bd2c1c016e9d3f0596f9f03bd37486adf4eee11bd450b96c516254722a7eb188

Analysis

max time kernel
94s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe
Size

80KB
MD5

c55192103ee9393660ac0cc0196986b0
SHA1

e87363ef57828759587ee23347dca53d8d13d44d
SHA256

bd2c1c016e9d3f0596f9f03bd37486adf4eee11bd450b96c516254722a7eb188
SHA512

e5105423ba688a6334460df066b6a7fa170ca6c83b032c5fe40ab68a17b2d9781264091b23980cfb713d0bb556bc6d7fbee0eb01579f8ba6ce81355235e35db0
SSDEEP

1536:t088w+Dzpe/R+oOM79UwJlOBbspHy/ats2LyS5DUHRbPa9b6i+sIk:t08LKpGOWSGdUavyS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe

Executes dropped EXE 64 IoCs

pid	Process
2064	Iannfk32.exe
2328	Ibojncfj.exe
2524	Ijfboafl.exe
4476	Ipckgh32.exe
4428	Iikopmkd.exe
3404	Imgkql32.exe
1608	Ibccic32.exe
548	Ijkljp32.exe
748	Imihfl32.exe
1444	Jbfpobpb.exe
2540	Jiphkm32.exe
5028	Jagqlj32.exe
2852	Jdemhe32.exe
1616	Jjpeepnb.exe
2832	Jmnaakne.exe
636	Jdhine32.exe
2160	Jjbako32.exe
4776	Jaljgidl.exe
4860	Jbmfoa32.exe
1604	Jigollag.exe
3176	Jpaghf32.exe
4888	Jbocea32.exe
5024	Kmegbjgn.exe
2508	Kdopod32.exe
1540	Kkihknfg.exe
3644	Kacphh32.exe
3500	Kgphpo32.exe
1992	Kmjqmi32.exe
4536	Kbfiep32.exe
4752	Kknafn32.exe
4000	Kpjjod32.exe
4808	Kcifkp32.exe
4460	Kajfig32.exe
2600	Kckbqpnj.exe
4968	Kgfoan32.exe
1668	Lmqgnhmp.exe
3112	Lpocjdld.exe
2948	Lgikfn32.exe
3932	Lmccchkn.exe
4400	Lpappc32.exe
4148	Lgkhlnbn.exe
3852	Lnepih32.exe
1672	Lpcmec32.exe
5052	Lcbiao32.exe
3312	Lkiqbl32.exe
1964	Lnhmng32.exe
4784	Lpfijcfl.exe
4668	Lcdegnep.exe
3896	Lklnhlfb.exe
1628	Lnjjdgee.exe
676	Lphfpbdi.exe
2716	Lcgblncm.exe
1560	Mjqjih32.exe
4516	Mnlfigcc.exe
2548	Mdfofakp.exe
2004	Mkpgck32.exe
2348	Mjcgohig.exe
3784	Majopeii.exe
2960	Mpmokb32.exe
2532	Mcklgm32.exe
4872	Mjeddggd.exe
2092	Mamleegg.exe
1716	Mcnhmm32.exe
5076	Mkepnjng.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
560	1232	WerFault.exe	167

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2064	2928	c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe	81
PID 2928 wrote to memory of 2064	2928	c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe	81
PID 2928 wrote to memory of 2064	2928	c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe	81
PID 2064 wrote to memory of 2328	2064	Iannfk32.exe	82
PID 2064 wrote to memory of 2328	2064	Iannfk32.exe	82
PID 2064 wrote to memory of 2328	2064	Iannfk32.exe	82
PID 2328 wrote to memory of 2524	2328	Ibojncfj.exe	83
PID 2328 wrote to memory of 2524	2328	Ibojncfj.exe	83
PID 2328 wrote to memory of 2524	2328	Ibojncfj.exe	83
PID 2524 wrote to memory of 4476	2524	Ijfboafl.exe	85
PID 2524 wrote to memory of 4476	2524	Ijfboafl.exe	85
PID 2524 wrote to memory of 4476	2524	Ijfboafl.exe	85
PID 4476 wrote to memory of 4428	4476	Ipckgh32.exe	86
PID 4476 wrote to memory of 4428	4476	Ipckgh32.exe	86
PID 4476 wrote to memory of 4428	4476	Ipckgh32.exe	86
PID 4428 wrote to memory of 3404	4428	Iikopmkd.exe	87
PID 4428 wrote to memory of 3404	4428	Iikopmkd.exe	87
PID 4428 wrote to memory of 3404	4428	Iikopmkd.exe	87
PID 3404 wrote to memory of 1608	3404	Imgkql32.exe	89
PID 3404 wrote to memory of 1608	3404	Imgkql32.exe	89
PID 3404 wrote to memory of 1608	3404	Imgkql32.exe	89
PID 1608 wrote to memory of 548	1608	Ibccic32.exe	90
PID 1608 wrote to memory of 548	1608	Ibccic32.exe	90
PID 1608 wrote to memory of 548	1608	Ibccic32.exe	90
PID 548 wrote to memory of 748	548	Ijkljp32.exe	91
PID 548 wrote to memory of 748	548	Ijkljp32.exe	91
PID 548 wrote to memory of 748	548	Ijkljp32.exe	91
PID 748 wrote to memory of 1444	748	Imihfl32.exe	92
PID 748 wrote to memory of 1444	748	Imihfl32.exe	92
PID 748 wrote to memory of 1444	748	Imihfl32.exe	92
PID 1444 wrote to memory of 2540	1444	Jbfpobpb.exe	93
PID 1444 wrote to memory of 2540	1444	Jbfpobpb.exe	93
PID 1444 wrote to memory of 2540	1444	Jbfpobpb.exe	93
PID 2540 wrote to memory of 5028	2540	Jiphkm32.exe	95
PID 2540 wrote to memory of 5028	2540	Jiphkm32.exe	95
PID 2540 wrote to memory of 5028	2540	Jiphkm32.exe	95
PID 5028 wrote to memory of 2852	5028	Jagqlj32.exe	96
PID 5028 wrote to memory of 2852	5028	Jagqlj32.exe	96
PID 5028 wrote to memory of 2852	5028	Jagqlj32.exe	96
PID 2852 wrote to memory of 1616	2852	Jdemhe32.exe	97
PID 2852 wrote to memory of 1616	2852	Jdemhe32.exe	97
PID 2852 wrote to memory of 1616	2852	Jdemhe32.exe	97
PID 1616 wrote to memory of 2832	1616	Jjpeepnb.exe	98
PID 1616 wrote to memory of 2832	1616	Jjpeepnb.exe	98
PID 1616 wrote to memory of 2832	1616	Jjpeepnb.exe	98
PID 2832 wrote to memory of 636	2832	Jmnaakne.exe	99
PID 2832 wrote to memory of 636	2832	Jmnaakne.exe	99
PID 2832 wrote to memory of 636	2832	Jmnaakne.exe	99
PID 636 wrote to memory of 2160	636	Jdhine32.exe	100
PID 636 wrote to memory of 2160	636	Jdhine32.exe	100
PID 636 wrote to memory of 2160	636	Jdhine32.exe	100
PID 2160 wrote to memory of 4776	2160	Jjbako32.exe	101
PID 2160 wrote to memory of 4776	2160	Jjbako32.exe	101
PID 2160 wrote to memory of 4776	2160	Jjbako32.exe	101
PID 4776 wrote to memory of 4860	4776	Jaljgidl.exe	102
PID 4776 wrote to memory of 4860	4776	Jaljgidl.exe	102
PID 4776 wrote to memory of 4860	4776	Jaljgidl.exe	102
PID 4860 wrote to memory of 1604	4860	Jbmfoa32.exe	103
PID 4860 wrote to memory of 1604	4860	Jbmfoa32.exe	103
PID 4860 wrote to memory of 1604	4860	Jbmfoa32.exe	103
PID 1604 wrote to memory of 3176	1604	Jigollag.exe	104
PID 1604 wrote to memory of 3176	1604	Jigollag.exe	104
PID 1604 wrote to memory of 3176	1604	Jigollag.exe	104
PID 3176 wrote to memory of 4888	3176	Jpaghf32.exe	105

C:\Users\Admin\AppData\Local\Temp\c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c55192103ee9393660ac0cc0196986b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\Iannfk32.exe
  C:\Windows\system32\Iannfk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\Ibojncfj.exe
    C:\Windows\system32\Ibojncfj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Ijfboafl.exe
      C:\Windows\system32\Ijfboafl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        24⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        59⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        60⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        61⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4584
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4368
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2404
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        73⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        75⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        78⤵
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2860
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        81⤵
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        84⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 400
        85⤵
        Program crash
        
        PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1232 -ip 1232
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iannfk32.exe

Filesize
80KB

MD5
d356e6d487384f07e7712e1d4c78406f

SHA1
46454e6b129f7817535079f566ce2df7a07e3a34

SHA256
848a3bb6e1a6c0d62134c56988854063f1b2583ddd831a3e47e847f475a3d401

SHA512
9fc1ad75c6e950c43c4bb80f5c95d2bcc733a03725b65e1b942ef8851b2d767b3212776adb154ff2d770c8d4009831ec06cded026b311eec2b5f7d30ea0ace48

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
80KB

MD5
7d30238e948608cd545f52c729eb1642

SHA1
b4c29d3fbac75801d7f932482985b55f2e1942c0

SHA256
93ac2b59bcac7fcf745016ae9996219ea034cef6eb27dfd45da4b4f864e83798

SHA512
e8a43d8be58fcdb35930522d25c462c7ed498e47489bb30c8c538e36f8873a31e659f4c49c460361e0be61d36fbe48d917a8a79e8546936dc4d4413088e95b24

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
80KB

MD5
561c8a3a9c4f73af7aaa8309c42932cf

SHA1
77ce7f6f507782732a766790088c1cfd58a045e2

SHA256
60d4bc4d15cd2d819b5c7394e9af09106e7c4ccedbd0b9dc89e160ef67dce8c6

SHA512
14e732e56293ae9d5867b947c3ebe527279753c38d85461a6895b511e9d290bac3fdf2a6a44039cae2d276ec859c0c84199f6185a5ca1ace591170abafd4798d

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
80KB

MD5
23435110344049eb3674169f0ef1f2db

SHA1
38bea5753fac653e5b378b8d79354b5ee111f668

SHA256
91e4ad064b522981dbbfecb2b2d045973536469f3c49393b8588c69c69b324e9

SHA512
b885b00c5b4ab8a58b5fd894cc017197326e503732b526edd1920d7e2b97ae802562013f36e143fb5fc67672c0fd9273e480eddb364a4cb401fb98241b3f7e6f

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
80KB

MD5
693c405adcdb54f047bda633fc8ae4c3

SHA1
3ff0f557279ffd5c6c379e082cabbf4a93b9cc66

SHA256
9a9cd5bc29ba7f6223d7411bb3aa0d91e7f987ed002532e2312a70402806c46c

SHA512
dbfce5eec7d8d39a609f17af4bee7ece88bec884475dd928412aea438434d880ace2b798345f32feae75743cc57bf97d1166ebeadfa1cb3db06645d981e76a7a

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
80KB

MD5
1838ce24d57da6312d5ac1b6a1fb3cb0

SHA1
3ddf495d981450977b0c23bae7004cf46c2a8f15

SHA256
56b856c54490479cf8156cc6354c1f257138c8ada00d7c61ecac70a65824408e

SHA512
f374e4c9acadafe1122df8fe11fa969f44001a61fbf32169768d554f390f928dba1617c7be0d0a694e044b7d55d7e9d650baae802dd214e20f237bff9c680009

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
80KB

MD5
0a28a744165b27bd523f9a26c55f789a

SHA1
477d35c2026dd3811757ea53305fc7b72c1a13c6

SHA256
0a4160b487e9bd6c25bafb1de0a5d6e46ac7ab016343b62c3597c8da83204cf1

SHA512
678913f429ad3aefdae9ea8cbe781c2882505b11a4c6b69ba447b863f5d58b7d8613c0442e77b517b733b3cfaac8e3051705a91c8e5399b6149fa06d3e7c5ca4

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
80KB

MD5
6c326d5fea7b3b1d5f1d3c983d14d3a3

SHA1
b3668e8fad5c0229ba63a9b22309bc737ffab38f

SHA256
7867db1040da4263ac6d814ee3a5946c1a1a621be7aaad9c73645cfae877fe6b

SHA512
e45ea76b93c378a591a5dafedae2484a3ddad41512971b4425ba3c3ce9037960f2d182876cbb168708b95b872393b82d4bb71ea1c7d0a8585aab3bb8c1dd2986

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
80KB

MD5
4b0aff07fbc19a30b9526a8c07d9d57d

SHA1
5f061478b63cf7538aacb30e214933dc7bf1464e

SHA256
36c862753d7742e4300bf901338acd84beb4a3eb8e9cca37ed8468b76c1111ea

SHA512
c02b513e9c22194cf683b4789ae325d938dac5a2e5db602e6b1041eca0e0032b2c5c5ab3c069e27ca4ec6a613d80cfc19679d0e2dd04600ff51c18666f8a287a

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
80KB

MD5
abe5112a79df21ac9a05186598f2e2f8

SHA1
b25ffff332dfe18c512197fc7a1ae8a8e2ece602

SHA256
fc9cb6e51781fed297890035ed76f8d347a311bc2505e2f5e296b8c543f11514

SHA512
9b7121a94eeeb6cabcdd7b89ef0a53eced9098f18be8d980797374ee59e1d53f02678ef215e230dec372df84abedc8b85b7c96a58449d98221f05a3ec9e1f8f4

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
80KB

MD5
54c2398a8b58428279ce83ea6c7c8fe2

SHA1
0bc852de6036fddce36f7d8cf723ac7b6039089b

SHA256
472b71a34a2bbea23264eb9770768f7aa137afa03886cb76ceaf82977969e717

SHA512
13f1ef2632c44284ef0c7ff6b488fae94593519b6eea570cc42c1ab040b2b8ce17453f93842f69d3395ba0b015af843fa0399a6bd361e5b792fa2330d040e1cc

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
80KB

MD5
cdd513a61f5fa2541e148508099d580b

SHA1
2700c1016bacaeb6d797b071b8cbbebf04ca43b2

SHA256
24dfbb3d59eee1907e83e9cae9e96802dc93bb8ad989bb4f3dc0183891541f31

SHA512
50c07882c06ff3c832869583c22a5a5c17dd20c01f142065dc31e11b9c9957d4bb2a68dd7a8995162499ebe7efbaa125d9f077777792b842e0a2d38d5b9cc395

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
80KB

MD5
1791a8c539b81279a503824af5d59e80

SHA1
0ac26025c9e8d1533d73564478cc6d4c9dea6e18

SHA256
1ed2be40595af76e811665156b63c87c8824b829d3d79c740894b79f82380b5e

SHA512
a52554aba8e4c5306499b7c262bc85697e975b57bda0c9104fb3432346afb34867769d54f311494aa3ea9e3db9c78dbfa7a5cd5bdb629891f11fdc852461b5d2

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
80KB

MD5
9678b064379f6d55e2a936fd99b09708

SHA1
f8f62fb619f174e0578c12a2737dbee2e270d3db

SHA256
b4a757b2239da8bfefe8b693e199883ef9f828ce04e2c52e9ea91efee1c86b8b

SHA512
5fc675f3704a123c5494dc2507a760d04cda0887194ec2cb111dbbea169860e54ec04e73f49a5478aed3bb55e367c8645161d3af4930f0092cf7f6e4358b5d3b

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
80KB

MD5
3e3161842d104593cc2a0e6de53e5986

SHA1
6bc3992ed85f00fb21ddf67d54b5e3ac47454402

SHA256
310bb31d0fdf668e724511aa757f947a9daf6fefec16bb22c31f9392c51b3f84

SHA512
c8a35ca93a22da80be7139f46b02e135666bc2c1be151e6ff73d241327430717ef9afe5a1cca72201a436965f323dcdfaf41c1620f7204396959c5fcca9545d4

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
80KB

MD5
576657a0589f80a858990ae35e3f37eb

SHA1
b4dd070f1b14710c8d83571a011d24b48968ffa2

SHA256
f6f9cc4e3b7d84277c1d17b4e6fe15af5c81e78790876ae2f16f4ca84b8ba3ab

SHA512
2926cc22ca6884ccce73d4d4bb77760d745f820dc12ee7b7977692ae95bda851ac7e9093d5b1c8dab8baf27577827e19c9fc5bb4b0b1819b3629ac6fbb63495c

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
80KB

MD5
604b621ee4a6cff6eb1b91cb8bf420aa

SHA1
cfa73abf94b9884a616254790668b1e8acdc2be5

SHA256
2e1ad13c4a1d5a5083fe3e532c4ecebc8d4f3604531c38f7f2c3c0ebb08189be

SHA512
8db9820d988ea1d606b5dd15e73497c974d3190658ecfea5e2c76538df82b0faf99eae92721bef3325adcc888879ded20dfe87f283acd3cfe07da069ff2e084f

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
80KB

MD5
a2826d0499d46b46028cbf39372dddd5

SHA1
29eb608fd9375960f6501fee6ef9ba377b617e21

SHA256
b692c4fed2189f45a819ace1c675e39a6fd529c1c2798195f95cbf846e7f9ad3

SHA512
3cf2664f995e8c2b9436bf2dade1741c12983134aee2f4fdb9666edb97681a7cee085928e63de4d089c629743ee1a38c1735b5f9557a292d1d9a7ddeee878ead

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
80KB

MD5
701601fd251f280d7ec9d4511c8cbfa3

SHA1
5dc8b368a8e505f91909a31b3fa613f11c5f26f3

SHA256
6f1b3735f363351046457f6ebe3d2dcba3729036d9049d819902ab62b2cee17b

SHA512
44f3e98955684f2ac2acfcc302807fbc2985a4121edee823b3855a45d0bc6f68b67b7a2185040d8fa8e3122e418c7eb78b336e67faa47e82b0b83d5213a0a79f

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
80KB

MD5
76b5d37fad1c587bef8f252e7928f1f8

SHA1
15062350193eac74a36365d392902d11ba365a32

SHA256
d8078cbf734c3fe50a2f8f599f3628f03521be00933d1252a93a8aad0e17d683

SHA512
1d75407498f20fccc1a8c2b7f41a3319a733be7a9be109a60135fb83c2598fbe79e0d833833d955abe182782fda43e3f15ca3f4fc06b94ffa514c46c1e1e0d85

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
80KB

MD5
2020c576d5ec110041a0d610ecdcb681

SHA1
3fd4184cf17411ef9d3c5fc6fcb04101bc4e8da6

SHA256
a680805dbe6b4112bfe6b783959b8299f78f7b69953678a5c9deecd69270f140

SHA512
986df01589003c3e420fe1890393e861ea00adcdb62ba42040e865c0bbb2a96c2802aaf6b2abcd13cf6b065b897044e00a27eb33b36f5dd036bb2acd0819538a

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
80KB

MD5
24ac50d54c2ba336058e0db850fdb7ad

SHA1
7ee77d5a3e5c7b7bc1d9aa4149e6aa30f83418ec

SHA256
89b84232f421f6ccc0639c3b355f77f7a5865fbd3d813997dd389d6b2c9a0b4b

SHA512
66a0808408f401cafd7c7ce78471f0bd66e04d7f7e7c22ec619f9fbf70d6563676e80bd18b31e74855d5e85a93aa5e33adbdb45cf7145d97675a0c9e3564fcf1

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
80KB

MD5
1cc594cd6b15d4f983680eb3a372e2be

SHA1
08626f32977e9e4117d3d443fa1e76933f9a69eb

SHA256
e75a88e723ddd2f8d77599cd6d9a443b66f9b3379dbc119ae44c454310a3bc00

SHA512
53821b44318ac24e021e1814a2d8f3f3b5f99bf30530efdf403c5b7048ed0e77bc34df422881a461445a0d9220d1cdb59157d816a0d406b7806d7018b995bdfd

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
80KB

MD5
f20192e7456175507cae953ec69432dd

SHA1
4e1fda57849ebdebb212132cde70e2a70bdce896

SHA256
84176829577321628860c40a5b606f409aa767a0f6d1f7f2d4c56e2c01745ad7

SHA512
6ba951e4887c507b7c65934e14e98ebc1e46de119eeda5a625d8ef033adeb457fe5799bdc8db488d0304a8fa5434f1b533b70d0375b601747aa8cdbe6a2406d8

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
80KB

MD5
a58a8546a8f7416e10c903541d4d4462

SHA1
6287df965eb33c412db533134adb8cb96813b0a4

SHA256
3d9257cd879bdd322c658d0309c4bbc483b5143c08ec9a67738f88ad83e574f4

SHA512
5f6672147bfc0181ffb88bf295aa3b80ad691bb22c786d4cbb52a95b5b93a2ca9f531c9adeeb07fb2ded08089c7d3649fd5fb707957719d56d7ee2c63e3b20b0

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
80KB

MD5
41cfd2412d8d596bc81389d5ab8478f3

SHA1
c5e1d0492071d5e5525a34628022f78b1afff847

SHA256
88adf5fa3c36abd559d8f8bc6a18100c7ab693cfbee97d3f950a0808b10d1143

SHA512
b386a7f0b0db5ef42b56ca6a46f5979a3507f639eb0bd479bc583f9f1b3075667a8d4f3bc4fb0197063cfb7de584de114b0fdf6b687744430a51e3c1b75c0cf9

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
80KB

MD5
e58e4c855a03d03a2d47fd53bf4cc83c

SHA1
b89c8728864fc265c5afe39a697e0ce5d14acd89

SHA256
635993ef9ca040f3cf561d29c153c5b86c62c346808f5fb52884cae896f2c655

SHA512
fbe82209c9e22b6266465766a7905dff58e5088621a751730d2eaeebd4235e299cfe42fab6c5514fb14f395c6cdfea7ed7328bbc9be736a7fe2c2c9f78e8cf3d

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
80KB

MD5
fb8e642103b054e6b4ad119e6b86063f

SHA1
3ae41619b99803c86a855275f222a04b477a8388

SHA256
2b160700601e85ff1c7fbcbdf94d9f556ee5037e16a1e9d82717996eb7030447

SHA512
43f26af4dead2fe78aad9860a5afe0d01d7a783cca9055a6a67780e60d57f8aff8d153c41da390ffb2b16d7d3e5e1525000476c2f526e55df971d31f51c9a85f

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
80KB

MD5
37bf23c1613be4a02cac2e1be2cd5041

SHA1
4570fa859e8b85091943f10839138c5be99a6894

SHA256
ca324e28f380517779e8556ecc0fb67c90fc4991dfd17fe511afb0a510dc3dd2

SHA512
88e28e50e57443000ca07b3aa42220b05658841aa81bed1ef29d28e10d98919cd0024d4cfa04bacf6d33466349458e06b88c09ae147048e2fce4f144c38cb5fa

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
9b9ba78e4529acd857e2f3a7c93472b6

SHA1
163596e55f5106cd8d58c9f962a6d4e8d03ce5f5

SHA256
41fedba4e619ffca686cb7497568c491cb95db5b47748439ed54d1021494d0ba

SHA512
1983a52d919e6094f16f8fc9e9d33e6a85fc0f5d528ff1e3f341e30fcdce1ea981667eda3ceb6f8a36e29a81ee33a0b60ac72e647338343498f985e8505f5b27

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
80KB

MD5
0ebdc7a9ce72ae3f4678115d7aa4eb50

SHA1
8a367c1fad840fe05c96ade8e0717891ab3f431d

SHA256
45bd3229e233afbe0dc3f2e7458744f047ea63356c13b8f56e395426536165ee

SHA512
675d0624862818e10f273f3c1336e93d653398ab004d53cd50544aa3d55c1a6d8c7615602f597b4f24ef2f6f58c3fd8bd78c02ca5950625655e3e28f7f6faeca

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
80KB

MD5
e50d66eb2523d565cac8838551adc33a

SHA1
b688f5f367c5f6e8101bd4395ca0e0353cb327d6

SHA256
9076d94537a65a6b0b6dd4422989ff5e460d9b33f6e2f0556a820a81bf8aba9f

SHA512
9d70144b293819fbdfbfd11da20bd9945568f50b5c316605bef324e186a87fe46345e9e24dcac61243ee554a26614cde647f0e2a26351a2794e437cee9ead031

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
80KB

MD5
d22cb30afa305d521c09c825d50091a9

SHA1
b9eb8a44bb4cd27e8f4049d3735cef06897a260f

SHA256
8a80fc2b153b7f7b740f1ee240470421c27a097aa6bba0a2423364d6ac136110

SHA512
96d82c6a5279bbad75071420b67fcd09d8a4941797900f4165391483d0efdbac5d94d21b6b9a4192bb592b3bd859772e5310c93ccc725df0d36c92276f06e58f

Download Submit
memory/436-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1716-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2064-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2064-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2160-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2928-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3388-495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3500-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3784-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3852-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3896-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4160-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4516-392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads