea88c16ec025263fb7628f5dd925c883ee2e2b01aadcc9b3c2e00e029136e

SHA512
0c0183f0f9a639fefb1896c9c67f6d9c0fe0c20b41faea256fa1f7b2ec2e12fe3add640638479d0cc8cdf03a5f3852407bd967a98f7233f075428ad149e0ef39

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
79KB

MD5
28f098e9c91d06d97b2af98294a7c26b

SHA1
5ba6c45f02e7a0c8d6c0428bb5afd59da1ca5505

SHA256
8dc75039016292c56c288597f4143282dda16f501fa323402cb00d02186d5b48

SHA512
a2adb013095ea322f2bd276cdd875e400a1e66bce822c1bd4a01a1a53b500c694d401746b99cb55dc56355af9ae5056502c9501c972144fb4bb5b3391445b221

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
79KB

MD5
ae9a721c0630af78060d50e9ea3ba15e

SHA1
a879a93bf1beaef3da97e95cf8518bde5c4b754a

SHA256
212824478f0d670a2f105b1f697e422b07e90bfd2bc8b65c6196211837f3634c

SHA512
d994f0df98470811867ade939b0ead0a85c2e4cc1b3467eacc94965ae5f8bac460e2735593214b771909e5971b3de336e585b00d683433bd871e69452ace86a3

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
79KB

MD5
7cea3ac5bc0f28691b457bb4c84cdf36

SHA1
6ec92e401d9b552d55485d4c340380fec9dc5b36

SHA256
9dc4f716ee673f7241931fdd4ffe2dd8f183da77d71ae9dd6447b515fc74d88d

SHA512
b7a522656620cfacdb15790f438ffc73d6fbb07be091643e32511ceb25fcd8aba4597deeb7d8fec8eb3b3c8b6027cb8fc80a79e714847e4fe221a0a5ca67f497

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
79KB

MD5
3f9b4545aaefc04052da9e72ae1d8cd7

SHA1
779ed6f00b1b810d08a9ef7796354c0d23346055

SHA256
876198aaa3f0d14fea4ddaabf8bd08572129e08c38a44624ae7c3bd072ff3d81

SHA512
e191b39d4b50b6ed126d7eb52f54a286adcaf0238838741191f441aa2b946aa2c9a1910d27ff468f3d5a661c43b2c39813be00f08cc7f426579b94d6cef163f0

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
79KB

MD5
7291e13a5f86b93b587397f3c88dd12d

SHA1
64d67cc1e8ec06d399db8c45708ff89d1ecabb19

SHA256
ac70b4430a5ce47126ecce034a971de81477790324b42cf84fab7122bd44ef02

SHA512
98c1c44759fe9a5454e922d8ce023e4ca6a3dd28d5cf8b9dae126b00ca0d4d9d71793032badb2bbaa8f9cb3299a4afe8047cc9a4550b0f9d305ed6569b46740f

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
79KB

MD5
2d81c0c9b21c5f5ee8d1b6d72261558d

SHA1
2670f29351832b53bfe712e4cbcecf622de87b95

SHA256
043f76af1927fdeb6ff2555b963b425e5b53c34f6ae5aeae7c060179bbb75fcf

SHA512
539bb344df9bf380589fa46cfb43bf6d9650507a9b80eacbff4a73936cb77201df3b531d1dfbf8b53250028234b6778dfb4ab624dd6c5d4bca55b6957f7e0293

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
79KB

MD5
229196244f95de6794857807ccc51137

SHA1
0f641b61d041fdde1261b7c00c7611789c3c69b1

SHA256
8b24aad4c78c3ffda79801a579e799149e7d600193f4435fd1937a28793bcaa3

SHA512
882b38a39fc8e5f96b47905bbc784f8a66c4b3dcf0a5e3e3e817a6e009f17219316322b7a1cd5c0845d9f6be55f318f8189ef2b91bbb32182b0fea19a3cfa7a5

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
79KB

MD5
05d4c77296611dcca59568adbec6863c

SHA1
afb9fbeb777ab2437f404a1bbfd62f301d096afe

SHA256
6ab94086ff655b4fcad258fa495f3ef8d36b4698c65ebb39c376043d079d88c0

SHA512
2476e6fccc83d00748a6a0db07fa741fd8d07a7b4d01c37020b03a782394b02aa64fd8268db4fe9b6066aea77dff9b3bccdb0316261dd4b5113fa419c449429b

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
79KB

MD5
f92448b4c3662e1df86f5c475ed30d54

SHA1
5f5b2689eb20316fbb7ece15b4928c0d0fb091c5

SHA256
6e269762c9536444b86f12f875acc5d3475e4322968d19ae59127e8d566fb854

SHA512
0567b83a8a94b35bde07d41e8f824ab8251c2dfb6eeda4023a4b5184f7bd2561610f761d23aa534ac2d7472db9dc0005a19d8c804895f07110070b552296a838

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
79KB

MD5
59d67f2cb0ceffdee4e8cbf9b0832ba1

SHA1
28c4499edb3c6a673d89f01a9fdf20115cb1df74

SHA256
4899bf3918a5bd7d3d4b13833e9c46112a315575af43876609666f562b4d5e54

SHA512
8f39eb94cb8a308de0fa394e1b1523503a134b03f19e1f39cf793e94aadcaaa047c633c9bbe2999cd66d1c56cd9908ea0aae1232aa5851dfc06a7a836e09a704

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
79KB

MD5
2ed5d733fb1933a4193b65915da4bb20

SHA1
990a0004d8bda5ae54f07406ba1ead460b48da4b

SHA256
b8841f43fcad343b4772d20aa9c605089a6c4a28d4612976e80bb36987472bd0

SHA512
70e6d684397830e8bf4a09eb434db65a0a43c84f062886681843e37042e4cd3c95d799f0226577337b65c2c34b0f551f39f6374faee36ffcaaed31f1b84a5ee5

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
79KB

MD5
65b1ac969a91b2378ae318f1100edd99

SHA1
703cd2f478887cb841ef95eccf017ba85a1123b7

SHA256
4293d56cb427927e7fab9d6f1da9edb0fea6115d3685bd7fe4ac313f001a1283

SHA512
ba934b558f1706e9ad8a0cad4dd927a9e0e3b7b935fa528b989ea7db588f518e20e5e8b85456da958048796920fc192a987e77c93a98c63904909b07c6c348fa

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
79KB

MD5
f8a2cb482e6b48be4678be65eef06c37

SHA1
281be57aeb11be42ba5f49f97f03d0be50376a26

SHA256
1a58afecfb19bb227ae2c31509d8752da20e72c73c748a9133a6730d7f7fb758

SHA512
bd2336d0a6e6f24b392da75c659958eaf2721938161a80f08c3dd6b232553f3bbe4b0ac2c617ac4cfc9c6c181b273dfce84d84cd78cde6ebcf0412e78f09600a

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
79KB

MD5
45ef0965de0c8269186ae294ec18bec5

SHA1
7eb3422c003c630cd458865e3b5dddf97c8bd937

SHA256
f72a12f212c1ff8ae749c543c6faf35c3e4543bcd6722f8a42b1839a41ca27b7

SHA512
428fc69e6c27f9e1153d81db1a3e5981ddcc5bc6bf680b8ef5e3f426d670769146e8464d2db50085af15c092e787659ddfdd4ee25fc9c016111feac0f7a127db

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
79KB

MD5
1a0d2be78ed1b348ff1e8a4f82ce9fc7

SHA1
886a12e5881072462159fbc8725a9b35e2631a77

SHA256
d44cef71085df0efa03356bb859476e587e563d74964541df4150a2a823e3468

SHA512
ffb20b55c0b586c4e26d25f8d3d8619e92adba2bf3865ba28138000055898bd8ad5d7ea1859071d900a04b8b0ba4dcf08cb2e8939167f21d5e51fe4f3fd61542

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
79KB

MD5
d6a0f8e8f32ffe905101e1ab240e7247

SHA1
8b19d10ff06517e9c33eb069df8c2f97da509e76

SHA256
e7a3f78e41639ee1a93d55a91dc1a880417c14547b9cebf98962596d06f01a7b

SHA512
2b176924f989cfe431b5f9c8a42904d8a63fee090d2b19175026c0c94b0e1ee2683593dd865259bdd1e05f0715ca7a09990a6788ab427c0155879cc3dadf2f58

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
79KB

MD5
50024d331f9525b17ff468aaf9ed9b45

SHA1
17da7e11571517d9fd191409fe6be07f459d08bd

SHA256
73b8d756b7766ed2ab70216c67976bb6d253587a239541fb4eaa8890d15c59f4

SHA512
1ce5b2f9ae36279cf2e7e942627016a16fd902bfee83ef042bbf3ce119bc41153d3a139be7e39ad621a307336b14116c16a69d19ef23d159ca760014e70f98c8

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
79KB

MD5
82bb821798831432c42fe67427404dc6

SHA1
453fac7682d7008d82e7e9e71afff5b352f315f4

SHA256
edcbfd2374233f4696b488b49c50066916a1c63db53246605f7b5eb54923424f

SHA512
5b344f278f79c4f21a986c8dc9a4ac61bd34d5320277a0d3a1e81774f91bf8d8517ad85e911ec4a9e4027f9d18d77818eee346c15fe3b3fa2a50eeb8d2eed8cd

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
79KB

MD5
a1e848878c204b94985ae139c558e78e

SHA1
9accc35df250f6bacbcfef9ec9221869931ea6cb

SHA256
eb87c6ab36bd9aa7681d4fb8fb1c3bb5e08786abe4b5b7e9e372bffe628f6dc7

SHA512
7602c57e0bacc2b1feadac7d630d4c6c6e78b61c738718149e5e24085b6471d72a9c74302ad0707c4e42863cef1f9c17bb72fa92a9a4abd838ec4a249fc9bf57

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
79KB

MD5
3aa9ce092854d427bc1c58ea1f6a17ba

SHA1
de026b0ccaef8731f561ed05ab5f6ae059e53db5

SHA256
9b0293b84eebf63bb77f4f02e809eea9d00ffea20176ace885b72674eae630e2

SHA512
e8e42ae2f997ac0fde186094e1e87f4aa4a8e975d4df98f34351baa9cab67363d31065fa6de1e21729d7c40a0f73e06a434b46196f4876a8cf09970e6250b564

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
79KB

MD5
bd63d5608894041a4abbd4296a369c24

SHA1
0c04a09e5050ddb4ab4241e89cb9fc3673164bdc

SHA256
7e7918aa8051f06dd42f3e809906178396462b1db179d94cab1dc4bc3f17af8d

SHA512
847329c0e02b03874fbf18a13829ba50e464d04efdadd3c82bde6b3cf12a8c7382f8aaec0c2717bcfbd7be36c577751d342b844d6299ea94f96012f456916ed9

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
79KB

MD5
d8c41e3f427383a1cdcc21f4f38bffe0

SHA1
45b980002eefb8521f2cc659818124a61fedbf71

SHA256
c9682235f62e8514b648415600238380f54c0570e5091d91c51f9801e7e86744

SHA512
a5c7130eadfa2851fce280d14ea4c2a20b1ec022c2e6ab0d4f0f88355752b6ed0515f3c7ae8abbc66cb365f87f48560947d5d3df053abaa042fca26769c61b74

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
79KB

MD5
63bcb0b5fa87057af388d7239a7b268a

SHA1
9204332c6a63d4b5a9190a834aa58d95982cb97c

SHA256
c69ca95486bbffa5b6be94b3c836784631a7fdad28f5158c0496fb63a26eb450

SHA512
5296a503538d9e1873a45b6733b816a11a4fb51c52faceefaa93641d6a15df4e1e75cec6a73440caff5f9688246fe803bec2c66c99f155435d501e3668525d23

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
79KB

MD5
2ebb744a8c94f7471fa1f3d541dbdef4

SHA1
a55438781b2c270b7c520d02de62ce310a3e18c2

SHA256
3e4f009db4588a5f14991645fdcc8b4faeeb2efdc90d701eafe661ca5e1447b5

SHA512
29963e587ade91f8e47184476a1864db3e7fb9019dfbe2be9f04c6b2a7cbf1aa09baaec9740b2352d744fd60d6d74ec128c378b2b233e0fe4f0ea7de015d9980

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
79KB

MD5
b114cd9bc970524d9b840cb2720fb438

SHA1
df16a1fed0df4cd7f14dbc119a9ad0880bf09006

SHA256
e0df54e412d58a2373c32b5067ac9c9ac604e2f72b34a26607208ea4dc428baf

SHA512
ac0d652cc0331647d940a9e925f7b81231a7906fd0bf9ee3489a84ad7f17d55fc74caa3ce9dc1851f3e35cd1584ef6f5cf84c7e9e493e194cb6802ed1ef9fea2

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
79KB

MD5
0552d78390f70e7da623a649eb43c69d

SHA1
706c9e7c646a7adf1f055d720a4b00cea5672c8b

SHA256
6630bd9f1a0a1cf3be329fa0094a2dab414dd4fe38fb2a79a073d561a8d91349

SHA512
d35e4812c04b25d77dc78cd85c48344f696a1d3c98e560128423bc935c5abb58d06b2c80ce681e29c7ca3dd859b52609914b28771c4d4f41a6faa111d6ac5085

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
79KB

MD5
a084cb05a7b249eef78b7fe8e9165c2f

SHA1
f6d5765c73a494d2c4da4fcf924ee86225fa3663

SHA256
8dee4545978756429c28e99101f810f6900e7407eb5b7eaf17f68e392deed31e

SHA512
a317982aa0200c7a2bf6a84e1db5d58fffc16d12f2a1a3b8999c18b1ba48471fdb096d7f9c06bbcf04942d28758f16ef008f20f2059efa8ee1a8d7aba10cfe81

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
79KB

MD5
ee533a505dfd19a31cc2fa2740675df3

SHA1
4a20031b7b2ae1cbb947dd8b45378935d13babd4

SHA256
a56bcd20e6a154a1198c367993753a9aee78f95b1fedc349c2c9072ab578bd9a

SHA512
e5d4f848d95f678d34ea92c113b571217e90a9d8090256bf37225e9f069f138684962d6080e515b024bb65f8f4cc3d4696465a29b110fce680291ecdceefb79f

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
79KB

MD5
065bf32e0fea687c84d51fc904af94d6

SHA1
ec87913f7c67f8ba4a3d91925af2491b0ea74d18

SHA256
34406ac8daa57de8141de9aca6e58f107c5fc5330b8ef0076cbe9e173d530f9b

SHA512
d8e837fbd8c415ac4bc927568a31606fc2043498c7e53597f2e3872e6bf95aa55ecb93e13fc92d94b7c29933b5706cde17167b567435e4f06a846391aff8d27e

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
79KB

MD5
e1ad74909d573955e56363d0cf910532

SHA1
2bfb08655c0c7c97083c2e36683940cae73de559

SHA256
1980984320c67d9ccbb00b1e217c60bf73ed0003ef7f4759629cb63f692cb9a4

SHA512
ca3850eb06152b35355de22f1f1b3d91d8aba49d0a8d87c1020a71d0b960257f4858766aa6181fd2b4b3b12b7615944949b07d5a4cdc50339fc8bc94466d6eb1

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
79KB

MD5
c81f0f86115dc462773ee6575d5bb016

SHA1
1969c1299d6f394f7f0d6b4db819be0a14e24b74

SHA256
23a4a947b81cf40a7a80144ea3b043cd42e7ad42a4cc78ea1d6b5c5b15ed1414

SHA512
831729cacd9e04fe5ca5cd82760e32e5905fa19257e33e8ffbef10f50c9c697bbfe4082523777dc9665ae17002c6922a21530dcf211ebaadd32c23ee205de24a

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
79KB

MD5
876b36a932dc8110b5c4e53b8ddaa899

SHA1
289d94a18647f499e0c4e43740b2d7b187ec7d49

SHA256
35d609654b4014f809487e1b8e00190ea21a2579562c91cb614a1c5d94881ab9

SHA512
c49c19ce058642b5cdebb2ad2333918a4ba079dbace737bde0f2a92adc6b1a12df84d88a38636ed27207e12ceba53b1bf313cf99c3b203249ca787b03d3e630b

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
79KB

MD5
c82cc2be04c38203da665300aefd94d1

SHA1
28dc627ee9bb9da3d84bae2279d771f455f03195

SHA256
40dc31a7876f2fd2795e2cd7990d108b8fd1810de34ab6474628fd36078bfa70

SHA512
3d95a9e43d687aa5a0e4926b42c8692adbee5f44701a6f3aecd046f1eea17f6521e4bdd967b724417caf52bc560c3063b686a5311ac5b2643d81198406e84afe

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
79KB

MD5
ab678b3f8456f0b47610379a3aa4101d

SHA1
4302a6ee38e6903b5272161378950e4ce8ae9aae

SHA256
ed0437a8340deeafe46c396c11924cc1e9af9f272a65e31096db1c1e7a2fe05a

SHA512
511fd1172512381935d87b2d88d90f480324dea1f1a9f79b31a726bd656bd5b7beb678a65b8b32bdb08a94fb19d64edfbfc7b9d51172a459afc7562ed30dfa30

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
79KB

MD5
d088f424f0c227e4c2fdcc3519f698a2

SHA1
6de3c6dbdeaa07af930f1f2f36bbe485e53ed399

SHA256
24c3c86c3e5c668792039dfd854a299950fd1fd1d89fd9ac5701c89b99e3039d

SHA512
ca8d50cc2e7ca009f1f712a94f8ac92eeff65847f86208c6cd461383f08665d8972293e17288b275eb3e6dad07fb253d260340d7e581abba1ad8d2e822878505

Download Submit
memory/8-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/796-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1308-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1884-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1884-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1904-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-506-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3120-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4184-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads