2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73

Analysis

max time kernel
0s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 02:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Size

182KB
MD5

6da98dec73d8c3411d6b6b355b6780b0
SHA1

130373ee8ec573d15b76fbe4ee81835a51b2a363
SHA256

2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73
SHA512

40e9e1bf322368f315fc4f241f7fff9023a2ad3510bd272426ac645a03799a83fc5b841a777ca11636c31296960792d74959c064577d31bbf6817afc8812f0e6
SSDEEP

1536:dp/YSuWnnezkpswrEqzzVsz2LM7nguPw9uVgA53+RrKJs2zjFS3ldkBOLLaVqI2q:dd/uWne1gXDM7nguPnVgA53+GpOc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe

Executes dropped EXE 11 IoCs

pid	Process
2072	Nggjdc32.exe
4696	Njefqo32.exe
1664	Nnqbanmo.exe
3016	Olcbmj32.exe
4504	Odkjng32.exe
888	Ocnjidkf.exe
2196	Oflgep32.exe
1412	Ojgbfocc.exe
3860	Oncofm32.exe
1476	Opakbi32.exe
2212	Ogkcpbam.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5436	5260	WerFault.exe	231

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 2072	3156	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe	81
PID 3156 wrote to memory of 2072	3156	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe	81
PID 3156 wrote to memory of 2072	3156	2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe	81
PID 2072 wrote to memory of 4696	2072	Nggjdc32.exe	82
PID 2072 wrote to memory of 4696	2072	Nggjdc32.exe	82
PID 2072 wrote to memory of 4696	2072	Nggjdc32.exe	82
PID 4696 wrote to memory of 1664	4696	Njefqo32.exe	83
PID 4696 wrote to memory of 1664	4696	Njefqo32.exe	83
PID 4696 wrote to memory of 1664	4696	Njefqo32.exe	83
PID 1664 wrote to memory of 3016	1664	Nnqbanmo.exe	84
PID 1664 wrote to memory of 3016	1664	Nnqbanmo.exe	84
PID 1664 wrote to memory of 3016	1664	Nnqbanmo.exe	84
PID 3016 wrote to memory of 4504	3016	Olcbmj32.exe	85
PID 3016 wrote to memory of 4504	3016	Olcbmj32.exe	85
PID 3016 wrote to memory of 4504	3016	Olcbmj32.exe	85
PID 4504 wrote to memory of 888	4504	Odkjng32.exe	86
PID 4504 wrote to memory of 888	4504	Odkjng32.exe	86
PID 4504 wrote to memory of 888	4504	Odkjng32.exe	86
PID 888 wrote to memory of 2196	888	Ocnjidkf.exe	87
PID 888 wrote to memory of 2196	888	Ocnjidkf.exe	87
PID 888 wrote to memory of 2196	888	Ocnjidkf.exe	87
PID 2196 wrote to memory of 1412	2196	Oflgep32.exe	88
PID 2196 wrote to memory of 1412	2196	Oflgep32.exe	88
PID 2196 wrote to memory of 1412	2196	Oflgep32.exe	88
PID 1412 wrote to memory of 3860	1412	Ojgbfocc.exe	89
PID 1412 wrote to memory of 3860	1412	Ojgbfocc.exe	89
PID 1412 wrote to memory of 3860	1412	Ojgbfocc.exe	89
PID 3860 wrote to memory of 1476	3860	Oncofm32.exe	90
PID 3860 wrote to memory of 1476	3860	Oncofm32.exe	90
PID 3860 wrote to memory of 1476	3860	Oncofm32.exe	90
PID 1476 wrote to memory of 2212	1476	Opakbi32.exe	91
PID 1476 wrote to memory of 2212	1476	Opakbi32.exe	91
PID 1476 wrote to memory of 2212	1476	Opakbi32.exe	91

C:\Users\Admin\AppData\Local\Temp\2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ea289b4ca92069a1ddb75132c7c89756d4c3fd3272434aeb53053c141fabb73_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\Nggjdc32.exe
  C:\Windows\system32\Nggjdc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\Njefqo32.exe
    C:\Windows\system32\Njefqo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\Nnqbanmo.exe
      C:\Windows\system32\Nnqbanmo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        13⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        14⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        15⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        16⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        17⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        18⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        19⤵
        
        PID:416
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        20⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        21⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        22⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        23⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        24⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        25⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        26⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        27⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        28⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        29⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        30⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        31⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        32⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        33⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        35⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        36⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        37⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        38⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        39⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        40⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        41⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        42⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        43⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        45⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        46⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        47⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        48⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        49⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        50⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        51⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        52⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        53⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        54⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        55⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        56⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        57⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        58⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        59⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        60⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        61⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        62⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        63⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        64⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        65⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        66⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        67⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        68⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        69⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        70⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        71⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        72⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        73⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        74⤵
        
        PID:800
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        75⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        76⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        77⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        78⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        79⤵
        
        PID:720
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        80⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        81⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        82⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        83⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        84⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        85⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        86⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        87⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        88⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        89⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        90⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        91⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        92⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        93⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        94⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        95⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        96⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        97⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        98⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        99⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        100⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        101⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        102⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        103⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        104⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        105⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        106⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        107⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        108⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        109⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        110⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        111⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        112⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        113⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        114⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        115⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        116⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        117⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        118⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        119⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        120⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        121⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        122⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        123⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        124⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        125⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        126⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        127⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        128⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        129⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        130⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        131⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        132⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        133⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        134⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        135⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        136⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        137⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        138⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        139⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        140⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        141⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        142⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        143⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        144⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        145⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        146⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        147⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        148⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        149⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        150⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        151⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        152⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 228
        153⤵
        Program crash
        
        PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5260 -ip 5260
1⤵
PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
182KB

MD5
4315308b66152b6cf72b5c2418fb7b84

SHA1
dc863c32f48ce1469e553b4889add77095d69b20

SHA256
10ed40bdc30b082160bc006cebe6bd1dc73be98ece4658fcbc9f9d1dd76ce349

SHA512
939e8e28b0ae43b5ed10959ad2ff8a349ec18ebc6028448a523ff698a6c7484d3d3a5f6ee3e972d7433b40a03b7f75cfbab8b20c0da9dfc539508980308918b1

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
182KB

MD5
72115df60adba251f6e3329dd8878637

SHA1
33b7a59ed9afa6615a42aa00b3f9eb0dcdacd083

SHA256
d198109e7ae9e6ea6bf7c150cabe1e857b7aacf6da7c986a23d02676449de73b

SHA512
d044304aad9f2cdc9c3f8ac0be336d5d9078eb4e2364539b5bd1ec74737df25426f46873a57e9ec32e62963611f2d4b42dd4d7139f9313b7faa062f9215a2296

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
182KB

MD5
f556a95fdbc0e87d10a3ac13ae84d768

SHA1
35ebc689cb0cbd50c9ab82fcc78109b954d7723e

SHA256
ce7e7deeadf3b13dd5081605c808c148aecb37e0fae0097bdb0aa15e91d59be6

SHA512
b69455aaefaf5adf7fbe6f997daf19c1ad5222c17ddc870caceb31adbce6001ebd741684f56ddfd3cf59eda9e81a62369c67606842a7ab2c45b3741568440f04

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
182KB

MD5
08b06740d6c1b61531651f369017a953

SHA1
c3ff8f2e9cca6b356ff47c84f8b820abafc19dd1

SHA256
89582632125c6c3b8989d5a7914571a45c75a485c5d9ba2a9dc5be0ecbf8a6ec

SHA512
10141323a72fc2013280fd5fd48c0abf5f8c3eacc09cc469e02438a22c35c28e932026f7353b781e76f3779151d1f81054117626f28cf2128712498db55b1521

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
182KB

MD5
f3363af3578debfacdde44d0f6003e02

SHA1
ea7e86865e587957c8af2b46aab0cbad8b9eea59

SHA256
e85934fd3e53c0b18174af76d6fb67e147b3c043d8f1e098d3ee35ec8e4abe03

SHA512
dd4034aa54141fe4048de7d57ca1ca6b7fbafb46a5000d9d60d93c4063af1650425ed533d323930f540af8a831680453a4d64d98ee20bb9e36390725066045f3

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
182KB

MD5
4014ed0705cbe02fbde0c0fc812b7f62

SHA1
aa97bb2dbb6f9fb8c180e3ed371ea25323a20289

SHA256
20c71b02668038dadd78c878bdb61745ede42348b5a445fb9a6975c235607e75

SHA512
115588b3ab8381c4c45a134b0332c478e6a8f3ba6dc623b9477d8c00ac74406390bb080a5df0da7f8e9e2b1d0ff83bc8622c9f35b2bd898147f494f932c0fea1

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
182KB

MD5
816b3ca6ef26d9e4f1470c917309fb3a

SHA1
d1806c65e29c61ded8c7999d65eb8ff43bb40ffd

SHA256
db3434ac3d318b28176de91a9688ea28ce8bc946fd658948aa5b01ee1fb3233d

SHA512
ceadf90a8b917aac309a887d6d52f2d58dca8f525a6cddb4e451eca6e3802d1dcab8c3d30742a7488c36653eea881ec1ac4b117080274755cf77338f15c48d91

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
182KB

MD5
a7903fce9f93d73f785d97026a659666

SHA1
aab97082bdc035e4de4a3abf0c580a9ddc6098d3

SHA256
e4b2683f7fd4384211802cb5acb6be459c2dde96fc13db4d83c852cb2c30d700

SHA512
ec44d6b69656870836baeefb7eb0c4c1d25fa05f5a767df5a6de47149711fd1f40ec0ab228f809fa6b9c1cfb2938addb34bd89983681ba93c55840063701c351

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
182KB

MD5
fa8596ba93921e75ab8e4ac01c4e3cf2

SHA1
1ad3f54511760964c613380e83e0598a847ee91f

SHA256
72d25e815a05f6d84c84a92c2b0a63a1beabf4050f1153489be686b64607faef

SHA512
195176c498279e0ebcc59d22dfa0b439f3906925f85e3205d5278c9299d79bf852a1308671162ef8806712f00d8bee1613ecfb432e7df24000da5b20deff066c

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
182KB

MD5
fa1be3adb5f44faee2c6803c1652974e

SHA1
cbd290b11de7986ea3719c589601bed4ecae0d4b

SHA256
6567c40c1abf72fb7359a07935898d0cebee977aeaf4bab4fce20f971e34127f

SHA512
b01288a90eb10dbcf8b76b8bb595ab464fcd6e665ffacff90f85419d0a179a5956a3013040bd329bd37dc57b8798f4faddc46fffba579160bf0dadb0a8d2b2b2

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
182KB

MD5
9827a992d926b30006fe9de59db9f639

SHA1
6835964e64ed08b2e1dce2beb9b6d4ff2d5f63ea

SHA256
8826d79909e7d29e2580a59e08ed772b24f78dd16449994081a38935ed0329c5

SHA512
5a727f5a48ebd644c3782b0c7cf2c979d88705271b2980c395e980ea9a30e06871f79f78c64eee57e5259c67e326e29eeb5b06aeefd88997ff5a2024cd34d749

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
182KB

MD5
9a0b3f123993b13468965ff0206b4947

SHA1
ae56ca2c9b30f76a9969d9e0d736232ccae573b9

SHA256
3e279f81d30ea2d560956c6be72cb5255d7144dc0d3818e8e7440dfb226737b0

SHA512
6ea07e89800e322384f3a8fcc74c262c6726821896bdba7c5b37c9afadc11e23ddd9767a266381512c3691f686d4a0d1876fc8a9ca48800f9951a20d64323b62

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
182KB

MD5
7b8270a5915538e0eafec1e35e755178

SHA1
9cc103d8a91049a1b939be1086c761596df01852

SHA256
7d274935d81b3b6c08338faa525012f3564c730df615d64d12b997aa3fa40238

SHA512
162c3947f102419535e995e16d46b834cbfe663818baf507b21fd274ef46da16bc24fafa55eaa60018e9ba43c37ac8bbc9e7685cba439fc1dffdfae9fc1c2399

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
182KB

MD5
b6d40caa4cc138f552e3f87010ae5775

SHA1
21cc156f995277ebeff761a49eb4b4b0ef42bbc4

SHA256
c72c09e211d08428433a4c5477771126d136528ef7dadd2c394c342c8eda127e

SHA512
f2aa73d23bc8f8e47d79587d6225a1f4bbacfa6d581c2560ee430d624f89d55c1cdcb353b98168d53de99c75c02f66b72f0352c2ae113e5f20a9f0db86a45e77

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
182KB

MD5
eb262156905cf394e1e0624aa97482d4

SHA1
fa6db89bcf0b66d14f6f334bf63cd931dc1eab95

SHA256
b3864cb3e71ea87ab5efdd0317fd44a237aa223dffc3ffc2a4506cbf65076152

SHA512
d7ba30722e266262495bd664604fb795c9e5cdaf0197b33919137f148c5259fd490589828b7d334e121c34dc951398f9a7489ec16dd2c49feef894682cf07564

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
182KB

MD5
fc4e7426c2412ad505996effa5e2b759

SHA1
863ab25ceb28b270f777f17634ebbe22d34d2e72

SHA256
d528480505c1ea12c2efbbe1a40547369d94d9c7bc9f3f4e39ae2beab4389af7

SHA512
10b02199a94a11bda6af431a583c4fb6e432c4a89449947b68be0cd6f0f1a41312a7413f2947e19486b407af122b88c8d3c4abd236b76918fd76734dacf3fa23

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
182KB

MD5
793a5632435e49580a9fbf0e56d88ce9

SHA1
d07c7c4c604a3b06509055ceb029f55ee7d0fca0

SHA256
adf411f00ea268301b74bf571ffc530eba369c1c1cf52c3d9db2d5114d4eb542

SHA512
019c0bcc591a80ff3626cabd690061d9e0e15b30138d0745ebc9392bdb0661932fec919b232e40fdbb8c9e4dd1d6239b64b70aed5a0bff9348612ae35212db2d

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
182KB

MD5
e04ddd2b9e09c03d7ade9ed301789811

SHA1
19c8f1f42687cd5f899f2875d302d03cd7d051bc

SHA256
2bf495dca4420f25d4242714798ad37e6209df0227d9dc3a36cf3e8d2b13b2c4

SHA512
557799ed4b77b116be4bf07df92f37f7c69d7dfcbf94a4ea62961508cad57dbed9540b1b3248c190bc50feffa84efbb8f4a5d2dbf6063f2c414de2af3c200273

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
182KB

MD5
bd84681766337828858bcfa9a18fe2cd

SHA1
12ba212c8e7cecb7e8bc10c59cd75086e416aafa

SHA256
0b72c9bf55013e834f26f62ff1a2a7779c54fc40faf3d34209e58036b0fc7e4a

SHA512
9a67a419eb69c0ca50015883ed6bc4e1fb9a73230de251e7070a7d20941c164174fa869af93a790e1c713d8fcc0ec1d349cd615faa939e47a812e67cce6145f6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
182KB

MD5
965e8f63def1a2742e5dee74de1eeec9

SHA1
bae7fc0c75adcae8defe632273066913991be7b7

SHA256
104deeacf9ba5c6440afe1c8314f9f5b0ea7057434ff69a0221e9f28faf6ec92

SHA512
815ab4172cb3ea67f7ab6aa0b74e017a0202ce99d57339442d2a4af6f239e807cece3f5b6e5dc187b43501254344597160c2b19c92232d726a032ad35e9b888e

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
182KB

MD5
b7086c4daa16444237738fc997b67f03

SHA1
65aa975e6a44f6917658bd4b2544b91c25c28c6b

SHA256
a9b0f1440d5add3cec494244473e04579a03ebcf8b8bd2cf3ef43a57af364d55

SHA512
420ad2d07fae6dd0cbfdfed7577cacac64a2280bf7826514eb7942950eafd49d2817e620ff41c3fc3980a7017a653421bc1b4db6751c0322a32483ae1fd1cb22

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
182KB

MD5
381d9f3247686ac67d64b7817966abc2

SHA1
4d27ed6bcd682ae092e8a147c536d4c93eff7c65

SHA256
a3754dbd7d0140a525a90de8a6425208ad36b1ad87d8764543234aba9523e33c

SHA512
b5d2223117e7cc5132ef3e3fe26c62c1ac05bbc3c69c219d2ffa6afc39ba702c07f375067c14877a2554a805d4dc13fd6ebe19296942a352d219df6d4f61e3cf

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
182KB

MD5
538a46dfa30b215a561dafae9005bdcf

SHA1
f26375c86f8dcf5127e4cac5e236b67e2296f8b6

SHA256
9c89171fb0ef6715753c09a03e075e48ba456505044d49a121dfb5950e52fb6a

SHA512
c79586b95532443e00cfe9fd01232a9bc7cad6d09aea449b78dcd07804a45252d1e70f1e6371fc672a44b70e8d32ac61752d0b0ece8dcd961598311712586c92

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
182KB

MD5
67fac25fef564a0d05e37862470498ad

SHA1
445d46115468657097decf7902345bc1e82a45c8

SHA256
192dae8f1fcef09d1860d1b61491e676a350a48739975555d10955e3a51d4fb7

SHA512
0a820fbc1c46974e099b1c7276dc7250117027ccb1d3b2b1410a26dc48ddbb823dea058ae2f6843788dbbe41c8a79670ce9be7b1b04ed64de61e8c1e7eaeec24

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
182KB

MD5
6b708e45ebbb5bc42bae5d966ccf4917

SHA1
d178ff8932966e30d73ed174a4a4b6341c1030de

SHA256
e66397ed676786f9d9fcffb6038ee51f75cc9a77f59c837274e0392a86386da4

SHA512
80283be4fab385b011c4c43bf6a4604c7f3ef4144921bf092a7c72458a1778388e877e474f37d353992d829b1a3a6c7140361475ee073a8f934ed4e11a4b3ac4

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
182KB

MD5
0f0677756b6a53172f2798aa87e93ad1

SHA1
4b5d7b87fa78ee12734d7a6692c3fbcefdbe4359

SHA256
04a721bf01e1353a931563535bb5e484a602ffd158cab423800152db421e6260

SHA512
1c24bc55e3492095e5653cc3844bd3aa08f664d8b31f7ccb79a48bc09e9a3a5fd2bec26cec12896096a271b4eda78e974fbd546b0624c1168787a6c6f58ba5f5

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
182KB

MD5
4a03ddeae43a9a33c241195574d54b96

SHA1
a4429070c1053a6e6cd4f35f5036c31687a94a96

SHA256
c5eea7641231237cf9354f7a4e2c91a475be769976f29672f823e43454c2d4c0

SHA512
482966655553e79db8c2f9542c75ee230658ec2dea9380881f635bdea4c49dbd61b421208ff1f7c28fa3527ae981cc282d34d247ef0d12dc8d18e41bbcd65235

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
182KB

MD5
58d5bbd08e7ca98896edfee976d32744

SHA1
175b3f94f2c3826093cbd1c2cb2d8e213353c09a

SHA256
308a203078dea6ef4d4cec53e420f892f3163022da4380ce65865abce220ca21

SHA512
bfed044e3f9316f7b118f578b1ac9901e298f58485354ba9a6740b8a26046b3df453f72a210d3bfe31d620e1053a5eff24b21c45aad05c0148e48d87b3a133cb

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
182KB

MD5
42f9bb0499a7ca0f8e0558b97e4fd635

SHA1
f1a4bfc3ce69119a5da90d7a862027bb0864b465

SHA256
9fc09b58b8fbae23768f37ef73b5f90c2a1bcbf879b7141254e212a06b64d89a

SHA512
daded5b39df255651e39371d1f1732acbadc6acc3c26148177163bdd73697f6d0295b3ff1d310df7bbc3b7d25cf17e421dd9a23f7935f0bebd80c1451f51b844

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
182KB

MD5
22b2c69364d2f7f23eca6520445eb4ec

SHA1
13a14d2b960bad05607a08c838e9ae2d908669af

SHA256
a93fcbbd6949355bc17951ad6774b9118b4c4dcb7354a857bf6017daaee8bb40

SHA512
4ef04f93d10ccb8efdce200a2c67f347448fbeba840f2f68ea4babf7097eaba5f770ed254a537041273805fbb024e62c6ff5a737b932d5cc475de696733c6b35

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
182KB

MD5
67f063f0556a59486589ba670b19d03f

SHA1
129647786c5598ddd626015130a62ee1e073806a

SHA256
9feec176f32153467033b73a96902565218e6559b6882978f40b3a488a13a8d3

SHA512
aab66bfd3270747b40b94c27460eee623011ab0c19827f7056c1739cfdf61e3169d851d6c745e46ff31d97dc14374862f8df76b1bf0412e0e288cef4b5fee384

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
182KB

MD5
1366d0e1d49999ae60cf8ced4880a803

SHA1
1e94d994c0f57318bdd6679f0a87cd30c68b09ab

SHA256
8828cc2b5be2bc70a13739691613af77e8b96cb2b082d9b50d45d6103573120c

SHA512
27056847c0b53f6588a96fef2efd0aacd37007466bec7da326297d0e36a49e42a5184fb39f01c3a6d507048207b018525660ad919e3678b6f80b3396649c39fd

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
182KB

MD5
080143bc87cf61f17f4d870bb86cf8b4

SHA1
f19ed3535f5ad24f459a3f8b49a2a4d6ca15d279

SHA256
64cd23f5c08ac0f511c2272567e47060a03050a367c08c8f769c417a23169e0b

SHA512
ddb89ed25b868e65fb445bd4f889b0f481a75f7682cbcb2eaf30bfe8b2b2a1c503e5d78f91270b41652a0b6d88d3a73620e976ce2fa23d9c188f4daa706c3ed8

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
182KB

MD5
64a7240ab3f4e23101323ae4e2b2c3dd

SHA1
1c75d8d8dbdcd54bf47f80411ae0bddc565d9fe3

SHA256
f5a77a89cc2700286507bd8c485286af442cf0264139a83c933b943e2f6794e9

SHA512
8cb38987893c5676301c5674acf383a04e2f294aedc55b17a7e99f8da26242a962113088717ee7ea93715d83ae144bd9980ce1bb72eac413a25d5789aac50bdd

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
182KB

MD5
3565e8fe0e84ede7ad9b60be5f9d212b

SHA1
fff85d220bf91a95a4dfe88bf967c0e907481d74

SHA256
98549f3f91207ff4f4e1e89d861e82abb86bb703583951c2b2f061b8bde2857e

SHA512
0aa3634d43d110029a58039e49057919fa2e9cf00f54763068732343baef7e91f4e86cabf0f434a288c00ba0d64c294725908eec25535dd9d97b5d051c4999ed

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
182KB

MD5
1cb772efbe99b1f2f3f51e867381d3e4

SHA1
1d905bdbf6bbc8008165dc5d2d429ef213598bab

SHA256
898c818379625c22a731b13714b93f8385d967b71e5b017eb7b645b201481d54

SHA512
8f428a03a7694db370c0d4b33fc4e5349cc61699c9390390d2e587aeb8fa3f5559f8c59c62902af97ffc8958c6dbf6f60d2495c7d256835a125c4a7627fbb008

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
182KB

MD5
f0730ed0e689f32d8f1b24b4a91cc5fc

SHA1
38463e0fd1af124b31cd2fa57a6f98a36893b13d

SHA256
674a297378cf1da4e6ca52da35a16e9433ed1d3f6ac7444b709a2ce29640be0d

SHA512
d1df000035f68d6d212a67a56be7aaa226983fdce2aba02a9e8a3d83b2e31da59832985a0c444576ea4c137bb3513ead0191ec31280af1d30e215d0e75436ea2

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
182KB

MD5
07823fbd37748c175af26867635a6858

SHA1
663c2ba50896e00014551825daf3538c94654292

SHA256
6d3980f80ace1fad157b5a1041c184fa9fed53f0c37127cc25906fb2a753d275

SHA512
0575606c19adb158aece22b3ad1b12ab672b6c0be4467fd105ef5586554166f48fcc4ed35521c69ed7cbc0fb64c93e1ca6f69eb832edaf08695b9e7e62438b64

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
182KB

MD5
0fd60677c26792c62d3297c0b4ab5e96

SHA1
989ed6efe8473e63c8bfbeb739ef9ab5fe563be2

SHA256
fe68df6f657656c6f3f897fcded4e6377f0ab02b03d67e7c7b0cdb606318cdb7

SHA512
3a3c0cfbff8068c3212826cd9ad2dd8b538aa8f03e8b5c8657e3641f956ac6b21e56065b4d1f589d13ce49aaa1b596e134a083cdfdddef396e24b768da4901fc

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
182KB

MD5
26686474448cd8be55f696b38b2e853b

SHA1
624b2716de8f062fa9e5a0ec2e90a0061af9c21a

SHA256
0bbe159d57d6339961b7d5448f7b27c2199f3252f2ed36ff811fc3c3af03c01e

SHA512
8e491ccec994863cfca1a9f1806ffcd642e2db040704124ae5edb8dc0087e22a50eaf67cad1c13444cc0bdf00a4d5f5a9fbeb1a13b14cedc97cb4b19256ba56d

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
182KB

MD5
27d39f0c9b49b1248b9dd19ebfaa4501

SHA1
f017634a79cb2acb307d317ed3444e357bdda099

SHA256
7b685cb1dcbb108ca1db8184e633e966bd0cf95a6a93615de289a8ad1ba8b484

SHA512
c6c3b1a61a126e8c44e4481d1cbff76182983e3d2f8c30aee1dbe0075fcbff9b9e5914aba9573064e9d777af42068313ffd27e230677e914bab76d21f66ab59e

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
182KB

MD5
dd0f42b29c76f4052829f34d1b3fdcc9

SHA1
922c05e3486540b47b774a73c0a9dd8d58773488

SHA256
b45ede1f373e8fe7101ce4403c5423a1da907ff315b950c53e068b9535fdabf5

SHA512
6b4f40b5257d03578417e1083ded1edc4154aa67e8bd09846ead0fab7a432b4f998c3be9e7af5b930615c9450508458b0e3cc6a08de5a1fe9f0b344c7fbae023

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
182KB

MD5
17d3a74445973143f879bac8c4e55f55

SHA1
0ef5988d5f3e1dbed796f2c1b05343f6fd8e3d6d

SHA256
259696a45dc1cef31699ac747f107d7186a00afb8683ebd88b1dc880e7274063

SHA512
1c31013408e91a1c4c4dcf2c928d9c2b9e91b2446c5e3e772b535bdd14433d6cb8f62e011c73754a0ccaadad62955ed229e90e60969f498df72b7fdb6d092d52

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
182KB

MD5
62ceb857366e142fbd59e8d42ad0dd64

SHA1
25b701c8e207b7ea98f40c01dc662abd9de208bc

SHA256
71c23eeec433355e3bcf2ca2cbb2e1db8dc283b9332a413e4dba40c15f432cbb

SHA512
bcdaa2531fdc7449650993c9e4a278eed2bb4edec81b9cbf615fde9e4a4de200bc1eb2b15ea07138b24f62b83a4b87203a23da30e5b27f1278cf3e9ba2efa549

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
182KB

MD5
ae47cc343ddd3ade167568c6eb42b538

SHA1
75549f6fbace489a3763625f4e349d5ddcdca00f

SHA256
8ae258e9b8d9f9e6a8b7b4ff8afe29839825b65cd7a749d2dbd05c140216e245

SHA512
75874cd1a329dc2bfe256960acefefb15c555bf8ba690ad460636de06d41bdecb8d67418acded3d3c8d54d307aca8adc2093e87e55238fcc75e3301ffa0ed1b6

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
182KB

MD5
c8bf4f2ae2fe8b45b794ee3cbc923798

SHA1
314b83bc67d293ce450a2a607c0be2bbb09f2a78

SHA256
61b7bb95f29c40ad514f15beb6906b11b4ee926c24cea49b0ae3f208fd2a0428

SHA512
cb23fc0c10f632332ffbc0df7ed32a961876b11ff29196e247f5206d940b4ef5295f1ec5dd7fbec501e53e21b79301d304be0559f831782073c3ecbfcdfa9496

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
182KB

MD5
25198da0565ce7c10d2e376288d34b1d

SHA1
bef665b14c5c19679d70984fce91d95635ef9450

SHA256
4a9b230d8412572fb2feef5fe8826b815688c51a1a6b2fd0ef47e3904189a7be

SHA512
585ddc4e56142cc0920b2d0ac2d9adb7c71a38c3fb2836e8d3aefe2afeb8a40687d2ec742a47c0f912ccdcdf9c887ce8ada6c945997111b46077f1dce62c93c4

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
182KB

MD5
2be67776a3350113b185ab515d1d6578

SHA1
84a8bee4c829de3faa09c0b8709ff9ca06f2c650

SHA256
994ac1b54bd76f9d8250f00e53530d390936f3c137f59246ee988cf74990088b

SHA512
de015a612d082cb55758529129908f99d97f47dafebfc2c803c2a40df691fc0ee75fecf7dbeae4ec2365a7632748889d69835a62a9ef94c9db2247745cf7003e

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
182KB

MD5
0d30ecf78e80f17c80293606f1f3f8b5

SHA1
9af3c339394b18c78a77c5ad1e823f8802b9e299

SHA256
0a8625e36cee5081c854f15a5900ac210365bcb88beba110c185983b2af1b819

SHA512
08a8940c4b297587661608bc795888e266aaba6f85034915833044ded74e59c6a8587f86c6ddcac186a26b73614fde95d4fd0fd42a9a41c1d4690de8b791eb98

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
182KB

MD5
8077391a1c227d40d04294730b0f9118

SHA1
ac719a31e2f1065edee5a4dae4798e5523c0adb3

SHA256
68d127c00158e4d1f0b9b9ec4c31eb6dd9873f24393aa165c33cebf8a147ca23

SHA512
56e2f1a74b0f2f14ff4f2435c6d74dc43b448d53ed5988e281095c9732b9cbff656af41872192ba85b98c135aba42ad965b762bf3eec3a013598da0fd93b551e

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
182KB

MD5
957ade56f72e66dbdffcaa87ef6bfa3f

SHA1
32b87a6f1a24c28ce18a1a1b5d0a776943d5c6c2

SHA256
5e3b6e0a0196abbad2d18dbeeb08df680af0cb46291570af7b37a7eadc70e965

SHA512
a94585894e6d4ccfd357b4baf0df74377914cc9ceac4c88c663e3d4f5d9b24c6a4577d26da6e6f6e289b084e5c4556abc55ee382db176d2665d048567c294401

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
182KB

MD5
00fc10ea2a35cdf6e0cd49cacc79f718

SHA1
c92b9b04b4a93c8bd4571a700f4497daed1276e9

SHA256
a0bc1e0dd5e163aa9140beac98ad65971ee5e49940d10cae5bb15331712c6f01

SHA512
bfb40b4229e5c205d03b52ef717bbf08a41e05e9eb29009b22fa0c86d4baa3047b5ff1ee8434f5eeb90610b22840a53e544324113d2bdeca6d6a10f854ab9981

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
182KB

MD5
344d3058eaf672ff4bcb9b04928d36a9

SHA1
69bdf376f8e00d8c3a19a04f91e5ff211a53ef85

SHA256
441016907cfc984edb1d553cedc2dd8791bc144e39a6e82f4e224192878b3d2c

SHA512
4af2e5e9d5d64a4190f8bcb6cf0daacc5d1b79eccfcc0587c96d231b7e6d7735b79e73827549de24dd8785229a3cc2ec10fd4958921c67e2f2f6a23dd613bb6f

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
182KB

MD5
aadf6740822248171d28cae77e136b21

SHA1
ad58c19dd051a231055ffd1fb6396d52457706ea

SHA256
e3efb07617f7f7359ff13fbe26a4d92a5dc4160eed6689e81d06ebf8123199c0

SHA512
d134fa9f3359397d96afd8abee039c6b5eab8eb92f23c1adc53e29e1a0d720b09c37f4d50236dfc0a0244711d7beb4b3f7615868a41e0145f5c0f074bb08dd36

Download Submit
memory/116-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3156-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-1074-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5260-1073-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads