2b0d06f7a6a92fde957c1c8420eecb84cd73f42b5efcd03c48792b27a6d8cf37

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe
Size

93KB
MD5

cd453d39fb36a572f00f3adcda5255f0
SHA1

4cacf72bbf545dd8527e6dd81976dcabc4148bca
SHA256

2b0d06f7a6a92fde957c1c8420eecb84cd73f42b5efcd03c48792b27a6d8cf37
SHA512

68e8dee21c751849d841b28fece17ad04b6c2d98216cd74a350640f0e872a01b234ef159a15903d89ad90d14df8143e727e7c68564beeb4a8c2e34080708ade9
SSDEEP

1536:NxtgJSDVpfNZkgMTO2dxPogSSiNVIgWinKC/DR54ikYgZEwIsRQRRkRLJzeLD9N2:FvMgMvPogSSbYKg54i6ZEwXeRSJdEN0/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe

Executes dropped EXE 53 IoCs

pid	Process
4312	Ibccic32.exe
1264	Ijkljp32.exe
4184	Iinlemia.exe
32	Jdcpcf32.exe
3452	Jiphkm32.exe
4584	Jmkdlkph.exe
3540	Jdemhe32.exe
2700	Jjpeepnb.exe
2408	Jbkjjblm.exe
1976	Jfffjqdf.exe
3448	Jaljgidl.exe
5012	Jbmfoa32.exe
4276	Jigollag.exe
1936	Jdmcidam.exe
4196	Jfkoeppq.exe
3308	Kpccnefa.exe
3340	Kgmlkp32.exe
2244	Kpepcedo.exe
2564	Kmjqmi32.exe
3016	Kknafn32.exe
4144	Kdffocib.exe
548	Kajfig32.exe
3212	Kgfoan32.exe
116	Kkbkamnl.exe
3480	Ldkojb32.exe
2064	Lmccchkn.exe
3436	Ldmlpbbj.exe
2816	Laalifad.exe
1692	Lkiqbl32.exe
3516	Ldaeka32.exe
4404	Lnjjdgee.exe
4396	Lddbqa32.exe
3684	Mjqjih32.exe
384	Mdfofakp.exe
1776	Mjcgohig.exe
3420	Mnocof32.exe
2900	Mgghhlhq.exe
2280	Mamleegg.exe
4100	Mcnhmm32.exe
3728	Mncmjfmk.exe
1640	Mdmegp32.exe
4492	Mglack32.exe
2744	Mpdelajl.exe
4024	Njljefql.exe
4376	Ndbnboqb.exe
440	Nklfoi32.exe
1616	Nqiogp32.exe
4620	Ncgkcl32.exe
3548	Nkncdifl.exe
1944	Ncihikcg.exe
2392	Ngedij32.exe
4516	Nqmhbpba.exe
776	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jigollag.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	776	WerFault.exe	133

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkamnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4312	1520	cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe	81
PID 1520 wrote to memory of 4312	1520	cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe	81
PID 1520 wrote to memory of 4312	1520	cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe	81
PID 4312 wrote to memory of 1264	4312	Ibccic32.exe	82
PID 4312 wrote to memory of 1264	4312	Ibccic32.exe	82
PID 4312 wrote to memory of 1264	4312	Ibccic32.exe	82
PID 1264 wrote to memory of 4184	1264	Ijkljp32.exe	83
PID 1264 wrote to memory of 4184	1264	Ijkljp32.exe	83
PID 1264 wrote to memory of 4184	1264	Ijkljp32.exe	83
PID 4184 wrote to memory of 32	4184	Iinlemia.exe	84
PID 4184 wrote to memory of 32	4184	Iinlemia.exe	84
PID 4184 wrote to memory of 32	4184	Iinlemia.exe	84
PID 32 wrote to memory of 3452	32	Jdcpcf32.exe	85
PID 32 wrote to memory of 3452	32	Jdcpcf32.exe	85
PID 32 wrote to memory of 3452	32	Jdcpcf32.exe	85
PID 3452 wrote to memory of 4584	3452	Jiphkm32.exe	86
PID 3452 wrote to memory of 4584	3452	Jiphkm32.exe	86
PID 3452 wrote to memory of 4584	3452	Jiphkm32.exe	86
PID 4584 wrote to memory of 3540	4584	Jmkdlkph.exe	87
PID 4584 wrote to memory of 3540	4584	Jmkdlkph.exe	87
PID 4584 wrote to memory of 3540	4584	Jmkdlkph.exe	87
PID 3540 wrote to memory of 2700	3540	Jdemhe32.exe	88
PID 3540 wrote to memory of 2700	3540	Jdemhe32.exe	88
PID 3540 wrote to memory of 2700	3540	Jdemhe32.exe	88
PID 2700 wrote to memory of 2408	2700	Jjpeepnb.exe	89
PID 2700 wrote to memory of 2408	2700	Jjpeepnb.exe	89
PID 2700 wrote to memory of 2408	2700	Jjpeepnb.exe	89
PID 2408 wrote to memory of 1976	2408	Jbkjjblm.exe	90
PID 2408 wrote to memory of 1976	2408	Jbkjjblm.exe	90
PID 2408 wrote to memory of 1976	2408	Jbkjjblm.exe	90
PID 1976 wrote to memory of 3448	1976	Jfffjqdf.exe	91
PID 1976 wrote to memory of 3448	1976	Jfffjqdf.exe	91
PID 1976 wrote to memory of 3448	1976	Jfffjqdf.exe	91
PID 3448 wrote to memory of 5012	3448	Jaljgidl.exe	92
PID 3448 wrote to memory of 5012	3448	Jaljgidl.exe	92
PID 3448 wrote to memory of 5012	3448	Jaljgidl.exe	92
PID 5012 wrote to memory of 4276	5012	Jbmfoa32.exe	93
PID 5012 wrote to memory of 4276	5012	Jbmfoa32.exe	93
PID 5012 wrote to memory of 4276	5012	Jbmfoa32.exe	93
PID 4276 wrote to memory of 1936	4276	Jigollag.exe	94
PID 4276 wrote to memory of 1936	4276	Jigollag.exe	94
PID 4276 wrote to memory of 1936	4276	Jigollag.exe	94
PID 1936 wrote to memory of 4196	1936	Jdmcidam.exe	95
PID 1936 wrote to memory of 4196	1936	Jdmcidam.exe	95
PID 1936 wrote to memory of 4196	1936	Jdmcidam.exe	95
PID 4196 wrote to memory of 3308	4196	Jfkoeppq.exe	96
PID 4196 wrote to memory of 3308	4196	Jfkoeppq.exe	96
PID 4196 wrote to memory of 3308	4196	Jfkoeppq.exe	96
PID 3308 wrote to memory of 3340	3308	Kpccnefa.exe	97
PID 3308 wrote to memory of 3340	3308	Kpccnefa.exe	97
PID 3308 wrote to memory of 3340	3308	Kpccnefa.exe	97
PID 3340 wrote to memory of 2244	3340	Kgmlkp32.exe	98
PID 3340 wrote to memory of 2244	3340	Kgmlkp32.exe	98
PID 3340 wrote to memory of 2244	3340	Kgmlkp32.exe	98
PID 2244 wrote to memory of 2564	2244	Kpepcedo.exe	99
PID 2244 wrote to memory of 2564	2244	Kpepcedo.exe	99
PID 2244 wrote to memory of 2564	2244	Kpepcedo.exe	99
PID 2564 wrote to memory of 3016	2564	Kmjqmi32.exe	100
PID 2564 wrote to memory of 3016	2564	Kmjqmi32.exe	100
PID 2564 wrote to memory of 3016	2564	Kmjqmi32.exe	100
PID 3016 wrote to memory of 4144	3016	Kknafn32.exe	101
PID 3016 wrote to memory of 4144	3016	Kknafn32.exe	101
PID 3016 wrote to memory of 4144	3016	Kknafn32.exe	101
PID 4144 wrote to memory of 548	4144	Kdffocib.exe	102

C:\Users\Admin\AppData\Local\Temp\cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cd453d39fb36a572f00f3adcda5255f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\Ibccic32.exe
  C:\Windows\system32\Ibccic32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\Ijkljp32.exe
    C:\Windows\system32\Ijkljp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\Iinlemia.exe
      C:\Windows\system32\Iinlemia.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:32
      - C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 412
        55⤵
        Program crash
        
        PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 776 -ip 776
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibccic32.exe

Filesize
93KB

MD5
6264ccfc20c7c547c63e474ceea1845e

SHA1
64ffdb5c71f621d5f81f72daea8066f2c2bfa1a0

SHA256
913f71a2668a092630dd64cdb4924020b12d7acbd6f93674efe4675d27086275

SHA512
ff0f5290a6fcb6bb934aeb9275d21c14fb1df09d16aa7e3f55e61a1c7b7cfbebdcf5e37a982591d32b79a7956a12163aa40bb9edd15d92bffea74c2edb9b3d29

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
93KB

MD5
06a028fb838aac45627495306496b9c7

SHA1
7e15ad06f0209ba6c0134842d5554a0b634268eb

SHA256
db71b04d9cef962e650bc3e34c983dcaa79c2ad03aaa2f6696a774912be28eb2

SHA512
19ce9ab5224e5f37f84e931121f01366ad691eeeb8f214d4757e3f5c96294b395c6d0781e2fbeb677c236bb971dc78beb495cf55d1054bdaf57c354bef16706e

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
93KB

MD5
d27d7ab9896922c9c2f565a3fded5906

SHA1
979eb93f964f78fab957a0c88da760ab0fba8094

SHA256
d1c40bac33bf910d8f1c92309b31597585ff20a4a7459bf6737fd13452e26c53

SHA512
59beeb0d9fc819275107b6d323029b2b6624b0467535b9611dd71cedc4705e7badd9096acaad928b577fb5e0af410e63818025e5da5bd1874f8e018563f913c2

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
93KB

MD5
88a34a9ed4a1c3b83f31b3b3e0273309

SHA1
9943fa804b0280079bb7864df1b4bf232cc646ed

SHA256
9088498413a1cc14284c29252475f1ffda192b697cbea87e4bcdc2e0e17aecfb

SHA512
c5a81b10379b7b0e65c19738a3e7b056c69b2a81d439993a8722396e5a4574fa12a74fcd5432a0a708d0276f9471db3cb1e29a9d6632f72984c8fa020ceeb5f9

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
93KB

MD5
d8cac6d74c35deb40a0b7c2123e38b81

SHA1
047b1cc02113afd93f4cc2231af2721ee35e2c1b

SHA256
085ef32d2ed4f1eca24bbfe7ad6f8466022bd49626c841d5267c5715524329dd

SHA512
4335959b5d1c6c8d81037c043e2df087b1a3f128d7534fd5e7bdc428a11f0a0a0c6eb22c3a57f41dd82f7f6697769fa578c4c63e00adcac6b10610b339406ff6

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
93KB

MD5
3403689ed6d42d1c68f32407d87598bd

SHA1
d0e842c5025490459b540034d8536b1974075697

SHA256
8bba42a76e2fde1ceba59365b0ab7ea4d5c092e06752542347b851ab51dd40ee

SHA512
8be6a23518fc5110e0d9823f95cac5afc0be8e68c6ab059d4f3f1a61a3b5a7374f3fea986145c5cf0310c8ca304b66006ab843f48b8a5d3c8550e085533fef79

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
93KB

MD5
ab5669a3763ef86b3405b567f324c29d

SHA1
f1efde4b3e2f98ed5f9f7879afd0895e13e52da9

SHA256
11c70daab43806f5496740feefc9328559254ccf2878c5da15cb5c7039a3aab2

SHA512
4ddd277237bdf0c1a7ce572f3d5c887d72317097d0cf5cb57b1495b065f45cadb90492ee6f72db18e84ab0201e2eecb81393c9a041fced698fc96fdd97123cc8

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
93KB

MD5
8377fa466d6cd05b618f9a9853e32534

SHA1
6bb04af4b645d9a0425d752bd01a22d2ab34c465

SHA256
8dbbd1d3f89d08e6760ff3ec89762ee7092f2e22c450d05fcb02754c8dc1733f

SHA512
1d2f14bcb5c135f139cd54493a5f94eb0bda20c55d861437b6f8f1379774da7f581f945fb3d3ef38346a8f628f69f091e706befba950c4dc31791de19e702fdd

Download Submit
C:\Windows\SysWOW64\Jdkind32.dll

Filesize
7KB

MD5
bc5dfae494512ef648bcc663652ade17

SHA1
cd29b68b4e3c08146a340adc7d2bb766582ca0e4

SHA256
e5265ef13431f55d42c247987175f22fd62eb1bf28b71c54b257eedcc8849d5b

SHA512
1657f08326a44696cb8312eebbf0bb019fd86afbdb25c13dbec50e68baa574cca2baf9cf4e461ae2ab85aee0d1e406e127d493af3f626273c7d8bb43cd25743f

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
93KB

MD5
8a28d6b602cc557f8595c5b56fa6e60e

SHA1
c8abf0e90a0315c548c04af8eba78e8b407e4648

SHA256
f4968c22d9430d49d17d2c6f0b0bcb4db85b0a1252a4bf8ae6a61940f7490272

SHA512
f4155d0314d9097a5126a3a18300b7edda95cbf4fb3ededb4ec684ce49109d4e67c1d6521178b69d1f368db04f8ff7385932b82e7924675d0c0475aca95d1bd6

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
93KB

MD5
c0dc92c0034b0041377312b8c4e5f42d

SHA1
10b0d8d6f89d84041cc6984f8b199d8185f3f58a

SHA256
3e7cdb17364344636984a2f81c5aecbcbc74a43b9adffd1f200ebf208b1a197c

SHA512
1c21588b11e9585d355a7dbc76d359ce6dbfcb4ab6d9fa10df4e90984f65ce9ef138e2605275c693ab8c96cbb5b0c2598f94f7bb4d1b2efca95bc354305fb898

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
93KB

MD5
64eec54220618e6dee6260951a8738ee

SHA1
ffb311b6c6472f94d1523bce0d398b12f28b3c2d

SHA256
de69fa73a279087b67d39443d9dce8d002378b5c898918cf228d9c09bfe36f3a

SHA512
721e430af7266c18964220a4bd37ff1d48f11c5f2942e9ffb6495ca0a9f0c16565f7234f7d9bad8918642f350aa1a1c9793ebe966c1285db1448c307702cff2f

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
93KB

MD5
73ed7339aa795052f4e6702e1591d703

SHA1
b7a3d946fa13e4678d59279bd44e32f1d9f5b395

SHA256
d386799880ac035cf51639f8194407e7d803484ac98057d9cdd305722f609594

SHA512
372a49c24c9146ea8e88e07cf4f32bca9c4bc61675b06416b5697edcdfa71db2f72409c6179bdc399bb4f06a3e0b137ea425b625d326e306fc4ad292402a72ef

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
93KB

MD5
ab29dab70ef343b06a2b7fb7b4d7e07b

SHA1
0b4cb885567918b8f37f0b362b3aee95e3b2456d

SHA256
3ba6523dcb6462e9320d17cf8abffd9be2d0e92badc314503a42a7d96b588be9

SHA512
f66af6ab71059a952cd73553c10f3574f905f24bfd6483333ad4123f438ff335a4469dabb16a97c19f29c94e1c940fcd6e483794ad4dfcd9e825685884fab0c2

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
93KB

MD5
4a064fa03a7ea9a2ce837b47d66380a5

SHA1
24cffa113ff3806a5bd7831b91f48f1eca70242b

SHA256
c020f7379f04ff335439f882f2cb28b23918c94d031d1fa93b092339906fdcbc

SHA512
f04a268c83246d2e020fd05137e8dc9fecec893b81cf88f2de271354201fd75c9e1900780349d8e18921ebd4ff0a6ff7d3c96ce2d0c342c7c2d54d95e96604d1

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
93KB

MD5
f78cf9466d133928a1a0efad36efa956

SHA1
c10376739434e3ccbd99d0b882b29d260714ae3c

SHA256
ee4b4c575609ebce2e65fa5b316364cd5da12b884167dd24c0494d6d689324a2

SHA512
8792df43d16fe9321784036791afa3e9d10533897fa1a1f37d26d8355fb6363db6e8f14672f57b177f4491315a8a45fa46f83598241733f0755a164b71477d11

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
93KB

MD5
34ce8d151cdb2fdc1b90dc38460fc663

SHA1
7e5f30bc2120c83995f4f40f996b51e8eaa7f1c3

SHA256
170b2b4ca7add671a790dfd4a7544dba28674eda5b08b300cffeaa2e582729f6

SHA512
5057609497c675ceaa5db41b5db6578c3f2f4d78000b48dba0a63ec571dae78eeea098defdb072a3099b2abe0b705098e2f61ea7e57475baca69133b6f184136

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
93KB

MD5
a362658cfd4426dae3e66ad96969859d

SHA1
984622fea622a221adb7bcff52cead33ce3b060e

SHA256
9de2df97e297b0f3d53da539a5ede551ac1a44ad90752256350c9fb87a0804f1

SHA512
8c1d1d658785482e03bc6d240fa0dfde02454a0e5864cef27ee7aeecd21dd7027f5013d8a1e7a1e3db89123b7bdcfc8dca7c0b2a94aea2c9aedbfb1d33f62ef8

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
93KB

MD5
a4060e1d02ac982a05cd7ed5e166fef0

SHA1
831e7bc2e0de716d26d6d84abfe34631bfc12cc2

SHA256
f58757e0f968b960d2ef0fface5b1c35499695e578abf86ad5fdab8fa0e8711b

SHA512
bf0dfc167baec2fc320866373f39a61d5840abb0794516ee887d5e1cb57d0f1251db6b1a47c51447a79a5731868433eaf99d26caa901f70756a8c8ae54d36336

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
93KB

MD5
367ef96a12b0c3fc4de07220cf871a69

SHA1
734d3b382f293ee708fdb46dd51fbcebf1715a86

SHA256
d84574827d61959c5bb9b524da99e88d02764e4c47a2437eaf6b467bf5e1b9bc

SHA512
d45f09d087709637a4360e0556250e5a00ced78aacec074212043ac4e011848cfbf25fbd58e7b03db67e179115e9f721c4582fe332c7b82c090cb03928aea2d4

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
93KB

MD5
16c329b035b0e18c8092156440683ecd

SHA1
5dc14a686dcbc34f282b43e4ea41ac4190566a09

SHA256
79a58544c1df98afda075138a0fc716213740ba0352dce2f53c24928a7be54e1

SHA512
dba4e58b02a9706527327f5b41c0ccaeb0e6990ded8e8dde031a7216345fb2c45c69e1f78907ad8bc7441c20b2502ed12cd1762257e2faefebf849d36e738f7c

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
93KB

MD5
b210edda8e6dd7e67118c36401b04fc8

SHA1
0d9901e7a63c14fc1d3afb3249bb95b17d09c389

SHA256
ff3878ff475af6673166375b7b62a5acc5bd6d0c46c1299c639035dd2c03a396

SHA512
d4d85e789bac1e725802c4964a0d02d8d5ce9e828635cd330229c1c1a854ef5b93746544847a8364f288e77c195643f65d1493bc4decf02f61fcfd7e2f8e954e

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
93KB

MD5
f1efbf47aa6f6cda5c09de5c4294d0cf

SHA1
1e5fb1af2de4c8985c188e3912faf8d534bc70a9

SHA256
b06a21b90d3ca585dcce90533b18b10046908c899dfe9a375a1f5c63dd95ac70

SHA512
b10d769005f282011332d9ed7f8485ee6ea0416786b7d7dc86e4d6541c56e69daa4f1ebc2320947c974b892e83f0122aa394c5420ffa63d1d209d9c2f102cf3c

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
93KB

MD5
bb00665791b259f04ef1d6aa7940d7e5

SHA1
ca60d570a5dcd3a66b7e28a52ff020e09d234005

SHA256
a6dffb42a4b868ae3fea0cd1d17a5aeefdeabe11ed88cdb5df8f64b93418dd58

SHA512
cc2fe215aa5e36058dc79a9dab919b782937a8d1dcc3d81efbfc59c1ddc32648730328d5470f67cd18b586ab1c58d27d4a8fffde8024457562316f9b973eade7

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
93KB

MD5
a937a31245411bd517c9a15fcad1fbb0

SHA1
f715d66f083ca5d1da6d46bab96edb5f193ca103

SHA256
9bacb4666c6fff281dbbc7297aed0a4ff25a1db30d078ae9f2f5dcdaba6f0d9f

SHA512
d519d01e646346cb8eb8cb3dd9e78df36c216f8790ea7cdfc20584fed19c665e1ff2c2d41baf305fe9d2b0dd24ebf2f592aed1662c7749e60d7871fe1b27b530

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
93KB

MD5
4eea4a61d4ecf8e19993382f00c0ad82

SHA1
d936ce043d22b2696f273e9b14ab69973c129e3d

SHA256
396eb6f7a1d1c2e15d94b7de8811c3ab0085574860948eda4cf1499ee660f673

SHA512
a7bee245e9b2637774c8695a4895d3ce6a8104cb3ed0fbeccc1d413dda19e0b983c3522cc0bbe5f80cc6356a9f3a2a92b9c38f6b1edc9706ba6399211576df34

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
93KB

MD5
1591a1baa22e0eed2d000a2f3ad8f989

SHA1
4bdb26250d0e2743347a7ab6615f0455ec02923e

SHA256
c37067e6123acd495d6b54739b021f60984e409a167d06ee1de1027e7002c846

SHA512
82abf640ae3e1fce236967023ad0ff412743a07d981af86d58d8c76a747e30f1f2d87b14f16085a9828ad8ebbdaa12d42b75ad759ac110f403ee1242d802a9ef

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
93KB

MD5
d15dfa83632f66fd09ba493eaecb9ba2

SHA1
816ca756bb2f9a3398e82e7783c80f90183b3dc9

SHA256
5430ce54fdce80f7f250205efb5e2d2c941788792e0e0f6240c865ce4e9d1e67

SHA512
47243908a02fde77ff122637cb44fec10f11664222af6fa668de39e7781374b23a56b6b2f26ed5db75b4da6be99aaf818a69de87af00e0251ebb6edd59bf2859

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
93KB

MD5
9ca028c99fb3fdcfcdadeec74585ae88

SHA1
d1ec89ed01ab2c82d91475829152d9058d4a1db6

SHA256
b712fce12db04dd6810923455331ffa039585b4b9aba3adc1d354f4eeaa3e68d

SHA512
f41b4dc8988fceec270c0048e9328e0444c1212d1d922b4cf729811bbbcfb5963ecbe05ad8bd632b2935b1987def7a2ee64f13bd7a316d3d1b6dca2a73795288

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
93KB

MD5
e098664fc1aedbc8bc9c32d62e1cb80f

SHA1
5d94df48995f192552a49c10bc66b919f572fb67

SHA256
7770fa6adaba4bc144cf832315e641357d41ca27664a81a882405f2107dcc12c

SHA512
ff70a8e00821090fd5dfc78a10ff68f9ac9c5af4be060a68ac7fca2f70f8866f3a1095829b369dd48b205e721a3c66c6b48d8f65e8621bdbf39eab4610d46e05

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
93KB

MD5
d0b802e8a72273fb45359501ec0f30fb

SHA1
305f2c19df3a1ddeb93475a82d117e5881017fba

SHA256
1e67aebc78f0254f37b96a0e1ae0351f1b7d9d5877de6c31a7499ddcbe269718

SHA512
3904c159a81fd36e3c1a733f2b2b3b43cbbe86f778e702592c6b638c659b5d1e4354a1cc2d1ea85e85a39452ffd828c63f515bc8da99c34fb72708db057d0b60

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
93KB

MD5
f2d91cd1c4c30dc8415474f3300214e8

SHA1
62e1c24b4207f0b47cda6eaa4510ae549f117372

SHA256
4e615b7869c466bb8031f38e0a08b7b645b672473568efd61533324fcc70ff5f

SHA512
908d5b256c6c7709ba04ef7d652fc75906d7a87925ecbe0b8b2f3067344fe44f93f98c89303c67db2d911d9eeec6d0695eef6b258df2d51e6e3fdc13d2f63cc5

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
93KB

MD5
a0ca8ce5925c5f83d27c069e8e714b78

SHA1
8a4bff095a2c8ac138edbdb06ba09420ca23d382

SHA256
586c73cf91fc664b6627ef6ff78933d2f8ed5bc8bf398b542cfb95234fafdecb

SHA512
9013f51d9617c7b52d90a2135041c89bd1dbb5aa90d18fc3a454edee0252b85f89b99813a638fe947b366e9dad12c540a17174780104a34b1144d6743f46bd30

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
93KB

MD5
3a98e5476d9290719ff7b06014ce5769

SHA1
993d8d47b611a6c9ce00cebef0a5fa874928562d

SHA256
88c702cee72479fa12cd77e6ee2c36a4b8aee6aec14da6c88920dc3756e3357b

SHA512
6b6732397b6ff9405e401ddab2e99a4f8858941740548f0ffa8843c401df17c46750256c9a43fb3d848c4988609b23ab767b9801c62b23ed972ecef919a8a982

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
93KB

MD5
a02b764963e3d24510036c40028008b6

SHA1
a04c0b82a2e967e04c087213cd69efa88bd9ee0b

SHA256
1bc54fc628d8c6e972673b798f87a21a561865cf8c3f9c9d2a4cf61738557e43

SHA512
b10a9d28620b495125770e007b645133e93740e3a69d5764b53af86fc100acb73300e5840bec6ddf101845c27b2171e71b347081d31947506c643337af949907

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
93KB

MD5
e9aec2ea146a98b8e9a3970a24fb8ed9

SHA1
f6d40055d78864c7c64f031ac7a278b5361d0399

SHA256
1fde563e92c22fc133f6d328ded7b5f71947d306a9786f0890976ba65b811b18

SHA512
8246ccf89fcd6b078ec83f00d59e25c2788cb494e25a3f1eb51de02ee2d172e53398dd5162c8ef5222ed2d4816ed8822ad324dbeae146d38c9344ea158599e52

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
93KB

MD5
a8533d7b097a01d7a8c710321b0d7f85

SHA1
88f0c1ab3ece85ee771bf93cfdfd22875bda69d7

SHA256
5e720bc86dfdc207d2cc410fc1fa1fcfa4f95a7e3ec7214c430cf162b353da72

SHA512
819976d5271d645c22a1bf80299679aa6d0d3b5ce2fac831411c5f4d58f6f240790987ec001bf31e65cd361e347c396638ec9f220602106de41226d54f47da3b

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
93KB

MD5
6aef7b232678e08043ed33a0300de734

SHA1
25efe3bb2fa6c085af490322540886cfb3f0a9b2

SHA256
305c3d00f5c89e66c01fe5728d54a77f3b39d9eb8a47f0922466e055a228bd99

SHA512
9abc06ff1ee391066562ba038da6f6e58b586507f20050ee2636b2a01a12ea0d5a29a332f9f886c7e88448d8a42f29c05a29b46271b2d1d5c4bbe6aa3c8db5f3

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
93KB

MD5
eae4be20b8519e65a255c8bc45df1e06

SHA1
3c736ea1efe0cf808122317ac39328e8f1a43653

SHA256
f1fcb9f89816834a760a6c6ae37bba68ccbdc85af0746f7030f4101e1eb4f7e8

SHA512
b6ab4e17db75fa0ab60676d614c0fead703f49314bcdf753e20e95e85448c309e34a12231812a16458b1d2dd81205c6ec37227bcaee9c38a36a6d755914be4f9

Download Submit
memory/32-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/32-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4184-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4184-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4620-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads