5310fb2bb62bd2f68798127edb5f6c02104cd8e22b796f54e52e908d57bec3a4

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0c3ecbdfd34a24a525643525a9ec360_NeikiAnalytics.exe
Size

76KB
MD5

f0c3ecbdfd34a24a525643525a9ec360
SHA1

7ef3fe57b6793c19b02e96883f9fae13eb66eea1
SHA256

5310fb2bb62bd2f68798127edb5f6c02104cd8e22b796f54e52e908d57bec3a4
SHA512

d7f4757693b7dabd556e41ef8b7eae575162027e68a0dec8cb085d2e186f50bc614645f7da8a197c9cd941a8bb962ff42d635aeb5d34263cab05508c51dc8215
SSDEEP

1536:Lj+p4wYYkFos3PFV8dlQ8vbQPpkVfObuHioQV+/eCeyvCQ:v+NnEj7WVfO6Hrk+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe

Executes dropped EXE 64 IoCs

pid	Process
740	Mdmnlj32.exe
3444	Mgkjhe32.exe
2828	Mlhbal32.exe
4844	Npcoakfp.exe
3820	Ndokbi32.exe
1280	Ngmgne32.exe
5044	Nilcjp32.exe
4456	Ndaggimg.exe
4420	Ngpccdlj.exe
3580	Nebdoa32.exe
968	Nnjlpo32.exe
4072	Nlmllkja.exe
556	Ncfdie32.exe
1784	Ngbpidjh.exe
224	Nnlhfn32.exe
1516	Ndfqbhia.exe
2860	Nfgmjqop.exe
4536	Nnneknob.exe
3492	Npmagine.exe
2948	Nggjdc32.exe
212	Njefqo32.exe
2208	Oponmilc.exe
1536	Ocnjidkf.exe
2516	Oflgep32.exe
1224	Olfobjbg.exe
640	Ocpgod32.exe
4244	Ofnckp32.exe
3572	Olhlhjpd.exe
2984	Ocbddc32.exe
668	Ofqpqo32.exe
3196	Olkhmi32.exe
4752	Oqfdnhfk.exe
3700	Ocdqjceo.exe
4340	Ogpmjb32.exe
4996	Ojoign32.exe
1140	Onjegled.exe
2924	Oqhacgdh.exe
4744	Ofeilobp.exe
3172	Ojaelm32.exe
3032	Pmoahijl.exe
5104	Pqknig32.exe
976	Pcijeb32.exe
612	Pgefeajb.exe
4852	Pjcbbmif.exe
700	Pmannhhj.exe
396	Pqmjog32.exe
1560	Pclgkb32.exe
4280	Pggbkagp.exe
2296	Pjeoglgc.exe
4936	Pnakhkol.exe
4336	Pqpgdfnp.exe
2396	Pdkcde32.exe
5008	Pgioqq32.exe
3016	Pjhlml32.exe
2664	Pmfhig32.exe
3148	Pdmpje32.exe
1520	Pjjhbl32.exe
548	Pmidog32.exe
4572	Pqdqof32.exe
4520	Pcbmka32.exe
3784	Pgnilpah.exe
1984	Pjmehkqk.exe
2464	Qnhahj32.exe
3660	Qmkadgpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6656	6512	WerFault.exe	251

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	f0c3ecbdfd34a24a525643525a9ec360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 740	1524	f0c3ecbdfd34a24a525643525a9ec360_NeikiAnalytics.exe	87
PID 1524 wrote to memory of 740	1524	f0c3ecbdfd34a24a525643525a9ec360_NeikiAnalytics.exe	87
PID 1524 wrote to memory of 740	1524	f0c3ecbdfd34a24a525643525a9ec360_NeikiAnalytics.exe	87
PID 740 wrote to memory of 3444	740	Mdmnlj32.exe	88
PID 740 wrote to memory of 3444	740	Mdmnlj32.exe	88
PID 740 wrote to memory of 3444	740	Mdmnlj32.exe	88
PID 3444 wrote to memory of 2828	3444	Mgkjhe32.exe	89
PID 3444 wrote to memory of 2828	3444	Mgkjhe32.exe	89
PID 3444 wrote to memory of 2828	3444	Mgkjhe32.exe	89
PID 2828 wrote to memory of 4844	2828	Mlhbal32.exe	90
PID 2828 wrote to memory of 4844	2828	Mlhbal32.exe	90
PID 2828 wrote to memory of 4844	2828	Mlhbal32.exe	90
PID 4844 wrote to memory of 3820	4844	Npcoakfp.exe	91
PID 4844 wrote to memory of 3820	4844	Npcoakfp.exe	91
PID 4844 wrote to memory of 3820	4844	Npcoakfp.exe	91
PID 3820 wrote to memory of 1280	3820	Ndokbi32.exe	92
PID 3820 wrote to memory of 1280	3820	Ndokbi32.exe	92
PID 3820 wrote to memory of 1280	3820	Ndokbi32.exe	92
PID 1280 wrote to memory of 5044	1280	Ngmgne32.exe	93
PID 1280 wrote to memory of 5044	1280	Ngmgne32.exe	93
PID 1280 wrote to memory of 5044	1280	Ngmgne32.exe	93
PID 5044 wrote to memory of 4456	5044	Nilcjp32.exe	94
PID 5044 wrote to memory of 4456	5044	Nilcjp32.exe	94
PID 5044 wrote to memory of 4456	5044	Nilcjp32.exe	94
PID 4456 wrote to memory of 4420	4456	Ndaggimg.exe	96
PID 4456 wrote to memory of 4420	4456	Ndaggimg.exe	96
PID 4456 wrote to memory of 4420	4456	Ndaggimg.exe	96
PID 4420 wrote to memory of 3580	4420	Ngpccdlj.exe	97
PID 4420 wrote to memory of 3580	4420	Ngpccdlj.exe	97
PID 4420 wrote to memory of 3580	4420	Ngpccdlj.exe	97
PID 3580 wrote to memory of 968	3580	Nebdoa32.exe	99
PID 3580 wrote to memory of 968	3580	Nebdoa32.exe	99
PID 3580 wrote to memory of 968	3580	Nebdoa32.exe	99
PID 968 wrote to memory of 4072	968	Nnjlpo32.exe	100
PID 968 wrote to memory of 4072	968	Nnjlpo32.exe	100
PID 968 wrote to memory of 4072	968	Nnjlpo32.exe	100
PID 4072 wrote to memory of 556	4072	Nlmllkja.exe	101
PID 4072 wrote to memory of 556	4072	Nlmllkja.exe	101
PID 4072 wrote to memory of 556	4072	Nlmllkja.exe	101
PID 556 wrote to memory of 1784	556	Ncfdie32.exe	102
PID 556 wrote to memory of 1784	556	Ncfdie32.exe	102
PID 556 wrote to memory of 1784	556	Ncfdie32.exe	102
PID 1784 wrote to memory of 224	1784	Ngbpidjh.exe	103
PID 1784 wrote to memory of 224	1784	Ngbpidjh.exe	103
PID 1784 wrote to memory of 224	1784	Ngbpidjh.exe	103
PID 224 wrote to memory of 1516	224	Nnlhfn32.exe	104
PID 224 wrote to memory of 1516	224	Nnlhfn32.exe	104
PID 224 wrote to memory of 1516	224	Nnlhfn32.exe	104
PID 1516 wrote to memory of 2860	1516	Ndfqbhia.exe	106
PID 1516 wrote to memory of 2860	1516	Ndfqbhia.exe	106
PID 1516 wrote to memory of 2860	1516	Ndfqbhia.exe	106
PID 2860 wrote to memory of 4536	2860	Nfgmjqop.exe	107
PID 2860 wrote to memory of 4536	2860	Nfgmjqop.exe	107
PID 2860 wrote to memory of 4536	2860	Nfgmjqop.exe	107
PID 4536 wrote to memory of 3492	4536	Nnneknob.exe	108
PID 4536 wrote to memory of 3492	4536	Nnneknob.exe	108
PID 4536 wrote to memory of 3492	4536	Nnneknob.exe	108
PID 3492 wrote to memory of 2948	3492	Npmagine.exe	109
PID 3492 wrote to memory of 2948	3492	Npmagine.exe	109
PID 3492 wrote to memory of 2948	3492	Npmagine.exe	109
PID 2948 wrote to memory of 212	2948	Nggjdc32.exe	110
PID 2948 wrote to memory of 212	2948	Nggjdc32.exe	110
PID 2948 wrote to memory of 212	2948	Nggjdc32.exe	110
PID 212 wrote to memory of 2208	212	Njefqo32.exe	111

C:\Users\Admin\AppData\Local\Temp\f0c3ecbdfd34a24a525643525a9ec360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f0c3ecbdfd34a24a525643525a9ec360_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\Mdmnlj32.exe
  C:\Windows\system32\Mdmnlj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\Mgkjhe32.exe
    C:\Windows\system32\Mgkjhe32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\Mlhbal32.exe
      C:\Windows\system32\Mlhbal32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        23⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        28⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        31⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        34⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        35⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        41⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        44⤵
        Executes dropped EXE
        
        PID:612
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        50⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        56⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        57⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        59⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        61⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        64⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        66⤵
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        67⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        69⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        70⤵
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        71⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        72⤵
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2240
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        76⤵
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        79⤵
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        80⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        82⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        85⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        88⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        89⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        92⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        96⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        97⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        98⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        99⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        100⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        102⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        107⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        108⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        109⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        111⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        114⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        115⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        118⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        119⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        125⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        126⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        127⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        129⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        133⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        136⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        138⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        139⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        142⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        143⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        144⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        147⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        148⤵
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        149⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6852
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        151⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        152⤵
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        154⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        156⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        158⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 404
        159⤵
        Program crash
        
        PID:6656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6512 -ip 6512
1⤵
PID:6600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
76KB

MD5
5476543867b3b21d617800379cef5abf

SHA1
d439d1e7007ecd7ca77cbbb42c1822929e9be5a4

SHA256
5d7ab61d6f0f462f8e175d921dcf40b334b13560aa71e3567d37978709e01c1b

SHA512
78d453fff4b652222c86ca0f1f184dae43f4e94c9748c5d175d05cad4753152ee21238ea78d0ba863777f5983b9ea92a39b25d225f06e316970b9e961f2002c9

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
76KB

MD5
198f2a8f9a5f6a981f3997efe41a1660

SHA1
e58ae9f606d7c12f8c24e9b2c8a6cc82522a34db

SHA256
d6e2f3f7419f742cd80d6426ecf1e4462a1faac0f3dd8494db81b2e70b3ab129

SHA512
446b485ff9cd88bbf97762899ca42c7ebebb1c0d1415de1681a77bfa5657e3b4c4f219ce6585563e8797fd4cd7a1b1f993be80d60f21f144bccaa1a2d979b113

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
76KB

MD5
67f25bd481470e945c832ccc43f37d53

SHA1
0689658437df19c776809a887b34c8e255d46c67

SHA256
21179cee30b5a82bb0b36de1e38b82a2cc412e09fccb908df51e199572615977

SHA512
a368cf04d8a36adbc5429688d79a5a783566195884dc796939be1226015e620c9d8811fba5024e045271ce71e3714ee60f91685723b4fd3dd237f42c15e900f1

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
76KB

MD5
8a3706462e9be5bf9c8f9aea110d45ce

SHA1
fad75980178f3279e66efd8b0b84c2dbca00728b

SHA256
f5c74119a7e5b836046fa66e7c07ec00b015e82f646ce8eb546cc4a77b41c05a

SHA512
adca811bf50833e078d2551ac7d28e54864b91b13a6e84834707b02469a81047c6f39b15e0aa8ef3dc892888c6135ad4c4350a4d4a7b597d343d789c4cd246b8

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
76KB

MD5
ff836906144574c4d5ca920529cbde6f

SHA1
c6e451fd1add5fc6882c1f71bd31fd08be587d5d

SHA256
4e42c790f0092a5c86259725ef07058dc51a772c041ec5028640700752a48f13

SHA512
0a96c3fae4add9133b5e066a090ae8a599aab9ef6bdcfe52ab6128cb6932aee9a01313c259e786aba88a93a7715201a77d528057b6fef4b60d46b0de98efda5f

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
76KB

MD5
3aa88a6b26471f2717cc155eac5c6430

SHA1
4cf1c90ad9a59967059bc670ab60486a24c7a55f

SHA256
fd3157aa6793cfe79d765061a4deb36a8269210855bda9570d8618a6229fe3b5

SHA512
958e21c00f8a255f9d1c5ceb71e1cad88a2303ae1b6f37051990ffb710eeacb8fd73e72fda5987548d9e95da4872c32d1f8e8edf5e3a658729412c63b975dfa6

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
76KB

MD5
9588db34d1d779c91c75d54877f3cb27

SHA1
4535aaf233c4c06b289494a83ff070657494f3bc

SHA256
502c2bcfee6716867718273c2a1c52ec8e2b02dfafdfbda56c9aeb445f7b71a1

SHA512
8b668cfa91adaf4b0b7fdd214a424878d1fec829c2dc5b3806f574854b4cd69778d714362db43fe273e54779f1f6119f15b8cf2e3b67411e0a7f98f56721286b

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
76KB

MD5
cebe94df456bb744c0919e547b435f97

SHA1
8ec50a7632784ed8380a7a31a1128747f127e30e

SHA256
3c5b73d8c6d84436d48c2319d8083a6f28e868bbaf4ac0b3b748c38bc396c9fc

SHA512
c3e3e901cedc8cc46ba89973e93879a155e7e414346d532d5b6cbfbb1e5f11854e5e6ddea9414f78e8e40991fdb521786de61bd8155cec59448345639a4504cd

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
76KB

MD5
f70d934fd04584ddd3f7ac86f08025cf

SHA1
8f0ae36f69b2001679ffc5f13a6b3cb18eba1ac0

SHA256
e1451e7a69410d99a0032350f365289abc00c5ce6cf9a4b7d84a9e65df6a55c2

SHA512
528a415d033ffac452ce9916841d5bb25699c200aa4b658c469b516e0002e065a4380f15b93b92f5540fa75a0229b5f652455713f0c9051eaef35eae9a1d02dd

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
76KB

MD5
cc18c6e791ff61170ae4d284858e832b

SHA1
6809ac499d132d12a506c5eb2985a7e17777486c

SHA256
8d7eee59c25fefa35d453c7dc051ad2560ff380b9331824e0e020a7de915736e

SHA512
85bd0cf01bd27a9c1a7940ffcb0ff2067ea96259b41d0c40278115fb50b13084a3ed22bfbcd35b4e82d08d27b35c6ffb3a99038fe344827d33d31acaff4bdb94

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
76KB

MD5
83bce2851ab4771606b31354a83a369e

SHA1
55372107eebfcf19f3212cc7d14020f35c47846f

SHA256
7e5c9b5fd2c2f542dc04fc37517245c9fe24b9d574b74a25ba656a243aa0828d

SHA512
dff5f4b8c2c77717902730ab99d75d35ec4108f9c9d85ae809bda812094ab9978a2eec80a8cbb1d2f400a2c99c339c6cd6a7e99a9993702cab46806445242171

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
76KB

MD5
8f82c09eba564baa38758b1ad462b003

SHA1
60ed9e36b5830dbd741f6980e0b5b959ac47ba90

SHA256
abe7549829ff1ab7c7942a155ddeb38d4ceccf9f3c2192eb18aa8cfe8a48d777

SHA512
9f609bce6bce5810d20636563883f9724c2be06bfda401b2cb0c3c4d1a04f2fb22554790536f88470da49403ce296936044666205d544ff3e25a0b31947ee7c2

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
76KB

MD5
bae285f5928db286ca1c8eb156565593

SHA1
cbf6de27fa8e5d0fc3f152d090e3be8ec5315516

SHA256
57be1e311c60e79c8e4bdb0d7d3fbc51248aa18c0a08434872c15e8fc7e6b494

SHA512
309dd3e493afcd8305eaa1abe6180b7fae7c5098deeb24e3e9d905ea89c8f5a9e146267cd7d5f2dadd4a8f267dfd5806d4f6347aae370a0efdb62056316cc43c

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
76KB

MD5
ab5bc2171b12e3220c73ea9216522720

SHA1
67b0d1d01b8b12bc11af78a570c8780c7cf420e6

SHA256
839498c54dfc757728022996d9bbd53f7b65a22d20d7000010475d7eaaf8a2c1

SHA512
211d256829cbbaeef3ddaf84128507dae1ab5e0c597c6c2fcec43cb84ef0adb9f05834e51799cf93ab9cab5bf13a50da2424e160c5f3f4d97395ef4bd2e147b8

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
76KB

MD5
c538b5925ed06a143902bfc5263384af

SHA1
8216882c5fa3305ad3f289e2c610777be35bf9ed

SHA256
86c1b329f576c88321ba8077c33815867e602e26c3c4569582c1587f31f98c36

SHA512
0e9c069990bde68b709d65dc12bd2745cc3ba96b6dfb9b6cf3d93b9e407a4d209d5ad30cbbcc49a54252366d6d4eb68d8a2fbe82b1d558fa03536d6a4d9c07b8

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
76KB

MD5
8ed6511e36b954370e5184fbbb0cbe1d

SHA1
05bb176ab1af298cef38e50395e7e028452bb04c

SHA256
ca2d7d1aca32881facd7e791541d92e7b8d9278a6e9ba8889796caa25d403b84

SHA512
873b303502c5311a2db43e5ab5bb9608a03554a87e38195557cb94986ae798dc5970a7f5f29a5b6a2369ad339f0f48fbb68a959ac690047ff4c9ffb92ca3e2f2

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
76KB

MD5
7dc49b310976ff20793bd1058a732c4b

SHA1
e11a5b632a03f9e3bf8b57d55c4891a869390bca

SHA256
0eb251ff37f0f70be1415fa920a45be9128269bd987f06757438fd0a0efe4431

SHA512
487a7be3f73baaec5892679f34f88b7ed6b0f1581c751b23a7800b5bbd44a749166bfa178b83a55fd6d287adb81d3b3eb5f5ffb3bc7fa1b3c7b864b49eef1dd8

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
76KB

MD5
6993ff296a9b98d59c236ea2d7b73c05

SHA1
af7bbb56f119fd793c346e467943db608e230825

SHA256
2a2cb940b8589f2efa8b9913e87dcd65950946deffb675d5950672166fd0d789

SHA512
4858db65f81d4090b5b4002dae6d19067ce3d1c106e1695d49745390c893d10698809bab2458b4cb447001bc365049a947d2efe1bfe6a82fc04759c1cbb23ece

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
76KB

MD5
8da773f18bf13eccae2d118bef74ac4b

SHA1
29e589a53426dd797945ae7b3b10b0886b5989f0

SHA256
a93675f06c12fb8369e18b0d1563de026bc8a494bda1f2107fdaf9a6e4f37844

SHA512
9691c52a8c1dc1df251e8a9a00e7393ceac3b8e0ce37af6ed2213e3ed73fc51df8cd8ce4025a42463df52b59731b592f8ec15c82aa64a65d9737fa657802250d

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
76KB

MD5
d99fdfa40e2b6632f6c2960bd9b78b54

SHA1
736e454d6cd927d73701a7c98b7ee2051282461e

SHA256
1ec94b4df25c25fa2f5ca1cf82d139aef68d6009dd8b15b5fd262474eb8d468c

SHA512
d51f9f2f8b47c472a82eef04adf7e376de7aeb430e7c029a3dac6b7e53f8780423f1cf43f75e51e0f305de870fa086e5466e23b1d12445666ffb85e1d68d8d77

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
76KB

MD5
12307eb15ced54c4cbe61633c5342194

SHA1
ba5691fafd8c1f376b06f991f8b934b6f4d3cb6c

SHA256
08aaea3d830a67822291c9ccfcb4f11ec8ad278d525ea874ae30ea118912d2d0

SHA512
55536bb50f9fe3ad40b2e7e806fc03b29eff027def62766175082ab41d2ed48fdeab716a6df4e60d867a6f4c1f89c53a06c0c6fa63d91dc33d094b8e4c12aa72

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
76KB

MD5
14b96c2fac93140fe607bee9e587f17d

SHA1
2b88c43688aef3752ec017264dfb5684bcf2fddf

SHA256
3946e2117e5969d5a3aa72cbb7044e2803e4f58dce2937915595fca8dc52cf14

SHA512
a8a94ed913c7ccafd67ec2f8ea1f824befe9935ba90c99844fcd584c45177601eb66816519b020c5840340ae33979cede6d6af35e6be1009b5ebab87a73a7bbe

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
76KB

MD5
702e02f96ff4810ca9c9d782663c04a9

SHA1
3c91c0db6f318cb7a6a0739af7ed2b5d6031fe55

SHA256
fe00e4fa1e9e1c0cbd025d5865ab4decccc68cbf2d4901da7b079ec6e27f6fcb

SHA512
d0c63125b72c4f339dc12304133f30949ca2266d5bff83634933b09671749e6ab2739a314f7547af3896eeb5734b9ca19b05889b5e4662bf5169bce810758f1d

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
76KB

MD5
914755611781919cf7921aa0e1a60454

SHA1
26070cd5ec1422b3b9ac99bea36ac76364fa0284

SHA256
47f1ca474a4a779e4b2a47befb993b151a5dab36a0e8622f88d04f19bf874d00

SHA512
68315f8543aa390e5cf765e3ff22c40964e1d4a683ae330bf6a14318e86948be542b1069f7fb02c43bc8ba4d4273d3a7ee761d7ce354a22496d5f008818555bc

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
76KB

MD5
80560b44c488c14f88290d807686f53a

SHA1
c81d2b92ff75b8e43e3c4a09ec20d0e935443141

SHA256
4be6d5111b6bb6aff1049cd047faa39adfd6b632b125a8bb260c365a8290e64b

SHA512
73824034047201bc0f8201e676cc9b52c8dd8210c27f86ab80b3df7434af3e50587bf94f116c27132c0f8d65231907a90e8199878e354f62606377484b5cfde3

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
76KB

MD5
ce49e28a43cf860e91b1db207fc100b5

SHA1
5a657bb9f39f00f10168e70174279c96fa71fb9b

SHA256
8a6393f7192b1311675e341f8223d1d3adbecc9ddfc24624cac5c634a4aae650

SHA512
4250cd66b26d5b01d38ac2a773e401760bfa44033f531280c112bac551c2d21d92cb4747e7567da454a5244fd2135922a2f71c48a073a8a1db75ddd672989193

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
76KB

MD5
2f618252438fe0fdf12c68b961ef2e25

SHA1
094a662401781f4e5dc3881d2ca20c196bcafe95

SHA256
4418929751e240ea2666e6826f512e0554694f43a87a657c6090e65813953fa5

SHA512
6dbcde7e21432b550530ebd885e4898cb4cf0f33bd051351bff26578cb8d1e1e165e1ee02ffd60e1c925bfb666639afd34d0de0db02683cbb343b6433781e5cf

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
76KB

MD5
0da8fa50aee9ea46c4e92c93321e9f2f

SHA1
ce111ce8a76fa8699bfbdc7f8bfa3994135c22b4

SHA256
e4ccb1c63f20a847a415d59e160635c87bb8b871f981a9042cc9770022cf137d

SHA512
e1e862fe0a099741957f8889d3d4545611a3a4b9cde0bcfcb965dac4c77037456b3e3f8530c45569ee248aaaf10c749ad8a7791c9766c9556f244186483935d4

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
76KB

MD5
b4b9ef9095bb79e9e97762cd85736de1

SHA1
7f8566a457588825328b02e7bfe7db7a4d07ddbe

SHA256
b25efbcdc4d56bc086658639a763b6bf36738f5c8412997e2855a63538308624

SHA512
d14f5f255adf8d2d8f6af32d000fe3ccc2eb46cc7553f43431369f0a4302b204681d5215d52d044a6894c5a403f62cd78a27bc0984157db89ed5ba15ba05faa9

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
76KB

MD5
6cd9f5f4530b7af4c7dcc04a565a0f24

SHA1
4855692af444d6627650fbd11e55e9251676599d

SHA256
b7e88734f8a39dba7de61337f3a29e4798d4b7723b781d3c1e9242c9b5267ef0

SHA512
d4af81600111c9bfa49c5fecc31dffc8eac00ef9131ea16ccb1dada874ce2eb627108815976c2491ad264b3774aaf62d180320ec7dd27cf83897eefeab12a8cd

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
76KB

MD5
71da41f6b7fed6c6d0ec7651f00f2a32

SHA1
c1f244fcb59016819e07a3f02ff9021d7fb43609

SHA256
29c3da7e85a9e487a1ff3a190c8e29d97b0f3e81d8f46f089ae9794def2809a1

SHA512
3537fa9510edbf7198bb34e5e3148fbdeef787b68e99c729ab14de6db77656e9717beb318dea3e886b5d36b164d3573c41a25f4b39706c7783f178a4afd68ca9

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
76KB

MD5
67919e93f40b50c38b0bfd0c95a798bc

SHA1
0fd25116dc38ea5ad3c4dcace0f899d54d06acd0

SHA256
5c49a5bd7ae1aa74c0b81080fdabeda6c91ad9ffd795cddb5330cb6ab1d5001a

SHA512
4b68f4956ea43e6cd7f00dbe8fefec92793ca4415d2139cdc7197507e547b1e54c43a9ec7aade2c643b9cf8440d161e3b9120b88f0c3c8f211d291c5a5014053

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
76KB

MD5
c039af902ac9eda561d3935e6fa0e753

SHA1
4a37dcb4fe3537d0f30b292223781b90a210863f

SHA256
5dcee61a5d2b7880c844525c9bb157ed3e172d3eebd50af2b7cbfa5fff2ca834

SHA512
fc1d0add563727db661fee30ab37a71645c14ab76faf64d912451d607170837254718a21ef2a54acf1af7f73d495c1e6fd8bea9cd73ce2340d4441bc65235c2c

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
76KB

MD5
4af60f4a57277879a86086b4e41f65eb

SHA1
9798ff97762f207d16e73c6d4e3c529f8878703d

SHA256
64bd754c2172f3e8bf3db23c651f97a9725e038758493382b729f857d1c57e72

SHA512
ec316272d99888896ed08ca0fd4e998083d4fd8561eb7b4824a664e4278f800161ab5486eb29f673e932fba7f2d27f71ce99ee7d7e80ed64f2d82d623fb293ff

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
76KB

MD5
02b5a2d8c22c03f2b455c43623b7dcfb

SHA1
12cb1c0c8d7e6b1aaa72a48f768e2d08a0bb6d65

SHA256
5b6bb4663efd265e640d9e94063afbf61b143c359aa7c8af9f6358c706592d91

SHA512
162634563054ebd45ac1efd8fd95813557d9947c5f669f65b3692f3d15ab83360b3087d69d4a2d780817b20d01ff4d5c7a5ee13743d96d69b53fad2db99e6cc0

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
76KB

MD5
68cc68ed4ccda9769d16243b9eccd004

SHA1
221471f05c2a137eb8418be91a59634808db05c5

SHA256
a26a102b223312cbf847244574f6ac20acecb3686f84172eb37930e1ebf30f15

SHA512
9c2c3d9b745110a0a282611c0a445deddfd01b1eb9c8e739bec0c37405e7740f4f79c9bc07613e4effd460835a2a0a79a20e6e46078c351c22cb0d409011cb09

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
76KB

MD5
03e588167c0783cf6dabafe5e266fdcc

SHA1
70d078c5b8abd14850a67826c3419f20bddb11b1

SHA256
535ee43a924d9f24a618564dec4ed4ca6adb57d0575d373613340231584b7d09

SHA512
18aee64de752832ca400d33b68085cbb1e0eaa78c948afd8b867ce5168815b9924c6896949755e4864def6729044245af982c7232dffa968ed4476128aae2be8

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
76KB

MD5
388b68ee06ee2f436e43b41fc6b48a9d

SHA1
cdf181f46d37dbd633afeed19518db577ffa60b3

SHA256
c9aa0fef0383ddbeb1138d60667671ba8abeba08e2660a58e7dc095277677c9f

SHA512
a596bb3ce9605f3047557fd329e3efb23b18975444ad799fb51361618fd68b3fc4fce5e048b019d012e9646065bf76adc29cf9146006111c4be25317c9afd8c9

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
76KB

MD5
9e693b269f1da1994a7634cb0ca0dec4

SHA1
cd9005333482c61c5af7d79fb0e1aa7e900f496d

SHA256
7e3557014b04149671e73089c51aec367b005ca8e4ae84c52ac5b73f98934633

SHA512
3eaab1184ece94fb7b415e031fc255ea1e2485119158552e88a515ebb71cb7e2f58182d2585f104b97622d957f3da34884ebd7db0a65ce9de0c04f165b9a6789

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
76KB

MD5
fa33674a42cb4e41479b27e42ec4b793

SHA1
76bb9f8754f6976033a511d21b622246b9f9a1b9

SHA256
306b71bc0121ba291e71c548076e8f24da6a3d41e8b2ab14811bd3327f6ab518

SHA512
28a8ac23e6ad55c7d6e1f68f8b16a6a0ff0f1554ecb2a317f3a413e7affc71679f5ea90fa8aa07e578e10f1be3b3f1c367b95e32edac3f0439caed67db14f976

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
76KB

MD5
ae2f73c3a5b0384611008292cba6c858

SHA1
795965aee3445838a15ef21d030e27851cb8d9e4

SHA256
16800ef51677482d720ed8607a77e176ad4f23b94fc707a77b6cbd688cbd8553

SHA512
6dabcd15d134fb47be0fb791e4d5a2430ea31e4a168f8717091d06c8620abe90a8624bd681c018471332af0b7643081fc1be7d132a8e364c643cac5fcafa706c

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
76KB

MD5
04851a8d7ba3995a96658c36bc2b8ca2

SHA1
bb638a0644fc1d701306dabf8638fafa438b2c91

SHA256
28d171f990b7407ad88bb42eb25378b2c74ee15e26a88135dddedcaef63f0531

SHA512
8afda1833c70d25f24e2690955a8f3909e9951bb2b58a574e97ee0cdcaa056bae07e2cff0eb9fe29483d62d58a33ec716b28ad6205e4c48d89e874b4f94e9111

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
76KB

MD5
b17ac21d2a04fc25a48bc187ca217e0d

SHA1
11a374cfebaddeae9b006e1813d3e512bf549819

SHA256
e50ca71ac96c0927665e05da1091dd839820a1d04aadd95e25b511a36a85da42

SHA512
4a114d7da9d23a51b8bf8efd68565310b19d42a96c36b281328b8f4310287cfe47fcb62db37185c810442076251e8f8b930adfb3d41b83ccfba0f0f1536b9063

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
76KB

MD5
5c5e2db99522f0e1bb0e2e8eb22f8a1f

SHA1
e86b98913fc50a9fe2fe76d50a22f053518440a8

SHA256
0ccf57e7a5f61e420f00194f2969a8ad28c11498288955fddf484e7616b3c99a

SHA512
0ece7370a295c1d4fe1edf1023fe622dcfa40d0dc3f901019ae65792dd1b8c2137d15338a0f147c78dc18af951d6b4021c0b3d9ae0ae8d1c4b26015cce9addab

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
76KB

MD5
a5a44b649f1925457dcb7e657fc2a7e3

SHA1
bbce4057a7d443da9a50d0702c9de9e95e9e6e8a

SHA256
2f4812f2aa486f1f716124982f8f72bb0d4835147fd0a70fecf14f714c247bde

SHA512
bfc035a44aac12e523a09b1fa788965962a2e830a68260677cecbb9b8acb3d15810dc4d951e789fc29aa3d1532b3ed9a68ca271444f8d012b37158d14a9b2b53

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
76KB

MD5
fb38afcbdbf9c33992fdb8e269d03819

SHA1
2fba3732884e78d80c2a2d8af5ae51e21fe47356

SHA256
ac20c3727c6bd80b314b2f9932a61903f55bfc922c3cce776ba198e490f055f6

SHA512
8fc90352ee8644859e3b6cc8407fcdd4c0e52fa27d2b4a9e40d404416c03f5625220bbe9125233d78003cc052f02b3f709ccb26cf2aa2242a84432f344077e80

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
76KB

MD5
f6678844d6d214b9771b882fc12938c3

SHA1
ed34b1ebd00d0e31cb7ba267d544d6ad8ad1bafe

SHA256
9fe37c68db0fe686e3cbc32296aa2804f37b6071c0a42583ebecaf9b352cabdd

SHA512
cd67de52526554754ed01270583b70b4a9bf38727eb25ff1c4d53134dbe27fe62bcabdb045dc6265a05442e40772e0f0e16fc36d8b3f079ea3bd19bc95afc3d3

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
76KB

MD5
f6231825cf0643dcd0c8d13a04ee0a53

SHA1
b536adb325f742bc3de605158c8c6575c6fe526a

SHA256
18bb29d54d501a0a37bdc5855b4df177e4d37b166a53a1d6988d4452596a5635

SHA512
2a81fbdd5251f289078b733b9cc5dfa2f22d07af81cc511054d4aa4ba3441e3ae96e8de9340d7e895f5230ffe5760928684d800816af1f72802397ce184f418e

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
76KB

MD5
1484128459f779bf39ec8d2cab1e7dba

SHA1
6d7cdd692d53daa849d32a522329effc3bff0674

SHA256
69c693f75de5ee5890b99eb1500f559fd568b8f4bcaeb8a6b76084156d58fbae

SHA512
cf062c4584776f973f839a5d14994e005147ddd0fd2a38e2e81b4f8ceafdef2b51bf3c015af44865d77e26f5ac48fb33d8bea861c7efc29b490e0bbf41bf5f41

Download Submit
memory/212-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/212-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/612-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/612-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1524-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3196-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3196-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3492-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3492-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads