607ed1803a64a5481502ba743c779229ad2c59f8427e947b2c0f8d7134e38f56

Analysis

max time kernel
138s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe
Size

1.3MB
MD5

e9c5830d3dd5bf5b49e91d92870c68a0
SHA1

aab10aa06f665a91a4a7badec24ed9fd759ea744
SHA256

607ed1803a64a5481502ba743c779229ad2c59f8427e947b2c0f8d7134e38f56
SHA512

fe573eeab673da4693673de28448183f572d3344f7dacdcdf74d14942751bd59eaf764dafa16ede1bdd78d9bdc5c713252853808dda4df78819308424b37c2f3
SSDEEP

24576:WH60wsjbPRIcXV125IjsaK2cWfVaw0HB48r8ABY:WH60wsjbPRIcXV125IgaK2/8r8YY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe

Executes dropped EXE 64 IoCs

pid	Process
1152	Fbqefhpm.exe
3800	Fmficqpc.exe
776	Gimjhafg.exe
4732	Goiojk32.exe
4952	Giacca32.exe
4532	Gqikdn32.exe
5072	Hclakimb.exe
3884	Hfjmgdlf.exe
3668	Hpbaqj32.exe
4764	Habnjm32.exe
2228	Hbckbepg.exe
3112	Hmioonpn.exe
3928	Hpgkkioa.exe
2700	Haggelfd.exe
3268	Hcedaheh.exe
5100	Hbhdmd32.exe
1056	Hjolnb32.exe
1060	Hmmhjm32.exe
4656	Ipldfi32.exe
1000	Ibjqcd32.exe
3908	Ijaida32.exe
2820	Impepm32.exe
3012	Ipnalhii.exe
3996	Icjmmg32.exe
3480	Ifhiib32.exe
4944	Iiffen32.exe
2024	Imbaemhc.exe
4068	Ipqnahgf.exe
4324	Ifjfnb32.exe
1668	Ijfboafl.exe
116	Imdnklfp.exe
4008	Ipckgh32.exe
1960	Ibagcc32.exe
976	Iabgaklg.exe
3960	Ipegmg32.exe
2640	Idacmfkj.exe
548	Ifopiajn.exe
2184	Ijkljp32.exe
1968	Imihfl32.exe
5032	Jpgdbg32.exe
1676	Jbfpobpb.exe
432	Jjmhppqd.exe
1108	Jiphkm32.exe
5008	Jpjqhgol.exe
4580	Jbhmdbnp.exe
4632	Jfdida32.exe
344	Jibeql32.exe
2408	Jaimbj32.exe
5060	Jplmmfmi.exe
2376	Jbkjjblm.exe
2236	Jfffjqdf.exe
1132	Jidbflcj.exe
1492	Jaljgidl.exe
5028	Jpojcf32.exe
1224	Jbmfoa32.exe
2364	Jfhbppbc.exe
1928	Jmbklj32.exe
1436	Jpaghf32.exe
2012	Jdmcidam.exe
3992	Jfkoeppq.exe
4552	Jiikak32.exe
1952	Kaqcbi32.exe
4092	Kdopod32.exe
1588	Kgmlkp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4972	6052	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1152	5096	e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe	83
PID 5096 wrote to memory of 1152	5096	e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe	83
PID 5096 wrote to memory of 1152	5096	e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe	83
PID 1152 wrote to memory of 3800	1152	Fbqefhpm.exe	84
PID 1152 wrote to memory of 3800	1152	Fbqefhpm.exe	84
PID 1152 wrote to memory of 3800	1152	Fbqefhpm.exe	84
PID 3800 wrote to memory of 776	3800	Fmficqpc.exe	85
PID 3800 wrote to memory of 776	3800	Fmficqpc.exe	85
PID 3800 wrote to memory of 776	3800	Fmficqpc.exe	85
PID 776 wrote to memory of 4732	776	Gimjhafg.exe	86
PID 776 wrote to memory of 4732	776	Gimjhafg.exe	86
PID 776 wrote to memory of 4732	776	Gimjhafg.exe	86
PID 4732 wrote to memory of 4952	4732	Goiojk32.exe	87
PID 4732 wrote to memory of 4952	4732	Goiojk32.exe	87
PID 4732 wrote to memory of 4952	4732	Goiojk32.exe	87
PID 4952 wrote to memory of 4532	4952	Giacca32.exe	88
PID 4952 wrote to memory of 4532	4952	Giacca32.exe	88
PID 4952 wrote to memory of 4532	4952	Giacca32.exe	88
PID 4532 wrote to memory of 5072	4532	Gqikdn32.exe	89
PID 4532 wrote to memory of 5072	4532	Gqikdn32.exe	89
PID 4532 wrote to memory of 5072	4532	Gqikdn32.exe	89
PID 5072 wrote to memory of 3884	5072	Hclakimb.exe	91
PID 5072 wrote to memory of 3884	5072	Hclakimb.exe	91
PID 5072 wrote to memory of 3884	5072	Hclakimb.exe	91
PID 3884 wrote to memory of 3668	3884	Hfjmgdlf.exe	93
PID 3884 wrote to memory of 3668	3884	Hfjmgdlf.exe	93
PID 3884 wrote to memory of 3668	3884	Hfjmgdlf.exe	93
PID 3668 wrote to memory of 4764	3668	Hpbaqj32.exe	94
PID 3668 wrote to memory of 4764	3668	Hpbaqj32.exe	94
PID 3668 wrote to memory of 4764	3668	Hpbaqj32.exe	94
PID 4764 wrote to memory of 2228	4764	Habnjm32.exe	96
PID 4764 wrote to memory of 2228	4764	Habnjm32.exe	96
PID 4764 wrote to memory of 2228	4764	Habnjm32.exe	96
PID 2228 wrote to memory of 3112	2228	Hbckbepg.exe	97
PID 2228 wrote to memory of 3112	2228	Hbckbepg.exe	97
PID 2228 wrote to memory of 3112	2228	Hbckbepg.exe	97
PID 3112 wrote to memory of 3928	3112	Hmioonpn.exe	98
PID 3112 wrote to memory of 3928	3112	Hmioonpn.exe	98
PID 3112 wrote to memory of 3928	3112	Hmioonpn.exe	98
PID 3928 wrote to memory of 2700	3928	Hpgkkioa.exe	99
PID 3928 wrote to memory of 2700	3928	Hpgkkioa.exe	99
PID 3928 wrote to memory of 2700	3928	Hpgkkioa.exe	99
PID 2700 wrote to memory of 3268	2700	Haggelfd.exe	100
PID 2700 wrote to memory of 3268	2700	Haggelfd.exe	100
PID 2700 wrote to memory of 3268	2700	Haggelfd.exe	100
PID 3268 wrote to memory of 5100	3268	Hcedaheh.exe	101
PID 3268 wrote to memory of 5100	3268	Hcedaheh.exe	101
PID 3268 wrote to memory of 5100	3268	Hcedaheh.exe	101
PID 5100 wrote to memory of 1056	5100	Hbhdmd32.exe	102
PID 5100 wrote to memory of 1056	5100	Hbhdmd32.exe	102
PID 5100 wrote to memory of 1056	5100	Hbhdmd32.exe	102
PID 1056 wrote to memory of 1060	1056	Hjolnb32.exe	103
PID 1056 wrote to memory of 1060	1056	Hjolnb32.exe	103
PID 1056 wrote to memory of 1060	1056	Hjolnb32.exe	103
PID 1060 wrote to memory of 4656	1060	Hmmhjm32.exe	104
PID 1060 wrote to memory of 4656	1060	Hmmhjm32.exe	104
PID 1060 wrote to memory of 4656	1060	Hmmhjm32.exe	104
PID 4656 wrote to memory of 1000	4656	Ipldfi32.exe	105
PID 4656 wrote to memory of 1000	4656	Ipldfi32.exe	105
PID 4656 wrote to memory of 1000	4656	Ipldfi32.exe	105
PID 1000 wrote to memory of 3908	1000	Ibjqcd32.exe	106
PID 1000 wrote to memory of 3908	1000	Ibjqcd32.exe	106
PID 1000 wrote to memory of 3908	1000	Ibjqcd32.exe	106
PID 3908 wrote to memory of 2820	3908	Ijaida32.exe	107

C:\Users\Admin\AppData\Local\Temp\e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e9c5830d3dd5bf5b49e91d92870c68a0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\Fbqefhpm.exe
  C:\Windows\system32\Fbqefhpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\Fmficqpc.exe
    C:\Windows\system32\Fmficqpc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\Gimjhafg.exe
      C:\Windows\system32\Gimjhafg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        24⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        43⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        44⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        51⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        58⤵
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        59⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        62⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        66⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:964
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3248
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        74⤵
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        75⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:516
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        80⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2808
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        82⤵
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        83⤵
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        84⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        85⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        90⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        101⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        102⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        104⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        105⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        106⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        107⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        110⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        113⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        114⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        116⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        118⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 420
        119⤵
        Program crash
        
        PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6052 -ip 6052
1⤵
PID:6112

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkmdbdbp.dll

Filesize
7KB

MD5
7f339a440c4b2d3bcab47e7396b8a9ad

SHA1
60d3ab38bc58c0227dfa2a7575b5d48b942c9634

SHA256
8cbef2a6cfb5dcc6f6fa81c0145ec181a6265160dc06c8812ff79b6dc7792a51

SHA512
e5e3c1073834b9088a988b6c8a7a31cd1b4a35dce1cde66d2931ca56dd8dbfaa5ad0dcdb5090bd480b9148208ef00429a178760b65135d96e547bbc0cebfd4ec

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
1.3MB

MD5
f37631e33ab706915aec11740348dd44

SHA1
a9cb1cecab326b7f5d40d448a86c408cea09a0dd

SHA256
cc51e48ed837046ee772c12e2a01657abd8ecc666866320e20b151022066c881

SHA512
dad17e6437dad04b16a8ce7ab4594bee76ed5e4da02d13adb7e3385bb1ebaa44922bbdcd7643502cdd21730dd555e0e24437de1ce70f3041550a8b4d67665d2b

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
1.3MB

MD5
b988f8e4d92a7db657ef9e017e2d3078

SHA1
28f15a8a22583fd0bc41478e9c334fafa8fc4ff9

SHA256
357476c2d1fab1718976466b50d1e5a612c85c16a850550c5e3f5cf649ed1629

SHA512
9bc81de6f81f81414604b56f474ee49b2aa437792adcc4d69dc0d753cd9f981435c5db77ace2e50f0755ff4dc6310e8240366ed343b4e6808311518147470a33

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
1.3MB

MD5
a6608f2ac9621626db4c471aa1da2a23

SHA1
fdbf9e397b261238589c9291922988d3c8c48686

SHA256
0e8b61c9967ac90ebd57064d5b965d14ca27a4fb3d36ace0d9edca8c50bfd411

SHA512
413e4321ab0e0ee7e04512689102d2c55082c4964800ca6f8b33384017208d62e7397eb08376d7d0dac42b4a6d5903c2a3e3e2d180a8f89a13a733d102fbb445

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
1.3MB

MD5
e82d3d99856175075f6c8a593ce776df

SHA1
bbfb855fcd409c2afd82f8360a8f457359ec087f

SHA256
3b7b2cb34bef75a37cdb63aa32e00f7d35e063e20ce8167399e40f25b155b60f

SHA512
f7511c6d4b50711cc4ea2f6e181c5bceed782dfd1b1eb63642f709012b9553966b153a35af55260db6dd1cc35f99595aae42250781929f897e6cdf8e0bbeb3ce

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
1.3MB

MD5
e11f5ed10e84302db053cf3f65890bb5

SHA1
5dd61446f456627a97f6cb469c978f1e37c77726

SHA256
3e97246e7752534c0165fbc5c38969d47880e91316b477ce3dba5b013ff1ce47

SHA512
518fee1a75e29ba1a342fb9e70dde16ab05cb8e5e1fac0e989e2f5a5f8d9b142e8927a904317b3c4d5991eba45e0c035affc1b2376b96e542eecc5b7a3f31b59

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
1.3MB

MD5
a6a5a6fe7e879491c7c1cfd3bcd0efdb

SHA1
73694e54e59bf122d79505dcd3a22b0c0f6b1cb9

SHA256
fda3bfb6a4947d924ed7035df5adb57d664830e49f66b6ba2f03addbdf2d5482

SHA512
aa6fcb0bca2f65f21fc9c6acb25e53260e8aad1ec009f6c765ad62f3a6ba4e88c4188889611cd029ed3568895cbcb78d4cd8eb3e17eaa6c85d3ea9d948b754cc

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
1.3MB

MD5
5651bb814ae1f517ff44f3cf9706611e

SHA1
682c875e867416f191c3e6e4aaafc5206b5a955a

SHA256
69cfbee3ff8635f5a73f8ae186f6bce751608e7083ebcd70223a9a8b87bbb0f3

SHA512
796560bb572448e32fc9c3e9c7b76ff9af5443e716a923858b47b3f1bcb41271e424ac1360ff7d4f10dbbdd194a8fcd394aed227c196046c2c16fb36d1a6b912

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
1.3MB

MD5
0cf73c01d1d3f8bfdaf7f8b37bb349ff

SHA1
5a3a373be595cf260cec60d23ab25d5c896668f7

SHA256
481295c2b04e7993d0869e70d213938717011db7d7b81ab1438d9f838e6078a3

SHA512
167bec20a0080e0f6d58de85c86e532a57ae69451f4bc40210ea04c424a22d9dae0921aff72985eccc638c35e27c71c6dcaec21ad836bdb1ba680974075d68a6

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
1.3MB

MD5
73cb4cef99968ae81a5dd715f805c600

SHA1
0ea7aa580d09300f2a3a325790b578dc1dded82f

SHA256
cee591196e9e7fa14e16865333d1dc1d9cadcee16706c8354cc4289c5bc1fe49

SHA512
6755a8ef4d08c318166abc38ace9aedafdcdca2d687004d97acdf8da1c05bd09dbaa64a3e94458917a18e02a400c3c9e6de29af7e5b649a289c0d9f277373590

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
1.3MB

MD5
77238cc59e38f0befb0f55c26a181a33

SHA1
472322d00222b4e20d91573355f01b1c0e88d0c5

SHA256
8b67058dafc9cd5c4c7a10636952151a18175ab0c05a290b2621653a85ff41f4

SHA512
3b2a151baee48eabb6d8c838f6605b3a59e3cd8ef0866a4243595a5a78ee497da0cba70c17b34a6fdec8a63b57a7820a8d98353b3de75aa1e3d7a3bcc99e0751

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
1.3MB

MD5
011b7945278a2cbfcf874bf97de8b034

SHA1
a80ef49e855c6a3574536e7bb1ee9e976e8ffc47

SHA256
c6995ecb3cfc3ec61842bb002d896b4618d0b43d42e591a74410b1b2b42aa515

SHA512
2154e04da344f576f3f193f2cb8af7d7b5b9fb0d1e77820790f53e635cb2902f76689a702d8b21acd8049ad958651c572409deb36754992967a915abc83b6116

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
1.3MB

MD5
9fb22b0e6575ccfdb4ee804e0dec0ada

SHA1
ca00f198b9af0d38c7a16954659e1b82f113ad8c

SHA256
46b99ae4ef1ee1cbf9f9b84e35a4675b110b5ca4402e495ef6ab722c80ee0818

SHA512
4328c32f487abc615121fdaca0b671a0ac7fb50ea0f87d9d2f6cd76dfafde6e6755275ac0743fe4d071a22be8174525f3fedf63a0e69f4d2bdace61a79b563cf

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
1.3MB

MD5
22a80c7a922cecaaff907ec6957cff14

SHA1
b9dbc1cb4ede150f0ef5d624b758ce23fb3d7341

SHA256
bd02a40e26233b78adf98f4a92ab0cf38acd59e759e1933a38540a93079288ca

SHA512
512d586b81989bbe725c12e88f22fc27880be8511372e933e0b7ce85c1c1a703731d4bf1eb0febb8d10c8156a6d6041819102d5836eba8d7910e94a07c0733b2

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
1.3MB

MD5
d09caf86d9e2af5430a5caf801bb9849

SHA1
cb52da9c4c2d5e6cbf6ba858b3b4dfbd0159c448

SHA256
54245ffc9a8e1d2e3bea7b3bd5c9a79933df5a9f33d4b0e3cde7c6659c8970a6

SHA512
0c12f3fde8b2815f278377188f0cfaf7cd6ce4680b16ce63237e220aa660898ad54bfcb76cdc3eeade931d8ec316503e73beb53d0d9a6c5377ad00901b6f18c0

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
1.3MB

MD5
2d0503b6b07cc3f67356265ba15cd72a

SHA1
38d1d58be9b0bc0adc6798d1e56719aae4fe76fb

SHA256
5f4d445447f182b5ce3078ce6416f48ede6c0c12243c346907924c03d6afd407

SHA512
ddc0ed286214a219ee48a110b7f6e9cceb065d5ce6d3a585ffe9cfec6554e5b1a04f453c5312ae34fe92927bde0a094d01f80d8e092de34625f4168a1943c3aa

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
1.3MB

MD5
3a00dbf49462e1af610c298f3a7b4f64

SHA1
034d6ad95c668440b9dde116b3ed1fd8d3ffbd8d

SHA256
6db2323ac106ce0418dd9442b8db593009bff450290f01f1f2b09ed984088c3e

SHA512
6508e9db8284bf63b758c5fdc39350d2ee735b05213357cc23e274058302afb7ba634f676df21bd9c97da7c83cd5b78daed99ae73d08f5ce60e6ef03cb04a47f

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
1.3MB

MD5
9202bdd8eab6606628ad6122cb1dcbff

SHA1
12ee63b2e89815e3294bf662a3f37041101e1808

SHA256
d0ac60ae559bfa110f7ac43b7199264127bf97780d2c766032e69baa1b9d7ed6

SHA512
9e499ec82090413a625d09a86f388bd7f35414ce300c718d7c2136005dc229186b4351a3c34b2be1300583ddcaac683ef408415bdd6708b49f40c3547c05f5af

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
1.3MB

MD5
6313793e8df3f1e89b59375f0ad5e33e

SHA1
61ecf9bfcdfac5c9fc807caa247431e9c043903c

SHA256
56ca03d7ab74369fa88d2fd9ead6fd6d626a578d949050762f9d27f6ef26f60d

SHA512
fd77401862193359fcbaeef403a93731fa46b414a312bc3c469d5537227a1167ecc4b399248023dfb040f7231bfa9c3affea69be239996bdc7f0ae1d4cd0fdc2

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
1.3MB

MD5
0a9ad9adde12812fae0e81149cc69dd5

SHA1
73e812023449e146063a1bc057a6a1a27fe0c386

SHA256
9d9e0e46523dbe1b9d647f9d2b9e50948859a1417edea1848209a14e6996a617

SHA512
47fad0fde9a70add662081bb1eb25d20e2cbe65e10b5837e40d05fec66eee22162513ce12b7ac3aa5c01edb487fe255e53723b4f2f56830c2c716d3a7debbfa0

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
1.3MB

MD5
fa433b07101e3c1759b2e072db0caf4d

SHA1
a1a42804763dbd3404eb9d945025db641fbe1fa6

SHA256
6f69d723a13fbe733ef7229deebba3b2a55976cc38f136c3ec6b8ff4d3144aec

SHA512
e46bd37258a559347e1299ff93e6d4df6d77e45f7bbb1c27c4a050373ba9acf35c4587a7630f1f889dde015f0d4ac82d281c0c000d53ac0f5370741cb7500761

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
1.3MB

MD5
0206a59a5621b525398a909a634fd0b7

SHA1
1727f05f218c2fe5251a5a75922bfdbcb34ff5da

SHA256
fdfd90493bb6664eaeeff3d16e0bba54a780db2236e3e9a5b2e9fca0faaba382

SHA512
955623a05ffa6efb893e3f2cf34ed05470ec4acde439c290de953b2557f37ffc78bd4916df49004455e958ce7b60397727f04034d4dfd332df3708294fa8894c

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
1.3MB

MD5
cc87f5af33c8e25e5b460b7df81d6a14

SHA1
04860d9ae7125b45c36799b1bc0b9383d0eb1e90

SHA256
e6411a16f61c1fd52ae10d31be31b31b82118d03c081ba1458debdd34748f3de

SHA512
301110553538a9a51273afa1fdf10a07e8680099d43464b25be78950dedfc379d46523f3b0544f75c3da642df960078133f8305a2ca56ce57213d5280835fa28

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
1.3MB

MD5
886450c7c27248fa6223f82bff47bff1

SHA1
5bf2ba95bd78fc1efd97ba11df6e01b22f0d6bf8

SHA256
db7398aeec8cc1f459eb52a449e0a50742923ddb543240b8f71a617b0530ad43

SHA512
7ab9e9f1ba7b7aeb6f5b106941b931039f3bbb0dd405046c1ed64a702fd4554484c1c0c10a24029157c712c9a76a26685ba3b6e1bb65f3a9ae4153bc6716285a

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
1.3MB

MD5
618bebab354c6e106d35c4b6f7038cbb

SHA1
bc63d00011308f59a5dcba670dc0000064a51186

SHA256
55384ea51e4bab42376342d129929e49e532433d6eaa7ce251da511be894524b

SHA512
a3bd11b656faab2ce20c5b7182bd648b919d035f1efaea7fdce46e5d4f0abd8fb90a594f0cb3e3bed774f05247bf52b6495c3df90308313f910aa4f5e6099e47

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
1.3MB

MD5
d959d3b0de2419e92577c45dbabd5824

SHA1
b9c244260c6797e5122a1913dc300a537bfe8bbd

SHA256
0f984cddc6e5c6ab24cd058f2b826db90ec9e2d71df859b8f36fde91824b005f

SHA512
8b2c314edd2414adebaa1468cfbab5346c8e1f8ed76967f8df7960432cc77a9102eb150e96377aec3e6365c046afad84ea12402063d81477240667d26750552d

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
1.3MB

MD5
378e7aa4b464a5301a49109ca91fc471

SHA1
cc67da069a993e7b371bb0600ed5e585dccb6ec6

SHA256
585e7fca915ce8ae45a824c888a9df5ef212ca84c4e0aadc5775151acfbeb514

SHA512
69b124d61d0f667c7f0a6bd70522d5f54a41c81e56b037194e63ed6117685d0259db28fd69ab3f8e94e3edb97ec5717b6f3a7bdf4d9cca8be8ff9dffbdf5b6a1

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
1.3MB

MD5
03162012f7318718c720c4a1e059b5c2

SHA1
c53c55f4687d9ac6d5e4f5646c9fc48c36c32079

SHA256
895361b86b6c8538bdfe402f72c2bf21e66b69fe8e55dc2aa11e3bd28aacb35e

SHA512
35594dedeb516f8c82a7021e0df0db5e60d38c307f6782f5c7da035a1bd754a01f5bfbd7e66684db46f18da23146592559c44ea1622d9961cf6318d3beb0a9f3

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
1.3MB

MD5
e4fc8236c6e9d48164f11d9e88c4f55a

SHA1
c62ae0438b78517c202dfe2abcead1e692e692d7

SHA256
9c31a04e41a7537a5bdfffffe1fe9c53cad0c25ca9022c4ad0bb77aee4a0004e

SHA512
96027605acbfcc19d9a505f811886345046105ed07708b260b9a3252afcc3fec013e028622c1902f38106f8ab089d9784b884f72cdb499eead202fe386fd0918

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
1.3MB

MD5
97e371975d66b4ca9fb47869df241181

SHA1
5b2049c5f37d963f117d969f659f333cbbfcdc54

SHA256
4850a90a9d4bd4c2c9c416fef66a7356da9a906b702e43619b5fe049e0895ec7

SHA512
9d92e5f26c508b4cb937481fa8f47c940941fd4b3db4ea9f8080d85fde70b0286142c2c9111680527d84764034733245493975b27f24bbd7f7ca2a9e79621f83

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
1.3MB

MD5
08a0d559e58a032cf49e410b872a7009

SHA1
ac873f40f7ac75c869380d82e0774aee7347ab28

SHA256
daeef9920e36128491e5b745a45b60a67f524598071d279706df365a791d7633

SHA512
bc64b94a2365a8d77dad329affdca9132cfb96c75fff88e256f448e2655cb8aab6ec269762da845749d466e9e98f400a47a6148bd8923396c3b5736774fe0593

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
1.3MB

MD5
3b3e1a29fcea2c240a5dc03f63dcb9e5

SHA1
fcdd78edfb384c67a8884e15965cd4351587ce8d

SHA256
e5b24eda688b1f4b57f5fbdc8a18c95263bdb9174b0e88781d5f2c19a02f1309

SHA512
70d786c9f5b5ebfff9f2fe82698dbcc22900a2bf7e48a01dc33c4a87c8ea45fd643cd19978c44fe93444f11763611965ab6ba56f58753462393eb22423c6ffc1

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
1.3MB

MD5
212a7faec314129694db098ab21befcb

SHA1
04f8c2fa68452bbdae882fe2cca750b5acc37e4c

SHA256
ab1628161d85b03863da33184dba2ed7f50048d44b90ed69db4a428ca054eb14

SHA512
eeac7c9b3cbdeb9632a7dadd26037abee14a99ce49c08365d9d056eb4beb3091be43e1663523eb8167b96fa2333b5eae2c693deb0606900fbd838a107eea68c9

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
1.3MB

MD5
be5221c84bc41b59ca6f76c761317000

SHA1
2c9f6eda61d210b7d8231acf72426e9e745fbe34

SHA256
8de1912e0224e106e5e9af981b055febb0a48ed320a091f458e2a240aa3f28dc

SHA512
24fc217e200747a37f58da1b0a8063e085f632685e010f6c8966fb766cbfef7a2ea904997ae7f4e1cd0b128e0b179e3d629a717762c827040ac6757ed4f8697a

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
1.3MB

MD5
bc7a0705c3966de772366519de5957e9

SHA1
99dbaa1ad32d7bf2cddc08aa0c588869df904ba3

SHA256
56a1f098be0dae62f87fb486116c1334bf2c3cc655674f7f58b7acfbad8ff100

SHA512
688155de9b97c433edce54fa834b0b19272d92bd68b82d2056f493de343952dc7dcf3179c7ff076cefb5ed32a836748e3282dffb457ba037a9fb264f3ba8c401

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
1.3MB

MD5
5c9b51cee908f6ed720d4795dd4bf02b

SHA1
42cd627a58d50b126c35c9a61db8edd5fc8e409f

SHA256
c7824d6969b7e8fac0eae93ef2b3c265b1bae17005f9c175c2e181a2e8e102de

SHA512
12e0e231d53b34a6230a8c40e4d12c628e14f8bb2719a8e68f3cad22cd8f57d931567444b4ffe81fa6a257dbcfbb7eeade4512d439876232a6595a54488088f7

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
1.3MB

MD5
e3295e262628d62677605a46e0080616

SHA1
11e41eec865c2095fda9d55816f341705054773a

SHA256
08a93d6c59f78727294f30aa78b6dd6a9487c206c8f8f027b2f7d4f11109c079

SHA512
5c76379abc885cf8cab17ba561823fe0e5961f84b8fd67a899856522691e876137871e73ab664c854c4ddf6fd66470cd8e04e66a4c01a48e37907b804a69b428

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
1.3MB

MD5
e6645c97605a1c4e8729f6e1dab92363

SHA1
89bc45d2e17a8e3471238d0a7068a196c97708b7

SHA256
e7ea7e72a5bf3e75c7befdcf574e4c171cbf59086fa9d8d73f31368ed6fee9de

SHA512
3b10e494bfc0fe6fa45f644e5d6452e0171abb34a38e31f7ab9f3b54ba98971d5f5749df7a35f8290ddfc7601bfb8dc607a53fefc1e7da895b2593297db8eb6b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
1.3MB

MD5
0ab3ede82798ceac0caea69661aaefe2

SHA1
17bf9c63dbebace923beed4182b8aa90affb323b

SHA256
9b8e3d5eb7f9fc0de4f8cdb2e51da7c0b97eedb34901c23bda21835de280dbfd

SHA512
f4a4adcaa6a56655f12e3e6c2a15c7f06d4380947057a6c8f7149f84627ba2759c4b099e11b67aa2daaff333779130c638fa151559c988124bb24e18c1f855fb

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
1.3MB

MD5
c07a7c8171f016202b70f8e1eb8e088d

SHA1
36610e888afe024118febfb8da606b25eb4e6296

SHA256
60ca9ff3d847a958610ef359b210f879fd459d8549b341a4859550251168fbca

SHA512
fcce0b635568ea5d8a06cfd243c3ad571527615553379b5cbe3ee742cf1bc082edced96c3197c7941fa5f5cea2051864377afd36da53144f7cf814ce50fe5cd8

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
1.3MB

MD5
1bddc76891ff8c1bac5fa8f0221610e5

SHA1
b4b9141c95b5f7067e9e93648dba748ff2f1e883

SHA256
5d0a167494923a57391a5acb8f2559e883fb074dc3c5a2eebd39053902e20546

SHA512
f24a3b89c6d794a72dc2b4a76e750add752e58694484f000468bf3a8bec6ccb377a16e161f71630e3923001b18452055974aa12bc98899824fa91638d6d6d262

Download Submit
memory/116-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/344-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5188-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5500-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5680-775-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5764-601-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5808-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5852-615-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5896-621-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5932-624-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5984-634-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads