108bd9b7f0e9375a0e3470fbde81db5bc73cd6bd9f0d6620e7f73b276ea58a34

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da19a4ccbec34c6163d493646438d980_NEIKI.exe
Size

89KB
MD5

da19a4ccbec34c6163d493646438d980
SHA1

9ef8295e14d6d00ee17f32adc7bb3303dafb75c5
SHA256

108bd9b7f0e9375a0e3470fbde81db5bc73cd6bd9f0d6620e7f73b276ea58a34
SHA512

442f5c167f383e1e4e394b70826c02f548e657d88de37d24864eb0323101727769eba0e5b8dd3724b81a99c9f3885f4db77421d8631aa82a16f2f4386e563b6f
SSDEEP

1536:UpqbJGEHbL7aD6tJgJ+XtHRv9MmXc/xx/lYuYp83cFylExkg8Fk:UpqhGDYXtp9Mxx/lYP83cklakgwk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnoaaaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnoaaaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ondljl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	da19a4ccbec34c6163d493646438d980_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjola32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da19a4ccbec34c6163d493646438d980_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onkidm32.exe

Executes dropped EXE 37 IoCs

pid	Process
4944	Lnoaaaad.exe
4016	Mnjqmpgg.exe
404	Nfjola32.exe
2240	Nncccnol.exe
3404	Nfohgqlg.exe
4068	Ngndaccj.exe
3076	Ngqagcag.exe
4020	Onkidm32.exe
1264	Ojajin32.exe
1432	Ofhknodl.exe
2884	Oanokhdb.exe
2984	Onapdl32.exe
3528	Ondljl32.exe
2116	Ohlqcagj.exe
1576	Pnifekmd.exe
2604	Pfdjinjo.exe
2592	Phcgcqab.exe
4224	Pmpolgoi.exe
2852	Pnplfj32.exe
2408	Qhhpop32.exe
2300	Qdoacabq.exe
4528	Qjiipk32.exe
4288	Afpjel32.exe
3932	Adcjop32.exe
1448	Aagkhd32.exe
2180	Aokkahlo.exe
1412	Akblfj32.exe
1932	Ahfmpnql.exe
788	Apaadpng.exe
744	Bobabg32.exe
2904	Boenhgdd.exe
5064	Caageq32.exe
4872	Cdbpgl32.exe
4568	Dafppp32.exe
1628	Dgcihgaj.exe
2912	Ddgibkpc.exe
3368	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nfjola32.exe	Mnjqmpgg.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Gabfbmnl.dll	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Hodbhp32.dll	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Pfdjinjo.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Pnplfj32.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Ngndaccj.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Kofmfi32.dll	Onkidm32.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Akblfj32.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Ojajin32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Ofhknodl.exe	Ojajin32.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Pmpolgoi.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Nhhlki32.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Egilaj32.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Enjgeopm.dll	Nncccnol.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Nncccnol.exe	Nfjola32.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Ondljl32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Lnoaaaad.exe	da19a4ccbec34c6163d493646438d980_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Lnoaaaad.exe	da19a4ccbec34c6163d493646438d980_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Pnplfj32.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Akblfj32.exe	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Mnjqmpgg.exe	Lnoaaaad.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Nkgdfb32.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Akfiji32.dll	Mnjqmpgg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3740	3368	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfiji32.dll"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	da19a4ccbec34c6163d493646438d980_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	da19a4ccbec34c6163d493646438d980_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	da19a4ccbec34c6163d493646438d980_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgdfb32.dll"	Onapdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnoaaaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	da19a4ccbec34c6163d493646438d980_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	da19a4ccbec34c6163d493646438d980_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Phcgcqab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4944	3176	da19a4ccbec34c6163d493646438d980_NEIKI.exe	92
PID 3176 wrote to memory of 4944	3176	da19a4ccbec34c6163d493646438d980_NEIKI.exe	92
PID 3176 wrote to memory of 4944	3176	da19a4ccbec34c6163d493646438d980_NEIKI.exe	92
PID 4944 wrote to memory of 4016	4944	Lnoaaaad.exe	93
PID 4944 wrote to memory of 4016	4944	Lnoaaaad.exe	93
PID 4944 wrote to memory of 4016	4944	Lnoaaaad.exe	93
PID 4016 wrote to memory of 404	4016	Mnjqmpgg.exe	94
PID 4016 wrote to memory of 404	4016	Mnjqmpgg.exe	94
PID 4016 wrote to memory of 404	4016	Mnjqmpgg.exe	94
PID 404 wrote to memory of 2240	404	Nfjola32.exe	95
PID 404 wrote to memory of 2240	404	Nfjola32.exe	95
PID 404 wrote to memory of 2240	404	Nfjola32.exe	95
PID 2240 wrote to memory of 3404	2240	Nncccnol.exe	96
PID 2240 wrote to memory of 3404	2240	Nncccnol.exe	96
PID 2240 wrote to memory of 3404	2240	Nncccnol.exe	96
PID 3404 wrote to memory of 4068	3404	Nfohgqlg.exe	97
PID 3404 wrote to memory of 4068	3404	Nfohgqlg.exe	97
PID 3404 wrote to memory of 4068	3404	Nfohgqlg.exe	97
PID 4068 wrote to memory of 3076	4068	Ngndaccj.exe	98
PID 4068 wrote to memory of 3076	4068	Ngndaccj.exe	98
PID 4068 wrote to memory of 3076	4068	Ngndaccj.exe	98
PID 3076 wrote to memory of 4020	3076	Ngqagcag.exe	99
PID 3076 wrote to memory of 4020	3076	Ngqagcag.exe	99
PID 3076 wrote to memory of 4020	3076	Ngqagcag.exe	99
PID 4020 wrote to memory of 1264	4020	Onkidm32.exe	100
PID 4020 wrote to memory of 1264	4020	Onkidm32.exe	100
PID 4020 wrote to memory of 1264	4020	Onkidm32.exe	100
PID 1264 wrote to memory of 1432	1264	Ojajin32.exe	101
PID 1264 wrote to memory of 1432	1264	Ojajin32.exe	101
PID 1264 wrote to memory of 1432	1264	Ojajin32.exe	101
PID 1432 wrote to memory of 2884	1432	Ofhknodl.exe	102
PID 1432 wrote to memory of 2884	1432	Ofhknodl.exe	102
PID 1432 wrote to memory of 2884	1432	Ofhknodl.exe	102
PID 2884 wrote to memory of 2984	2884	Oanokhdb.exe	103
PID 2884 wrote to memory of 2984	2884	Oanokhdb.exe	103
PID 2884 wrote to memory of 2984	2884	Oanokhdb.exe	103
PID 2984 wrote to memory of 3528	2984	Onapdl32.exe	104
PID 2984 wrote to memory of 3528	2984	Onapdl32.exe	104
PID 2984 wrote to memory of 3528	2984	Onapdl32.exe	104
PID 3528 wrote to memory of 2116	3528	Ondljl32.exe	105
PID 3528 wrote to memory of 2116	3528	Ondljl32.exe	105
PID 3528 wrote to memory of 2116	3528	Ondljl32.exe	105
PID 2116 wrote to memory of 1576	2116	Ohlqcagj.exe	106
PID 2116 wrote to memory of 1576	2116	Ohlqcagj.exe	106
PID 2116 wrote to memory of 1576	2116	Ohlqcagj.exe	106
PID 1576 wrote to memory of 2604	1576	Pnifekmd.exe	107
PID 1576 wrote to memory of 2604	1576	Pnifekmd.exe	107
PID 1576 wrote to memory of 2604	1576	Pnifekmd.exe	107
PID 2604 wrote to memory of 2592	2604	Pfdjinjo.exe	108
PID 2604 wrote to memory of 2592	2604	Pfdjinjo.exe	108
PID 2604 wrote to memory of 2592	2604	Pfdjinjo.exe	108
PID 2592 wrote to memory of 4224	2592	Phcgcqab.exe	109
PID 2592 wrote to memory of 4224	2592	Phcgcqab.exe	109
PID 2592 wrote to memory of 4224	2592	Phcgcqab.exe	109
PID 4224 wrote to memory of 2852	4224	Pmpolgoi.exe	110
PID 4224 wrote to memory of 2852	4224	Pmpolgoi.exe	110
PID 4224 wrote to memory of 2852	4224	Pmpolgoi.exe	110
PID 2852 wrote to memory of 2408	2852	Pnplfj32.exe	111
PID 2852 wrote to memory of 2408	2852	Pnplfj32.exe	111
PID 2852 wrote to memory of 2408	2852	Pnplfj32.exe	111
PID 2408 wrote to memory of 2300	2408	Qhhpop32.exe	112
PID 2408 wrote to memory of 2300	2408	Qhhpop32.exe	112
PID 2408 wrote to memory of 2300	2408	Qhhpop32.exe	112
PID 2300 wrote to memory of 4528	2300	Qdoacabq.exe	113

C:\Users\Admin\AppData\Local\Temp\da19a4ccbec34c6163d493646438d980_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\da19a4ccbec34c6163d493646438d980_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\Lnoaaaad.exe
  C:\Windows\system32\Lnoaaaad.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\Mnjqmpgg.exe
    C:\Windows\system32\Mnjqmpgg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\Nfjola32.exe
      C:\Windows\system32\Nfjola32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        38⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 420
        39⤵
        Program crash
        
        PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3368 -ip 3368
1⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
89KB

MD5
6fd4d395337893d086f52246f5fe5fe3

SHA1
f6d642b9929c646d0e29fd0062fb42d2fa8834ba

SHA256
470893e3be45ab581c36ea617cd8a6b4bcf91c62cfa27cffd91f2fb5a997da99

SHA512
cbf224ea05879c658eefecec3a8d579967b184338fa2768b96e50968a7dbed550a645340c3bcfea78a172c0efbddce21103290a4a7369230deaa93f5d44255ac

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
89KB

MD5
6a964fe3d223d566bf0265fc61386fbb

SHA1
f1826b5025235d46ab78dfb7b119365be726ffbe

SHA256
8093068f1049846b27e639c8a49a46adec2fad2aa1fc0f7715237541ba13f3fd

SHA512
ef14a7b454ef0c4dd8830ed9c01764f004e91fe7b587a839dd265bf3b0e615a6c17f1088eb79ef893d3831c587574d5481578f34fbd70465bcf2e98f107307ac

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
89KB

MD5
36baab603a11d498bda26a4bf6f5008c

SHA1
4fad46a944312d0f261734a5c0c7e155bb99fbda

SHA256
b465231f0734a3d3256045ff2a2703c49d61afcec5246e4ce549345187b08052

SHA512
bcc17c23f56b60a1aa166aab103366a639032f5819b2d17417bead6d9074c91a88b97e15c30f430cb56cceb0df4ffbedaaac7b18e782cb315a160b357f4c55c9

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
89KB

MD5
a8e1103137624113a2fcee03f258b6f5

SHA1
c87e8d4d67ab6cfdb16e68a80211e10bd91324b5

SHA256
ba9668404198ea446349afbc8d0fd7b8cca12123022445a4c744301fbac6ed26

SHA512
f8e9bf8f1233431b3376a933e9c3c0f78978c63403b763ab54af6146b8b91430c2ca3649767cd486f01c85432da9ff15957cd4584a20c2feba6a5fd761c830de

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
89KB

MD5
6a44ff2563178b266c078b83fc39d6f1

SHA1
68d3731a7b29a59c2fe9085fd76eb062015f3c2f

SHA256
393e2debeefd8112fe292802d2f45daa589fe8fb752d95b631cc7dda3a876347

SHA512
b7a546d77293f1e2d04ad820eb131b8dee86b46f5242c64dd447010d40e7d8fa3b67d96ec508f120773075ecdd1adbe63484f3816eb842ba275d41e5ee7320ed

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
89KB

MD5
4a2894f5a60626a989c1da9a9717da78

SHA1
51798c65df2c250521d3419bddd4d73e0f4c4317

SHA256
4db1d951d0c9751a812b26174a4250d734ddc029e13f79b5cfce2bffda871825

SHA512
ad80cdbfb785e7d96b47d9ae86d96541dbf46e6a1d9cc6be64544f57eb11dd2406768636f61efcf9331d3f6a62d88d29c7dd421286ab654c78ac0bc37307b27d

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
89KB

MD5
0eca88d0d0c9fa2095cabdb1125c8df4

SHA1
12d028bc5f1a4cf5a596fce4fd0eebbbb46193f1

SHA256
1e27881542de147892e9c628b745fb3b3a421edc039e773342e8786c34e97cd1

SHA512
50dd58718e72d2ad108e962f47f5ac5452e337d91a2e31e13426e16a4b847779b9f87378cbe6a1cf36d1940320cef70593a7caf9219fbccf140abf6a206b4031

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
89KB

MD5
a4dc780cc11849ccdf41b8f7b4df6d04

SHA1
1ec602e128a93eacaaea1f834149bb24bc791bcf

SHA256
302ab16b476527e6a8a71829dda4d9b3a1cbb6ebf7e5d87fd02ad817713e1e08

SHA512
9920168fb99d6627169c5c6a89b267c9fbf94f9433564c9c002ec9f1cd846f479506dec6888ce8ba71de3a5cc3f1e240e5680a7f592c5df0a38d33b151a25e8b

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
89KB

MD5
844db29ff9b920f10f8333d464487a27

SHA1
7f2bb2442929f84682cdb40942b584bcf1e19d4f

SHA256
32b65ec1371036892cd6100c0084c344f73d3c6a1bdc41169c23880da6c7a696

SHA512
e4557bd265fcc39b7ef860f7a758b7d7eaf0578d082074e7063f743e031be12d72625bb7e12493fd92aea42a813d9529a732507a1d493d551093d7522759ecf2

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
89KB

MD5
71c8f0b303763d35311ca26bf0620652

SHA1
51f12bbdd9dba8118a112c81bb6f3ec4388e054c

SHA256
38d07e8a67ed972cc3c5fabc011a6ba9c79d78a4faa474eabc97fa48bced532f

SHA512
4c5747c4c78fb05d82b0d528ca75fa9f6a6d21c48ebdd5e499c293b7d813a5cc3a95212a2003349a7b5582815a91125b5dac1a9f8c5de4f2953eb47e4cbcee17

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
89KB

MD5
839fa152d72c25babd73ecc59e42fd20

SHA1
b71d03ee4518983d19b71c861fa5b13a749a8aec

SHA256
717eee31400187c97f86d5cfb004983ea1df93ce5455228c4ae6bdc15a3a36c9

SHA512
e0153dd2385e8c1fa0fb3a072e58329c5949cf58dd33eca7cff8c6a9947b6337880278ad275e58003f5502a28556e79c9075e2b0c84d74e2923732954fea8417

Download Submit
C:\Windows\SysWOW64\Enjgeopm.dll

Filesize
7KB

MD5
4615276a15733ceab156980d402d85ae

SHA1
06c9c6bf44d42a820619799f5238552697dd4cf7

SHA256
5ce6f6e6baa35d7cea27bd939ca8ae60d183d68f01c7b657ab596af636a492f7

SHA512
621ff4dc3029e46fd8a5666f7bd8d748861ba1b0825ed14054473e0732783b4e38450d7ea652cc3a8d44ad51de538e93e79a8d1f5374e2852e845817c967cd5f

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
89KB

MD5
4f6d501d375f16dd62a40fa5ed04675f

SHA1
51870335d93f431d435e485ec0794a0ccfb9461a

SHA256
758be8a2bbd8af10f0462d3b49e2584516363a398cd022200f6af8a02d965aef

SHA512
c852b4a2aaba846f8db72fa7f4a97d3ab4a60e48f9ca5c0bece1dd74f67e68475bfdb7add43498db9c4d9aa8a8d094b010bf2201f4b13906893ed0f99eca5d58

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
89KB

MD5
d4a5ea0d8677b6124575302feb83abc4

SHA1
a438d7d949b930bacb415354d4fd20671721d453

SHA256
f6b9264a626b9c26ded6c3df61b1e7443b1c0495256fcd4426011d31d21c5693

SHA512
19b8ca9714bfbc16dba470de7a6fc44a6b7892e43dbd9817714c18159b60ea6065d6fb78e8634c8f13113ef22fa421b77aa927665da3208d861e7b937e84e89f

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
89KB

MD5
db90869831dcc2acc9016512bf71ca51

SHA1
442f4fa727bc535f561bf50646d7b00c86d55985

SHA256
f292b69c6645277d29b28481c14344c7e6ff736cde9b0b7333b1020f51e53f7b

SHA512
81857aee359a1cf503659d8c2e7127e204a2505636a64317dd0f94a2f331ac50f234e551349c8398dcec884b670007d3e7bdcaea24e07eb0aa3a2e81cca81cd9

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
89KB

MD5
4d0c78c3b6e263953005937ecaddb65a

SHA1
3607e5cc4e614986d176ef2e4fe22000e26a93db

SHA256
fb769e4eb3e3840a7550a0774808946e2d5218ccd0dd57504bfcf17d38e40db4

SHA512
997cf07a022d0877af519f21563c599aa73c07c6307d867383c148ebd3380eb8a656da0c5985eead92e2cefa242e9980354cff8303f4221f4777240c4db88e59

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
89KB

MD5
e7017204c4709019153be9a576693cad

SHA1
ecc7b4cb9e7620824ddff0ce25d641b94c05e58f

SHA256
585083af842725a13c92b3ce095f8e10f8dea7e0ec1ed53845fa34c8fbd812fa

SHA512
eb3056f5c4fe685129135334ddab7cd353bfcbc2aafad85ed311e09bf359d20c0916579487ea48dd45cc30c05eed13a0ad3743509fcd9bcbadc6c77bb01a62b8

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
89KB

MD5
be3f1a3d9588fe686095de32947d1e00

SHA1
df80269ebcbbf6989dce15333a1f146bf918b8f4

SHA256
4ffbee0490a032b29608d519caba5f34b665c40e4c4eaa518183841ae0a42c44

SHA512
9e0eb3ec689e72d10ffbc04edac97db2bc0c14dcfd54747a4f291fb0d88643cfe296473cc44f9c174f3662b31a0640bcaca38cb98fff557795b1494c468aeea1

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
89KB

MD5
6ace53a487f0661d2f249c82c468aac9

SHA1
7c01b15d79f4bee1a92a7256cb1fbd164fc2bb44

SHA256
23885c92ea0bb5756982ade3941ba49d55ced56cdd14b7adce38ce781709b03e

SHA512
c09ffbcf01a23c46f4a3794edf00fe156d8dc96c31c5a83a73303e07ff6a03f99dbf0592944d8b7134c4e0b2d4b3571336f5db588731af9a32ec3a9020620501

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
89KB

MD5
8014b1ab38fea818400b2575c076bbab

SHA1
0623c66fb5aad4723cc29b60aad3f6389a14ae19

SHA256
6fad10d84f276240c89fe1c100df05ba4edf189524778858479f67955fdf1305

SHA512
0f5aedb7c9d6d2ab6b5e1261690ba31c9dd0a4f57132097a639b421e4c1db79efd8f406cbea1bf4b30e9871ddd1561937dc92e1baf6c2bf5a41236f319dfecd0

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
89KB

MD5
ddde6cb939a45bdb33c49b6e64044d95

SHA1
618d0f59776f406707a7018bf83cc78f08400c9a

SHA256
faea8cab3ded973187f9707a125743e26f0871cdd7839d808e4f292967748470

SHA512
b0cf596c4fb2af8b7e880b3ec5f756d75036dff22f66455ef8b722e0a8a458d1745bc384f830879604038c595276330cab46e7d5d089cd66b15011db9e1c0271

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
89KB

MD5
cad0d17d6940b273ef81b9bdf0c52d6f

SHA1
11fbc91a832056813fbffde9f33fc62225246b68

SHA256
e65531eafa4b1b7c946df3a4c536c720ecf04bd757c8ece69f4c9bc8c77a7d1e

SHA512
b37d3698aeea8957e86e6733c7af67a26a9df5f987e494ceeb1cbe873ced5f03ee5c9c984a9bb1ce6e75be8995a4c04d7e1fe51c7d3038e4635b2b07ccca57c8

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
89KB

MD5
fb4b43f44d8a89ad282f881d13f7b093

SHA1
aa4003b4167ed3a46fae7f943870522cb6aae27b

SHA256
1651c638a5a827400bfa850df377c5c91894a9aad81fffd48908cfc66a5a8a65

SHA512
0dbedd4681fcdf1eb7d872b2a00c3759018b0bdfee2d98c06e5f50391afd0e11e72d2e82b8c4d2ee1e5a8e858465734c59eb200469d2f5c73cdb383429857dcf

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
89KB

MD5
7f663b34954630ec6ee15841b8ddb736

SHA1
9b69900430cef3e2669dfd55d74a554ce22eca7e

SHA256
fb5376c81e956b9308d945f28d78b6c00fa02886f4ccc86dd7da59fb0c696197

SHA512
f8de95e0f4368bc8ec5c2274c48cebee2cc90c0e464ca8720e13a198b3cb0a77b1a4d9a3a51a4f207e921ddda344daa5bc330fc318e21ba13acd94dc2e5e1848

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
89KB

MD5
3c9e2aa9c5e0a7bbeecc5f0feb19e32e

SHA1
543cad0d8cf972d71d7bf655e26915ee2f2b3d8e

SHA256
3d59fe211b17a9a1ea96839b990e0c53014df4b7cc3ef523f8dc2eaa077f8742

SHA512
12a9fbac9eff91b707d1f9e9239f89306d90946d26d834e4daa8d72fa89e43dd5a7104c71aec32ce4c992f0cd5767657b2777371d81aa2d7a14a333547b4b3e1

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
89KB

MD5
16d5a4c470ac6d2731bf022887738dee

SHA1
9f31cce2e74ff8a8e4f720ff15ae434b0683215b

SHA256
f524c3dd617f9e98255ad3a05b67d1a7e03bc86ed612ce25e7c54ad04886d11e

SHA512
693dfea4fc42015eee32e345a10495eefdc52f1a6d57c4d6b1c2c43b0500951f4acce26273ce35944ea22ae6ff388b9e41237b1c14de62e1fc833141dc12b98a

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
89KB

MD5
0f7979f103280552cc39a5a899b485f1

SHA1
786307e300f3bce80e488d8e2e0ba08632625377

SHA256
929916f978236d4633d0792341caf78566c015d2529b8defbb35e1e8a65a4a78

SHA512
2ff389ca1ff9928be8b0c579fea060c4fd3aa9f479f1cc0bf01a70ace2c37b5d57bf5bb33770e03f8b1f32af85399921e3a70c4386a6a74b4be0772bc4eaacf5

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
89KB

MD5
7cac76e66215e0645abed3d29d0a811c

SHA1
f7f3df47f3f3abe2c097b0c4acc50469371f866e

SHA256
04188edef2eed901ff629e676145485aa944db7ea18e62a022670975100a1bac

SHA512
59d5b6b40d4930e60b3957c6b8084ce2bdd23e17bca26159bdf9f8677b37b266ba95a8aa09c5ff4c30cb0f238804272170c03acf04d59ecfab5502293dac91cf

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
89KB

MD5
231ecb4ac7421f2f00056e5bf17447fd

SHA1
414a1612e4be68471a5d24f11d23028971daab26

SHA256
2a4fe7da6fc49a23908a328c331df9b76744709beeecfbed82bd7b1978dbbf14

SHA512
5ec05924df55e2d0857b438cdee1e1cffaee2ea25f0ecc6291a233ca2265e8d9c3d37b477e85fc0bbe9c8db99aead32c3aaa243c518909f5925e8dd38aa965cb

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
89KB

MD5
14fe9779f0f4233cf56c4f41bb32d641

SHA1
c6fa2dc2278d3f8f86aa685046276c59d06c04d4

SHA256
b5937e25c3121216c5aad7292f37b12c3a3bcc9f8bd0897b5a892d95fe141027

SHA512
243682b46c1577d21240630733cf92ddfd76c0f811834eabcb1dd3433d5602abb87c5889236e90ebdca9d0667026c78195111e560b890a48e36ab17e2ba2f3c5

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
89KB

MD5
4fb3777f5a68a46d372945a929ed3501

SHA1
b70b522f6e61a1665bee64e72a5a7ad2184c5252

SHA256
209927efc52fcebf02892468092f51cbbb4324ab368a490c04080da798692c76

SHA512
147028903c270763217fd3e5c4e0b00c8b53b85b64353bec877f7cf1ccd078ead56acd18cc3997b22a466d8b8d8b7b861a19e51ab1cdb9e63460541672ee9ed1

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
89KB

MD5
1b09b36e2bb9c09b8eeea6ed072ed6bf

SHA1
95b1c54b9d0fb86e8736705569d081df24cdafad

SHA256
c0b05287bd225fcc8d44cc2a0cdc7610c62a8d35ec08ba4e0de42c821d3206da

SHA512
92a9b19533a804287342a77b83fc36544a9cbd9365a42b3325ed8c4fcfc821ee5882621435f9b5f793695ce39819fa60dab2b6e17d5cb2ee17c8c45530e726bc

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
89KB

MD5
5028372634db07d5613faee343d1bc97

SHA1
2f1c54133f9a520ba41015b22a53482d38e6d518

SHA256
19b43d5950d4e1a502112e535e2104d1749f789a87813d2ec332b7e45f177e2e

SHA512
cf155423acc3b001055ed8c9109554f9f75e86c896c26235270181bf18fe8b52784761e0da7523fdf3e627da80dec32b56d5c50e6326845108ae99f5fc0da068

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
89KB

MD5
42f08c88c840bdf5e65294d4353adc5b

SHA1
c749731f72891a317661f007829ac6b4d422077d

SHA256
3fe33e4018bd77a594452996977ef797a133f195bad1fcf78e453c2aaf1eb566

SHA512
ee8e179476f4506d64fadfce0f2b7f3a1425c8bbfc2e85b876509d09c8ef60f779b024d46ecf7387bf0c481631e8010531a24a5cb830cb082b3482c8000e38e7

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
89KB

MD5
aa7bb5e7a98b393b904c2f430ae5b242

SHA1
facb63e9f0b0642fc8f17ad36d481264a374fd98

SHA256
cc8d523ca7b4e49b7cc06876ff82ca6fd0b118c73929c0fa53fbe7e4dac9af2e

SHA512
a509bd8fc02cb7a6e07d8d9e12bdeb907cd8a8120efd0b34c76910d85c293cab15bdcd8f426515bc829062cab07eee433bbcfe5932de3ea1ebed321d51b00b32

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
89KB

MD5
2646bbfe79acfa3ba16c536bf7e35186

SHA1
416c49946f04da29bdc04d1d8f7f130c3359fe97

SHA256
f576b3da23e12a9684063124989efcc063fddfc4670790db05d316b6013abd01

SHA512
252bc2fa1431f631964294410b99e4350f648251486283ee2e9e951022526a6911a24045dc391e52022d63470a74700b022ea6e5616a87aa085a149f4c5e234f

Download Submit
memory/404-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/788-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/788-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1412-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1412-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads