f5815d9a55f4fb724f517d9d969de448bff007937e329f66452419c91c7cdc60

Analysis

max time kernel
144s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 21:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe
Size

163KB
MD5

04b637528147e4bf7a38e4b415130100
SHA1

12a937acd2d30d577d371d7c32f7fca700d383be
SHA256

f5815d9a55f4fb724f517d9d969de448bff007937e329f66452419c91c7cdc60
SHA512

6cf6187bb4f48c08d299cc5b617f78b113caac77a0428e011a8e00ecd3a6ba4e2570bddfe64369a130703ded807290f61a4371e121c3e1ec702106b317a42a46
SSDEEP

1536:7mjnssUEOJKJ2qaGOz6S+kSylQtfeX90AtGRhKW+jujAEjh8DTL9GIvg/SylQ7ao:7yssUH6GsS+uYgnWAUjWDUIwLyc4F

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe

Executes dropped EXE 64 IoCs

pid	Process
1456	Lpnlpnih.exe
640	Lfhdlh32.exe
4352	Llemdo32.exe
5000	Lboeaifi.exe
3752	Lmdina32.exe
3784	Lbabgh32.exe
4908	Lmgfda32.exe
4864	Ldanqkki.exe
4420	Lgokmgjm.exe
944	Lingibiq.exe
2240	Lllcen32.exe
4792	Mbfkbhpa.exe
4172	Medgncoe.exe
3560	Mlopkm32.exe
2780	Mgddhf32.exe
2712	Mmnldp32.exe
2900	Mplhql32.exe
1140	Mgfqmfde.exe
2924	Miemjaci.exe
2844	Mgimcebb.exe
2376	Migjoaaf.exe
4060	Mpablkhc.exe
2472	Mgkjhe32.exe
4108	Mnebeogl.exe
384	Ndokbi32.exe
1492	Ngmgne32.exe
3296	Nngokoej.exe
3352	Ndaggimg.exe
4324	Ngpccdlj.exe
4244	Nphhmj32.exe
3572	Ncfdie32.exe
1280	Njqmepik.exe
668	Ncianepl.exe
5056	Nfgmjqop.exe
5032	Nnneknob.exe
3004	Ndhmhh32.exe
4752	Nfjjppmm.exe
1292	Nnqbanmo.exe
4312	Oponmilc.exe
4560	Ogifjcdp.exe
2632	Ojgbfocc.exe
8	Olfobjbg.exe
3092	Odmgcgbi.exe
3536	Ogkcpbam.exe
2128	Ojjolnaq.exe
5012	Opdghh32.exe
4296	Ocbddc32.exe
1536	Ofqpqo32.exe
4248	Oqfdnhfk.exe
540	Ocdqjceo.exe
4988	Ofcmfodb.exe
1864	Oqhacgdh.exe
2236	Ocgmpccl.exe
3488	Ogbipa32.exe
3740	Pnlaml32.exe
4408	Pqknig32.exe
3224	Pfhfan32.exe
1136	Pqmjog32.exe
396	Pclgkb32.exe
1812	Pfjcgn32.exe
976	Pmdkch32.exe
1076	Pcncpbmd.exe
4620	Pflplnlg.exe
3172	Pncgmkmj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6376	6284	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qgqeappe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1456	536	04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe	85
PID 536 wrote to memory of 1456	536	04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe	85
PID 536 wrote to memory of 1456	536	04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe	85
PID 1456 wrote to memory of 640	1456	Lpnlpnih.exe	86
PID 1456 wrote to memory of 640	1456	Lpnlpnih.exe	86
PID 1456 wrote to memory of 640	1456	Lpnlpnih.exe	86
PID 640 wrote to memory of 4352	640	Lfhdlh32.exe	87
PID 640 wrote to memory of 4352	640	Lfhdlh32.exe	87
PID 640 wrote to memory of 4352	640	Lfhdlh32.exe	87
PID 4352 wrote to memory of 5000	4352	Llemdo32.exe	88
PID 4352 wrote to memory of 5000	4352	Llemdo32.exe	88
PID 4352 wrote to memory of 5000	4352	Llemdo32.exe	88
PID 5000 wrote to memory of 3752	5000	Lboeaifi.exe	89
PID 5000 wrote to memory of 3752	5000	Lboeaifi.exe	89
PID 5000 wrote to memory of 3752	5000	Lboeaifi.exe	89
PID 3752 wrote to memory of 3784	3752	Lmdina32.exe	90
PID 3752 wrote to memory of 3784	3752	Lmdina32.exe	90
PID 3752 wrote to memory of 3784	3752	Lmdina32.exe	90
PID 3784 wrote to memory of 4908	3784	Lbabgh32.exe	91
PID 3784 wrote to memory of 4908	3784	Lbabgh32.exe	91
PID 3784 wrote to memory of 4908	3784	Lbabgh32.exe	91
PID 4908 wrote to memory of 4864	4908	Lmgfda32.exe	92
PID 4908 wrote to memory of 4864	4908	Lmgfda32.exe	92
PID 4908 wrote to memory of 4864	4908	Lmgfda32.exe	92
PID 4864 wrote to memory of 4420	4864	Ldanqkki.exe	94
PID 4864 wrote to memory of 4420	4864	Ldanqkki.exe	94
PID 4864 wrote to memory of 4420	4864	Ldanqkki.exe	94
PID 4420 wrote to memory of 944	4420	Lgokmgjm.exe	96
PID 4420 wrote to memory of 944	4420	Lgokmgjm.exe	96
PID 4420 wrote to memory of 944	4420	Lgokmgjm.exe	96
PID 944 wrote to memory of 2240	944	Lingibiq.exe	97
PID 944 wrote to memory of 2240	944	Lingibiq.exe	97
PID 944 wrote to memory of 2240	944	Lingibiq.exe	97
PID 2240 wrote to memory of 4792	2240	Lllcen32.exe	98
PID 2240 wrote to memory of 4792	2240	Lllcen32.exe	98
PID 2240 wrote to memory of 4792	2240	Lllcen32.exe	98
PID 4792 wrote to memory of 4172	4792	Mbfkbhpa.exe	99
PID 4792 wrote to memory of 4172	4792	Mbfkbhpa.exe	99
PID 4792 wrote to memory of 4172	4792	Mbfkbhpa.exe	99
PID 4172 wrote to memory of 3560	4172	Medgncoe.exe	100
PID 4172 wrote to memory of 3560	4172	Medgncoe.exe	100
PID 4172 wrote to memory of 3560	4172	Medgncoe.exe	100
PID 3560 wrote to memory of 2780	3560	Mlopkm32.exe	101
PID 3560 wrote to memory of 2780	3560	Mlopkm32.exe	101
PID 3560 wrote to memory of 2780	3560	Mlopkm32.exe	101
PID 2780 wrote to memory of 2712	2780	Mgddhf32.exe	102
PID 2780 wrote to memory of 2712	2780	Mgddhf32.exe	102
PID 2780 wrote to memory of 2712	2780	Mgddhf32.exe	102
PID 2712 wrote to memory of 2900	2712	Mmnldp32.exe	103
PID 2712 wrote to memory of 2900	2712	Mmnldp32.exe	103
PID 2712 wrote to memory of 2900	2712	Mmnldp32.exe	103
PID 2900 wrote to memory of 1140	2900	Mplhql32.exe	104
PID 2900 wrote to memory of 1140	2900	Mplhql32.exe	104
PID 2900 wrote to memory of 1140	2900	Mplhql32.exe	104
PID 1140 wrote to memory of 2924	1140	Mgfqmfde.exe	105
PID 1140 wrote to memory of 2924	1140	Mgfqmfde.exe	105
PID 1140 wrote to memory of 2924	1140	Mgfqmfde.exe	105
PID 2924 wrote to memory of 2844	2924	Miemjaci.exe	107
PID 2924 wrote to memory of 2844	2924	Miemjaci.exe	107
PID 2924 wrote to memory of 2844	2924	Miemjaci.exe	107
PID 2844 wrote to memory of 2376	2844	Mgimcebb.exe	108
PID 2844 wrote to memory of 2376	2844	Mgimcebb.exe	108
PID 2844 wrote to memory of 2376	2844	Mgimcebb.exe	108
PID 2376 wrote to memory of 4060	2376	Migjoaaf.exe	109

C:\Users\Admin\AppData\Local\Temp\04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04b637528147e4bf7a38e4b415130100_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\Lpnlpnih.exe
  C:\Windows\system32\Lpnlpnih.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\Lfhdlh32.exe
    C:\Windows\system32\Lfhdlh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\Llemdo32.exe
      C:\Windows\system32\Llemdo32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        25⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        26⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        30⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        39⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        40⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        44⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        45⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        59⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        61⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        66⤵
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        67⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4680
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        70⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        71⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        72⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        73⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        74⤵
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1028
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2144
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3108
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        81⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        82⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        83⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        84⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        85⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        86⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        87⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        88⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        89⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        91⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        93⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        96⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        99⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        102⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        105⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        112⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        113⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        115⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3868
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        118⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        119⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        122⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        123⤵
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        125⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        126⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        127⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        131⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        132⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        137⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 396
        138⤵
        Program crash
        
        PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6284 -ip 6284
1⤵
PID:6352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Andqdh32.exe

Filesize
163KB

MD5
346ed875f71ade1a64dcbfe7571aa219

SHA1
2753fd970eb0420f44facddf4c618a2251c01121

SHA256
593d26cfc4a3c18a0971aca58875280f65b4e4cc8e03aa67ec52009e94a101fc

SHA512
3bb97ca1df26af96c72a7d9545ad01f73f19dca7d44bdb1eb105b1230c90721c42e07dd1a85963df75cd7a2e295675f6136ca44bdd3cbfa86fc38a2ced4692b8

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
163KB

MD5
a68f9c1a4025e19d3f0fe2d4bf76bc19

SHA1
95a378da644a52fac3067595351930ab1810bcf5

SHA256
bbfea1a39389e4b8df3081daca316446597b79413d15ece3ce203d8d5a2d0649

SHA512
837ef93d5c5f56647cd9db3cf6f23fa9ebaa9b0ecae42fb6da824646db9777b4902a9222132d7606fb69a6ab0b92b1cab93001475c902e40d5d3436e37623538

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
163KB

MD5
3da341e38eff61a117969bb83d062b51

SHA1
6984e511dbb46f471b0791e0b9a7146508294221

SHA256
caff183cae7551362b89c4377ed3cf189bc2e85d2e8bd65bb7753b37842c0697

SHA512
5ef360fc63539c6e93eafdf52556c374a41ba5e5f8ff3d80690e27b011c08cd09644ebd484423066de38588e32506c9d2d52f3d43c8dc4eba7796c8a0e54d572

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
163KB

MD5
ce0d118bd49a197789e487c800140d45

SHA1
2c0cb24d5c895f6e44f237e0c2f3ad997385c86b

SHA256
661085f86d7fdd685748c8e0ccce8f93d06bf1750d2567e8932ae1566615b3f6

SHA512
08bfe4d96442eb94ca6efc50337e381ddf1e6c4b2ec1a94ab82e261338c0cac1458a9f19c6827316df2352f8d13e5e21fc2670dd4687231564870c8227aaf6a0

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
163KB

MD5
e3d15a90d28de3518138cd87b7164a6e

SHA1
2df2ae9cf477fd09244e9769514ba1837e9d009b

SHA256
5c0f77dae669845703d00b39a0ff618e58711efb9658a7afede842458d3f7ddf

SHA512
61122b703c66c3f3c8f4a49c69a7691b52ab33806691289542c6a6d3440ccad81f783e3197ad3d0e0abb20ac6f4004955aded8adf63dcb58dd367043e4797d0c

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
163KB

MD5
f2d10c8d16ee14068112b9d8dd1e7a0c

SHA1
1a233ee6214c24aaeda22eed36509697cb824863

SHA256
998c93f1f049cbbcc05b0741159574b0917952338ae27b343da723789683012f

SHA512
ce28a4dd44103747d01a0674d4179abb3545706b41beadbc18b62ba49f0f2f21134f61b7c4c1918fb412ebe2b3a8610616f02465f15bfbb0551f6e5919af8717

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
163KB

MD5
83013e6f061c9a7cb724385fb6b966ff

SHA1
5402505157f429f6386707102b51b8c801471604

SHA256
1982a65084f40b559c76de1f5aefce767577f5491c051fb2582f84d6c4520084

SHA512
fa682ec4f6db8fdf3c44791ad0c64839f0c73da8d2f1239dff80b0dd6383da79492cc6264654b1a72be202cb17e23670305dba6689241f402b56359c6d2a59eb

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
163KB

MD5
382e430e48b379ff48c8b52ae43ee240

SHA1
926f1326eed6886617a82f860cfe01a5310827e3

SHA256
e7598afa7348ce760cc63384ab3d96acaa02db066d213995dd0ab81b65d09d20

SHA512
40fe97b406281736b02bf464883ac20d4bbe27049cbb050ec2db751e36db3901f4ad6b4c3edc8168ca7e978f4e04555e745c5a4c2d0a6674115d82b505a0a72b

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
163KB

MD5
e56484864f98edf75b51f9439eb648b0

SHA1
a0d36240dc1d0d1f5159d9a4bd7405dcde14cedc

SHA256
ac0b3968adb13f0813bd9f5afceee959c92964caa7d4479f66a0b3ee89d77e7b

SHA512
658078e3d9c4a422c4e9284cfc3594aa514f0b4f896cfe69e02fc17d4c6540f9339e6402311aadb158cb0314a1443aa90b43060feba8de735cd78373ff05a5e5

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
163KB

MD5
1a4207f0ab693e206392d72de079fc33

SHA1
98c8ae13a46bb25847427e163edc09747e716ec0

SHA256
57657506cab6604fccec80000b13957a501fddae7ee92ca8568534d8e225be50

SHA512
082b1b4144886d10bcbdaa60e687857616705847b77967b90f88d3039cb8364fd70de088550f47f6311682ae9aa687faef7b68e2573af9c4ae1599e591fd19bc

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
163KB

MD5
c445cf40e346aa6dcf2b132965fe4d90

SHA1
ae0e9fbbca4892f495e5100e867fa34693369a11

SHA256
8cd1896fb7cbb9ae27f3a4bb841e2c1982861ce7ba7ee94566d7e0eca6c6f376

SHA512
9cc6c57281e49614ea86688095a41a37a3520fff8375d20cf9905aa520c2cf3d14060b9d44b123eec20ff2ae0fafc1538384da9483cd0dfdf57bb9ba2b9d2888

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
163KB

MD5
05acebb34a9dba3a0e4a82c0b08a9064

SHA1
6fe3c30844c3bd7b6a61794272e3b39ca306d0ac

SHA256
7e04fab8c121382768fbbf5ecd27eb7596bbc6eea0d0c3e1cb30f55d1e5bf4e1

SHA512
d4c0bb2cc177ca66597ff174f6be9d8730015eb59be6c4c33163de2b8ec8741203bb3fd6833e4764010132976da8007dd18d82f031aaa9a338381da849891865

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
163KB

MD5
6d4c4bd25cab4666089731065a4e871f

SHA1
a35336a85d47d1065d9c7b8a67990c33c110c0b0

SHA256
3b366eee7c8254cfaf8607f83f83e42fb0b2fffc9a479b8fcac9ad1a52e47147

SHA512
4284192ff049e290b1a9449a55672c08c67ad9688d00311e20d5264dc95eb4418141291a65acd88b6f715f8e879d18d8d23adbae3d506893de4b97cb942881bc

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
163KB

MD5
d4b1c2373e084e1ce8c7d50a01690a80

SHA1
e12dc5068efbb29b09e3b2ce17948b23c37f6b51

SHA256
804a289179ab29dc25daf9af3f97d4031c96a912acbe4ff06bad1d4bc724e6a0

SHA512
387ff887ddf111c7ec583e6913c20678265df2a64adbd063a4710606cf4f5fa23b8b1d5b67b71f04178724734f172f2308d31cb93d5197276f4bbaf75bc0abed

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
163KB

MD5
02108eb8fb7934d2eaef30d1a6a6ba03

SHA1
6285d123dcfe0f3b101d6922188a54a2a5243b50

SHA256
5cade56e1bd0c14046caa29fe723536aeb09124edc73d045524bff77e7b5f3d5

SHA512
33f083eb72a5fa280289550a4900b1803e1776bb97d148d41c03413d56f6d658c9f93634ae9d6cd2a1ce433df0800bf88952fccee5504ad7626da701952dd7b2

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
163KB

MD5
0a237c7e1daad2913cc1a03288d39b98

SHA1
cbac051e522602d80d84437c306887213c7ac936

SHA256
25c627f612bb130c1519cfd24987eba4ddb181c8df4473c34d626035c188d2df

SHA512
320c73c3097bea09dfa961bb131546d1e92aed8da9e51a5914f4578e56b71ab4b2e5406a31e3a64ccee1d2e18d2f4ddd0d1ea14d28779b68319e51e845c943d4

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
163KB

MD5
115f1f4ae850f268faccc8ce33e07847

SHA1
a00f864a612019adae3ebbb57d6de390f7eb9806

SHA256
23db3130f1053952079ae7dffba036b7d1b5a640ec47ff06f2462f13de63d7a8

SHA512
db3ed37df5c1fba7801784a5ddd51078278b313a0ce05efc214a5d38beca682f96f4692460a1314f2ad5705c1a8afd77bcac9204f132ed253877ae9d148b08a2

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
163KB

MD5
fad62c0307889c0dcd73174279367e55

SHA1
5879221d7f6d44d8b48cba051ad2733a5e38936e

SHA256
e4679017f15b4a95ea6c9c63a87457e9db5a2f34c3d06f84fc637dd638883f1d

SHA512
7bcfb0434bb161656871b3901958c32209e516d9b6f6c8fdaf88eac6aa5d6fed32c8368e3817dda66e874209c785c2a17bd3d708e9338eececdb5a1df0db0140

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
163KB

MD5
4c016a0866a41c297ac8497fe7464ba5

SHA1
648f400f8f9d1f2bb28c05f6dad4c1b3d213965d

SHA256
21b5b70a4fa3d8e1f2efb394771a126e0339f75f9c6c48ac7f2c1865db6be5f6

SHA512
3a44b21ffcd03c0c6fddd7dfa694f6d47434728f54cf647b00ed7c11b3cce6ad08e19ae991bd80719a335e375aa7799c32277004a718b95cab295512ee999500

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
163KB

MD5
2f756f270e5b2f2c8d37a5e0f749129c

SHA1
cca5b8dafcc4a0c7f3926b5ddc603ce1b1504dc7

SHA256
b813a85286bdcff039586e85009a70649e880d7ba5dcd1e9e4afe4d4c22dc5a1

SHA512
d772e35c365895bc813691653c20111d8a9e1a5da57eab820b05eeaf75e57429ef7b482dfaac159a6e8ae48cfc11a1ac9ecd6b3f392ceae862b41dd102840b58

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
163KB

MD5
61c2365adf5e01a90477317ff4d68bf1

SHA1
5d1cab68a9800e6f26b58e372305c872698aad85

SHA256
23de0ec0ccd1fe2edb203ef7fb8b692f138bf4b7d39289c7ce2655ab60966c7f

SHA512
c1f7ff522a7cae2a53e4240edc160de1c6922c2773419fc27aa760542d932948036933be14ed3348be2914ccc15d852f12f4b120e4f3da8b1ebd490860e41b4a

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
163KB

MD5
a6141cf3f1f306119d127b4223fa9e2f

SHA1
ae9ef3d16baeb484557468431f3276539caa402f

SHA256
d11e1236eb099aeee937696628933de531485bdb3a4f53d1907944e4368bbd0c

SHA512
ad5274c5e9efe5d356229f82e207c2684816145da583046e67e5642a979b1aa809ee939af9333924a45682f212babdfd6349e9658456579ab28d24932601bfb2

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
163KB

MD5
db72b1b8acfc695ec57a47896fca01bb

SHA1
ae27d7da08be9a9582ead02ae2d93fffe4635aa7

SHA256
24a52979391eca57d9a7f6e5e2e688051e05792a5ae87b1ff509ea99fbf26141

SHA512
61b1ae1e3e1f62a56071c694b5154b1a753d99e46513aaf4b3b20120a85241e89e365bf3cdf011c9eb9c2ae3ae757c14e8727707034a85370c95d3804ee372af

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
163KB

MD5
10fb22d59837fd8f87a604cb7e05fb55

SHA1
9d2d3c3e991ba5da9d71001022c51a48a1e81985

SHA256
896dcb54e6706126d2c9a6be03255e79a6036f9a56f08e21b61c68782e0d563f

SHA512
1ad4ab73b2d23adbdb73c421f137fcd7133085605d9ecb1e5cfb732bb7c8121a286caa4900b63986b505ae2758d8d40886556c07b992e40301579a764a82c59e

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
163KB

MD5
57a69d70c7496d222df6e5cf140779c9

SHA1
704bed35bb6121e0d792aded40f5d1f99ff14d57

SHA256
365f13a9dcb27b90353cc1dda25b1d97cabab93941afa75c20029383659580c9

SHA512
60cdebc31de74551f7eca8ce6694865ba89358606657f5707aff647ce7189926acc2aeeed09ad6ed57251ad9a842310155f1bfff0379832414a614c6dc9ec25f

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
163KB

MD5
938348f2173fd9fb036853ddb6753b5c

SHA1
92f402951d61e52616e868e4fa750a8a89469cd4

SHA256
64438fcf3bc0ec74a5cc7584c02d8415b187b870387f820e142676dcd428e6aa

SHA512
736fe056af85a1c8c39c41dccd87e0c7b5719dd17f33b4aaa2054f55f4a5f2c10d371bda3c14001d95f2eda31c30cdb0df5686c0eb8a06e824342772e45ca314

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
163KB

MD5
9d7f0d9b34a090fe34d26edef6ee4960

SHA1
2ee153d15e9263d942e203930c9cda032cc8cae7

SHA256
e321dfb14b85562e3fe77cc5b85be0f46b93cf5347c5ae3ef03dddf5840e20f3

SHA512
1a122bf60b4f0b7a55020f582dea5a9594b99711c83acfbdd4e38125c3f64fbf0b6801031e8e7489160f4952a165dd45417ce2711c139a0921a4ed6ca698a538

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
163KB

MD5
520d726df0ddf9cbda5f7e54e2a79b21

SHA1
c9239b76184571bd0590df00053c798303551cf0

SHA256
f628ae9b41a4a80cf62ccd1ecb34a553113c0f85d5bb6ced3a65bcb26710c0f3

SHA512
965c6583e87f54276bfeaae92435f53cca64803fb89a434c1d7f23bd8d7c9d27b4428a641a423369f30f455774e0f2c2954ce33a288d72aa56aa656f5d8232f4

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
163KB

MD5
dcc2d0a26a033d5b390c6e84ea2b2fce

SHA1
da136aa1489312becfd87307809d39a940f4e869

SHA256
0787fbec2b80e27f94626137f4829cfb583d8197a58c55ef7d7608a31b358247

SHA512
cfe76e5ec39afe0bcbe5e872603b26dc620d312090cf4780f387ed842f0a71c0e61d7fd3e70bcd516959042f915bf8e5bd4a65a57b5abb2b9d60d0c95ca8dab6

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
163KB

MD5
17f699cf56cc9f004e35cb2c355b970c

SHA1
5efc56d25e2fa163eef6ee82ec063fa5d1015c22

SHA256
66946e5fe0c07a0478ae030e1cad7214361c3f1213843898df2dc3dd8844c18e

SHA512
0092cf84c210b86877f87e77a4570e7800a4d0f3a7aac4d016e21cf8902d5d2910ce1b1246540d135686a7ded44f1c322c05ea7c60dfebb50a391c61aba0d47b

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
163KB

MD5
a0e1205d13602ccb43474b9685c3550e

SHA1
4aefead729a4f8ed56c9a73f02a4ee9fae4bbbc1

SHA256
39de2e69f552045868f5156d31b816162c240aabfc5787a28ac236b13dc49f26

SHA512
790b8e1d5102c51f78a8d75684f657f72ca686f99d1219a3a7828fc04a2406efb3b16e39ff1ac6c7831684ef1c6b6718a2b05cf83473f0c18b4a6c7a9707f8c8

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
163KB

MD5
93d1819be02c29f0d81a1cc47eac8b5a

SHA1
c71842a3c6d38200645790a00cf206ac6e1c4acf

SHA256
818f497da3e56927d5851104b266ff479ca9840c4ecaf2c33148289316fc1b5f

SHA512
1ec6c070a255a1b2a0d86d20df502a8a97d3a0d2ee84a2a7c6bdefb5ec7aaa78791d18aec9e91de217319c4ce61382047bed3645fe8b74bfc2d7496be5184cc7

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
163KB

MD5
f65ff08470ac93d664be509da241bd15

SHA1
a5bb8cca9f4ea14bcdc95d95595aa24d9be10c5b

SHA256
d4598f494aa4e569a43623715cdb7d647f0ac2d97a2c35f124269d053f903ebe

SHA512
801f9a6f89fe402999b6ae8aafaf1c5d505e0c176fc74d60268fefe270c9567a68d13ab18807bffeda6fd357e13490a1c7b5d7df18d102c2ed8407db02b143c4

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
163KB

MD5
5c71726e6aa3b3a07c67fd1b314a21d7

SHA1
7f33e5943888d1d447127f21df29c20b5d04ebbb

SHA256
6fd75571cbc357d5d2551ab496d47fb2a0dcdbe87e4627f6e14c6f39dbc950de

SHA512
4582842554cf790f9fc3be77b0e0be46009ef94595fa2eae3dde8850a9957c5f3df49fde6ddf2494e11fc32a9c0d1d6dac98f9f90eb34a3d25ad72fb1c85d557

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
163KB

MD5
c9d50b540c97e371918e28dad1641013

SHA1
fa5689f010133b5f3824ba41a32c20af39dfc47e

SHA256
230c9beb77f0eb660fbddd10828313bc89cedf0e11064713ab2609d15adfa962

SHA512
d7565d320dbce0709986fb3176b76d7cb3ed065d82b611fb80d0c00f57557072a44807ec0314d9036822b19ef1d1550511d9fa3d57eb97772e2feb8d316954d3

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
163KB

MD5
479d776e63b849bb533766c435c23372

SHA1
755d55a76c7bd912ea2114f437cea1bbfacffdd0

SHA256
7a474622c676ac4b3dbfbcda189ac6f99a6c58892e80e5991c6ffe00cdf2dbdf

SHA512
87f1a3387b9924cf3fab98958e54b378539d576f54daaa773fdc2dcba8d759e47763b3f376ee5879d245cae2921c7bad995dc383b24b9aed3442a280cffbf553

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
163KB

MD5
0f34fe7c2b910b49ca67cef6fb7fe1d9

SHA1
f3d7c8f6aa53ee0f2f4a674fb0c3ef25d7307852

SHA256
689858fbf192575d53dff4f8132374a74349a0576ee5504d7f7695ad6d9ea7d8

SHA512
6be5d18fa0331faeee6f81c88d12de5bc5df6b0242108a6ecac53e9caadda06cb00b57edc8b1efd15f9cef95e809e30b6fccdb90666018cc495d6860fee39e45

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
163KB

MD5
4afd53ba201ded674cb2652b0318d60e

SHA1
28b3207b83ebd8ea4a7d4ff1ac082601c76dd402

SHA256
e2bcfd8680df680d196ee7c8d58ac90d21ce1425cd4cc776c6c6c90ee2cbeccb

SHA512
fc1066b5ad9ada08606844d3e839fa57ac99448a122cf03748bb3cc5bd6a3fbc838cee910c45095a114b406d29b054b05f3b46854ff544846f754d242c1581f2

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
163KB

MD5
34f7f20ef770f206b83092c78758a51e

SHA1
98e0b722cafd79556e539d03c3ae345fbc988e3a

SHA256
1e6d0064250d081fbd063c8a221b96750f9ecf32d3c9ba652c7cb3b1c98e7584

SHA512
5302c99841ee8f24b77407cd5c764db0f4f3dd1158bbda8e8fc953d41104d98762723ee4848347572b6874165793726c2d88ff67258343353bc585b97dfbda01

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
163KB

MD5
88fe97c3a4ae895bd97c632b2421bbe8

SHA1
6af8ea1e9b75483847a5c5e1f97f76780297ef79

SHA256
ddd1d9b7cd80688bf9a61266a950991aca6ad4b9b37893909398842ff355161a

SHA512
9176c16538b5a2532a6cbff8fcb3bbfdf436ba26ca5efd5451c436ec9d07ff3bab8461441b80d6c63e2ab0a548e7efc5b120548298f1948e9526bccd7fc376a1

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
163KB

MD5
95092c4a8a4ebd16bd83b6c20123aa24

SHA1
49886162ad318e311a627ec894291e6dc82ca072

SHA256
c00a096f16df08e2c03280fcdc173fdfacda3a182dfed05e1aec152954496e8b

SHA512
403cb4c3ec922f54aa0b571408bac66ac6aba84f6f39723e134dc0e56c32542a735d365599734c03dc27ed196f4e968b18563bb9699a485f5882e24d1d122a9b

Download Submit
memory/8-312-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/384-198-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/396-410-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/536-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/536-538-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/540-358-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/640-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/640-546-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/668-260-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/944-607-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/976-427-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1028-497-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1076-428-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1140-144-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1140-1142-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1280-253-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1292-289-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1456-545-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1456-8-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1492-207-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1812-416-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1864-1074-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2128-329-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2236-379-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2240-614-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2240-86-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2376-167-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2384-539-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2472-187-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2632-310-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2712-127-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2780-119-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2844-159-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2900-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2924-151-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2972-520-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3108-514-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3172-439-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3224-404-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3296-222-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3352-223-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3488-381-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3536-327-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3560-110-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3572-250-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3740-392-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3752-39-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3752-572-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3784-48-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3784-579-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4000-452-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4060-175-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4108-191-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4112-474-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4172-628-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4172-103-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4244-243-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4248-355-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4256-1026-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4256-513-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4288-490-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4296-341-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4312-295-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4320-445-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4352-24-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4352-559-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4408-393-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4420-72-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4420-600-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4420-1159-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4444-491-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4624-526-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4680-467-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4752-287-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4792-95-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4792-1154-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4792-621-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4864-593-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4864-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4908-586-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4908-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4924-1018-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4924-532-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4988-364-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4996-472-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5000-565-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5000-32-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5012-340-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5032-272-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5056-266-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5136-547-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5204-553-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5288-566-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5332-573-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5376-580-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5428-587-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5472-594-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5512-941-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5516-601-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5564-608-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5612-615-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5664-622-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5708-629-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/6116-974-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/6196-910-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads