cf0e91cb493c806e1015ef9a120edb71c2fd49b96346d86342a758c0c7e57a39

Analysis

max time kernel
136s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe
Size

59KB
MD5

bc0346ba9fff603602c58c4f046914a0
SHA1

366c8a406d1234bec40f129175c338de45303e7e
SHA256

cf0e91cb493c806e1015ef9a120edb71c2fd49b96346d86342a758c0c7e57a39
SHA512

6ae790eb8720e7afdc403a659c28e568fdcf51a5d489ebf5d70cf9cc6cebad3acf5c54b9cf874d7526c2569e452cdec6fd6564e50c1cc99aa3159630534d04fc
SSDEEP

1536:MUgn4rTOB+Uj+y4/GcwY1orbLUsQWDoBDBGjNCyVso:y8q/cJaIVWDEDwEeso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe

Executes dropped EXE 64 IoCs

pid	Process
5024	Jfdida32.exe
4380	Jmnaakne.exe
4376	Jdhine32.exe
888	Jfffjqdf.exe
5060	Jjbako32.exe
6100	Jmpngk32.exe
5428	Jdjfcecp.exe
5712	Jfhbppbc.exe
556	Jmbklj32.exe
4556	Jpaghf32.exe
5232	Jfkoeppq.exe
5384	Jiikak32.exe
5072	Kaqcbi32.exe
3112	Kdopod32.exe
2376	Kkihknfg.exe
2596	Kmgdgjek.exe
3116	Kpepcedo.exe
1852	Kbdmpqcb.exe
5092	Kinemkko.exe
2852	Kaemnhla.exe
2292	Kbfiep32.exe
3368	Kknafn32.exe
1924	Kmlnbi32.exe
4672	Kdffocib.exe
2696	Kgdbkohf.exe
3364	Kibnhjgj.exe
4912	Kajfig32.exe
2236	Kdhbec32.exe
2872	Kkbkamnl.exe
3356	Liekmj32.exe
5268	Lalcng32.exe
1836	Lcmofolg.exe
428	Liggbi32.exe
5184	Lpappc32.exe
4936	Lddbqa32.exe
1944	Lcgblncm.exe
3964	Lknjmkdo.exe
1116	Mnlfigcc.exe
4872	Mpkbebbf.exe
2448	Mdfofakp.exe
1892	Mgekbljc.exe
2672	Mjcgohig.exe
5696	Mpmokb32.exe
4704	Mdiklqhm.exe
5160	Mkbchk32.exe
5568	Mjeddggd.exe
3724	Mamleegg.exe
2908	Mdkhapfj.exe
5348	Mkepnjng.exe
2864	Maohkd32.exe
4828	Mdmegp32.exe
6016	Mglack32.exe
5796	Mjjmog32.exe
3108	Maaepd32.exe
2648	Mdpalp32.exe
5116	Mgnnhk32.exe
1568	Njljefql.exe
1272	Nnhfee32.exe
4988	Nqfbaq32.exe
1064	Nceonl32.exe
4572	Ngpjnkpf.exe
4688	Njogjfoj.exe
3428	Nnjbke32.exe
4092	Nqiogp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6132	1304	WerFault.exe	158

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 5024	4896	bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe	83
PID 4896 wrote to memory of 5024	4896	bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe	83
PID 4896 wrote to memory of 5024	4896	bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe	83
PID 5024 wrote to memory of 4380	5024	Jfdida32.exe	84
PID 5024 wrote to memory of 4380	5024	Jfdida32.exe	84
PID 5024 wrote to memory of 4380	5024	Jfdida32.exe	84
PID 4380 wrote to memory of 4376	4380	Jmnaakne.exe	85
PID 4380 wrote to memory of 4376	4380	Jmnaakne.exe	85
PID 4380 wrote to memory of 4376	4380	Jmnaakne.exe	85
PID 4376 wrote to memory of 888	4376	Jdhine32.exe	86
PID 4376 wrote to memory of 888	4376	Jdhine32.exe	86
PID 4376 wrote to memory of 888	4376	Jdhine32.exe	86
PID 888 wrote to memory of 5060	888	Jfffjqdf.exe	87
PID 888 wrote to memory of 5060	888	Jfffjqdf.exe	87
PID 888 wrote to memory of 5060	888	Jfffjqdf.exe	87
PID 5060 wrote to memory of 6100	5060	Jjbako32.exe	88
PID 5060 wrote to memory of 6100	5060	Jjbako32.exe	88
PID 5060 wrote to memory of 6100	5060	Jjbako32.exe	88
PID 6100 wrote to memory of 5428	6100	Jmpngk32.exe	89
PID 6100 wrote to memory of 5428	6100	Jmpngk32.exe	89
PID 6100 wrote to memory of 5428	6100	Jmpngk32.exe	89
PID 5428 wrote to memory of 5712	5428	Jdjfcecp.exe	91
PID 5428 wrote to memory of 5712	5428	Jdjfcecp.exe	91
PID 5428 wrote to memory of 5712	5428	Jdjfcecp.exe	91
PID 5712 wrote to memory of 556	5712	Jfhbppbc.exe	92
PID 5712 wrote to memory of 556	5712	Jfhbppbc.exe	92
PID 5712 wrote to memory of 556	5712	Jfhbppbc.exe	92
PID 556 wrote to memory of 4556	556	Jmbklj32.exe	93
PID 556 wrote to memory of 4556	556	Jmbklj32.exe	93
PID 556 wrote to memory of 4556	556	Jmbklj32.exe	93
PID 4556 wrote to memory of 5232	4556	Jpaghf32.exe	94
PID 4556 wrote to memory of 5232	4556	Jpaghf32.exe	94
PID 4556 wrote to memory of 5232	4556	Jpaghf32.exe	94
PID 5232 wrote to memory of 5384	5232	Jfkoeppq.exe	95
PID 5232 wrote to memory of 5384	5232	Jfkoeppq.exe	95
PID 5232 wrote to memory of 5384	5232	Jfkoeppq.exe	95
PID 5384 wrote to memory of 5072	5384	Jiikak32.exe	96
PID 5384 wrote to memory of 5072	5384	Jiikak32.exe	96
PID 5384 wrote to memory of 5072	5384	Jiikak32.exe	96
PID 5072 wrote to memory of 3112	5072	Kaqcbi32.exe	97
PID 5072 wrote to memory of 3112	5072	Kaqcbi32.exe	97
PID 5072 wrote to memory of 3112	5072	Kaqcbi32.exe	97
PID 3112 wrote to memory of 2376	3112	Kdopod32.exe	98
PID 3112 wrote to memory of 2376	3112	Kdopod32.exe	98
PID 3112 wrote to memory of 2376	3112	Kdopod32.exe	98
PID 2376 wrote to memory of 2596	2376	Kkihknfg.exe	99
PID 2376 wrote to memory of 2596	2376	Kkihknfg.exe	99
PID 2376 wrote to memory of 2596	2376	Kkihknfg.exe	99
PID 2596 wrote to memory of 3116	2596	Kmgdgjek.exe	100
PID 2596 wrote to memory of 3116	2596	Kmgdgjek.exe	100
PID 2596 wrote to memory of 3116	2596	Kmgdgjek.exe	100
PID 3116 wrote to memory of 1852	3116	Kpepcedo.exe	102
PID 3116 wrote to memory of 1852	3116	Kpepcedo.exe	102
PID 3116 wrote to memory of 1852	3116	Kpepcedo.exe	102
PID 1852 wrote to memory of 5092	1852	Kbdmpqcb.exe	104
PID 1852 wrote to memory of 5092	1852	Kbdmpqcb.exe	104
PID 1852 wrote to memory of 5092	1852	Kbdmpqcb.exe	104
PID 5092 wrote to memory of 2852	5092	Kinemkko.exe	105
PID 5092 wrote to memory of 2852	5092	Kinemkko.exe	105
PID 5092 wrote to memory of 2852	5092	Kinemkko.exe	105
PID 2852 wrote to memory of 2292	2852	Kaemnhla.exe	106
PID 2852 wrote to memory of 2292	2852	Kaemnhla.exe	106
PID 2852 wrote to memory of 2292	2852	Kaemnhla.exe	106
PID 2292 wrote to memory of 3368	2292	Kbfiep32.exe	107

C:\Users\Admin\AppData\Local\Temp\bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bc0346ba9fff603602c58c4f046914a0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\Jfdida32.exe
  C:\Windows\system32\Jfdida32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\Jmnaakne.exe
    C:\Windows\system32\Jmnaakne.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\Jdhine32.exe
      C:\Windows\system32\Jdhine32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
      - C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6100
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5428
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5712
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5232
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5384
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        26⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        41⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        45⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        46⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        72⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        74⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 400
        75⤵
        Program crash
        
        PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1304 -ip 1304
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdhine32.exe

Filesize
59KB

MD5
4f81408b331478ff4a54feb7f357a066

SHA1
63f4d2647eaccad15b6a44b7636ea52d6a02c44e

SHA256
441829918f30a3d6d22f6e29daf936f7e4ab596bcb4ecc74cb81adf3210fe5d2

SHA512
be17ec3bb2a789a3f7217d264ccbedaa56988cbdeb7a154bf986c676c28a534702f49a9d188f529f6671a9705ad71879f7b413c975d8aa41ab3e22017e235e64

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
59KB

MD5
f9d9f3597cc7df683ff67b6bb847ff0b

SHA1
1cb9eea1c527a476d0fead1634c4996f44f896ba

SHA256
a5361e42ac1270570bb082cbe58784ee7ce20e43a31321b848b11ea0c45e5b8b

SHA512
465edff0720527d0fc06297b790379c767f9edb28172ce31e0a2fef359d0b16427414768ac42474c20c25007328108483ccb4858d0ace6927d1e5c12f6a21eb6

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
59KB

MD5
f9f41085bd2def6da120fea68c7412da

SHA1
f8f1767697de49c6fc17d7108a968f5169e5f91b

SHA256
2d6d559112f8dee4463d4c7116781480055c6a59df87f5fb9c4d610718f80907

SHA512
6b2f82be0a08f4f9370da5a1cd0a77f9741c596918ba4b225ae9385c571037bb04471fb1b66eed0dfa6d00dd8b747034d2b49809a0b7998f0d58781a2ae2f559

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
59KB

MD5
c22f4218f3fa8bcf594eb74d376c7638

SHA1
c65d2b57ef04ab9ef2b19efde33173aa5120b953

SHA256
687a7fd0e43b7289b7dc56c9f8bd9ca06d8063c95272979b720349039f841151

SHA512
1eab5471713dfe921e97fb07b1d58a91e4e0d5c9238edef2f4de5d8d657a3f7d04958535382a9a61905597619f6057cfcc41f4f6c9832a02c074df26a937f628

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
59KB

MD5
9e1d994b67c973b8bc1db32af98655a2

SHA1
e0c6592ee1e85bd1d62376e1b864389d53451c1b

SHA256
2850f2f55357a53d287cbf196e6734a388ec5626a6cc500039f4235573b935a4

SHA512
5875d14c933eb882bf9ca11b3f4a83bc7bec2bba9059ec055351a66ed3ac123cd2c113253330bc8ca54a7c05f7b26be4dfbd8e5357d8661ea1b5ac006132e4e3

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
59KB

MD5
14fed6a1106a0d9454b0d1e630a4801b

SHA1
4e8e82778ca443628845860bbc434a998f66072a

SHA256
6a14cd28ca7510de92bfccdbb0900ae0433e47de605731013df05d587e24b0d6

SHA512
028b16495584f8ddf0f465ced75100468389da03d858f7ed5a4e6d13129dc81fea1397b7a7dd6c5074e78de42f0e02e6d5987268177101f8cdc4047932e8d9de

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
59KB

MD5
c19b858601445381739b9b7b16f10d21

SHA1
314e7bf4adc466d7a0d7cf360412a063a00b9a06

SHA256
89f86538cd3cd34e884c50cdba78ee3806a02483c77568c83501e2aab0840c70

SHA512
099f5611bafeb7ca327ffd69e36b2bc44c8112ff57c03eef0cc5a906024cfa5f40de3eb92f4a98fda4f338123e92c5abde7062402a98bc00fbefba7a1a646961

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
59KB

MD5
0b0286029546fd6757a27dd4fecc0242

SHA1
20ab412f6931cbd4c024a97263d8b3cd0f6bdd80

SHA256
279d0fa705576263e7dd4f58564f3029abd7c3ab53cf74c24bd4050adea6906d

SHA512
1cdbafd960d23a4c55c0e92c767d21901feb8a1f5584adb46af4a74f3c6acac4bab6a0d8c5f9320d09339cc8d5377aa27b192db1fe81c5156b318c187372467f

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
59KB

MD5
1b41d08ddadcc6c00c6efdc7bd044687

SHA1
1c759ae8abf3e6f362bf2c3f30f69f44b5100dc9

SHA256
bfd4fb09881d47348528a7e8b4a770b9a037045b1b8c6f4fa66023a2288542bf

SHA512
293f93456edc76886e7c9ab723c015ab9d23e5ae715972535731abeaefebcadc1cdd6665f106a4c9b36d489556bdcb4e208c5f1965576c23989697a5ec131488

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
59KB

MD5
5d8ffa2c8f95aa1a311e3e2502594f0e

SHA1
07dc458297e54639723c7b689b72bcf855c1c463

SHA256
d12d8f30691cacd1f65d9dfdc2f260fdcda8726b54438de51741e000d3861e35

SHA512
e16d529290e59e654b59de744f09ee243c2ee6d42f54e044f0d78feefb6a000d096ff3d0afc06a6e5e4152e0e0fdc8de77de9baf517d2113c56f52231672397a

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
59KB

MD5
b4b747d39dbd58b87dc16f46bff95639

SHA1
00e1a756605e3cc72b4d3c3a881df3f1b3a85dd3

SHA256
ce648cbce8e67283cfa4e025310378962e9f3fe81c0f4afb02d24b4d9483b977

SHA512
d76a84e8f2d843e1091ee466ff0b07076d36c02c231987d2fa864763a7c8dd493fd4e921a951ddb0b261a256c43551459c802de305a0ac037a658b8b403b622f

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
59KB

MD5
4f42f5a8944b6cd637fb476ad95ee7a3

SHA1
1b08036400012d9fe1c7c52213f9f2a595424eb0

SHA256
08cd96915adfcd2bacdb15bf892a0a74fb468d39234df9582b2c4dd1627006ed

SHA512
4b929696cd9dd0868368d9c4de55fa262c00610035e9e68c99325340575e09e83d9d9edcc23871e3a86ce8018edeaaa06acff4befddae433793f8e3d40b54d11

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
59KB

MD5
34596b7f772e7fc9dab2a941be955441

SHA1
402bfa80a19648d2b3b2acfbbac312922dbb630e

SHA256
bd69d28d9b1c82cb6c0d388d6cf46da4c3621bd48dc106effccccaea775e36f7

SHA512
2961b7e168abb41f2f4bbadd994224029a30092335a2908092425f186502a4f0a8556d5c1d6d6e555d49c38b724584cb98b9c4f494d1df1ff0dfcad767fa54df

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
59KB

MD5
05c77f18c9c1697e1f399ee41e1f605f

SHA1
0fdc8140cde4c2d5ad16e22e1549569ac44922c8

SHA256
35e7abbf3c955abea73a59796eab1ee2923b96e39145e279972fcf5bca4682bb

SHA512
92ff453ff78e829610c3e6428be391eb84397bb690ab281777c169fee65b86af0e7d05f60073d048fd7d1255af347bb36aed6a2638b3472690123bf4ea96a993

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
59KB

MD5
fcfb2e77a9fe6c93b04afd73fcde56c6

SHA1
350c156b008e71e8eac6e1ce7b32ec8cbf8d6534

SHA256
ee09a31f4aa24e0b86d6a350e299d19184177d42c840c9be351615e241dbe1a8

SHA512
da79674ed5555b7a6fde4ef5ec7d1127ba6946d0c4596d0a5bb3138e4825cb04a331b6695503f6e0eb9b87b6ac10c09c95d7e59bc4eaa829a171e8bd8d3fa16c

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
59KB

MD5
013d226616351e5e1a9a4be73275c4b7

SHA1
3774f188443dac3a9883cebe548e7476cda65c8b

SHA256
b10e843b1ff69886e0f7a722f31dba6d7cbe65eec45078fbb97cbcda69ef9b88

SHA512
b0064bc8cb2bb599a1e7b7c9db8160ab34c75fb4f57de6f8016f70b24eb734d70ceafbde70f7c218d5c92680322f9a35c8ea1cb3c55d465f477ed3d05af2e840

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
59KB

MD5
9d9a9206ae53d8b40b79693622be935e

SHA1
856f23a1f807f1f0cc6a08585ed9c4f393087116

SHA256
9b13c6364fdb6101331f982fc7e001f57503f789e675400c7b65196bc5d9dc00

SHA512
043f5f3c0878aacf82dbe6fa748de7cd476ba943f2c8f33b1260632d3b08e16642924d8ec0b81537f8acf0669f803ec90f6cfec59f38ef8b3d79307866cde3f7

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
59KB

MD5
706a7f4ec02436677ce358062e3b45b6

SHA1
cde379b359cfa7c99ad6486e71a83aa9feb2b9eb

SHA256
bd3471b948ceb221f847a71dda4d989376863ffaf30ec70b95a7ff8fe57b16b8

SHA512
fbcb64c68753f0a04a33b7b495cb0ffa5fe18842e47e9015352018606b06319ff449b8a8b30246e9c6b1530c9d366e4417f4215cbca8ecea618e03d1536304e6

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
59KB

MD5
c1cb57df515fa46044860f1da1ec26a5

SHA1
617231e412fbc111de9622685fe70f55ca573964

SHA256
92d3e23300090f66d19efdf65eab7eee3cf120cc89462eba53606bff5ee09f05

SHA512
d13fabbb61d81e5140386a0ea339fbad14b86c10e192ed87302304ed564297372b7c15258f220ae1a9ef312dd08bb33a3ccc616f12ec7b0fb844bc4ed8d31d11

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
59KB

MD5
8e7c1e2dd98886411475bbe8fa480a96

SHA1
65a35715973a6f6faecac06c0294435dff6eaf64

SHA256
a8b058f21f6a8bd2ac1b773a8d75a5006338355a524cdec145a46b1b1c9bbb12

SHA512
86a145ecf093cff563797d2985bf05f6949c2d7121eb4982700d32138486658110c7b0ab638a979d8e8b7b5edd559c8a22b228778051181368c8b5a8ee029dc9

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
59KB

MD5
9b9750041083298b4d42fedc61958e7d

SHA1
b33ea704d1e8baa150addf8f2968dad9f3b07958

SHA256
bc48f8800d648e30363939360b0b9bb70c6f598b15db26a41ab85671d32aa239

SHA512
ec9f5d1e769f826753a8f8aa110af160038c729cc117b1b87b203fbdaf3763dfb455b9ff1243ec586f7dbf4dfd3890de22fd43b4a09e9025dad7ff19ee94db65

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
59KB

MD5
6d4af9b6fbd143ea329e0ce68ce67b26

SHA1
05c4cf92342ccbcc394945064249a8e6db9d6428

SHA256
dffce36b59bb36339362d2935cbf4a402303fb504a15ba48db8ef161046ae520

SHA512
4deb6eb458539464c19c0289c30788c37f3d31f9a0277e2176063babcc379cd0927f380214c7a3e19a016345a2f0bbca3bac928191344fa75994b8a47d0312b6

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
59KB

MD5
04170e24a10c868ff7ccc6c79dfeaa46

SHA1
3a69858f21205881be2f66aeb4216898e1cf4d26

SHA256
fcb66abf3d1bfe90110e68bdb62670c7185147287ac3b73075c540f2ce7a7533

SHA512
25c68536350e4a69855ea15bdc30775837640ee78b8effd48be7d27743f2eebe2d24d4df19fb7e022ff701cc9fd12ced931e9c1bb925298e9c7201433c2ca714

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
59KB

MD5
ce79558eedc58d4c22379fba4286d80e

SHA1
675acabc77718d3b2207d133b76f882f5e930904

SHA256
e7b261ff9b45423e77c1ac42aaec5877a88cfd297ba9058f0f909182a5897421

SHA512
d2446e92059f19a8a8b1c64aaa3149e1734fb2937b3e6d2593478fef0838071bc88165a40a743c4ac548e5b2ba7bd5c407d4b571d18d5a4010e76bc0a133a6b9

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
59KB

MD5
3f71343ad7096ca51bd4aaa9f496de4d

SHA1
8332102a6026facd0917c4093a371e3e1a32c422

SHA256
d29e2f89fa756842c12e5552b9ea782b0afbe52e1bbb31439debe4b7958438b3

SHA512
c65be816a1567dc200438a0d78c8cb90d94f2db7183dbc5022149f59a0629db7051cda0608c5b47ae9044168f12d768e685099da0777f08e93ed04a330977111

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
59KB

MD5
d220f1c94f6d615d27a0fa7da678acf6

SHA1
165def435f70df269813d6b77cc74bfdc7b2294f

SHA256
f92c1c30c2afcd4a7d44a152f25719c654f75a1ff696f815c1062c91dfcb4c2c

SHA512
f881a23424469eb7935e3ccff60e7f34138fa6f9bd3ae2d29531b8db08058fa6e49704d5d68ca7db9b4b7cb9ce9b4a846ed3771b20d2449ef1eb8e67a54b2e90

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
59KB

MD5
fac8b1b1040ff188c42a057ef1c429b7

SHA1
8ba54b11f59a0f86804f578b6733d0d5a28481e6

SHA256
c571c676c6e3654bd125061e07be3da2949fd16527f82889704004c940a63ae6

SHA512
98c3991a494e7847dbe2515e51de14c6f25366c3fc24a78e87fb28e1ba94a704ed23f1e4809cc904ecabb1361d89efe9e824bd27b7d45ed72e394a83796e48e8

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
59KB

MD5
d8c063eb334effc34868c4678c2b38dc

SHA1
4c088236bc3ff036dca94a847501777b9b7930bd

SHA256
52e0668541672abea88fa74103eec3cd0fccc0ce939b18182cba438f1315cc70

SHA512
afbc970f1d54c93ac58e6834973ca51731f12ad1b3ccefca47755ef15ec3501c1f1b4b4a8661523eda7403bb247e9d7d2b4db5468eb1a0b7b76910ce8bf81c70

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
59KB

MD5
f9707083aa5c6575e9d35913276728b6

SHA1
0278e39cfa1c9c364044226bec921fa4e8944e7b

SHA256
6feb5f1b86c2bdbc7804c9f6b29d0c1c8e85828158ba848bddfb12112807667d

SHA512
80e85aabb01e2e58cb88d6cb5b9a19157b9653458af333d7cfc3579420be85a31913fc0d3cbf4a59d5f2c4b55b742d86237d8e625d3d2e8c6543ff799cf2daf0

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
59KB

MD5
710806d7b883996b65e412220836b466

SHA1
549ad49939a1b636c9f8f6ad711e31e1deb6eb22

SHA256
253b19c86884d838109b78ba729ee97c4f76b41c196f49b9af492ef6f9d3832f

SHA512
875decfd56355c6cb3fab1a181b905d6fff7cb7ddad059e5a60ec4bade3ff309e6be9b1427b3b5fed5fee05a02b1d166dfd7c28d6418d40411bd6087f8be47ef

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
59KB

MD5
070f521be93a6f19125b91d71eba2269

SHA1
1d36522dd347c0887a87cc8657b81b60daceb371

SHA256
0f85537d791dacf89ce7b371adeb9d4b198148bb587237a79b2a4d7b299208c4

SHA512
d4717c81426d9791e032727f065d4f8fff52bd68634268c574d31ff6666d72771066a36a1fe35aba485bf98738328039062f39bea02855646508007a1eade261

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
59KB

MD5
7696348ea3cc39cf52630025de67c175

SHA1
38550bd4df9337c39cc76b5dd79a94025b3b4a5f

SHA256
da3ebbe141dbd00c5d05b4bc62fdc36cd1a1c524d346d48bfd74bbb5b20e9c30

SHA512
f19ba9c93b1f96ce3f51869d9fa8765b00164bb68103667b900fd96530d8dee9e30a424b68c5ae9094d532d94c6d9e78b25c4ceee86110fb516a9aeae2a2e4be

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
59KB

MD5
8752d4f6bb6c952455501dc43b402fe5

SHA1
000bbad76c45088c5856652795d688d610e9113f

SHA256
8489aa7b395b52a476c0467687ea90e84ec422d2d7744ceada310c35f6c9c87e

SHA512
5c08bca096a76229a508c50993cca368a33898d7250a3e4e10ae6e9aa0fb9ad2fcd3f1b3144654715980742c0f56b0eba8a55cac2a95c4eb5eba33a820ef4629

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
59KB

MD5
15c12de13c7294d3b35c00a0b9b2e6e1

SHA1
f2e22148b41e66fa7c1fbe0c82d1a2c9f92e03ce

SHA256
8d4268558b9170c3a16b04f2faa4a204856deecbe8a3e42886e18e3f975c77c4

SHA512
f5ee7e58e57c1a7d7b44901aa30ff865e8461c7cd34070c9ae60b0883ffa8085057d615b6ff34dad904002c22e28491795b0bcaafa91dde424182523bf74228d

Download Submit
memory/556-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/888-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-506-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-417-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1272-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1272-508-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1304-494-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1304-493-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-509-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-404-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1852-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1892-307-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1944-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-495-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1992-480-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1992-497-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2292-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-511-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-389-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-524-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2852-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2864-516-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2864-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2872-235-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-518-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3108-512-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3108-383-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3112-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3116-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3356-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3364-212-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3368-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3428-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3428-504-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3724-519-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3964-284-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4092-503-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4092-446-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4248-475-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4248-498-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4376-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4556-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4572-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4672-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4688-505-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4688-433-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4704-325-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4704-522-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4828-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4828-515-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4872-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4896-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4912-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4936-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4968-482-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4968-496-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-507-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5060-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5072-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5092-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5116-510-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5160-331-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5160-521-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5184-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5232-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5268-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5348-517-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5348-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5384-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5428-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5508-501-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5508-457-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5568-520-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5568-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5576-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5576-500-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5680-502-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5680-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5684-499-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5696-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5696-523-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5712-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5796-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5796-513-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6016-514-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6100-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads