0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05

Analysis

max time kernel
80s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
Size

78KB
MD5

349992fb786325e13b2d76358c77d1b0
SHA1

34bd9d2674fd45803fb5238b1c0e418825f4c77b
SHA256

0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05
SHA512

5e0485b2deac54c54dfb2aa93ec67c7957d417b119b26670ac87a3f16143dc21ca2e5fcb89a8221f57a35b8095fc05128b97964795a32805db3373e62ce96947
SSDEEP

1536:E168o5mjwupBBXaie3o1IkIggsJVHcbns:G68oUBXaiecIogsDes

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe

Executes dropped EXE 64 IoCs

pid	Process
2720	Gcpapkgp.exe
1340	Gfnnlffc.exe
3620	Gqdbiofi.exe
3556	Gbenqg32.exe
4480	Gjlfbd32.exe
588	Gqfooodg.exe
1528	Goiojk32.exe
1012	Gjocgdkg.exe
448	Gmmocpjk.exe
5076	Gpklpkio.exe
3116	Gfedle32.exe
3092	Gidphq32.exe
2152	Gcidfi32.exe
4632	Gifmnpnl.exe
2432	Gppekj32.exe
4832	Hboagf32.exe
2316	Hfjmgdlf.exe
5080	Hjfihc32.exe
4408	Hmdedo32.exe
4192	Hapaemll.exe
2324	Hcnnaikp.exe
2588	Hfljmdjc.exe
1216	Hpenfjad.exe
4072	Hbckbepg.exe
544	Hfofbd32.exe
1996	Himcoo32.exe
3104	Hmioonpn.exe
3348	Hbeghene.exe
1916	Hfachc32.exe
1472	Hippdo32.exe
1600	Hmklen32.exe
3268	Hbhdmd32.exe
4372	Hmmhjm32.exe
4268	Icgqggce.exe
4184	Ibjqcd32.exe
1524	Impepm32.exe
2548	Iakaql32.exe
5116	Ifhiib32.exe
1648	Ijdeiaio.exe
2488	Ipqnahgf.exe
4976	Ibojncfj.exe
4744	Ifjfnb32.exe
4920	Ipckgh32.exe
1744	Idofhfmm.exe
3732	Iikopmkd.exe
4460	Iabgaklg.exe
1628	Idacmfkj.exe
4792	Ijkljp32.exe
2496	Jaedgjjd.exe
2400	Jfaloa32.exe
3088	Jmkdlkph.exe
3232	Jagqlj32.exe
4520	Jbhmdbnp.exe
4932	Jibeql32.exe
4496	Jplmmfmi.exe
3632	Jbkjjblm.exe
220	Jmpngk32.exe
5092	Jpojcf32.exe
2936	Jfhbppbc.exe
332	Jdmcidam.exe
3756	Jiikak32.exe
384	Kdopod32.exe
1328	Kgmlkp32.exe
1640	Kmgdgjek.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5672	5576	WerFault.exe	197

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gfnnlffc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2720	2984	0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe	81
PID 2984 wrote to memory of 2720	2984	0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe	81
PID 2984 wrote to memory of 2720	2984	0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe	81
PID 2720 wrote to memory of 1340	2720	Gcpapkgp.exe	82
PID 2720 wrote to memory of 1340	2720	Gcpapkgp.exe	82
PID 2720 wrote to memory of 1340	2720	Gcpapkgp.exe	82
PID 1340 wrote to memory of 3620	1340	Gfnnlffc.exe	83
PID 1340 wrote to memory of 3620	1340	Gfnnlffc.exe	83
PID 1340 wrote to memory of 3620	1340	Gfnnlffc.exe	83
PID 3620 wrote to memory of 3556	3620	Gqdbiofi.exe	84
PID 3620 wrote to memory of 3556	3620	Gqdbiofi.exe	84
PID 3620 wrote to memory of 3556	3620	Gqdbiofi.exe	84
PID 3556 wrote to memory of 4480	3556	Gbenqg32.exe	86
PID 3556 wrote to memory of 4480	3556	Gbenqg32.exe	86
PID 3556 wrote to memory of 4480	3556	Gbenqg32.exe	86
PID 4480 wrote to memory of 588	4480	Gjlfbd32.exe	87
PID 4480 wrote to memory of 588	4480	Gjlfbd32.exe	87
PID 4480 wrote to memory of 588	4480	Gjlfbd32.exe	87
PID 588 wrote to memory of 1528	588	Gqfooodg.exe	88
PID 588 wrote to memory of 1528	588	Gqfooodg.exe	88
PID 588 wrote to memory of 1528	588	Gqfooodg.exe	88
PID 1528 wrote to memory of 1012	1528	Goiojk32.exe	89
PID 1528 wrote to memory of 1012	1528	Goiojk32.exe	89
PID 1528 wrote to memory of 1012	1528	Goiojk32.exe	89
PID 1012 wrote to memory of 448	1012	Gjocgdkg.exe	90
PID 1012 wrote to memory of 448	1012	Gjocgdkg.exe	90
PID 1012 wrote to memory of 448	1012	Gjocgdkg.exe	90
PID 448 wrote to memory of 5076	448	Gmmocpjk.exe	91
PID 448 wrote to memory of 5076	448	Gmmocpjk.exe	91
PID 448 wrote to memory of 5076	448	Gmmocpjk.exe	91
PID 5076 wrote to memory of 3116	5076	Gpklpkio.exe	93
PID 5076 wrote to memory of 3116	5076	Gpklpkio.exe	93
PID 5076 wrote to memory of 3116	5076	Gpklpkio.exe	93
PID 3116 wrote to memory of 3092	3116	Gfedle32.exe	94
PID 3116 wrote to memory of 3092	3116	Gfedle32.exe	94
PID 3116 wrote to memory of 3092	3116	Gfedle32.exe	94
PID 3092 wrote to memory of 2152	3092	Gidphq32.exe	95
PID 3092 wrote to memory of 2152	3092	Gidphq32.exe	95
PID 3092 wrote to memory of 2152	3092	Gidphq32.exe	95
PID 2152 wrote to memory of 4632	2152	Gcidfi32.exe	96
PID 2152 wrote to memory of 4632	2152	Gcidfi32.exe	96
PID 2152 wrote to memory of 4632	2152	Gcidfi32.exe	96
PID 4632 wrote to memory of 2432	4632	Gifmnpnl.exe	97
PID 4632 wrote to memory of 2432	4632	Gifmnpnl.exe	97
PID 4632 wrote to memory of 2432	4632	Gifmnpnl.exe	97
PID 2432 wrote to memory of 4832	2432	Gppekj32.exe	98
PID 2432 wrote to memory of 4832	2432	Gppekj32.exe	98
PID 2432 wrote to memory of 4832	2432	Gppekj32.exe	98
PID 4832 wrote to memory of 2316	4832	Hboagf32.exe	99
PID 4832 wrote to memory of 2316	4832	Hboagf32.exe	99
PID 4832 wrote to memory of 2316	4832	Hboagf32.exe	99
PID 2316 wrote to memory of 5080	2316	Hfjmgdlf.exe	100
PID 2316 wrote to memory of 5080	2316	Hfjmgdlf.exe	100
PID 2316 wrote to memory of 5080	2316	Hfjmgdlf.exe	100
PID 5080 wrote to memory of 4408	5080	Hjfihc32.exe	101
PID 5080 wrote to memory of 4408	5080	Hjfihc32.exe	101
PID 5080 wrote to memory of 4408	5080	Hjfihc32.exe	101
PID 4408 wrote to memory of 4192	4408	Hmdedo32.exe	102
PID 4408 wrote to memory of 4192	4408	Hmdedo32.exe	102
PID 4408 wrote to memory of 4192	4408	Hmdedo32.exe	102
PID 4192 wrote to memory of 2324	4192	Hapaemll.exe	104
PID 4192 wrote to memory of 2324	4192	Hapaemll.exe	104
PID 4192 wrote to memory of 2324	4192	Hapaemll.exe	104
PID 2324 wrote to memory of 2588	2324	Hcnnaikp.exe	105

C:\Users\Admin\AppData\Local\Temp\0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\Gcpapkgp.exe
  C:\Windows\system32\Gcpapkgp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Gfnnlffc.exe
    C:\Windows\system32\Gfnnlffc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\Gqdbiofi.exe
      C:\Windows\system32\Gqdbiofi.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
      - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        28⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        29⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        33⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        46⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        49⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        52⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        55⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        58⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        60⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        63⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1824
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        70⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        71⤵
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        75⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        78⤵
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        79⤵
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        81⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:872
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        83⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        84⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        87⤵
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        91⤵
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        92⤵
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2960
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        94⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4752
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        98⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4916
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2900
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        102⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2292
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        110⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 400
        116⤵
        Program crash
        
        PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5576 -ip 5576
1⤵
PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
78KB

MD5
ff3c207d6bbd16bcac6da65f280a4036

SHA1
04af0c8a972e6835d66aa1d1cbd5218ffef58f2f

SHA256
605a7c3e15014e48d2ede3a24c8c551c06b4d4a4d75842662bb6777ae928ed5c

SHA512
49590784283778ee5ebe10dec088971032d6e8068661439fad6a2cb51a1c89cb5d6ef65c9663ba7aa4d51f8fd6556932aa479b4aeaedc23fbb846fcd932ba982

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
78KB

MD5
7fa02c8dab8e832995f78ea0a9c2f37a

SHA1
9b66185fafd27cea0128932069fa6c2c76040557

SHA256
85343af20fa13ac6ab5c38b430e7fbbd3017913201a5cf2b60aacda30d261580

SHA512
9de1067c327f97594948791169c2029199ea8869b8b17b86a4e1eead7af67037bb9fd5243721ae9dd693c5b3835935d3c1841cf9e1507ddad4db90b96734d1e7

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
78KB

MD5
a6dc705df43958acd2f5561b26df064f

SHA1
c26c3609466e4eb906c27521b2018ac2dcf2aa32

SHA256
274b0dc859f280b2c330252f4001edf46364bb79b0e5a7d4a1dd40fd4241802b

SHA512
036906531be87ec22c9ebfa97670bca0e1d6952914958b6393897bedb22d360da904d8fd6d0ac82eb88c702ce10de239518746e4685aba080eeb78a1084536ae

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
78KB

MD5
c6a0a247602b375ee1f00013336a3c7f

SHA1
d2fbaf8235eefaefb597e2c313b67e5b5e187ac6

SHA256
35202434d7ef684103bf25c645dbedb50a9da2db1cefd0cc2c5b1939175161be

SHA512
e263c626e3cec556fca4f2580a5c602657d189e721b9f89861c7c03c779dcb6eaa0eb61a25c5d957a37c8ff9d44688645348ff1c900bd8d46466f0173b26248f

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
78KB

MD5
9ef84a3beac0f2dd843e7175d47b368f

SHA1
1fa7f0cb9d699937c33850aab9922bc283f586f4

SHA256
eba3143eab5a3279850738834c6e00d3b0dac4d42e2a6353caaf0f3c1b5269f9

SHA512
8d6313ecb6b9ec4984888356aa6e308d7f8f9c8bc3702759f08102ce4daf044c7d276e12ba98ac6565833207c98a4410b5f0fa89931b712f362e7734be1fd884

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
78KB

MD5
857cbd12ca7136b7dbde868502e107a4

SHA1
f590e45fc17951e4ed96bdf63226d16fd98dd1f8

SHA256
72cbdb2339e7e9a6c20073e5390fb7bc556e236a73a3e5f244241567d584d650

SHA512
bee987aabcb476ad9373dbf752a9709023eb5840768fec2d69b45c1a9119000afd060f5a625e9428a65d48dc7b84cb62baa19d49bc671c2bc2493260384f59dd

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
78KB

MD5
7ff5c3e0a0b47e755864c66c26bfab55

SHA1
439c5a03178db32d3407389f8a42804a529b13b9

SHA256
785b1fc5b9507d028ec370bea0c4c555b59385b80b44dc6baa7b85fa2244972e

SHA512
c4012892e132f5c37ac5992d4dbb40f656f413496f516a639b4665ece02e369e423a8118f58564502d4410832034ab92f884f98cb33d381c68a62272c5c988ff

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
78KB

MD5
ee5c6e657d9658544b55e9dc88cd52cd

SHA1
bffcfcb3aaf6d7c012283174711da320bb73e811

SHA256
8e7e041f5d0c8622970dfc0fb817db91701c85a326246acb9709f5fcf1ad9be3

SHA512
131bc3475150a090c23525b79a23f126ce76ac920f7f2408fb2496107402ef938822250072496745374f74706f112b798e98f85fa54cde4ceb6bd38f2ce62983

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
78KB

MD5
bff01581964d646746ba4e0ecd227cb2

SHA1
447eda07a9395033d9a0d3c71361133dd09efc2b

SHA256
0ef9f3cac049658318a003aecd0b0431f70253d8699311d35b44099b894192d5

SHA512
fc9dcd47e0cd9b257b71b2d9083490cef2b56fc4c5937467f653dc150981163931b91abd0965344e6149aa97ad8f40600f10ff2ded5dd64e46ac4a4fae2f0573

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
78KB

MD5
7a410a9f91a306dccba241eaa85ca4ba

SHA1
9f105fcfcf935476de4611b3f1329f7d5ae9e824

SHA256
699d33136e003d3b8e24a8879e2e9fed64f42127d57207eb42bfec498a7cbe59

SHA512
c14684b9fcb422ada8ea2f20694429619f6b2eb7fb4e648258b9be9550b374394cfc2ea75746bd44ad3071f06e49bda3bdd49ce6ae6b9571f7c80e322cd86555

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
78KB

MD5
cf76759756392f07901a4e48baa5b34c

SHA1
ca0e975026b63e29e8315c8759ebd3c7a1cd5c93

SHA256
06f15dd654b4f06abb5de8109f6579cc138e8376d5e3b99aff63b287f2b3430a

SHA512
7c2059acf987203b1713c354e36a0f91024e8d530c8f343a80032f6de9019ec41132d4b257314aa8e6a7e79abfe4f19db312d31e643ef5b8bf7469d88236930c

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
78KB

MD5
cd78dd3c136f9a25ffe905aa3744994a

SHA1
1aacc61e73c6e63371fd0e60fd0f0b74696398fe

SHA256
c9a31843d57d93b95930d83ac261832b15a418c0899a166cf1259faa5423bbd6

SHA512
135bb341cfb2c4bc41621dcda1cd25dc4e4cb29db5907d3ba00d0da152d06f9b270e3e39ab776df17eb85354f479882ac599616b165ad6ee7aed1fb4795b251b

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
78KB

MD5
4b81d27dfb71e3ab533bd353bc478f5c

SHA1
a6358b97d2e6253e9d4a6cd9d283649d7ed719aa

SHA256
541478df9fe0dd8f27821f0058f99bdcf490873234e5c7b15f9157e13ba94a82

SHA512
9156841ea87c6d9f5fc04fff7aa52ce39ffd8cc7ea3abda7de48de29aaff6da6cd012183856dbdaa53104211b9a63695b066df7643682ec81a24e057034920f4

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
78KB

MD5
2e6d42d7fec56fe8abe6f7508d599277

SHA1
c78dade49f817026a9ba1c74cbfc455472aa7b9f

SHA256
0e9b795847417e244b51045e3a3caa02becde121a2d2733d94acb2219cec4547

SHA512
d90fd63674f7369603c4c8f23fdc89623d25f40dbff58e92b4054136a189ac2d34f3c07f7711f19d58d892ac7a5e5e6eace206106a2eb82e74bdb060d0b2ff8b

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
78KB

MD5
c66abffcf199f2031e7c7e987de9a417

SHA1
8afa8215011e807360a1d1c9f77d503869f9342f

SHA256
72dc07e4a4731f0dbda6483cd67f30fae0b04d493449ce2c49f144f2f6bd6546

SHA512
dbc0823eedf4ae50100e92b106b8f498a15ebba53308bd1cbc8a38a272c60db7d8ee46c4cb3df4b3ec6475f261aa79ff05834ce938f463ba6b8f7f4e2d61f1d4

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
78KB

MD5
49c690c995b2caaa506f8bdb84fd5799

SHA1
77e4c2b304f520664ee4af2c81c23fc4d0cff897

SHA256
d814a28b1b049ea86131128eec497cacc6148e6620bbcebcd27aaf4ae9598087

SHA512
3d6d1c217bc1cf2707cad131a1832061883f2ff900adf957ed05a811d07290560338138e55f641837e030cc6da9dce999db28b0958107ceab3b16c32388e373e

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
78KB

MD5
3df009e105c36eeb83bff075055bb274

SHA1
acb4d026ffb078d93ecca0c6749021bf2653a29b

SHA256
41c45aa15e91985eaa67d6f4748e3f93620d664aa2be59c1c04345eb16ef2508

SHA512
6a66d70f29835d2de73f02ae37102b39b232af41b33320b4cf9bb01ca564578af896705447e4671566ef2c04e9e6fb6d0cf9c63e0bafa1927aa44bc5dfb9513a

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
78KB

MD5
f2862b10d8dc833c940545e9e09a6099

SHA1
91eb61b98ae7f29a2c15b8f7f72468c72292a812

SHA256
d434befc7cd46255f759fc30a9062a18c3aac80ba5600a4e2d88d04d90f57919

SHA512
462b8a722a8606eb9c952fc4ada7438d6b34df97d5b9e5051bcd52c749d507ed3f4b5f571694d77272f7e1019b88b9f8cab0e84131c38d5de0e1496ec3275905

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
78KB

MD5
179bdb268544f5a928c673d054556103

SHA1
8e2f110f75d8e6d191153261d0b3fe2f714d8970

SHA256
76ddc3f50b0ac203f79cca2b5daa2b80792afa73e5fc6b93e6f9ca6b333722af

SHA512
0be3bf15cb4465a2d3a2a2a75a0e876e2bf09bb2d5f313474827abe58474d92d465c9d4385236750be0ab427e64688000b89bce315cb57348181c8abdcc736ea

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
78KB

MD5
1ef571b9e08ce4994376b67b6b7b55ce

SHA1
498167eb35f9974a72bf40a89bd89a86dd2f6a3a

SHA256
c452743c9866b9ff17e1166c7d23156905a099a30929c6d0907df052710f47ec

SHA512
4c29343d82fff5539fc9da1b9a48a4ad890c2d5c86d047ccab734f7c706655ae15031f20a1352b35e910174c4cacd8772eda10c0ecc537716ff2e07a7a3ac356

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
78KB

MD5
72fc37e862694f8e3091448d62fb54af

SHA1
8da93a96a1cb8a107addf2c3e1b8c7385da21954

SHA256
e5d555e71b1e437165f24a0152cd3489ad755241a160e75b16d8d6531510581a

SHA512
6922c683b12f520854e4c90c7613d808e1b343512ebcb4e8ec21b00456982308dc78152d67274c54d4b7fd6ee8bfbb5197d3e37767b35a1815b11bb026110989

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
78KB

MD5
62d12add724c545c8d2a5a2cd45feb74

SHA1
ee4f3b617e85c645d9d2d254041fc9cec0ee61d4

SHA256
fbf1abad91bd81cc3c13a46f38a38170dc4358c3dfcf8b846d414218ddbaa60a

SHA512
4753bf92420c225059287cd79a8b1c5d092f902f47aad7ff1bd1144f5dcf2268ff774281905b61f57dffe55c11d0d724dfd7f7fa959c7910413387bc6be71b87

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
78KB

MD5
2591e2e56b6126e02c5b7184616c7427

SHA1
726df6708e679e173bb0c5f977ebe20fa41694d7

SHA256
0eedb1495ff68be591f0b67f1103d80cc1d3269e0410c9bc6c73f58532f3ae5a

SHA512
9485505624cbcbc22c1cc7af3fc8b40ee233ee8e8c7b74bb01dae61f99fedae23d3e5c53d709876b293eb0e659d1daa41ecaf0f41a5304d228fac0ff9077fc31

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
78KB

MD5
cd80adb89e2df47e5bdcf298c7c99fe2

SHA1
d8a8b3682f66794c2d755b2fd22cf26dcc352977

SHA256
ba26026ae55958b5f5ede86676a555debe7086c4b24dc09ecbe9965f4b2f3fb2

SHA512
174fdf3a4c5ab702d617f2386cd6427bdc51970c9ff4181910ae562acfb75335ee196dd68bc008369ad2998bd59fa3059f198f37073b330617a9ce5b8cd95576

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
78KB

MD5
42d4f3565b1a23201393b85fbd6237a0

SHA1
965f536f58c00518516bc3e0bbad643ece4d0c22

SHA256
e413be863700e3cf689424bd353657274ceb31882a91d7928bb3d32216ffe5ea

SHA512
8a11ca1ea0799b27d5dbbd0ee18630972f981d1b9d87201ef655df1e11ba61182ffef9db6cb4d55bce58f4ebadfd884fb07a6e910bee6b225b9f4a9b38972093

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
78KB

MD5
d63e1ce4d609e8767d8cf296c1c1523b

SHA1
085fd66733df686ae67f731703579e88034bfd25

SHA256
af50a4b5a4b4ff7c791e1f394b69af13ae31bc7392c57e702da5ac70e39637ad

SHA512
b79a341bdbee9e0a7ff1cc26cc172ff8298db5324d8c50062d036ca0ea78bd4f6552a21b1c5a5d1a5b784789c6eae6b48e0e2a92235fad94111094e6df323fec

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
78KB

MD5
28d5e0f5bc913bd05f02eb563e768e98

SHA1
84c1916b9d1f8ab02d1dc1a4549afa911120e39b

SHA256
a51657d1e9560b610f02fc8470f10c4c59e989d0439ad34eccbf1c4cc9d9e1c4

SHA512
a546522b4013b5e02092864ccc5825b139f2c59e8b39a908af42f3dd035106c36e79d48d873543612e4ef3dba6ef131e44df701452ce889517f3c26303485029

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
78KB

MD5
65409e7c5ce1c3efd8bd448e4e0ec5cd

SHA1
3427d00e92493f1a6b984693a165112d4035eff0

SHA256
cc0aa40afdf586da8e8d439cdd2a9b9cb768cef15f519a6a42b7bff467003dc2

SHA512
753ce39395e0f4e0096eb9e0631df8a1bdabad3dd16a6b7f13fdf9c88885f29736c77898540a24ce0931e49e688727c8a5c2c442d1a255f2c23d6f3cff4ce057

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
78KB

MD5
830422d6b5340412f3fbe2f0da5d41c6

SHA1
05ce701dbde547a643aceadf47675b9ab23faadb

SHA256
cbc34c10d3dc2876683ffd20f61c7e3ae327a46ddf98dcc5f4726aa06ea3f36a

SHA512
158e52cdd2d1d8dd8fcfd712595cf89ca4cce0a258f7fb448bc56a0f6ac2fb2487f91e3e4a46886a03ecde1d04ff90bbd2e980bbff5434e0c177fd21c664a71a

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
78KB

MD5
c68a5f8d8ed74832427cebbffa48ba6f

SHA1
370666cbe2e9a03ae03d695e3b427aa09f774753

SHA256
1c448611272a67fc0ffbfa645c8b5239d35eff7fea8e2f268a24fac2e6e1c618

SHA512
96cdbba0554a7a9d44151d23e4e0680cd3b850dee656124dbe64b9e0d335310c27935f7b566464c9696777b316b874667e407b744ade1f177aa838b6937d1cd9

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
78KB

MD5
07ab1ac1294d3994773aa0cee888938a

SHA1
cad395f0d7db5d993d1769a2ee49c4e7f7613a00

SHA256
0c88a02c24a7cb374ffc04c5990ea850f50b75faed558164a63d5732590fc3f9

SHA512
b3fcaf6b0f498761bd819183b202de77410073c6d01759f5bf4f1f08e645b8bc048986f41db18c20499c2cfdbbe000d9a90f051bdcd0edd76789adf6e2660145

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
78KB

MD5
b6deb0369295d1502bd9407b22451e5a

SHA1
826d31276d68a266037d31e623b15533babc946f

SHA256
84262ce29808a886e20d7b514fd1483316a72b6786e8f4467b5c88472563985e

SHA512
56b04954674fc24be3c4548e7b40c5605d55e2625e00c7554f5e0d91923f8756a51b316b927f119f7148e3143b2861f59eb47d6ec55a9aece198d13dfb865fca

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
78KB

MD5
d7803a55a606afa392152904802eaa30

SHA1
5af43be863cead0d4f0fed3e86083813ed0b4cf4

SHA256
bcbbc2648dea0845ecdd2eddb0beb8c3c5c32ed3ab290a0db45a19a6550160c5

SHA512
49898d8dce0f73ca78b4d2bb8b048e60e20984ebc167401e0b0adeb4dd0940ff50c12477544be64c59e6229deb6a0ede8fae2cd7262b5eaef04ee251ec6921f5

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
78KB

MD5
92bc08475ca6bebc6bc5043acf5a9b2c

SHA1
a7ba1d3df201fdc5eb2a840fdb5b9397ae8376a9

SHA256
ef4efe97230463c95f876e7d09950b6fd9d7664daf729d684b793bf1bcce29e9

SHA512
bac7de56482d878033fef40bb2983a322a4c788ce5564032c4fdc3cd20f291fe565a345ba0279b3487e99c2dd63fa3a9ff7962167ae0023611f0bef176adf4b0

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
78KB

MD5
5f720363ca4cfe13ba847c9bc2139802

SHA1
76284d4c1595fa5ecc547d3b20ef9aa68fa90df1

SHA256
fb0a686bbb93cd37d5a85dfa34cda58a741195ae41a86ea6c54c56b5952ef17a

SHA512
e0fab4d7a92644a07082fb95b1c7fffccc724ca511326286930e0da86c700bbc984e6fe6ff79fc165caef25695cbb24920c2084bd528208e0ea25d57408e9d0b

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
78KB

MD5
ef678d0fe6a46c71cfd9e8df1fce4b1d

SHA1
95842b9c071b358fd5c428e1870ab14412753b18

SHA256
8f4ea42e8ab02e4fe975db65586b480d92b601e7cd22e627331ba8dab89e6ddc

SHA512
77e1d72ef82a57818fe6f0dcf1b7a1bcb25403aa4015b3edd913f5a8ea844f99feff6af02292896511ef0da45a0fb83610609cee96d1f2575202dae6212b5846

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
78KB

MD5
d78547dea4450d32e84b2c2667b7fc72

SHA1
216a375388ea4799ca66bfe7a07257c7bfd5e01f

SHA256
4bae2ab0545eddde978995736f187393ef0355b59b2c984b99a4a26ccf33b26e

SHA512
63217ba8fbd28463d9abda74501ddc93c065d9bbf9007d66744f98dceead432e23c8e105227337790743abe198058d716f4a984585728384283b24557dcfad61

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
78KB

MD5
8f1d01b95401827841276b3ad686e6ca

SHA1
ca881e65d8eb94d866aeb06337380d5b84fd2ab5

SHA256
fb1b2a8f0b875ea0b0cf4a229c85d5bf3045a07af70e7dd90b41fc68c8eebef2

SHA512
8f372328b0cb95f3ad95e5aa51761e7441684bb63e841307c5fe563683a1a811ed7115f41f9a574d1b74db26200c2ea4efb37ac4f3dc5d0424588058484758f8

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
78KB

MD5
cf122c28fc1d7c6d7a4c41264f4459a3

SHA1
777347b30c220fa26751b441857f462f5669f4d4

SHA256
3bdd1386057675797e275310b36a37aee62554ad206d4ab565b0c7db4e42593f

SHA512
658047aab6fd36ad487a61570e236bb44cab1836fb43f75b024cca2760563b3d5190d47a80677b2f730473f87ff3eadd2f17332a2d2975c746fa486f4f14fc75

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
78KB

MD5
ae15b404649fb77f9e5f2b84ad97b3e2

SHA1
87b456a971a07e3f03b6fda54ac8ef9bf991430b

SHA256
2b4f9cbd6dd768d2be9e9646c7d6f731bce2342ee6e4766a94451b17ebea90b8

SHA512
60c252b3fdf3b38ae01bea96384907562eddd434e705cc004e84343a5d70894848f4b0589c67d7dc5f1b3754fd9925299be45b580f15ed14b91690669fae324c

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
78KB

MD5
196724388d9db7777dc464b81166074b

SHA1
89e7145aff2504dcafbeccfcc95cf915e17ab6a3

SHA256
868a13742eebe52cdbad264a17847a0b644a77aa92e78ff25429aed9cc845c0d

SHA512
737c74cdda1c0dada7938ebe3837c681124ef0197e5b932d1971b72f669d6da10a9c9b697f921f93530d3279f605893c22420bb0c64112a738d15086f604e597

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
78KB

MD5
ee4b7166c6d3873dbae66abd3d98fa7d

SHA1
2b25562abd105f3c2a6c785ec00d83939675b195

SHA256
e3d6b290683cab61a4ce5e31dc36f81bb7a0b05b1f28ca45290620e0d4905f66

SHA512
7c689311263b74a5ecfcbb4566543ed91e68180a708b25d1bdb32af6491bd42625514f57b94c133347fbc774b78b8e4d63248e22782e3d92a96b982565bde3f4

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
78KB

MD5
de2fa65870d4bcaa426e314f27b46e7b

SHA1
24f3096f87803d28f99f3847d18904896ee4ee99

SHA256
42e7c440a4bcb5910819dc46a2803389f774ba740c57746410da57133763a9d8

SHA512
31ef78a1e34b8e6b85778eeb088cb06c4570972ac25a16ac08e738b66b7b7a57a47ab32be3a51e13a7700abff1f66970d662eec9456eeef07026eb8f844a6584

Download Submit
memory/220-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/332-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-78-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/588-49-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/588-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/780-456-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1340-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1628-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1628-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2316-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2936-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-75-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3088-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-464-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3268-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3268-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3348-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3556-37-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4072-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4268-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5080-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5092-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads