1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
Size

168KB
MD5

5ba67806c0c568a44e5ec429c336ba10
SHA1

8b65461ef1b7e669e520ec729306332a0202bc14
SHA256

1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952
SHA512

882c73ba18ee40fa25921fde0e391a38f86b523afc96b29f5790f3b9b9f836f03a6acadc635130e3ce6851042593afa376747d39ff6a87d663bda14bb3bb7d50
SSDEEP

3072:b1EUUY/RQ04dVqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXn32HaJt:b1U+b4dg4fQkjxqvak+PH/RARMHGb3f/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe

Executes dropped EXE 64 IoCs

pid	Process
4224	Gjlfbd32.exe
4544	Goiojk32.exe
3472	Gcekkjcj.exe
1532	Giacca32.exe
4704	Gpklpkio.exe
4604	Gcggpj32.exe
2708	Gidphq32.exe
1284	Gpnhekgl.exe
640	Gbldaffp.exe
4944	Gifmnpnl.exe
2588	Gmaioo32.exe
5088	Hjfihc32.exe
932	Hapaemll.exe
2416	Hbanme32.exe
3408	Hmfbjnbp.exe
3764	Hpenfjad.exe
4200	Hfofbd32.exe
3628	Himcoo32.exe
1832	Hmioonpn.exe
2664	Hpgkkioa.exe
440	Hpihai32.exe
4884	Hbhdmd32.exe
1088	Hjolnb32.exe
1360	Ipldfi32.exe
4252	Ibjqcd32.exe
3064	Iidipnal.exe
4336	Ipnalhii.exe
1004	Ifhiib32.exe
664	Iiffen32.exe
4416	Imbaemhc.exe
4460	Ipqnahgf.exe
968	Ijfboafl.exe
4804	Iapjlk32.exe
3596	Ifmcdblq.exe
4464	Imgkql32.exe
4364	Iabgaklg.exe
2584	Idacmfkj.exe
2280	Ifopiajn.exe
4716	Jaedgjjd.exe
4352	Jpgdbg32.exe
4992	Jbfpobpb.exe
2484	Jiphkm32.exe
4152	Jagqlj32.exe
4824	Jdemhe32.exe
5068	Jjpeepnb.exe
2852	Jplmmfmi.exe
4472	Jbkjjblm.exe
2288	Jmpngk32.exe
3232	Jdjfcecp.exe
4076	Jmbklj32.exe
4760	Jdmcidam.exe
1880	Kaqcbi32.exe
952	Kkihknfg.exe
1208	Kilhgk32.exe
432	Kpepcedo.exe
2156	Kgphpo32.exe
4840	Kmjqmi32.exe
348	Kphmie32.exe
5064	Kgbefoji.exe
2200	Kmlnbi32.exe
1676	Kdffocib.exe
2216	Kgdbkohf.exe
4980	Kkpnlm32.exe
676	Kmnjhioc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5664	5540	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4224	3296	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe	82
PID 3296 wrote to memory of 4224	3296	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe	82
PID 3296 wrote to memory of 4224	3296	1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe	82
PID 4224 wrote to memory of 4544	4224	Gjlfbd32.exe	83
PID 4224 wrote to memory of 4544	4224	Gjlfbd32.exe	83
PID 4224 wrote to memory of 4544	4224	Gjlfbd32.exe	83
PID 4544 wrote to memory of 3472	4544	Goiojk32.exe	84
PID 4544 wrote to memory of 3472	4544	Goiojk32.exe	84
PID 4544 wrote to memory of 3472	4544	Goiojk32.exe	84
PID 3472 wrote to memory of 1532	3472	Gcekkjcj.exe	85
PID 3472 wrote to memory of 1532	3472	Gcekkjcj.exe	85
PID 3472 wrote to memory of 1532	3472	Gcekkjcj.exe	85
PID 1532 wrote to memory of 4704	1532	Giacca32.exe	86
PID 1532 wrote to memory of 4704	1532	Giacca32.exe	86
PID 1532 wrote to memory of 4704	1532	Giacca32.exe	86
PID 4704 wrote to memory of 4604	4704	Gpklpkio.exe	87
PID 4704 wrote to memory of 4604	4704	Gpklpkio.exe	87
PID 4704 wrote to memory of 4604	4704	Gpklpkio.exe	87
PID 4604 wrote to memory of 2708	4604	Gcggpj32.exe	88
PID 4604 wrote to memory of 2708	4604	Gcggpj32.exe	88
PID 4604 wrote to memory of 2708	4604	Gcggpj32.exe	88
PID 2708 wrote to memory of 1284	2708	Gidphq32.exe	89
PID 2708 wrote to memory of 1284	2708	Gidphq32.exe	89
PID 2708 wrote to memory of 1284	2708	Gidphq32.exe	89
PID 1284 wrote to memory of 640	1284	Gpnhekgl.exe	90
PID 1284 wrote to memory of 640	1284	Gpnhekgl.exe	90
PID 1284 wrote to memory of 640	1284	Gpnhekgl.exe	90
PID 640 wrote to memory of 4944	640	Gbldaffp.exe	91
PID 640 wrote to memory of 4944	640	Gbldaffp.exe	91
PID 640 wrote to memory of 4944	640	Gbldaffp.exe	91
PID 4944 wrote to memory of 2588	4944	Gifmnpnl.exe	93
PID 4944 wrote to memory of 2588	4944	Gifmnpnl.exe	93
PID 4944 wrote to memory of 2588	4944	Gifmnpnl.exe	93
PID 2588 wrote to memory of 5088	2588	Gmaioo32.exe	94
PID 2588 wrote to memory of 5088	2588	Gmaioo32.exe	94
PID 2588 wrote to memory of 5088	2588	Gmaioo32.exe	94
PID 5088 wrote to memory of 932	5088	Hjfihc32.exe	96
PID 5088 wrote to memory of 932	5088	Hjfihc32.exe	96
PID 5088 wrote to memory of 932	5088	Hjfihc32.exe	96
PID 932 wrote to memory of 2416	932	Hapaemll.exe	97
PID 932 wrote to memory of 2416	932	Hapaemll.exe	97
PID 932 wrote to memory of 2416	932	Hapaemll.exe	97
PID 2416 wrote to memory of 3408	2416	Hbanme32.exe	98
PID 2416 wrote to memory of 3408	2416	Hbanme32.exe	98
PID 2416 wrote to memory of 3408	2416	Hbanme32.exe	98
PID 3408 wrote to memory of 3764	3408	Hmfbjnbp.exe	99
PID 3408 wrote to memory of 3764	3408	Hmfbjnbp.exe	99
PID 3408 wrote to memory of 3764	3408	Hmfbjnbp.exe	99
PID 3764 wrote to memory of 4200	3764	Hpenfjad.exe	101
PID 3764 wrote to memory of 4200	3764	Hpenfjad.exe	101
PID 3764 wrote to memory of 4200	3764	Hpenfjad.exe	101
PID 4200 wrote to memory of 3628	4200	Hfofbd32.exe	102
PID 4200 wrote to memory of 3628	4200	Hfofbd32.exe	102
PID 4200 wrote to memory of 3628	4200	Hfofbd32.exe	102
PID 3628 wrote to memory of 1832	3628	Himcoo32.exe	103
PID 3628 wrote to memory of 1832	3628	Himcoo32.exe	103
PID 3628 wrote to memory of 1832	3628	Himcoo32.exe	103
PID 1832 wrote to memory of 2664	1832	Hmioonpn.exe	104
PID 1832 wrote to memory of 2664	1832	Hmioonpn.exe	104
PID 1832 wrote to memory of 2664	1832	Hmioonpn.exe	104
PID 2664 wrote to memory of 440	2664	Hpgkkioa.exe	105
PID 2664 wrote to memory of 440	2664	Hpgkkioa.exe	105
PID 2664 wrote to memory of 440	2664	Hpgkkioa.exe	105
PID 440 wrote to memory of 4884	440	Hpihai32.exe	106

C:\Users\Admin\AppData\Local\Temp\1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1522ae17381894ed415df5b7b449da0595d685e8128a13aed88ffe024287b952_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\Gjlfbd32.exe
  C:\Windows\system32\Gjlfbd32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\Goiojk32.exe
    C:\Windows\system32\Goiojk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\Gcekkjcj.exe
      C:\Windows\system32\Gcekkjcj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        28⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        33⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        50⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        52⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        54⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:348
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        60⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        63⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        66⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        67⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        69⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        72⤵
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2060
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5092
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        82⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        83⤵
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:628
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        87⤵
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        89⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        90⤵
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        91⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        92⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        103⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        105⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        106⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        108⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        113⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        114⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 224
        116⤵
        Program crash
        
        PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5540 -ip 5540
1⤵
PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
168KB

MD5
eb33d8729be7d23e0e20f549a26acd26

SHA1
537d682d894c32a44f1ea5f1b39bccdd361b1333

SHA256
35ebc1859487f4b2ee9ebd3073eaa478b2c82b81b19518ffa7f9a9c87d4c3a82

SHA512
91af6a3ca822039eee01d4ab29ef994c8798843bc1d748faac3a7490cba7c8cbf5e22a6bdff9e3ce838a8625bf6ed83bf65490031dcb177872ee2d1ecdbeaf96

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
168KB

MD5
aab30f7dc0a21fcffad63b0244f4be6e

SHA1
bd19ef80d2131d078285a46d2f8e8987110064e9

SHA256
2f08d1a0cec892c092c96a4ebe42c0abc594855671e8a5b82230dee2ba30e49f

SHA512
063a08ccf5c46a6bff1998df5f828c3bcc7b2e34c9cb8dc381fe096c5ccda4d91610db08444d86ae18a6ca815d37e7aefc313dc775d65903e0f7b809716ca91e

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
168KB

MD5
acbd2a82338a29274292fd04ae9c79b4

SHA1
dd0a8ab1e765f3d094c92ae7607b6d2e20c88f2a

SHA256
93c98e2825fea1cb62c62a41e849ad79b5867233e84608188009bf5551173c09

SHA512
8742d6d8e6102d85bf41a6e62c31ec7d9e0b2ed4de86c7026cf721f644b801d007c860f27fbade31462b46853b72ed7f40ad42918014b00f1a4090ceacb445a0

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
168KB

MD5
ce3c15d9cbcb2b61a69b783ce77c0ee6

SHA1
6102692a7c60ca43f562120d9ff595e494f08dda

SHA256
88bc6bc633f95e8f5914f1ed2ce14321c116dc652255334f4272475dc1d54b38

SHA512
2a3a1998c509d2b3048702ec192260f797de416e0474e24e812b3a2228e4503680b9730a1631c686293901b529065549b50344b7ced8e31bd9c438740bc8a13f

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
168KB

MD5
bd10c50d1dfaf7132fd248817c29e252

SHA1
0fe5b9deabd7d5960ca9b073344f90a25dd142dc

SHA256
ce60f74bcfc9eac850348af1a69dcba1f1339baba464bbe0eca6be50f6adea74

SHA512
33cebbcf7e555a249d556c2a13e41f6c1f1c82eeddf1d811485103b374c34a54f2afca140e772c3ecf5b011f120c0e433e6b1b038f3af8878a060e02ce41b632

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
168KB

MD5
13b47b2fdc728198fdc9d6bbd3f726b7

SHA1
d94d5f9f3e252cd9e52ef2c45ddf6741ae7eab3b

SHA256
f084ba57dea519e4f5de3c2ff8c61a1f56fe0912994bacc5619a3a7eaa1b448c

SHA512
a6b3e4dc513871453cfc552995b9bbabe9143bef47f5174c0c84a5f8e67e2f5d666039e45a3b0a14401f5ed229869d7dc92b25c9c5a795252aa04bd127980b21

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
168KB

MD5
673ed8b89b9853238bd6e4a3312930ec

SHA1
bd62f7e0b4f4873a60bb7d58af8d2c322e1be01b

SHA256
74700e37401cbc2e29967cc3fe43b73ef07c6d3b8df133e661fc174ca4fc0de0

SHA512
6847348f0113e2e595eda8eb564d9abf9e92fb5f747b91f5dfb632103092786561baee24f5b97a923e4be0063f1d63d8f8fd37aac9aa9066d3e1100710d089aa

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
168KB

MD5
557a31fe338b52f44320d8c2df7630a9

SHA1
d7fb72c9c2b38f14fe80270d1f0d59b87fc8d17b

SHA256
405c475f882d14699b94be924c93cbb7204b28152e27349a0f7a24cbb16f9a02

SHA512
2d300e2fb0b945caa3d758ee3507202ac95fcbeaba42f91a89533a4ae6b4f50019dcdbdc4a2cd000d77d4a9ae02e306aacf98250901eb156e4785be924cd6915

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
168KB

MD5
ee7575c44f11c2b9705a65f346a06f8f

SHA1
2a80ada806c617376fa172dcb4a91a40f532c4fe

SHA256
db0036c64399ffeed6d817258a267da0b24f9e4a98bdfb20b41dd6df86e98fb0

SHA512
f513bec65b4a52a96402c7171c7d45886a493a5e013cd96c29bec279bc9212cd0ced469bf5601559535f78bf022562b890c2243bde7b27f70dc680966ea6b94a

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
168KB

MD5
5006a73c55c930db257f8760315f8bf1

SHA1
eb1330641dfcfd6d5c94d7863802076cd367e84d

SHA256
825153b94919519acd9a14dbb629a7ed27fd4f2c0522ed9095c5b5d76352c653

SHA512
1480628d350099f2763ca632a70fcd772b23db8cafaf07fa486e20e885ae0741e9ba72f57307b464fa4de97fd524b5f4b5d8ee4c38d74106594ea57be0bc11ba

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
168KB

MD5
82d06e63db15ade3d805b5de3d0efa9c

SHA1
e8aba39b36b9b87f41509819335a3623ada3bc89

SHA256
fa827c8d9b34995add049730174600169daef8d2da429dd7c8f647e78d0e5531

SHA512
c7f02f7542f1d93fb5b493cd7bf66a1717a039d03730c9fdfdce0db0e8b6b2a7b0c43e011ced88e454b86fe647799fecf74a471f3844325a46183c0c8f5ea459

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
168KB

MD5
fc3b48ae06aad36925390f1d48547722

SHA1
cdf4a3f0e885d49776edd004d7368395c1e20f85

SHA256
54915a0d4113271f7fc628b5853cd620afadfd585d200cd7fbf5f1cf62a64ece

SHA512
613f45d5169951c6dc25360c359791b988abf763d4b83998bf525a6c5ee9a5bf9e6a9e3f6a6e224ed026775a55c17ebaa2e614e9528924ed2ded8107fde410ac

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
168KB

MD5
896888aefa1edebe1e635b325bebc92a

SHA1
63cc5c29fbe641e370e19f0af3116afa159d2a4d

SHA256
b5185eb359a5ec1451f2c1267d6e09997e783f11515ef01ca8293c92dd7db26c

SHA512
f2ec18b4b7c80fb23aea39ac5680726a5b55ab5cb9df0f76901317620dc8417953956be9ceb9574d71c7b0a3de64e24716cf980e50d614ea4c49e609c03aa3a5

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
168KB

MD5
2c462d359e72377f80856918f26b0c8c

SHA1
6d0ed39d0b7979a2e9f56845a37a89b284509250

SHA256
6baf4b49bf215835b94760631f5b160e581701734911ae5ec871b5f422753c3e

SHA512
c45597df4158c67771f245c542496b25f403ac5c8a195dd6184b0238c2db6b65304e83166bf36edf8c97ccc178e31b35bad0e5809ac975cda99e489a4f6ffca5

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
168KB

MD5
a7ea7f6bd8d9c9ea540303d6eb186923

SHA1
8534f078ad312d140ce113ffcb682586d87ac13e

SHA256
dbd9f360816aa92df29cf8374904228efa3af696c29c3d8c4d3ce80356eeb162

SHA512
21cf35613d85863e7994eef12d3dcc2fc181778ce6e9ca616028b2981b5167c20f5d7ffe605fa11e0371e8118f47801a81b3559ca4e8461cb474f7b8cfef7960

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
168KB

MD5
73dcad10830c8aa36c2dcf2980ea77ed

SHA1
5ee3b4bf2afba1bf95c6758eb80a0bada33f93ef

SHA256
c6a7b7e119728a5d256bbe46ab6d89c071a4376e3a03e4c1f390fb9dd1829d80

SHA512
9eb358bd063b926c9ab6fbb926a5435de3f7f5296816906307c44fc2ac45c2c012eb70b803fb5fb33287a7211a2b7d028bb6680d76fa90f5b3031b762d9663ff

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
168KB

MD5
e716cd7175c9cd086ce8087ccaf35247

SHA1
5081f58e6dc46fb894be9caceb63710a27988565

SHA256
01bb6d197bb1f7bb967fb48a92988bbf42ded9a1aeb5b5a1f9ce244d9d257b1c

SHA512
37dcdc0b9bd770bdcec693a5b9d260249a51a916ed8e321b506409559bbf9d3b10f939421ac275ccccc28a8c5ee6fafaa53f9a60552fb0641ec36a709c0446be

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
168KB

MD5
7438a4e530214358a7688da28f657d9f

SHA1
d26c945940e9548833f0c9214c2cd3fdbc48c3c2

SHA256
f2af89f839575561b8d66d677606647fb51c05701e1e37017a9ca10f0394d069

SHA512
e2e592c21c3a4fb6abaa2da7fcbffa943c76d281351c3a1694e7970724e73dc8cb8ea859bc8a4077ba90d2eeaf9ee850b9e4081016348a3f49e55ca0d8a77429

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
168KB

MD5
e7873af234667fa25cc8600d2b1d21e4

SHA1
f54c5fc9b430f045191cdad625892e8daf03bdd0

SHA256
bee3ec68c0ab6a2ecb6051c2427d2529f9f891e6d5ec72c42360423c0255591e

SHA512
929260ded80609e67947e54cb210356ee12572f724a319ae1039805cb563bd135da36e8e6ef4e233d64f854d5b95fa82dd3b9bb1e1ee9f3754d4fca72188e8b2

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
168KB

MD5
5267988e6ad43f4ad637b5323cac27c0

SHA1
2e90b32f5b496c86dd0e5abc020c4acea157619f

SHA256
ab93740f5bc531c87699566fba2679e923ff313e0f6a76373197a45e609c47d4

SHA512
60ca66b2cc08e3e19d3e6126c4961b2ffba65ea3b789b52c940026465b0b0a47d4b66ac9374dfd588a07b8b50fe934d87c1b6433bde53f08b00509fbd5e0260a

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
168KB

MD5
342d6267270c005a78840725914f140c

SHA1
71fa99ad4f40c8fe61dd093089f857240bc92a15

SHA256
94e7fbef91594ed4e8c3cb393652c335e8ba82fdad380104c6de08dc889664e0

SHA512
a948f23955875a9c0c9feccc1815364fde92ab47b23b718bca8a72f49d3c069e61de373988c6c9a592b12ff498bcf89424032be400265d9dcc9d58d18607bf55

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
168KB

MD5
1ffc6cc39476d47b532ea3bd2fe4d32a

SHA1
489f64c0369356adec847eb9b3c648f3f41120e7

SHA256
649128ecb99a2e5ce545ff0bf612edb8d830ee7ae54e04580ece649c14aac895

SHA512
ecbc56fe4f532c4245a1241fa395fd2287e0eee45dffd18d639ec709cfd541bc14f7d927208b1aa45bd1ebda6e69b4ec161128dd0fc1a438d19c2d0ba6b798d8

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
168KB

MD5
47e345dfa96ae4f0832ff1c15e46bc35

SHA1
a217e1d315f6658cd4c156bcdbef4733eec208c7

SHA256
deea74e69ed8fbb2b0e10f2464d81d3b5c188d369868755bd84618cb04d3ad47

SHA512
0e0beeed0ff8e632dbc517b90be1706d25eb1a0808be1cab83e483a916d1e6ea0c7fea3228409e4cf1942d5355a3685304e0cbd08c57be91e31b9d70eb0bf95e

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
168KB

MD5
08ac70db96cade7025ed7934475f88b6

SHA1
3d5d928e2407ec0d5f84e8df3213c7322521f02d

SHA256
28cf2998e3d1fb3a09a64eaf9c2b93c4d996394d507c8c0c749f069667af12f4

SHA512
42b10e3b8a3e20ffd22d4a41ba898176a6a5be6be80f8210a3dda0a4aff0bcf3482d43b53d88f4ff53251f76a0cf48d94970e34224e364003b87e64badb1c3e4

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
168KB

MD5
f51dcf536e59b07dea8cf6b344d42795

SHA1
ac4edfe16f1392c245a611e5735d3b3f08ac616c

SHA256
1210104fbf5e03f4f061d4d62127b2b80820eab985c183873ce14e92926c9bcb

SHA512
785cf89c47f61891c95e1657af6ca8f3c9ab0f9d71dbd3a2bec20e8c27d67992d0530e76b2acce47cb453f42a1b21abd06e792087b2ff37319ba34bf1ca07a9e

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
168KB

MD5
78a32009ac73d0aab51ef98c56ed4aec

SHA1
e92bd4145688b203674fa66d5c5dd79ac2432407

SHA256
7ae91f989730b30caf699c9bbef62d43050db1a41f84038ab73adf3bdbfa3e80

SHA512
ebcedd405eec6e628ea75f78e5ea6752bbca83878c9c088f2183a7a18a9fcd793c6c8de3873e19fa46a6f045840e01d3db7ea25a47582e0bdbc34b083cf8ae31

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
168KB

MD5
4844c1e6b864ccda762fd50462d19a5c

SHA1
7db144fad3844e3c0c29b90d941c51b901022b21

SHA256
78c7e4e9e8bfb947748c42cca3e0bcc3899df4994f3fba3168cd52067c51affe

SHA512
cbba2a63b20a5416a9c1d6f4a242e6538714178581825ed28356660d7397635e8a4d5146b360f225579615d14a09de6df815321bc4e4dc974ea9f0ae341011ef

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
168KB

MD5
fa3cca7e73a1ca06a852ff61285c423d

SHA1
19a10cdd1e6d82cf674be2c056c681945811f178

SHA256
31028b3b667fd55dfa9f059488f0b4098745f984c6395e45a059328725b6854d

SHA512
cfea2c577a9bcc7ee2ac3331bf58e6f247e62e4c088209081af8669d60f0bcbb7d48aeb9b5ee93fb977390fef13a40a2fea38ce3eba881b930387f6f53384a1f

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
168KB

MD5
c16d95071efb4212366ac86ffc21d26e

SHA1
e16ddc64cc640826a8782e7811cc6b94d0685f2b

SHA256
d33419619305ec15744e635c5a29945420b852d97c8b2b3520ddc8ee4f8bf230

SHA512
986088981337f9cdb3b173436cd40168593163f76485cc5242359404720ea9b9041bbe8b15b2c6345e7a2520076b2b296ad030038a94337b8e4a00b390387393

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
168KB

MD5
89cee1d79d05a8dabda538f637510df1

SHA1
7a0f06c0418da19331329b140c6d3af00c7b69ee

SHA256
ada1b02dc7af7ee3e0cd74023aef7033647a5674ba46405b17e0de8422db2657

SHA512
3fe6e97fb531e896dd13faa314e0fcd997a079f515cf87cab4883369664de68cf5304c5de1259504986b02acf322e94a37131c996e3be846819de6bb70568438

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
168KB

MD5
c9df4e6b239c1e700b736c4a75df133a

SHA1
c07fc2ceb8d275a4dc5b5e10f64ad236fd909284

SHA256
b75f22b594b757b77a5185513712bed8b1e1d9589c1a09ee7256562909f6f156

SHA512
43d05cf140224e9a20fb74fdc0bc92816ab06480561601a3b548481217100a0ee05b987af9b6ad3acab59e737e9327edcdda1d11a248fe80ce3f497a87bbb153

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
168KB

MD5
2d553802837b10168a213f30354eede1

SHA1
1c28f22945c24af2e319ee5fc05b1a234056889a

SHA256
4e0f146aa7cd5ef4ac1ee37acff0534b0900fa73bfd082a9c570c78208eca881

SHA512
88390429870dc1471aeacadb1680bd023ba00578c09671517ca5dd7b3e5a7e10a667dfc4546156f092bc713193888a0a5167b643c288dd443d1be1cdd9766fed

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
168KB

MD5
33580c57acbe06da5e94ab18fc297925

SHA1
c58e93160fa281fcb00c16099e275657c3d23a60

SHA256
c95870bd08d7303e4ee0a705d4dd8dc6a1374a5556538ddcfb0f3b1030f363e5

SHA512
07040ad438f842ed90a5699e2d4984cebdd9cb80d6a78ade38e6db56c8de4447c2fbb8abc2334680a57830d1925c993107c6f8321f2fed1ad17d55a1be5712bc

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
168KB

MD5
87c1023b3831c246caa8c81ef1f66585

SHA1
c0234b84596cb549946dad3a8461d14fc29efbad

SHA256
17df5263ff2de491c8580f2bd02d6e3c01c56dcfd1e3e3c53c3ef43343427400

SHA512
5e57a7155b1c3dcfb6fd7abd3b099bf995428dc6631aa4df5d767c9aedd6002911ba99343157cad4c489c14efa695bfaa598d7d167fdccc6cf78abc7094defe0

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
168KB

MD5
40a57ab5f08a5a6b030017e4e43a32f4

SHA1
7298aabdf41b3982341488f8a6d4a9e175f229a3

SHA256
9dad1795c974c2f64fba2f4ede5b641858ed6b07a27efb968dd74afeb0cf795d

SHA512
264db279eb176730da7a7dcc42b8039bc763a7bb88a410cdfead0b2df6a61ea04a9fdb96164087192a2d296e3875a0d2df80b229573fa0170775f225e7a3dd39

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
168KB

MD5
ec9bf4a8ce022fd2ff26dca914f2ec3b

SHA1
2f4bb1f39aaf618c81ce80ea2e0cccf90a1dbf86

SHA256
78ab7f8dc0fa59dfe0e1f0b5d308910d3643bcf0a6646f6a2b6533e76428d3c5

SHA512
29406823e8c2576c0a3538df23896321ed8959fecde2cf33989ee96169bf2e22edd06ea9b03c66dfe6f7ec283c5c7dba3fd5e46aa6faeea5d630bc0728a24212

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
168KB

MD5
544f08d653664c6e1e6216e8e562a1f6

SHA1
3c3b881b3f36bbdfc90716bfdd69f7305b9086d8

SHA256
1592beebc385fa64d8b2f101757bc305565e3fabfa6f617947bdcade67141d77

SHA512
864b4c51202262429dcd94e19e273f73abfa4172ce0f4eae0b826ca86f6adb1170f944a4584ede9ddb950edea31c7dae7225711de6fc9a664d6111a32ccb693c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
168KB

MD5
56d0989c73f9e6ac7e8dfd84f427de5f

SHA1
78d7baee939294aafeb49efb27de593ad9b84e1e

SHA256
70c94348eccf867bb70f3aaf82ce8eacc92bfeba76fb90fe9d0fa687249b3f8b

SHA512
ba6a6333cae7018432427417548e27407647694747d56bde8a0ec13528b8c718565877ef630c603bb3084076471fadcff2b617d22a53b0c225ab9820ddb61f0d

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
168KB

MD5
fc73fe46ebb50623796ea164cc3290c2

SHA1
3a1a3a66a7a0a79080bc54feab12db754c8d3873

SHA256
dfaf610fd5790442b7d18661ce87227f52bedc504f3e839449a1cf93274c53c6

SHA512
a6ece8665ed15cc16652f2dacdfea4bd576f9647db8f85fd8092773031e144f8de097940328fbf102fa948e093c32cd7b4da522862b049f5e1535c4fb6ae2d0a

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
168KB

MD5
03f2c0dfe78d73ac9c5c02da1060223d

SHA1
ccf7059bfafec348a3201d614dfe704db0c3bc5e

SHA256
dd9f949d319c8863e94996df9b07d51c8db2ef5eed69bf90c8aaf7b66cbbb0ff

SHA512
70eedde49015eb260d299f0d36b7fb9debb1347d87b379e7f9714f3a99a75c39fed8e27504394847f6abcb12dcd3cb803b6400a8af0495b6f2e8a7d9067eacb7

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
168KB

MD5
767ed7f87fb58edce59825bd5dadf6bc

SHA1
d2f160a12fa30a088aa324d9cf5cf2696e342147

SHA256
76b0e56520ae9fd8defbdf04483fd5b0f0c2aaf261b1c8491d8ccebd39f900f7

SHA512
11725068afef0395cdcce125615cc70349f2e570b83b3390c1625ba0b38c2020f1534c264a5ca5fc965f24f28d1c59d643b0dd68e4af374de07bc66e196bb0a9

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
168KB

MD5
02a4fbecc63bfaad95dc51120f8021ef

SHA1
37ddc3b9607199fb76ff8e063825ad1dc1ddee90

SHA256
1e6fad4c949489a4100c9f692ed33c9c27fa221f7d39c4337c51599641f4c52f

SHA512
029445f724abe221f51361221b4e93c1b560ad6e59a1eeea82764087287d916a68461f86435d17097b96d4612f804648df19a8da329431d9fc256037693597e3

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
168KB

MD5
1354b68d3368b570924553f44a81ba1a

SHA1
c44a53e76d461c63e2172c3b82cd19b25cb36ecd

SHA256
2f3dee6c95f8f9a3d543822f3270045014f91e87798287052dd4f44a8bd843a5

SHA512
c822f7393b3aab842cff3091df876df0d7e16aa07980f0940229f771a1a59b8ecc681d61e208a64e9aef9f06e655a8a27bfb68d2fb22a1d8cf5881472212a1cd

Download Submit
memory/348-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/440-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/440-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/664-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/932-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/932-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/952-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1088-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1088-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1208-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1284-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1284-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1532-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1532-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-433-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-384-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2484-343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2664-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2664-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3296-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3296-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3296-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3408-218-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3408-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3596-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3596-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3628-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3764-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3764-227-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4076-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4152-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4152-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4200-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4224-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4224-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4252-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4352-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4352-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4364-301-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4364-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4416-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-271-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4464-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4472-373-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4472-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4716-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4760-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4992-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4992-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads