9c48dc6b47740a0f03dcb5e5bdbc16ee4c6ac3aadfba74839b6350b7e004810c

Analysis

max time kernel
141s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe
Size

582KB
MD5

da3fe00514fdb461cc43f23179108760
SHA1

71ae6cf13bccbba292ebf506aea7863c66780cf4
SHA256

9c48dc6b47740a0f03dcb5e5bdbc16ee4c6ac3aadfba74839b6350b7e004810c
SHA512

6419459aae8f65d47904288b9268e212ab67ddf7e59554fde8a7f1f1267513efb1a2ab7b4f18017463eb5c89e9a9f392d49dd4e136bb094e7ca8801d775284cf
SSDEEP

12288:ZfmgVUYNrekcPYNrq6+gmCAYNrekcPYNrB:ZvOakaF+gqakad

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe

Executes dropped EXE 64 IoCs

pid	Process
3976	Pdfjifjo.exe
1520	Pjcbbmif.exe
1904	Pqmjog32.exe
1060	Pclgkb32.exe
4468	Pfjcgn32.exe
3336	Pnakhkol.exe
4592	Pgllfp32.exe
3704	Pfolbmje.exe
2276	Pnfdcjkg.exe
3244	Pdpmpdbd.exe
4444	Pjmehkqk.exe
3588	Qmkadgpo.exe
2016	Qdbiedpa.exe
4256	Qfcfml32.exe
4012	Qmmnjfnl.exe
2224	Qddfkd32.exe
4868	Qcgffqei.exe
3144	Qgcbgo32.exe
4404	Qffbbldm.exe
2940	Anmjcieo.exe
2408	Ampkof32.exe
5092	Adgbpc32.exe
896	Acjclpcf.exe
1620	Afhohlbj.exe
4596	Anogiicl.exe
2168	Aqncedbp.exe
1376	Aeiofcji.exe
5056	Agglboim.exe
2624	Ajfhnjhq.exe
2248	Amddjegd.exe
4980	Aqppkd32.exe
4620	Acnlgp32.exe
2284	Agjhgngj.exe
3404	Ajhddjfn.exe
4312	Aabmqd32.exe
4408	Acqimo32.exe
2148	Aglemn32.exe
3148	Ajkaii32.exe
2640	Aminee32.exe
2484	Aepefb32.exe
4400	Agoabn32.exe
5088	Bfabnjjp.exe
3272	Bmkjkd32.exe
1796	Bebblb32.exe
1380	Bcebhoii.exe
1716	Bjokdipf.exe
4376	Bmngqdpj.exe
3876	Beeoaapl.exe
4948	Bgcknmop.exe
4240	Bffkij32.exe
4560	Bnmcjg32.exe
2892	Bmpcfdmg.exe
4356	Beglgani.exe
5096	Bgehcmmm.exe
2420	Bjddphlq.exe
3600	Bnpppgdj.exe
2968	Banllbdn.exe
2952	Beihma32.exe
924	Bhhdil32.exe
452	Bjfaeh32.exe
1300	Belebq32.exe
5068	Chmndlge.exe
60	Cmlcbbcj.exe
2324	Ceckcp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
648	3164	WerFault.exe	151

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 3976	1552	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe	83
PID 1552 wrote to memory of 3976	1552	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe	83
PID 1552 wrote to memory of 3976	1552	da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe	83
PID 3976 wrote to memory of 1520	3976	Pdfjifjo.exe	84
PID 3976 wrote to memory of 1520	3976	Pdfjifjo.exe	84
PID 3976 wrote to memory of 1520	3976	Pdfjifjo.exe	84
PID 1520 wrote to memory of 1904	1520	Pjcbbmif.exe	85
PID 1520 wrote to memory of 1904	1520	Pjcbbmif.exe	85
PID 1520 wrote to memory of 1904	1520	Pjcbbmif.exe	85
PID 1904 wrote to memory of 1060	1904	Pqmjog32.exe	86
PID 1904 wrote to memory of 1060	1904	Pqmjog32.exe	86
PID 1904 wrote to memory of 1060	1904	Pqmjog32.exe	86
PID 1060 wrote to memory of 4468	1060	Pclgkb32.exe	87
PID 1060 wrote to memory of 4468	1060	Pclgkb32.exe	87
PID 1060 wrote to memory of 4468	1060	Pclgkb32.exe	87
PID 4468 wrote to memory of 3336	4468	Pfjcgn32.exe	88
PID 4468 wrote to memory of 3336	4468	Pfjcgn32.exe	88
PID 4468 wrote to memory of 3336	4468	Pfjcgn32.exe	88
PID 3336 wrote to memory of 4592	3336	Pnakhkol.exe	89
PID 3336 wrote to memory of 4592	3336	Pnakhkol.exe	89
PID 3336 wrote to memory of 4592	3336	Pnakhkol.exe	89
PID 4592 wrote to memory of 3704	4592	Pgllfp32.exe	90
PID 4592 wrote to memory of 3704	4592	Pgllfp32.exe	90
PID 4592 wrote to memory of 3704	4592	Pgllfp32.exe	90
PID 3704 wrote to memory of 2276	3704	Pfolbmje.exe	91
PID 3704 wrote to memory of 2276	3704	Pfolbmje.exe	91
PID 3704 wrote to memory of 2276	3704	Pfolbmje.exe	91
PID 2276 wrote to memory of 3244	2276	Pnfdcjkg.exe	92
PID 2276 wrote to memory of 3244	2276	Pnfdcjkg.exe	92
PID 2276 wrote to memory of 3244	2276	Pnfdcjkg.exe	92
PID 3244 wrote to memory of 4444	3244	Pdpmpdbd.exe	94
PID 3244 wrote to memory of 4444	3244	Pdpmpdbd.exe	94
PID 3244 wrote to memory of 4444	3244	Pdpmpdbd.exe	94
PID 4444 wrote to memory of 3588	4444	Pjmehkqk.exe	95
PID 4444 wrote to memory of 3588	4444	Pjmehkqk.exe	95
PID 4444 wrote to memory of 3588	4444	Pjmehkqk.exe	95
PID 3588 wrote to memory of 2016	3588	Qmkadgpo.exe	96
PID 3588 wrote to memory of 2016	3588	Qmkadgpo.exe	96
PID 3588 wrote to memory of 2016	3588	Qmkadgpo.exe	96
PID 2016 wrote to memory of 4256	2016	Qdbiedpa.exe	97
PID 2016 wrote to memory of 4256	2016	Qdbiedpa.exe	97
PID 2016 wrote to memory of 4256	2016	Qdbiedpa.exe	97
PID 4256 wrote to memory of 4012	4256	Qfcfml32.exe	99
PID 4256 wrote to memory of 4012	4256	Qfcfml32.exe	99
PID 4256 wrote to memory of 4012	4256	Qfcfml32.exe	99
PID 4012 wrote to memory of 2224	4012	Qmmnjfnl.exe	100
PID 4012 wrote to memory of 2224	4012	Qmmnjfnl.exe	100
PID 4012 wrote to memory of 2224	4012	Qmmnjfnl.exe	100
PID 2224 wrote to memory of 4868	2224	Qddfkd32.exe	101
PID 2224 wrote to memory of 4868	2224	Qddfkd32.exe	101
PID 2224 wrote to memory of 4868	2224	Qddfkd32.exe	101
PID 4868 wrote to memory of 3144	4868	Qcgffqei.exe	102
PID 4868 wrote to memory of 3144	4868	Qcgffqei.exe	102
PID 4868 wrote to memory of 3144	4868	Qcgffqei.exe	102
PID 3144 wrote to memory of 4404	3144	Qgcbgo32.exe	103
PID 3144 wrote to memory of 4404	3144	Qgcbgo32.exe	103
PID 3144 wrote to memory of 4404	3144	Qgcbgo32.exe	103
PID 4404 wrote to memory of 2940	4404	Qffbbldm.exe	104
PID 4404 wrote to memory of 2940	4404	Qffbbldm.exe	104
PID 4404 wrote to memory of 2940	4404	Qffbbldm.exe	104
PID 2940 wrote to memory of 2408	2940	Anmjcieo.exe	105
PID 2940 wrote to memory of 2408	2940	Anmjcieo.exe	105
PID 2940 wrote to memory of 2408	2940	Anmjcieo.exe	105
PID 2408 wrote to memory of 5092	2408	Ampkof32.exe	106

C:\Users\Admin\AppData\Local\Temp\da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\da3fe00514fdb461cc43f23179108760_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\Pdfjifjo.exe
  C:\Windows\system32\Pdfjifjo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\Pjcbbmif.exe
    C:\Windows\system32\Pjcbbmif.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\Pqmjog32.exe
      C:\Windows\system32\Pqmjog32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        45⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        47⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        67⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 408
        69⤵
        Program crash
        
        PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3164 -ip 3164
1⤵
PID:2948

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9882f6f70d6284438c81248dac623c23 8iLAABBIMEW+CiztZcrP5Q.0.1.0.0.0
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
582KB

MD5
e6b8e8b3b0bc736a69228d6974659431

SHA1
044091c57557c3a26085bace9f496b342a24b78e

SHA256
59f7d3db069a202c64cd2ed9ae2570713ed02b0d3998287e1718648e324bce4d

SHA512
6f11f9defc0a957b49165e02fa31da3f06a5843bfffd510870da86b62aeca5dce19c8f51eb54ee7fe0fba1028b6a28914f93f3ffc773408dd8558e43771c758d

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
582KB

MD5
f1db72f4ab939b6106db06ed315e98fc

SHA1
3b4db5809d84d890de4a0714ebac7b021148bcb6

SHA256
af6070cdbe5f4bd58c43bb74a403f4855112119889a3b8dcee855a2736f68098

SHA512
d52c69ba0a710678af2d6348da0ec95cd87e68cfa2219e3e3759483a6dd0afcf91d2c3a2fad226ca707289882e6e43f50a56415a98dea1a5c8669a11244247e5

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
582KB

MD5
edabdd841f52c092be16aff80aba1083

SHA1
8f4c422c47270ce95d038533cb21fe8e74e144bc

SHA256
d0d4239d679fdf79ff50be1352ce3b6501a3b74c701ee7ae6b3fb9cf2e5aa687

SHA512
48ace7987739fb83ae3554c10417c615c49b99965e2b9f2c157d9d4227f527873a80db602e2f2d09aac5451d3ec028186e5521787e98e6925d1b0ccd6216544d

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
582KB

MD5
0446cd5ce46eb0a6701fcedfe7d7147c

SHA1
b28b7486b4da3b786442b0ba22df5364abc29b96

SHA256
206ee4de2154a9c90ed4db09259cd01d2cf546908cd92db34ed1e1aabe2781a1

SHA512
ccad58f241a957ae466dde4703645912b0deb7bab846bc8012a65463baa3afdcff076293cc974876ee4fed630b377646addaee3569b7bed814f7080db1d09df7

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
582KB

MD5
aff6de3923abb4f3b7bdc0d912f7ff8a

SHA1
e3012ce934192aeebf6c719946ac420f76dead72

SHA256
40e464770a32ef8b2243c5db379018096ea29327d79db2de9a9da345e8c186da

SHA512
aeefbe8bffabd82e62d880be20dbe493b727e782acdd265439cfa2bdcbe322edb74a6627cebbc6c61df207d302114cc93d6bb42837681bd23ddc7406942b5c0a

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
582KB

MD5
4f626743e3b524de1020139ebcaf87f5

SHA1
7d23ab93cdd92ed6e8a92ced719d14f3ae6e4d4a

SHA256
64a26888eb5ee1e1ab73adb1c96d21a2413d8c6a7660b97666c4e4be8a9c298f

SHA512
a6a626905e2fc0079dbb6973768f9363c81bb4eaf95acf6ccfdab844ca8d7b1952a13f2226b073b3c8bb7c37a79cc26dd54fe2324bb1cfbd4a1b3d0a53978834

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
582KB

MD5
cb4443bf552e6e33906d2f79f767d35e

SHA1
af0485a508686afce43fa97c07f4f6ff2130a180

SHA256
f869806c958324651bae939f876390c7ed459a676d3a32035e93aff91992920a

SHA512
14a957db3a6a17b2c453bb27d952a78a314e6fb50f68c6b7a68addaa617cd44be3457c857844c0c681ad83d8a29cefb60ed3bef6da88283aae9966aa63ea1723

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
582KB

MD5
9f9672c8d29d98831c5e3ff4dd85e154

SHA1
9eb7f80bc7a95fcca8fc407826fe9bbf7a0d832e

SHA256
44744b1b3bf4edf7cfd6033537613c79f569b1a57344acabfb67fe2531219def

SHA512
a29800dce4a09893e6237b20b8c381f7b3edc0ebde6a803440c6733f5ed2242c3e7c637a2fd447c98792cf33e99b183f90c4be729fc4f29b8a0fe7f145511c65

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
582KB

MD5
52d0e0f815f028cdacc283937fd182f4

SHA1
835259e4b0777ebb0d216abf9563eb854b0ba325

SHA256
1d5dc13da3dfc39df68123ddd7807538a8100a574fc1feff74e3f08df67f4098

SHA512
8b10f9c8355fa7f106edf5a0a7cbdc6bfa2e297d1d008d2825119c10efd6c8293f4a24b67d25de187d9f823696a2fb9716e3dc691348998dd185a18d849152a9

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
582KB

MD5
c0b44db1193d247d0853d1207bffb976

SHA1
be05cd017469621b01af003c636555c8e937ccac

SHA256
8acf39592d9b6e246a95d810bc393e016ed73b43a0fd1edc345fa9f61f4e362d

SHA512
787853b20147d82116905936f3de24015e47a31c607b302acdf34b85e066bd7316ecce8c1b82ef7294027ea6e7cda5f918d05166a91b984302f3ce6e577b2bc7

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
582KB

MD5
bf6c8f452a32b7751aec19a96765c454

SHA1
1f39cb04a729144f29a6563347b43ec2a7062126

SHA256
4171554422554fdf82112552b43a094f27b52eccabf1e155cd7237f4774e6605

SHA512
a1228b7ab4affe65d8a1f7ff47db0475c0ae25734dacf4a01a6cd84ceb2100de3b7ca2196efcbba91253f925aad3969c25038c642c6196841b2078d6bfbaaee6

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
582KB

MD5
eb6eaf7645ac58b4fcf81950ad23ab61

SHA1
9be6f052e288d0034a41a9696b0aebeed6f0e6b5

SHA256
0c26b644fe13b4ed399e193519e9053b8f89e1ab56bbc596c08222f54ac4fab3

SHA512
b9793ffb9fa600d1137cec63af049a574a604505f0de64312f984734b4e31d9af875c53a8faa065d5bc87c3de9e044fb66298f48b945e35ddebc3a0a6ac417d2

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
582KB

MD5
3bcbccb8efd96bfa1e53590467cc3278

SHA1
baed1b129efe324a03db0e6de2bbfb3fb9e6708d

SHA256
f9a2273d75ff86d76debc062785205f6bd7899669b4fcfb78bcc3b83209d6df5

SHA512
19c6f3e9a69e773922c523585863ee0ee8441c82ade02cb987886b4ddbf3859a02dd4f8ea41e5217b23f83b54888f9f02778aaa43a5e8726b77e6b00430c49d2

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
582KB

MD5
5af97c44a626d7ff47aab386db055f38

SHA1
a670b93b3020f6a8d77b0f6803ebc5a6b6c76df2

SHA256
760a794c1cc0a50ee4fdd89ee1b17ec67259d594798b89450f8641b06edf3907

SHA512
d1cb4023b6a6e4078bd2e2d96917166d5f7958a2b9d7d49974d44672c425b1ec52fd42ebfb294833204b7fb352487208253d413eeace8db48af8635dcc56949b

Download Submit
C:\Windows\SysWOW64\Ekphijkm.dll

Filesize
7KB

MD5
979a6e8395054b328a1e9f1e9016b55a

SHA1
798605a7737fd2135ad4894a5d305f5792a4149b

SHA256
280b1785eaa05f8089b518b5c36929353daad2d5b4677dba46da5ca368a633ee

SHA512
6b68fee8a87ed049197568ff0f2f65e915660f60720e85a0f06dbf1c0b17a718978554ebbaf3ef7e0c55bab406ac1a57320a6860391c4fc8926394bddc786f29

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
582KB

MD5
51fbfadb69de1c0948e8f983ea1e3fae

SHA1
89c3a864ecfb896faa9e9e57f5ebc4c5ba55bcb2

SHA256
ae8db2a1288dac4b426f26d66a29fb27970eae8f46157a03ff32d4b671aaa376

SHA512
cae465e5e35d33666aecc28352752b2d7607e6318625d77acecd43cec369a7bb13d38ab3c80eac4ded4efd304d571ff3b8d9d920a40b69c0d6697b7784b39e43

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
582KB

MD5
55dd478af77eef0d46bc6a9b765725fb

SHA1
feb50af208f4a2550dcd3c818fb0a64a49f38d7f

SHA256
bff9f231127f8cace710470183a1c803eb69524ba84c25484f5cf14b0b3dbc23

SHA512
ea5b890b2a7f8c83b0ac36630367f602f417dc448ed0d917457da0c987dfb79eb3e7959b620aaefe5ca9e39baa741e88912fa29db61a037c95b376c2ad5da9a0

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
582KB

MD5
c87812215d4909edcd1e4f3bf95b40e9

SHA1
c0a869e01c997bbfb075c711fd27058c7efaec2c

SHA256
b123e4f2730de90c78e49b408a98a3b9af2fe9a111f380ef9e2f3062d5b2c91d

SHA512
d6360a533529035c8814044b48b0efdf0d559adf9e28000bacd6792e1189744ed441d1fd465cce57866d70a3ddbf46b0c2d767cb2b57a6f02ac1c46644d46e7e

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
582KB

MD5
ca40371f8a62386eed0860a1fcabd926

SHA1
0056a2ddb91c146df8e58a05e919c1f75abe8462

SHA256
ca90aef3a238a50b10b06e79fa88c4f221bbab0278f128cffcc81aff3fb10315

SHA512
060abf7a454629b6aa523e9619c0867c1ddd42626470bbcd954f275a1d4113702bf6ef705271a55709e1b8d36cefa759363b9bfb36d0ee3b6a93ebc6a5b04027

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
582KB

MD5
63e3eb4e2b4a34f8393729a271b15089

SHA1
60fd0ed6f17e23b5719133077eb9828740600344

SHA256
dd026d572196a5d5be7ad6b024531bc2d6bca57e4ed6611e610f3402b1ec80a8

SHA512
ca0aa3c665d51b11de31515c8f63a4ef46c5a059376eed511780ad03c154ece331874e3f82e39a72665b70f39d77a1b765a53a6dd8b1ea00bb0249ed37a26696

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
582KB

MD5
f7d628cfa0f0ce3668167dc612c3f2b3

SHA1
929292c96f1a61c793d758c25600eed9133817fd

SHA256
e7166fe6e141334f31b089326338754c9dc22846fb4e4eb59ec3c91c45e9c207

SHA512
6e853172929aacf1af7e742bccde719f55cef0de55b7cbb9b1065b5297b0c48ce4ef1139b52cf08e5f53e06b0bd57ed48fddccc886128fd4451d8a119e0d610f

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
582KB

MD5
c7f6feb935cbe87423c3c0cc5eaca6d9

SHA1
c1d06c25f679ae05d23ef347c40b3bc67c30bdde

SHA256
b827d4894c30cf0b9d82391f99d2547935e3a8d7e0e76a5d66e2e3f524f2b163

SHA512
43a1e46dc3403b34c061a587ebead651d9b453f1565b0bf28dc61586340a57f518eb31ffdc69e178d2dd227c95459e00985d02322500b3be8cff05e5c5205c38

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
582KB

MD5
6aff232d01bdd429bdb99e6d0c0e2799

SHA1
da59f854d4a2ed68f73d4eb4fa4efe3750c3ae47

SHA256
2f1fc53f1c988ca60586cf93ace4f8db8bbf529663763bfaef4918098d0935ee

SHA512
ffc2008ce93a7967bdfa4d674d9b48d02e31a9fff864d60ccfac245827a52e7c5899e2163b968d23b9cdb17a49d03d0db45ee30f53cf61702f08e38e51728930

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
582KB

MD5
59a6d960819f4bdc8b030d301a4daa08

SHA1
72381497358405541cd69dd842fc3ded4a878665

SHA256
48793207de349169657973fc4527e02138ee635823273c21f5f77ce9cdef205a

SHA512
8cd3cae42b28317f9e0bf4647990d83319abd5b7417e66bc9354fa63f6f7aff012625d37aa65b3b8fa9c5cc5ca22d76403ab68c457a38d47732fe2148355729f

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
582KB

MD5
cf2a1002ed3c5e97af0cc220b087fa2f

SHA1
009b597aa431019bd2c122ed53df76d41eac2703

SHA256
32686382be7f5554a98077c4282589b346d3e01326eef94c3e904d1a545e78d6

SHA512
4ed23015ecf5ccd494d630b94885889b81b78a1ae65dac65541c3eaa9e8e1318e775af7fa4edb52849802da00c3b68c644c3541ebd87ea3767b22db0df48ec0f

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
582KB

MD5
f653695e028ba0452c7c5b46ebf88fe4

SHA1
c7e60fb6b51db07e0929ab29833538602c882b9e

SHA256
7de112245fd5f590d8326d01c9312a11f7aef2fd6f69751c70da564a083b2968

SHA512
a0159aad0f22a7f9fd12b8aefea4a0685bb6e1ee31adf8c25021a589e426917247108e52b34af916d66be63a7cf144db5a629b01650a0ef0b808b35f888c6c34

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
582KB

MD5
c1e31ca3dd85df38a50358bbea102a15

SHA1
12b3f48c4aa9326d18ac2398abcf5bec53a59419

SHA256
668a2561fdf07eb1ee6a863760504ac3708de3541428427409fd66c780935655

SHA512
5ea2a39fa141c53f6245ffb86ceccd97e923e75f7df2e318046b2fb1872ce7e515b6275124d2d2c5416d095da87e92a96ae504ae681a00bd590a49d3f685a43c

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
582KB

MD5
d4a98a52b6301ba2135e4119c8c010b1

SHA1
6dd68791e63a688144f83a7fc7921b91444bf465

SHA256
f0cc0298b9a474b70c8295774d37728ce505797ff788f4d727b1d61c0bc7f86a

SHA512
fb93b91a629d034dd0e731a1e7e920466dc10c36542226abe1cc617ef87440550997f781b4fc8543f44f19f0349fac702d89c6027fa127546a743b16269fc111

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
582KB

MD5
711869c44f48d64e4718894f6e1debd4

SHA1
09ea1009ea92e609da7c5401b89f186245621d0a

SHA256
a6dc55cd6596b055be54e84ba137b1f0788cd376aca41316ccda1f3611b4c284

SHA512
52d6e997f42b04b5c9b3a92ba08b4e64db4a84e447dc9f1af76b4b282e06996b373bf75830d4abe3d1a1c6bb787238852707233bfc99f54d3d448645f4b63dc9

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
582KB

MD5
06f9795897b45c1cc86da2e08ad6b9b4

SHA1
5da318fec6aaee9dd8a711664c2c1c022209c441

SHA256
df106483c59be3e29b80ffb606e5ddd20c8968d5501ca9f28d7dc65178ec1d31

SHA512
9c5a438d3fb2dd1a931fb9eb86b283f55380a0e435e83273394eadf798048f941a7f893eade8b46988fe9996b1c24ee22857b2f1a534f79e71624e3859d5e796

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
582KB

MD5
47bc4b8f5d5a7842d4bf3687f0ba2a73

SHA1
7c99aa37b309ead961804fad425551f550e0da1b

SHA256
a4295307a6083680e883e38772ebfb0708aa050f4ccd13f059b1d0be5d5a0744

SHA512
f94e9022e1a058c6aff6492994d6f1f1bdda16aa937e8d8dfba09baf3736072c4f283f8a2885f4c78a75dbdf42b2f8c46c19252107149977de58f16f2d30b922

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
582KB

MD5
00b69f3ea59a102cacb57187489b33ef

SHA1
c612ea0bd9b65c9014500f53307d855f052d1972

SHA256
f08d445c93212e210be4027fe8504afea62385884e1ce36efd2dc3ae2148d654

SHA512
7c73460084fac2dd9d41394e85c27dc714a9cbf1c2a1672d55d4d807bfcf5562f042bbee1b005988cebb725bd7d4106f3bb002a41624f09cdabc892e8eb2affc

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
582KB

MD5
74ba0fb618a0f50ecd774ca1fecc21f6

SHA1
621f932e11e16ea3b9828bd4e05d021a81bd4052

SHA256
0d9c78dfdddbfaf3ac53bd89f440a0ba4f198daabe893934bcad4dda8d668a3a

SHA512
9dae73b8dd59f07a7d9f6682fcd6cb8d69cea2b066e9090f91aa05fdda0108bba0bd0ecc00fae2cf60c80cb2587f5e1a3c134f56421cf9ec527b2fa77116e40d

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
582KB

MD5
f073d8dbe0102bb51f61a2f0660ba95e

SHA1
0d07443f1e86db1541a7c68a4d5a356cc07a4cca

SHA256
e71c9af7664e18a8f7fe0f9e36d65b7a6b37b04c6e46ee800e598948b283000c

SHA512
531a2dbfbf4de6eea834b307ead363ce34aa1255ffc6d475a863a8aa43e30590fa13ad6fabc9a31f01e435a2b8e06cc11504e10f17c0a3967e7c484536aa82d6

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
582KB

MD5
8e928b1f57b7be0e6a0f4a35a0907c0f

SHA1
4c74e3d6a60c13341f9500296fd6c556418aa241

SHA256
16a8f2459d5c98e5699fabeffb521f10742efa72cc72cb8f106e85c0c4be0c07

SHA512
68738284948251e544439f1dcd76d3ae86c79e9448c7557d107ce9e2140a5bc480acd89476ee034d88ea59fb30a87fd3d69ae47bb9dfe65231e94ae8baa9edfb

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
582KB

MD5
7ed27a622a8e88a4ce7ae75f56fe624c

SHA1
3b1fa6894639e1c724594217820b6e99b55b3708

SHA256
f5986dba4b524016cd548b464ae677884659bffdf2455f2ed488010ce319cfd7

SHA512
e405f3f8070e76a5817792b88c38de44d2e7a7c67862a24fedc102818ce0f4dbb36edf22583f5fe9bfd45d2b04827dc948eaafa0f4360108d53e33d2dcf70c32

Download Submit
memory/60-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads