dc4288627905a500cc8412cba84e7efa1963ba21a55074c50193741e3e2c3de0

Analysis

max time kernel
140s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe
Size

1.9MB
MD5

89bf130e1f3e7b3ac0c89c4a02d93c90
SHA1

7e0c36ce2da882ff68f9a45336a4af80de51791b
SHA256

dc4288627905a500cc8412cba84e7efa1963ba21a55074c50193741e3e2c3de0
SHA512

c76809112e1139d1cad172cac29238a1b21051f705e506f44831f6ecab2e638583d2d1a3a5cfc8c734728135bd03bd54b10d94b99584d56eb21ac2f9c0f71375
SSDEEP

49152:QDPxIxixIxDxIxixIxrPxIxixIxDxIxixIx:QLxIxixIxDxIxixIxTxIxixIxDxIxix6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe

Executes dropped EXE 64 IoCs

pid	Process
4036	Diihojkb.exe
1660	Dpcpkc32.exe
3980	Dcdimopp.exe
4040	Debeijoc.exe
4544	Dllmfd32.exe
1648	Dokjbp32.exe
4940	Epopgbia.exe
4088	Eleplc32.exe
3336	Ebbidj32.exe
3996	Fbgbpihg.exe
5020	Fmmfmbhn.exe
228	Fokbim32.exe
2916	Fjcclf32.exe
4492	Fopldmcl.exe
4636	Ffjdqg32.exe
2416	Fqohnp32.exe
4480	Fmficqpc.exe
4856	Gbcakg32.exe
1048	Gmhfhp32.exe
3944	Gfqjafdq.exe
3220	Gqfooodg.exe
2264	Gfcgge32.exe
3484	Gqikdn32.exe
4008	Gcggpj32.exe
1556	Hadkpm32.exe
4868	Hfachc32.exe
3968	Haggelfd.exe
4656	Hjolnb32.exe
4864	Ipldfi32.exe
1108	Iffmccbi.exe
4556	Impepm32.exe
2968	Ipqnahgf.exe
1608	Iapjlk32.exe
3032	Ibagcc32.exe
1584	Iikopmkd.exe
4396	Iabgaklg.exe
1224	Ibccic32.exe
4448	Iinlemia.exe
1728	Jaedgjjd.exe
1984	Jdcpcf32.exe
1656	Jjmhppqd.exe
4176	Jdemhe32.exe
3400	Jjpeepnb.exe
4000	Jaimbj32.exe
4012	Jidbflcj.exe
3536	Jpojcf32.exe
4680	Jkdnpo32.exe
4808	Jbocea32.exe
2420	Jiikak32.exe
2232	Kpccnefa.exe
3304	Kbapjafe.exe
2116	Kilhgk32.exe
452	Kpepcedo.exe
4732	Kgphpo32.exe
832	Kinemkko.exe
3904	Kmjqmi32.exe
2640	Kphmie32.exe
2568	Kgbefoji.exe
464	Kagichjo.exe
3496	Kdffocib.exe
3596	Kkpnlm32.exe
1012	Kajfig32.exe
3792	Kdhbec32.exe
1328	Kgfoan32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dokjbp32.exe	Dllmfd32.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Omccgkde.dll	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bppheeep.dll	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5104	5800	WerFault.exe	197

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehocmdp.dll"	Dpcpkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Iabgaklg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 4036	3272	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe	82
PID 3272 wrote to memory of 4036	3272	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe	82
PID 3272 wrote to memory of 4036	3272	89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe	82
PID 4036 wrote to memory of 1660	4036	Diihojkb.exe	83
PID 4036 wrote to memory of 1660	4036	Diihojkb.exe	83
PID 4036 wrote to memory of 1660	4036	Diihojkb.exe	83
PID 1660 wrote to memory of 3980	1660	Dpcpkc32.exe	84
PID 1660 wrote to memory of 3980	1660	Dpcpkc32.exe	84
PID 1660 wrote to memory of 3980	1660	Dpcpkc32.exe	84
PID 3980 wrote to memory of 4040	3980	Dcdimopp.exe	85
PID 3980 wrote to memory of 4040	3980	Dcdimopp.exe	85
PID 3980 wrote to memory of 4040	3980	Dcdimopp.exe	85
PID 4040 wrote to memory of 4544	4040	Debeijoc.exe	86
PID 4040 wrote to memory of 4544	4040	Debeijoc.exe	86
PID 4040 wrote to memory of 4544	4040	Debeijoc.exe	86
PID 4544 wrote to memory of 1648	4544	Dllmfd32.exe	87
PID 4544 wrote to memory of 1648	4544	Dllmfd32.exe	87
PID 4544 wrote to memory of 1648	4544	Dllmfd32.exe	87
PID 1648 wrote to memory of 4940	1648	Dokjbp32.exe	89
PID 1648 wrote to memory of 4940	1648	Dokjbp32.exe	89
PID 1648 wrote to memory of 4940	1648	Dokjbp32.exe	89
PID 4940 wrote to memory of 4088	4940	Epopgbia.exe	91
PID 4940 wrote to memory of 4088	4940	Epopgbia.exe	91
PID 4940 wrote to memory of 4088	4940	Epopgbia.exe	91
PID 4088 wrote to memory of 3336	4088	Eleplc32.exe	93
PID 4088 wrote to memory of 3336	4088	Eleplc32.exe	93
PID 4088 wrote to memory of 3336	4088	Eleplc32.exe	93
PID 3336 wrote to memory of 3996	3336	Ebbidj32.exe	94
PID 3336 wrote to memory of 3996	3336	Ebbidj32.exe	94
PID 3336 wrote to memory of 3996	3336	Ebbidj32.exe	94
PID 3996 wrote to memory of 5020	3996	Fbgbpihg.exe	95
PID 3996 wrote to memory of 5020	3996	Fbgbpihg.exe	95
PID 3996 wrote to memory of 5020	3996	Fbgbpihg.exe	95
PID 5020 wrote to memory of 228	5020	Fmmfmbhn.exe	96
PID 5020 wrote to memory of 228	5020	Fmmfmbhn.exe	96
PID 5020 wrote to memory of 228	5020	Fmmfmbhn.exe	96
PID 228 wrote to memory of 2916	228	Fokbim32.exe	97
PID 228 wrote to memory of 2916	228	Fokbim32.exe	97
PID 228 wrote to memory of 2916	228	Fokbim32.exe	97
PID 2916 wrote to memory of 4492	2916	Fjcclf32.exe	98
PID 2916 wrote to memory of 4492	2916	Fjcclf32.exe	98
PID 2916 wrote to memory of 4492	2916	Fjcclf32.exe	98
PID 4492 wrote to memory of 4636	4492	Fopldmcl.exe	99
PID 4492 wrote to memory of 4636	4492	Fopldmcl.exe	99
PID 4492 wrote to memory of 4636	4492	Fopldmcl.exe	99
PID 4636 wrote to memory of 2416	4636	Ffjdqg32.exe	100
PID 4636 wrote to memory of 2416	4636	Ffjdqg32.exe	100
PID 4636 wrote to memory of 2416	4636	Ffjdqg32.exe	100
PID 2416 wrote to memory of 4480	2416	Fqohnp32.exe	101
PID 2416 wrote to memory of 4480	2416	Fqohnp32.exe	101
PID 2416 wrote to memory of 4480	2416	Fqohnp32.exe	101
PID 4480 wrote to memory of 4856	4480	Fmficqpc.exe	102
PID 4480 wrote to memory of 4856	4480	Fmficqpc.exe	102
PID 4480 wrote to memory of 4856	4480	Fmficqpc.exe	102
PID 4856 wrote to memory of 1048	4856	Gbcakg32.exe	103
PID 4856 wrote to memory of 1048	4856	Gbcakg32.exe	103
PID 4856 wrote to memory of 1048	4856	Gbcakg32.exe	103
PID 1048 wrote to memory of 3944	1048	Gmhfhp32.exe	104
PID 1048 wrote to memory of 3944	1048	Gmhfhp32.exe	104
PID 1048 wrote to memory of 3944	1048	Gmhfhp32.exe	104
PID 3944 wrote to memory of 3220	3944	Gfqjafdq.exe	105
PID 3944 wrote to memory of 3220	3944	Gfqjafdq.exe	105
PID 3944 wrote to memory of 3220	3944	Gfqjafdq.exe	105
PID 3220 wrote to memory of 2264	3220	Gqfooodg.exe	106

C:\Users\Admin\AppData\Local\Temp\89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89bf130e1f3e7b3ac0c89c4a02d93c90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\SysWOW64\Diihojkb.exe
  C:\Windows\system32\Diihojkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\Dpcpkc32.exe
    C:\Windows\system32\Dpcpkc32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\Dcdimopp.exe
      C:\Windows\system32\Dcdimopp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        25⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        40⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        64⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        65⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1996
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        69⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5056
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        74⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        76⤵
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3668
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        80⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        81⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        84⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        99⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        108⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        110⤵
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        111⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        112⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        113⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        114⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 400
        115⤵
        Program crash
        
        PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5800 -ip 5800
1⤵
PID:5908

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
1.9MB

MD5
a41ace1bf3fa2df245bd24edfe539fdc

SHA1
ba9f36f61c4f0ac1231c78456325992bbb7b9ca2

SHA256
2920bc0f179e04bd92c422ea312524a603a917ad3ce9941ed572187f624a3a2b

SHA512
54cd80a38f6418a98e5aa8aeccdbd829048d91b5bbbd64e13a173e3b3b0accc7ca65dfabb9cc9e4a97ccec98dec7445790010bb96e61ad3e3151c77b3c3df9c8

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
1.9MB

MD5
aa77fc39434fbc92588d82227f741184

SHA1
20993998ec0fbb6a71f22b232365e2226e957d20

SHA256
4b0636a376aaf465117c82077f05f6f86e22bcf470001052c57641b3d1925348

SHA512
5e74f4c8805c4b61f49229da4f9457ba9ea5d2e81d7e32484fbe34bf12eb625238eb78176d428cd73474973d215797b84a1ca207ab4bc8928bbaed0764841cbd

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
1.9MB

MD5
713e2723fa20f98ce4e8ab2125a05707

SHA1
3b6d3eff9f7bd31e20933514faeb0f87c5714972

SHA256
fa907a4459762dad98476aa73d7909a48d3df7220c98c25132b6745954344bb8

SHA512
39a4eefa5eb50036a209278e09c17db5b0cc3dd56ee17e5b022b4415672c4d251a5b92e126d603c71548538f0d17dc3b200919f3afa778aa938f4c4892b970e7

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
1.9MB

MD5
5e3fe80c999573298ccd9267710ce89f

SHA1
352bc8a88c0238b41549bf5dbc8ac6a23def0f63

SHA256
dc13fb1d2ad915107f726a72064aaaa2b7c306bea23168d334e62f0f8245a0bb

SHA512
4da91440ec8d9c869f2a6d2af396b15ca28a9a8631724692f968142e59629afd3250e8384e84a961f0ffa793190ad5f7f8eb057b623bc78763eaf8a836234af5

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
1.9MB

MD5
43fe52ba2cdb189b3cef48e437065475

SHA1
7a5c74d596b06323de08139e3d16e452a51fb32a

SHA256
7cfb5493994ba390f175203e4f8be4a3598b98219d00fc01359b8e67499a0da9

SHA512
893ae6c3e3255da13669af9edfcd27236b9dfb983269785264aca6c9f95a24dc6c3d93a9a99fd6f3bd94bad55137749803a9a372c04fd5859eedbcf86fd2e286

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
1.9MB

MD5
e721f4e2d628398a46c439680978590d

SHA1
cfcd3f6898d1a6c55f807cee8b0d1697bb7cfb2f

SHA256
28009419c0e02b6dcb92d16874ba504c537c642202e441d4f9b3e1ea850c8a03

SHA512
92f4d0f5f551ff4ac9941ed8ecc91879a4e59b40d6b05f4b2fbbff93892cf4de1473f4f42c3a48ea95ddfbbdf8eeee78f88c8f0eeef922f047c8fc57e5487818

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
1.9MB

MD5
9f9a2a355b2464d570f1d986db0e8068

SHA1
c22429ad94dcc494504fda35a4eb0d77318dee8f

SHA256
c4cc8d79817bbe48f2e2d7456434dbcebfa0f7f583bdf35e202e083c75d3960b

SHA512
74cb89d0f69abcf422892412772fc896a451447d3e3fe5eeea95009bed0bd439f18cc44ff2ae371a170a7967964d487d85d88a0032f5c620b97cc0063999adb1

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
1.9MB

MD5
355af363d5f5b8bbaf9badb4a0245f7f

SHA1
1720ef47fe839997d61baad1c74900e523c5ad41

SHA256
24a7cba6e028ac677d8c335abffdb1b0ee9dfbe756b8e001aeee4370f9f24d6d

SHA512
df7c32b23a9c4cc064b219dc67d4b5e7501897039abbec71a610071b023aab62ab18146084adc1835fd18910795d416d95b728c548506d1f4b6c9298dbeceb8d

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
1.9MB

MD5
a0474472913a15c04d5ef0e4313f8f7a

SHA1
6e3e90727e5a98e4ddbcfe685c24582d9d1fdb0c

SHA256
a249e6fbf0e28c9d9eaa6ee1b819a2973c74629e3d91ed2f31c2156d4d703a4d

SHA512
136a1e597b79b5357e8901df35f3f2bc5fdc2849f749e0c896983e45289a08c23d67d4deede9d3a5b85b5e46d6477f515569131534362c9ad44530746e64525c

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
1.9MB

MD5
21f7de1f4cfb564c31ad067e4e052393

SHA1
04bd7ed47cc35b71701c43f15ae73ff9b4094b3d

SHA256
75fb8474637c82c8b1c63a2f4e80ea4b539c2effe011aa4397bae2893ca20d4d

SHA512
a1d838c670102f0f9ac706cd57818e32058f60069827e9c1c5151fb1b8ce1761b591168ec0e2c8db476a7f1f79889fedc1426a14a8bdea4e2af26d06a0a0ea03

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
1.9MB

MD5
2bae4db2d3f7aeadd7e8479028986050

SHA1
6093b3fdb2ff2862340953e16648ef26f439758b

SHA256
3c35746b7193da261e00eff3e9704d9c21ffc953ca3ba2d3087ca8c837da1d9f

SHA512
411a7af8b6a6e450f8c303535404502367a15c64eec7227f2354e668496cfc74081dde8b89704e7446f2572d4a98a4d44846e8c0a0fc972fe04f23cb58b227d1

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
1.9MB

MD5
6189b838f4ea0de6ee65f0ec0ed28e0d

SHA1
79c2cb24994d0c2a017b7231934027a8966eaeef

SHA256
5eb7bc1e53ccb6b675336bed544d9c871e0a53b47f503c359763eaad10637e6b

SHA512
634e61c8debd80f5a96ca8166ff56a05c64320ec83394a472ea2b51a7286e2438fc070a6cdd45805fd18edf0b0665e9f33e0ef5ce683f02570486937d8202719

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
1.9MB

MD5
d0a9073ba0de247d43ead4ea63e41cef

SHA1
c448fbdcf1f9683e768e382b2dfc56558541dc82

SHA256
cba2393d040da206bb981833c6335c3b90e348e263f1f546020336d2c1020c72

SHA512
8849f2f8839c0d68dfc03b79bb7fc6a8d7aedce5786db0ff1d057c98e76fcda12d29e14d6781c4c5163ece9d2ecd75b6c95b72803651002edfee263973968bf0

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
1.9MB

MD5
3514e0d05c4cce2cc8aa617f7c446b6a

SHA1
738fd2e0509b7faa26b8db98abdfd81f8e889123

SHA256
1d4cd590fd4ca4c50bc5955a5b6600f3d3d0162b5d422c38479cee4e82e9e975

SHA512
f31e1970cde643681ed7af2615e03e1340a9362542e84b66b8c01760464b16ec45ccfd4e3cdd29b684d44e039fc5cc79f25ca9d12bf30a06874e2d523a18d963

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
1.9MB

MD5
6c42abe5dc0f773f542e776868be065a

SHA1
3df9250ffbc06a9c8e4c56603274cfbff6a2fa71

SHA256
b6339f9afa326cedce81a26de8ce6ea80dd6ab128af81dfda5cd597763652f83

SHA512
3f5ccd74e8888911ab993f44f51ae52cbf203700bcb39260240153a1c1a5e483694a301511f74d72c5df3986b9c9a078df37d6d1baaf1d1cef9ec6c2f384813a

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
1.9MB

MD5
3e3d3254d5e0efbdf1dd85218ef39bce

SHA1
fca5a665961fc0518946e32127cbbfbabea511d8

SHA256
894e957008ef5a4f8cba1e3523efa62150b51aca018512a2f1f40c62526a3b86

SHA512
92da41c526f20fca7b825e93e9842aec1919279c5c2241898c9912300c44ad4ec4f0cdeaa9ea9e1ec52f05bbd19fbe7bf024fb962d6ca4dab561bc547f156a82

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
1.9MB

MD5
e4d636ab52cc9e3e87b02508d10f31fe

SHA1
c881fb2e5031d96d7425870dedfdfea39d033db5

SHA256
cea0a0b95f1d09e1339531d6bbde40d7e2bb5f9abb9340b185cdd5396e046f30

SHA512
63759fbfd4d5346cb40c4210dda331e05f8507f49f1a5478152b9b45476fa0ee383d9ee657d4fa1645dfc289990869ed039f3032a2a3bca5830aa67ce7f68517

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
1.9MB

MD5
2e584bc8484758f13dbadaee084d9154

SHA1
43670194dbb060db614bdf0cbdfefc09215eb89c

SHA256
7daf150335ff512462f09643315f279ad79613d12acd186ab730b9be256a6c7d

SHA512
14ac16979735bcdf705a70eb1349974585e70b3c022f5217c5381ee9f3af41a3d27e16a50e7eb9645b449a1d656e7d8b543b74bb43da56b176f8f7133799c9f3

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
1.9MB

MD5
660b004d922d542b4832fa9f1740cb10

SHA1
7ded3ac26ba25ee9ea56b1501ca007a6c1f3683b

SHA256
7f2feecc25e00a088253d821e9e0c1a23ab3e912d95188f24ff1d9914e2b8622

SHA512
cc41407286d6cd3270843a87ff0d695be223575fce4c296652dbe92b73f386f235d941e30f8c6402f7fc85e6e97e266fa885f11a6fb0007b9a7801fd622819bc

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
1.9MB

MD5
af02265c7a6795661ec8a87612fe71aa

SHA1
af3c26be417c422ae7ca6bb8c6e2e4a5af2d22e0

SHA256
22c5f47d300b0cdac05aa57f0ad8e4ebaed846d91bad10e1c80350650a3965bd

SHA512
274e7bd7d104647673be5afd791aa969bb38ef277f51e65ee7ec4837e5a5c7aa821b0cbe3b0cd715bbab05256e7bb0e7151992bff7cd4f23c3b014be3908e96e

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
1.9MB

MD5
45e01523df0f84ca2983f8ab0b65cfc8

SHA1
b7483aa1b1490f6fa264e744424e061efb479c41

SHA256
167e936202959a2f8b1e8279fc7364d86c358e427dfe540b974ef19dc90aff82

SHA512
21ad5a91ade316715058d854e1a281201c6226e81d13ed9fc359a111c81a1f0e4e090a78feded5f50822bc933abb751ef067e61a92348a4e5fca2134fcba16fc

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
1.9MB

MD5
4c26b94f820ac6c8ff61196e12a39c0a

SHA1
1d5050f94d0c6d089912b6d9b02894e9ab52d51b

SHA256
279e64fc1d3257accc33bad26f22b988df874bb3674e20bb66390c746ced203a

SHA512
33a596dc4bf21240f127c69992482e5566781a1bd78722078de7e1627c1fb9b0b238fd2d29c0e1d1df0f105ee2e8aa54523eddcb0260f1ab76d9ac9068d01e8b

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
1.9MB

MD5
42272116c4615c2af4d3c09e43e0ae85

SHA1
7b95db1a2952a290cb1e8979657a8d1ce27bc773

SHA256
7a2fd624bc3ee5acd002300aa3e8e039c93340d4af312469a4c5c400853dbe0f

SHA512
c48459bd3d7c663e2fb2de1ff24a1a464e37acb142f2adbdb7cdaf0fe9e9e9787e798e63de0f27f14427b647841b03f490bfbeefdd615710068ff81809075715

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
1.9MB

MD5
88ddd3e830e78987937d3c3175ab7b1f

SHA1
39cad1539e8c6e53a37a4697d32eac8cb00e1b8d

SHA256
24fdb77fa7cae315dbf120a6c9bab577c259970020c91d4e0928fbfb825ecfd4

SHA512
70e5f8fe2734c944bd7bf1ed8837a4d0b68467acfe3ecb74537784f563f25fca80d8cd28d25d5536a3be87445503137c425230797f9a6b9709cb806dff736591

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
1.9MB

MD5
86ad32168138fe9205262aec81ca3217

SHA1
7ecabef3e854a7139c25af7d592b5a1fbdb6f794

SHA256
4f7bcf611eebf16bdec9945b7f0259e007ff0216ded109614ddef4ebbffa8ebd

SHA512
4440def05a9cd21a414b2357c8a1952a6618bc9f06813377121a0d6ae03032943ad6bac176ffddf23f206c943da04be1905d802ee94121a5d62811b7e45f0bff

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
1.9MB

MD5
eac5d38b76b9e02768b2d6af712006f2

SHA1
b55c305b9e9ae6144f590ff1df1d694e4374d296

SHA256
53b41e58beea0624ec75671b9089d54c62b4a31588d3e9afa6aebddb2c36a914

SHA512
c67bfb1d4f23717a82765b62e83c81a1b1d23b0b891a850995aa1096be8af22a6440ecdfc90d2076a7c6669ec714583a5dfff779c57fae890df7148a26f55c6f

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
1.9MB

MD5
d7c95c9a4a949b8a6ab0ef8e9701dd27

SHA1
75479e4486cca754dc6e5c4c7533c6543bbcca1d

SHA256
4eeaac772e57f280a47eaeab4a00a9604b57f238398e32f6ca1b6db8505c42d3

SHA512
c347750252fa7e9cbc6620cd589756d05b5cf9a982ef666d6efb170430c51648d49c31c733b14e177af135ce9b18241aac22272d16ac0f3446f210bef408e6c9

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
1.9MB

MD5
0b579eebddc15031739acc7144a5f159

SHA1
9ac784281124affd2c10b138defaa2af1ebbaaa6

SHA256
4d69dc8db9cab88209eb4a58927d71e428c192721b0db4c9aeb4192e2283f4ae

SHA512
0168033b3935ba9ff36e0a5f92707893ebeb12cb63ae0fca746909c305c4456e2e4ca1a826a11e8884d35d971fa47c1db65790384b088d73aaa2e77866ee9e2f

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
1.9MB

MD5
15a69039b16d515c9cf6fe1fad2cc9fa

SHA1
f89b6290f07b82caea74b992a3fb1b13ffdd9e8f

SHA256
071b063e68b7b1f4f2a16f54fcf1a4f7b06962f4de087a2ca8f43d51ffeeadb3

SHA512
455bfeeb0c0f81ef3b1488cffa6d84fc180277e04a78b92ea9d5745d7b02da7d4aad0517761fc88f1a5377e9394eac0c96bfdc100c804917ded739e103b9d9b0

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
1.9MB

MD5
ddd93eb40c33c9cf543fb0250ee89f3f

SHA1
709f550e2fb87c66d002f989609af717edb82cde

SHA256
99634f5d1c29cf30d0018de76fd8718b0b8a9e584c72dd759022102a8665a9cb

SHA512
35fa45bff223c89cd243015ce4cd33ae3ceca5f9dfac4f7e6e063ddc1b3d17e63f6693ea1b4ffbc0abccc6acec9b81ca8b28817a3e55d4f867002b8d96daec32

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
1.9MB

MD5
3c8236f76d621631d927a6a17106e04b

SHA1
d2d0719e0178c07a39e45986071c7f8816633190

SHA256
f4251af379696902f98692680c4a97f10df11bf4bd626569c7fddb0419803b76

SHA512
ac5a9b62cd8ca79e34a1b3ac4d323accdc634120a415f8fc00e9cc9c0ed2879e96d85cd97c0ee6e3b512cd5db88e197759a5e3a2ed659ca7d37e24eb8b8d53d1

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
1.9MB

MD5
88dd8898f976eac53eaedc657056d208

SHA1
f7d11d5583b1b0991776bb8ddd923465b64c5d08

SHA256
82fbbae1e6e827f2ba1c3134eb94c1596f8b281cd149372528010039f7108e2a

SHA512
4e0ded3008a678e51c24b80c786d075a3e40221eb13c06333d90bce8bea947541c16d43341a98700c03e2ce5769ad5941fe40a2147a1d179c5f2f2b463202aec

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
1.9MB

MD5
4ffbcda09f0ac02f96936980fbd91d06

SHA1
66406c6675f34bfb47b2fb1f11ff01ea21303a5f

SHA256
185590d5d2f921211f71d8c5589d248b3b6872035c7f02d32b24bf821863e274

SHA512
53adba19aacfcca01c9f4034c9fa1a02a5f4e69ce846bb7d1b3035aad988532c3361821e66b810ac923bd4d0e33291544157ebf01ac9ee308e5efd0b7b71f7f0

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
1.9MB

MD5
891126ac7cc4c166865f6e27ea28573a

SHA1
78b5fbb317a80a39704b46ead5ff47eea4af9b9b

SHA256
3c5c592d51460e55434a3477a4f43e9d339b386931354e9a1d750829db30b84c

SHA512
6722a2fa868aa9c3734c37e7ee6ee355010d71bbc3759426d848eb4f1326920a57b3f9de813894b7cd6f36781423a9e9fb4182786998848dfeb955bef5ce7c11

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
1.9MB

MD5
c7b0db94ee961b5ea389212fe8a4543a

SHA1
89d65c56fa1f242b365caf2d1c1d648c0ebc0b65

SHA256
24db09f3e4f02a39942742706c9cb7f6d9e95b78364eda5d4deb6b0cc7dff861

SHA512
a1140f2ee6b70ca6937c8e10bb1512774d568a16d8c9fc136e13c9e612bac64f591459ba819863b602a6a849da1a34acf0c2a3be9ee026a3f2e34a9177b50892

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
1.9MB

MD5
fe72354f02b78008478c88db7f8c5a33

SHA1
8e47ebe5c6692c903d733b8b1aa9d1569fabfe86

SHA256
652e1a7553b4619ce2591e141e391f5bdf05ef49f4f780fcaca23e0ea639002d

SHA512
b8344c6fa0594cf6f97e5f86073e9f3b11c07e6f5e0b6b56333a494a34b135c5fcd4db1d66e08f00bbf0982089e75b4e03a8d6e40a8de7b087a6a4caeefb40d7

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
1.9MB

MD5
9ea315427ec86485441f8cae756beaff

SHA1
b5d8b856aff2cb8bf994375f064684e4f951aa18

SHA256
1c878bf276ec1480e41d0f8ef3de5c4bcd6147b511ba19a267a2cf3812c571ba

SHA512
4b0223de7587c36027aaf76389b625b438d67649ced54e50db189430e2504c6f132d4976a3f464324cccb040b637764a4502d65b412a374dd525f0029c749c5c

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
1.9MB

MD5
f24777b18b302f9c0aa091d613f5b93e

SHA1
bae2df42c0b569d358256dea73fd38ee09dca4b3

SHA256
0bad6d0cf9c3bf870d79b7900a46bd08557d314404328dce0cf9e35739ef6c4c

SHA512
cddea1ab860d18b78a4b47667b15ec65fbc4dae032bfc4db8ba2d6a52ad39723066140c38401436795ca22462ea6dcd4672f9025cef0a40123978ef187e2b993

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
1.9MB

MD5
af989367f53046766ff85f98a0324c43

SHA1
1ccd197bb888a1e25db420b522595733f9075df6

SHA256
991b036d0de897bc66723186f93d1000c9efb55c97b8b7d024a7b088639930d9

SHA512
320b9ee1a3f3aa1bfa1258855d56ab30d98602f0e3b64168156aea4c21eade560ea2460eeb8e1856d6a43a7639904e2db03b73ce46170728d15fce94e00aaebe

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
1.9MB

MD5
d32739174085f95de369453e30bb3398

SHA1
ba26250c4fcf720b3c495f6c703cf52b571a6e4f

SHA256
2f85cda7da55c41c1c3d690666b519f96cd07e9b42e2b4fc0549ae9a57188f5a

SHA512
56aac997435582c2e2ef7c0795f6855f0ae19ccf391494dd1aa16d4554e0aeb481d44ab85e7c2e818355831f8f3a2394296dbe0864a805e30fa87f5b9bf46af9

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
1.9MB

MD5
21d2c1ef2908144e69880946fd535800

SHA1
69901acc3c4b48002f652effbc2693c729943842

SHA256
4a32d4a47c7d398b7a5bc0600f14b69701a914805979af7d884bcc1115ee71ea

SHA512
09ebd5dece8c6f37c77be9964e9e5a6a81e97d99a373e29f519a1b46f181af1845e0944959fd5af1b820f571e7a5400650342f4c896e8b6c6c25a26057413d0b

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
1.9MB

MD5
176796201f7c8ff3e6454538e8e3899c

SHA1
f58a26fd9c639ec3b660a0f170287ee3c77fac48

SHA256
6ae027f0b81dd41a1a7866a1009aaae7b65fe892f3d3af5edbf330bff5d30dcd

SHA512
926201ad08e831e98a89ec0adc1baf64eb6518c095f9157502f483ddfdf7b7f7c998762b47c085bc7a7073a0e09bca2f1fbc1a1baf512af827bd50ff8d2c2e95

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
1.9MB

MD5
18b2b498a288f235a2abc0c7d3963634

SHA1
be60fdce30597397fe578e33ee5214e65c7b47b2

SHA256
586691d551cc76d0fa7d05b91eca4e54bed5abef4dd938821961a96bd21697a4

SHA512
0898a60e3fb0b602b7fda96a597249b795ae8ffd982a6c287728cf3a5c75e61a5fe85e48302e3c01d9d5b153c4daea88a72f140280f4522dca47dfe3836fbcf6

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.9MB

MD5
d4f1fd880fa6f233964feae4a80a4f1c

SHA1
e7e569fe771ef8d1598395fc4b0b08b83de4b97a

SHA256
a095a69690ca75c523186b1f3595d75ac1a5fda77e731ba30cb11098b9835705

SHA512
252bf3d75e705debbb98679b9df75c98ac3cffc1eeb61d8fad82d729bafc7df5f7a0bd026079fecda061aeabe1ad6614e3fc6305110ec2fe4fbbec1b2216cd7d

Download Submit
memory/228-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-858-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-3-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3304-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5332-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5960-798-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads