de60353d0709ac9dd00abe8c4795f9990d8943f9653b3d81e702953fb708a653

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5b2d471bb79394fb383823f29d48fc0_NeikiAnalytics.exe
Size

74KB
MD5

b5b2d471bb79394fb383823f29d48fc0
SHA1

6973042e1c359d9d1911ac6ad3ca4da94e02733f
SHA256

de60353d0709ac9dd00abe8c4795f9990d8943f9653b3d81e702953fb708a653
SHA512

fd78a75b446eca75076943e8f3e5e131bd264de85ea768dd48e33bd57c0e1555d0479d12f5d729ed6afdf68e501439a96d69f61d9d9b6d5d37e035ddb867fd3b
SSDEEP

1536:7cTIb5T160oGTQ0X9b5XGZLh3RTcmZPVYmlAmVEpG:YTmn1octQZXTcmZS9hG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe

Executes dropped EXE 64 IoCs

pid	Process
2996	Lmgfda32.exe
3908	Lbdolh32.exe
4324	Lgokmgjm.exe
4356	Lingibiq.exe
4344	Lllcen32.exe
1736	Lphoelqn.exe
1152	Mbfkbhpa.exe
4896	Mipcob32.exe
1556	Mlopkm32.exe
4804	Mpjlklok.exe
2628	Megdccmb.exe
2556	Mmnldp32.exe
5100	Mdhdajea.exe
3156	Meiaib32.exe
4588	Mpoefk32.exe
4212	Mcmabg32.exe
1508	Migjoaaf.exe
644	Mlefklpj.exe
1304	Mdmnlj32.exe
4192	Menjdbgj.exe
976	Mnebeogl.exe
4808	Npcoakfp.exe
4040	Ngmgne32.exe
2632	Nngokoej.exe
3356	Npfkgjdn.exe
2172	Ncdgcf32.exe
1724	Njnpppkn.exe
2856	Nnjlpo32.exe
4768	Ndcdmikd.exe
376	Ncfdie32.exe
3916	Nnlhfn32.exe
3160	Npjebj32.exe
1400	Ngdmod32.exe
4788	Nnneknob.exe
3516	Nlaegk32.exe
4388	Nckndeni.exe
2220	Nfjjppmm.exe
4932	Njefqo32.exe
1696	Olcbmj32.exe
816	Odkjng32.exe
2612	Ocnjidkf.exe
4444	Oncofm32.exe
4104	Opakbi32.exe
2604	Ofnckp32.exe
4080	Olhlhjpd.exe
780	Odocigqg.exe
628	Ognpebpj.exe
1764	Ojllan32.exe
2572	Olkhmi32.exe
432	Oqfdnhfk.exe
1128	Ogpmjb32.exe
4952	Onjegled.exe
2664	Oqhacgdh.exe
4016	Ocgmpccl.exe
4508	Ofeilobp.exe
3792	Pnlaml32.exe
912	Pqknig32.exe
3316	Pcijeb32.exe
4396	Pfhfan32.exe
4940	Pqmjog32.exe
3140	Pclgkb32.exe
1332	Pjeoglgc.exe
1148	Pqpgdfnp.exe
3484	Pcncpbmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6044	5788	WerFault.exe	223

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2996	1652	b5b2d471bb79394fb383823f29d48fc0_NeikiAnalytics.exe	82
PID 1652 wrote to memory of 2996	1652	b5b2d471bb79394fb383823f29d48fc0_NeikiAnalytics.exe	82
PID 1652 wrote to memory of 2996	1652	b5b2d471bb79394fb383823f29d48fc0_NeikiAnalytics.exe	82
PID 2996 wrote to memory of 3908	2996	Lmgfda32.exe	83
PID 2996 wrote to memory of 3908	2996	Lmgfda32.exe	83
PID 2996 wrote to memory of 3908	2996	Lmgfda32.exe	83
PID 3908 wrote to memory of 4324	3908	Lbdolh32.exe	84
PID 3908 wrote to memory of 4324	3908	Lbdolh32.exe	84
PID 3908 wrote to memory of 4324	3908	Lbdolh32.exe	84
PID 4324 wrote to memory of 4356	4324	Lgokmgjm.exe	85
PID 4324 wrote to memory of 4356	4324	Lgokmgjm.exe	85
PID 4324 wrote to memory of 4356	4324	Lgokmgjm.exe	85
PID 4356 wrote to memory of 4344	4356	Lingibiq.exe	86
PID 4356 wrote to memory of 4344	4356	Lingibiq.exe	86
PID 4356 wrote to memory of 4344	4356	Lingibiq.exe	86
PID 4344 wrote to memory of 1736	4344	Lllcen32.exe	87
PID 4344 wrote to memory of 1736	4344	Lllcen32.exe	87
PID 4344 wrote to memory of 1736	4344	Lllcen32.exe	87
PID 1736 wrote to memory of 1152	1736	Lphoelqn.exe	88
PID 1736 wrote to memory of 1152	1736	Lphoelqn.exe	88
PID 1736 wrote to memory of 1152	1736	Lphoelqn.exe	88
PID 1152 wrote to memory of 4896	1152	Mbfkbhpa.exe	89
PID 1152 wrote to memory of 4896	1152	Mbfkbhpa.exe	89
PID 1152 wrote to memory of 4896	1152	Mbfkbhpa.exe	89
PID 4896 wrote to memory of 1556	4896	Mipcob32.exe	90
PID 4896 wrote to memory of 1556	4896	Mipcob32.exe	90
PID 4896 wrote to memory of 1556	4896	Mipcob32.exe	90
PID 1556 wrote to memory of 4804	1556	Mlopkm32.exe	91
PID 1556 wrote to memory of 4804	1556	Mlopkm32.exe	91
PID 1556 wrote to memory of 4804	1556	Mlopkm32.exe	91
PID 4804 wrote to memory of 2628	4804	Mpjlklok.exe	92
PID 4804 wrote to memory of 2628	4804	Mpjlklok.exe	92
PID 4804 wrote to memory of 2628	4804	Mpjlklok.exe	92
PID 2628 wrote to memory of 2556	2628	Megdccmb.exe	94
PID 2628 wrote to memory of 2556	2628	Megdccmb.exe	94
PID 2628 wrote to memory of 2556	2628	Megdccmb.exe	94
PID 2556 wrote to memory of 5100	2556	Mmnldp32.exe	95
PID 2556 wrote to memory of 5100	2556	Mmnldp32.exe	95
PID 2556 wrote to memory of 5100	2556	Mmnldp32.exe	95
PID 5100 wrote to memory of 3156	5100	Mdhdajea.exe	96
PID 5100 wrote to memory of 3156	5100	Mdhdajea.exe	96
PID 5100 wrote to memory of 3156	5100	Mdhdajea.exe	96
PID 3156 wrote to memory of 4588	3156	Meiaib32.exe	97
PID 3156 wrote to memory of 4588	3156	Meiaib32.exe	97
PID 3156 wrote to memory of 4588	3156	Meiaib32.exe	97
PID 4588 wrote to memory of 4212	4588	Mpoefk32.exe	98
PID 4588 wrote to memory of 4212	4588	Mpoefk32.exe	98
PID 4588 wrote to memory of 4212	4588	Mpoefk32.exe	98
PID 4212 wrote to memory of 1508	4212	Mcmabg32.exe	99
PID 4212 wrote to memory of 1508	4212	Mcmabg32.exe	99
PID 4212 wrote to memory of 1508	4212	Mcmabg32.exe	99
PID 1508 wrote to memory of 644	1508	Migjoaaf.exe	101
PID 1508 wrote to memory of 644	1508	Migjoaaf.exe	101
PID 1508 wrote to memory of 644	1508	Migjoaaf.exe	101
PID 644 wrote to memory of 1304	644	Mlefklpj.exe	102
PID 644 wrote to memory of 1304	644	Mlefklpj.exe	102
PID 644 wrote to memory of 1304	644	Mlefklpj.exe	102
PID 1304 wrote to memory of 4192	1304	Mdmnlj32.exe	103
PID 1304 wrote to memory of 4192	1304	Mdmnlj32.exe	103
PID 1304 wrote to memory of 4192	1304	Mdmnlj32.exe	103
PID 4192 wrote to memory of 976	4192	Menjdbgj.exe	104
PID 4192 wrote to memory of 976	4192	Menjdbgj.exe	104
PID 4192 wrote to memory of 976	4192	Menjdbgj.exe	104
PID 976 wrote to memory of 4808	976	Mnebeogl.exe	105

C:\Users\Admin\AppData\Local\Temp\b5b2d471bb79394fb383823f29d48fc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b5b2d471bb79394fb383823f29d48fc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\Lmgfda32.exe
  C:\Windows\system32\Lmgfda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\Lbdolh32.exe
    C:\Windows\system32\Lbdolh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\SysWOW64\Lgokmgjm.exe
      C:\Windows\system32\Lgokmgjm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        30⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        36⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        38⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        47⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        50⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        55⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        56⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        63⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        65⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        68⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        69⤵
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        70⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        71⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        75⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1576
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2468
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2524
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        85⤵
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        87⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        88⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        89⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        90⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3644
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1536
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1572
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:204
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        98⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        101⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        103⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        106⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        107⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        108⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        109⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        110⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        113⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        114⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        115⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        117⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        118⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        119⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        120⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        121⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        123⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        124⤵
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        128⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        130⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        131⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        134⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        135⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        136⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 212
        137⤵
        Program crash
        
        PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5788 -ip 5788
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
74KB

MD5
f50cbe180fa49192b55f3ca2da2131d4

SHA1
319caccff285bd13fcc35db80409763fcef263b5

SHA256
e02c1bb6748dc971ad5e630ea696716fcb38a33913ad655fc13dd8567083de4f

SHA512
8b01bae7d3ec55a0cd2f9a0cb6d99ab300832845e22dfd8516d6f36fd98fcba2dc13d0e7fe7a964fc0064d817596493405513aeca966d3fde05e9308a95d8abe

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
74KB

MD5
4f227561f5e9cfc0270a3fac673398ba

SHA1
fa8ddb632da506f31dcd41432738cce39b5f6645

SHA256
8d4107c4f84fcc3e3f2ace9d19a96e72b9adc1ae9d9468e06505699508294ef4

SHA512
5af165c9c6a87f22d308fb60448ddd637d25c802ee224e6ed3b9bd4057c99868d950c4bbdb8c5205c756c8db43a9e6e362e67101d9f7d13a4c633950ae625cc7

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
74KB

MD5
7132d5ea004e9d03234b0c248752a6db

SHA1
577dbdada2da73c5b4f7bb31e875e7529058ff1b

SHA256
512fd55787fe89dac2dae01f94851bc3366a53305568491522d522137cb0ba30

SHA512
a5675da7fce76b5b5a329ff5325afe2fb44eaa07ecf50215476f16626e0a3f0c736532b36ef703a3ce62f8e02d3b029c4f0ff6e2e06591b6b8e900b71d87560b

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
74KB

MD5
6fe07de1d9e2613acc2ef9b6bcf70d9d

SHA1
eeabf45e34f1ba90e665dd29b92cc08bea050ffc

SHA256
1ab51c8a7b069b2a7ea5f79a8bd8d59fa47a074a1adbd875edcc4a7e85c2c879

SHA512
05da9198c043fd8d3aa9aeda72b53228917b9eb92e7aa16250a1bce6382850a9b1344735be222bc13b5d24a58290320d3e4381b13de5ef3663ef343fcefd0c2f

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
74KB

MD5
50b2257316a758c85f2e0e2c63606f42

SHA1
e97dd3d098227f167ca8f505d294e8a58842a26b

SHA256
8f126986f2081b929e8cbdfdc3fe6ae3dc1ac7cbe9ac0555b30cb8a26b78688b

SHA512
6940f8eea453b6944b98446e34628f965ed6d79f296c7c84380c4b952f6f33d14973b89a9ef3ac6835144e44765fd1526d813df6443437e9fa51d39b46853edc

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
74KB

MD5
49a7ca1532e70e3e4d9ed396c4276671

SHA1
a7243dbcd3d4d76ed839ff4bcb749560e9c9db8b

SHA256
2a6a1094e1d7a2c5e3c00f98a61ba9c783d5c9a982ecf1c85aee75c48e120958

SHA512
02abda9fa78c2fef7481f3b06939366d85cb2310926d10c6d5aa8e5563f62ca6abfd2f46eecfe4b051abd56b2bc3ffe5acdbb19a1cf42f981f88b2d175859210

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
74KB

MD5
ec3b6ff39c4febab438b72b265525c0e

SHA1
7cfceb9b3eab6a875698c60aef7ded7a7bb2b31f

SHA256
9d0a36b77c0597881dd705b209996b2363ed7f5d037fde94873057611e28b40c

SHA512
fd760db6bce99a8fb48f746031a0794c825066902b9d843da56be9334b86ec17a570945e3b5837817f9f707e815dabe10de836759d3560fe884404c9292e8d6a

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
74KB

MD5
1c5f190b76c31be7fe4af964cd86acf2

SHA1
4fcd2e08214bf42f314e51997855ea71b6f0ca23

SHA256
927147c914b5e595fb16ef60d2b238b13dbe237aaed9515267ce2b48084f4e40

SHA512
5b5c13f4e6f573e1422fa36742f12073dd79da5313115f32fb709e9c7260e361abedd12e57412e57754a3e365bffcd9ba75804cdf6d6cf0912c0d600fe8cf2b3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
74KB

MD5
af1336def392bd694cb315974d37b08e

SHA1
13df14cab762531cc5a925d2aa5ebb67303dcf86

SHA256
d191ddebaee671f8762ab014674ca6aec8a0e39ddcac3fd4b4cc6a3e106a64dc

SHA512
1ee8db018fb46f618820bf5304ef12a7ed9281f33f658374ec62412fb17374780efaa62aaffcbe6c02cb9d115d91c2a61ea08f2da1c55b0aafa7e025684a859b

Download Submit
C:\Windows\SysWOW64\Ingbah32.dll

Filesize
7KB

MD5
4fe158f14a9c3ebb51cd5fe816476209

SHA1
ad8b7c395ccedd30abeb79d7cf333d57a4513f0e

SHA256
0d5fcfed598b69a9d376a758fc4c6a2921df6311da2c21fd03af153283103edb

SHA512
fd4665caa0e4163648cf247ece04af212bcfced7c46dbd6dcb6abd1cfcf0bd629ccfc08f130c176810ee345c74e0cead7a7cd803ca8962eed8d1f1ec3f17505b

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
74KB

MD5
f50a111425d217d00d6178dbafd86537

SHA1
2a54963dc7b22ee203a5edc23c6cddcccc150fd2

SHA256
5c4a50d0e877fe1a51dc0f4f9d8de510ed44307c3ae095831e3c2960f0eccdbe

SHA512
4084aaf8e8444e97535bb90561212c62c7d44d1a8316387bf6535e139ed64353ebf9d8e0c9f95ab2594dae9faeead4bc2da378801963c302187bad125f5f9e0d

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
74KB

MD5
3e61719897e1bf20ac61ccf36265d9d7

SHA1
99d7b44658942cecc5e09f8b4a5a3e4b03de0d3c

SHA256
9fb2488b3169052de5d93e94720637ca5491eb634bbd5e13ffd494ab8d7ee62e

SHA512
4dc017b581a62b165f0467c064aed09fc7a4992b6cf1f33d28073c63af7cab2a6d66bdc25f61ade9182ce32491f2cbe365ee8fc0a8c5553a2c6bf155d0f1a82b

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
74KB

MD5
f7359062f21536c4970d432e90b9bd07

SHA1
9ce43836ba424b1e72c1cc98b0e5204b8e0566f7

SHA256
a903247f6cacecd3869ae2f37ae9d7f5be601ce2ef57d1cd3448b37b598f0e3f

SHA512
0472629dfcad2a1aa6184f4d0704ab088287ec40c4f44a38448d09383a53ad2e7ef7720322f32c92776cb5f703b79d2b8211af405dfaa17e30c60951053b2be1

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
74KB

MD5
28eabf7251b407a3501f56cd48824d27

SHA1
9229cc4964054cecdfae7c7e22bfd60046885ee2

SHA256
5711e45af19e3712ffa3c7125216ef9f6b4182db0c8a55703e10d783e147e815

SHA512
b4b38e0a2b80d82f3e23f85d3b8938b3ae3f3ab51c7a2dca40d4faf874201cd4f92d767312eb45eba2d28d872451f3da89c24a1115e8341bfa96f427ca3f36a4

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
74KB

MD5
3b52ab6cbfd6b3cf78912af0b1e784d1

SHA1
68c6eb97c8e6aacaa5fc2ceaeef7dd78112daed1

SHA256
3f4b3caf79d2b0f87812937ae3423c8b44b352802d7835d4b43e793d829137cc

SHA512
1669b0503b183ac6892a422288ce2b96c30f7e5a8dcc089bbb168da99b1b6a74210de6a085c9dd1bac9f7b1fe63b6ffbc187da8e6374f25edc73016e2363eac4

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
74KB

MD5
993c907c080bf8a49a3a38174a7476be

SHA1
91db3078a7bfc6eef8a45427d685f7ae36caba48

SHA256
625850b8c74cfdb9efc94786b727c66c661e42dc4fe38fa96d46541f2a916876

SHA512
b45015f323978f09fa7045ae156691ff8d63247fc7abb31c414ef23ed6d35f544eced96566ee104e7e080221d76c6c6352dc29ddf074893365ab0dfc0480642c

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
74KB

MD5
919a641624c3ee393823cbff0e61f1c7

SHA1
7d6318984c7ee0efa098160d381f0e9d10da9b8c

SHA256
7fa75ca4657d70fe68cfb11e582021bdcb8d9fbce68b257fe92fb40caf795492

SHA512
66ed863d14b83855a68b5085e62185d2b2190dfe0b8233bb5f09595482321e9042a22f5356a4bbacb0bef4ce7e0f38a06df705be2930a971d6717b7d85cb40ac

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
74KB

MD5
97172b1f660a47856488e1e0875eb3a1

SHA1
af224f4f98a305543abfd975d1da6f5a13cd39c3

SHA256
0b15e8e6f3e4f1dc6b8c039c651561270a2bac290c0a3ae9c26cc6b7c8664d54

SHA512
16aeb22d806a9ba5ce2aa0781317ce9902675ab8f4c178eb184718fedf7e0eae7744237a81783e654ef43498aeaec50215371f360609de8bab8f1bd3238b99ba

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
74KB

MD5
42ba95402d93ec3ca8827d065bce34ac

SHA1
1ba3a08105628d294af2f81b278eef0ac8b1b958

SHA256
e615b393c57df54e83b358667230523f9bcc6c305c5af8c158fd45808b697dcc

SHA512
94186531f4112d0cb228b7111c7a2491d71e416bb326a687cda4aba083c2b4221c751d88b834c5053a50213ae3376a9f3764f7f4d66fedd0afd997173a9dbeb3

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
74KB

MD5
2346553ef8554de1a65d45249024fb18

SHA1
1af8bf7d01856a532826f920b6f5d5f008488546

SHA256
099a0dc4fa5f72407644659933da716e9b691b654433dac8ee4e12d1bfff7f24

SHA512
cdf3063653c6f8873bf7939b5a95d2777c01c256f72d3beba60c1b70aee971260bb5d185c23c5a41a80d7ec919f3b2717b9e7d084bdc569c355a68b5d367e176

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
74KB

MD5
d59f814b5f84a27cfdc080c230457b4d

SHA1
3e2a0b9c7b3a871dcc432ece5bf62a0f10c79771

SHA256
55765b5087dbbc830d6d18d4d2ad8226dcfc0da7a688bfe0bc9c902c84bcdfb0

SHA512
eef4052b8a5fdf4cfc1ff66d71b477b6bb6b8415aa4e8a8464aa39cb5edbf97d0521d1f31a8ebb70d039c1750a65d3d02f3b7f9788bf9b5262e3160056435e1a

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
74KB

MD5
da6b9fb389395319071e2fc732517144

SHA1
2cdf535481212887aff0123a390744a8751c9dd0

SHA256
a64e5399f9e7d5351c52a6f9415d85ff23b103225d59350fb7e2aa54ccd8ef26

SHA512
f51a835126de83d61c6e18c1fab7203f0bcac5932835d10b680a10fa94a37a332231ec929285209b3ef366766fbe1f01712238ceff90317c0e4704c0838dbcd6

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
74KB

MD5
06edef976d03d8e625916d6562a05584

SHA1
5e3558fb049fe1118b0700e94dd439acac77ce9b

SHA256
ff19935d03a7c944fd5ea9ca63a7d9bd1265eafb54c9c97452b706c7b10d02e0

SHA512
9f161217203a09de9c45aa1bad653993c9957abbae9bcf482368d18dc839ec6237f03b8f8cff8eca2a5614c56bb7ec7192104d5e93cc32aa188617e00575032d

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
74KB

MD5
ca2711f644cec733dba553f57c25b926

SHA1
c7965d1db46efee769b8ae5a39c31a520e710339

SHA256
252e01d3ad72b900064496ebdb8479badfbd0f963d4947c3c47132a7dfef132c

SHA512
7f32cc41c5c698f828e393dc2ff7d3741f986cabd9a5f81958733501f1df64f6a6cbb154331d40e7b9ac375dc9279aab42eb4f92974ff9c0dc3e28b37300e024

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
74KB

MD5
6093ae30ba29c7d82d5415046cbf9163

SHA1
ba157d550d593d28be63d0de50b81920fcba49fd

SHA256
e8084274b78ff668235e038b49ce86932f391637e1d5b5319773cd0154027d11

SHA512
455f6295a42cddf0c8b429f033b348c8b8b267c0639c663a6b03d97078e3656a4616905abacd3cfb85a28f6c90f36d0689a5dcd9fcfb49f0456b6947788697ce

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
74KB

MD5
8101b1ab425a1b52c89593eb8a08a046

SHA1
ad66f47e734d1661cf036cb76583e11126c15d7d

SHA256
b0e31e662a8dd8dc706ce78f2d49916da89d01d1be4137d60cd1f6b062e55c3e

SHA512
f77b94a5d42056179911a586331c8f9acb4a9a509dc87c67d9794942bedb5327640b9a708e2bfa920568630cfdc4afd4fa65a806949dc722ba3f770a924275dc

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
74KB

MD5
5875a23e5b9070fc1d0f0fe2b36c63fc

SHA1
6a087f254119002ae22463039cdfc2e315f1a364

SHA256
fa3f452b88168b6afd9de1fd5882e75abfc2619f38fd67735b78a26c17dc37fb

SHA512
b252740a1f90606bf912719216e6ab87c1e1f37f6e663f0245fe0ef972df03d677491253a44db651e7fb2a5be23fd4ca5f418ac02eeb16d2269aba52da7762d1

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
74KB

MD5
765e8ee96a81ec99f7512e6600c0293b

SHA1
e348c5e9c73464f2406e9c57abd33ff2d1f4ea9e

SHA256
54ecfb0f442a673828456cbda783b3232aac0d692d7762538735ca8a37228c80

SHA512
3542ad8339abfe039c9c4e410561c327c70c5d467f9e1ce662fee3d19fcf1f7f5f9f63675a647c3e140e495f14c135553f9d15276f194a0f6aa6d74633a5544f

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
74KB

MD5
7961e889a1a57fdff986a155ac5a4a35

SHA1
5a8b848451512b52d9d7d488603a690fb8902a4b

SHA256
23e93ff2195531076324926c7f4ab6623cdd587aebfd2a147ae12f592eae79c2

SHA512
cc61206932c44a788e775ee11fd705f03737df7a83416ef7d8214459548e5ff3de9d768685814c5608827824693d51c77fe4ae252516a404d1ad883d134dfcfd

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
74KB

MD5
8bc0a52dc27299096260b7d46c628526

SHA1
658ea9b99bc2c0afff64731348f6ab53f574e4de

SHA256
79b227141414fac2cb0018dd34086a814770e1b8f991b984be66bbcc5db6cc94

SHA512
4be83ea090490d3e2d045d41f6f83876cfbc1c427752174456db4d1d2a562825c4c510c98ac5cc8406d9a448b3581cfc5fc22174e6e1af233bf24ada4440f60f

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
74KB

MD5
41c7b8c339254fa3c31754f424b7641a

SHA1
0c10817d62866c3732a310dc128867a724020ead

SHA256
e730dc4e0f6b8dc1cdd167eaf5e278f11e0970f6cdfb6ee70621d2e05b397fd2

SHA512
4b0cbac1ea01c773dbca198a936cc7a39eef3ede376e40f89dd4692f31c971579c7264b3ddd92d7c4953c45785d49c3570cce2c543b2174723e0d6603472f82f

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
74KB

MD5
81507de49f14c90db5a0380ea26ea5a9

SHA1
d3a1a3b5ab7a926074692e86110027df43549e8d

SHA256
6dab60cbfa9b3e3d106ee8af2f55ed8a15df72c31513debdae8f44e9f36efb65

SHA512
37a952cd895d75c25773cac83510b9675d06ad563219b50d1e42146aeaa0245a04b56120ddae3d152a3defc57fc39831afe955b6aa4c87ada628529160913766

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
74KB

MD5
679f3badfc3f3266ae73f39c5ecbb18a

SHA1
804de2719d08cdfc82cc2cec047ff8d648db9b2b

SHA256
187d0907defe9b76f4aa83bab7c81bdd527aa54688cac86d0ef5607cdcc05726

SHA512
7e6c44036c2a10e7ce6ec726c03f359aa3184eda918b31478485e94987edf2a7899324f3a4b0654fa2aafcb8816c0fb84e64d183fab236ed231a8bcad8a3bc8a

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
74KB

MD5
03222be941ba120004209c09b3b24c7d

SHA1
fe647d2a003ba55d5e1ee290b1c60283fd6bfbd2

SHA256
52c5cc4dd1be61019f28379987b10025440ee8a30e7f108ac477ff2539e2eb9e

SHA512
321bc44f4a6c3a5c158b664fb472632da821f03b1edbeb69af7e0d9eb849472a2c784e87403bd11a0b6ee6dd484984c5a2dcfb0bfd103001e9b4196c12f872d2

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
74KB

MD5
e477b69831d7260f40cf87d32a5ad274

SHA1
d1936e4e5bbda8727c6724fb2a072d6d67634a11

SHA256
695f09e57059ac36d6f1b5d51188287d848c1cdde3fe4a53bc26199f2a2bef59

SHA512
01b4de80ac9394fd0739ff3f42533816855f437016ffd1be6afa9a328db19e00647a9e5ae139ae500ced49d7ec2131d7e21133a1739b8da2c6d3654f2d4f4be7

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
74KB

MD5
d4fd5816181f10f42531edcb9934eafa

SHA1
c08ad8484065ed5e667c19d6c183624ef0d905e3

SHA256
14ea501eccb6387bc7b298ce040b079c27d5b32e8fbc6704a63501b66780cee7

SHA512
4bd8adc72982e2441a702fb141cf4d7ff2cade0d3cdebf55dc6d5ff5265c626af6ef6c0c521e94eae6251afa053b57aab8b6ef8c3e3162199dd53383e3e313c0

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
74KB

MD5
b57181c47888208e70249389bf95de21

SHA1
ae96c25d8733addeae57880e0a98a7ef1fe6b57f

SHA256
bbcabad8ca6f38e4e5494399658d7f68d2538f3490a9e81b5364dade66bdbef3

SHA512
d7658ac7cfa4b30c802c5b562f7846cd06f8211af5cf1e2a7a00a6999dfa058990e57d9cd0612cfba1791b42f2d8ddea696e9af3b9e29c99e5a3abc361ccfbb2

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
74KB

MD5
325076fd352705cb4afabbfdb9297bad

SHA1
ba2f10ee74243edfaadc635dda356fd3798412aa

SHA256
ac4f12caf6f2563dc1317a5424efb3c33c81a3466e7c092efea17c9d8de3f752

SHA512
f2e6f64bf34638fd0827074da9092aedcc26f2fc4c7defba31eb747e6ae9fad39fe678957a6b700c1888eed62b281a775ab5c4df3ce1cbe9c6d439fa67505fc2

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
74KB

MD5
1a19a358e16576e00c4f17b8b86c7299

SHA1
87ea621bc23c3f77ba04b57d9801db8a9d332602

SHA256
b8fe7441feb82e065cb771bd058def15acdfe09fbd6eab530ecce0e824d11326

SHA512
162168104db160e7fa148bf3e8a3c801a0b5599f09092bd92d0fdba7c6dd66aa67db4338464065c121ec542b25fc561ecda1016e28d98bc1c6428c343e1bf5b0

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
74KB

MD5
dff17875b81b3b5e38448bed4ab9a888

SHA1
95a639576a91d311226e479152e781fc505e74bf

SHA256
12cfbcf424c75d865bbb076091e3567099d2059c2eedca896c1b42c60d5ca9fc

SHA512
19db7516cf289f69c57652af2420825527185a2b3738c9660a872ca8ac80ccc8e6ef2df6c14d325dc7b3468615cf7db2d545e4e620776bead86dbab92ba7187c

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
74KB

MD5
bbe451bd8fab7fd41a0d7593f7427c71

SHA1
ca8bfa5b835bad3e76f3605d5fd1f41d2a076d54

SHA256
a510b7089c159f41a13fc118720360b566cabcd78073ff201d1394e49864c4b8

SHA512
d85d2dd319ba162d1b11d62e4bd2838a058770ce58ef1cbc8e3867100de6e9eb381e7f202b5d6bfb527cbf4d8a1627bb131ded0d90346fe35ad94c9990220195

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
74KB

MD5
941d05f7603102e8dd38c91aceb4aaae

SHA1
6ef58969797b21438ad4e3b9e93176d98a6d762f

SHA256
bf4513968dabd023da5ae9277bab2e20bccc6fdee3cd8684e2aca5011d9f0b6c

SHA512
99b9a10b31b626c1d43a92f08e7b046f39f88a9229a28b7e0de07012890e16917915cd70e9fc909c6e244baf9a5681e218301f2de8e0700347da7f96fe985e0b

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
74KB

MD5
c581e850e78cdace418eb3aa167ad6ba

SHA1
1adfad1c89aeeff4fc0e8182cf233d37651f7fb8

SHA256
bc25fbbab842f7c751a4505d521773fce19ee531457fb230fe2564961a86d899

SHA512
07aa4ee1720f5cc54af0cbf2dcec5b62cd06aed5674b41c64dca95a491f3aabe3b7d0e5d2b33fb4e712f3c770f5619355915021a2cbd91bdccf78d16be7140f6

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
0d6bbba0c4d8db1b5e85ee577c38b2af

SHA1
d019c6559fb8789c2df31283f402c481ae5fea37

SHA256
4635f3d6b9cede9435dd8c8d8e84fa092dd1272ae24287636529c18a512d6aa7

SHA512
6340f66450152d8cccfb47550ca3c82b4efece62fe1c94a9c94aa8a4c01f7e49576b171933ce89bbb3ef4799a4ae3b5dd1c2bc86c73da6f6b1d0c45f6ef44d23

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
7e7723c58b6ce8b7832bef4f8e1670de

SHA1
a959959502b10a439d8a1488409a04ba4bec05f4

SHA256
9bdb633b773c7843accdf92cc4f2295b3ff47ccc3a1886e3c26a3dbae4eb285e

SHA512
7b3233533012971f3e92bf351a99177cf3d1b7dbb504ee15223ce3d641cd59366c66494f6ce2baa881bdd3fb1560a896f9b3b67634304002fc3b49dd4bd0cb72

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
74KB

MD5
61f41c216c592cd2d4ea09ac44535d88

SHA1
1de4012271fb418b06b1e68a4d81cafff9237e44

SHA256
a7602aa0c45f55ade66b6faab3dc4b2e4f6ed0c3c2808380fcb4a78ec4f54edf

SHA512
d5c80e18c7a2d1c67077ce07224c104ec9582c3046d24d51e862b0b1b5d44873295727a0a6961095ccd926c1c9f6ecdf30077332b1c678f07b47ce068f6af132

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
74KB

MD5
efe356aaa0b1bd36fb936bd63306e602

SHA1
83b397c851cedc621e6afa70b661f50b6b55ddc7

SHA256
7c8737325ea7a02815ca5982b337f4f2fd8c5024ec77d4a228759b538b7e1b9e

SHA512
80e66c9a5c17b565a1e832be04d592effd49f424ae9e60fdd3641fe25155087c8e98cd4c6e567ef2f2f079cd2ff5cf1232bd79c0112f46bf3c405a82871fa36d

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
74KB

MD5
d40a4ab35f3455685f30f78d69e7a5e7

SHA1
e8fdc7cacad66bc1ae7dd0918ade4b49b4cbf993

SHA256
212a8799b22f46c03a5f02123e3ed98b052f38342007db0b60edc742aa0861fa

SHA512
831723f53c06bba02bca57d4aa9ee0e3dda8a8ef42b7fe24fe0dbb6c254571133ef7a8e962f9e432def10013a0e933af91aba8032bf7b2bec0d39b93a575091f

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
74KB

MD5
c9594bc9810f2a08c72501afa94519a3

SHA1
9924f0d637e1e048bc26dd64aa9961e146d0495a

SHA256
d59a51b4dfc97dda26de185db07537ccaf68224649adc90b6551d180e2668190

SHA512
5d607df05c6b0236ad80ff198ec8b32b123d5a0daedea04b61e44263cd0283ee3eb52003cafe67137361d44ad5f04ee7ac5590b42616d8de95287a86ae842b8e

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
74KB

MD5
5ab5fd2855d6fe40330ec341e78b634c

SHA1
b75d37500f70cda78e137098a1cf37aac9dd74f1

SHA256
fe893bb2de0c3687cd66093c6b8184a1cbb3245c12f64014997daef049c5e010

SHA512
136f38db0eca6517444f380fb96ddb65076b75e1c969919efb6e2d510a4200b1cfe94cbe7883656a6c31d3b27a7fa2393ddffb37733360a6b6fd5e283ae9f168

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
74KB

MD5
8ae75c685519e30a71fbb24f810540c4

SHA1
52a86488a0c729a4dd1ef2a79e8940d2a4f4631e

SHA256
9511db0fa3572957ebfada49dd023b05d7ebbbf553f9231f8b28cd4e666b7cc7

SHA512
537049856c2c59e563a87b380b5fbdff92f9fde01ae644120333bcd49d7960f545cfc24e2a2e8a595067de15bad9c42c0051bb2f1ac62dda74cb2f57c1bdda7d

Download Submit
memory/376-245-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/432-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/628-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/640-541-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/644-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/780-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/816-308-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/912-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/976-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1128-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-447-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1152-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1152-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1304-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1332-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1400-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1440-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1508-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1556-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1576-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1652-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1652-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1664-594-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1696-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1724-220-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1736-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1736-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1764-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2084-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2172-212-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2220-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2260-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2464-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2468-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2524-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2528-512-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2556-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2572-362-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2612-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2628-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2632-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-386-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2764-459-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2856-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3140-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3160-260-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3284-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3316-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3356-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3388-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3484-453-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3516-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3704-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3792-402-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3908-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3908-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3916-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4016-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4040-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4080-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4104-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4108-506-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4136-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4192-162-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4212-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4324-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4324-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4344-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4344-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4356-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4356-36-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4388-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4396-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4444-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4464-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4508-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4588-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4592-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4768-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4788-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4804-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4808-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4896-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4932-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4940-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5032-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5052-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5100-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads