59b401ef4aa6146bd5a0a43fd67a929814cfd4dab889af0de94272ebb0047c65

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 19:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1dca22afa260205410ded9c427ddd8a0_NeikiAnalytics.exe
Size

80KB
MD5

1dca22afa260205410ded9c427ddd8a0
SHA1

1d536f0355cd0d31365ba91b47664ee4e3df3e27
SHA256

59b401ef4aa6146bd5a0a43fd67a929814cfd4dab889af0de94272ebb0047c65
SHA512

d6b5d597af34fd85cf1d4e0bb41181834687537fc61826df04b566ad0904412ef14b93ad2519a47b1c42c6c2f2205f127db95dc9c29572887c60f7ac2209403f
SSDEEP

1536:qYUZvislGHLCMZJ96cWH4wKzZrUhutXMiZxHNRRQAZRJJ5R2xOSC4BG:5UtO/ZJIrWZYureWrJ5wxO344

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe

Executes dropped EXE 64 IoCs

pid	Process
3516	Ogbipa32.exe
4884	Pnlaml32.exe
2112	Pqknig32.exe
1168	Pcijeb32.exe
1496	Pgefeajb.exe
744	Pjcbbmif.exe
1700	Pnonbk32.exe
3704	Pmannhhj.exe
2040	Pqmjog32.exe
4944	Pclgkb32.exe
1872	Pfjcgn32.exe
3296	Pjeoglgc.exe
3664	Pmdkch32.exe
2264	Pqpgdfnp.exe
1388	Pcncpbmd.exe
3184	Pgioqq32.exe
4396	Pncgmkmj.exe
3212	Pqbdjfln.exe
5004	Pfolbmje.exe
3676	Pjjhbl32.exe
3788	Pnfdcjkg.exe
2368	Pdpmpdbd.exe
2848	Pfaigm32.exe
1816	Qnhahj32.exe
4696	Qqfmde32.exe
3240	Qgqeappe.exe
4344	Qjoankoi.exe
4996	Qmmnjfnl.exe
1372	Qqijje32.exe
1948	Qgcbgo32.exe
5068	Ajanck32.exe
3196	Aqkgpedc.exe
1260	Adgbpc32.exe
1560	Ageolo32.exe
944	Ajckij32.exe
2224	Aqncedbp.exe
2464	Aeiofcji.exe
3440	Agglboim.exe
2056	Ajfhnjhq.exe
3236	Anadoi32.exe
896	Aeklkchg.exe
2976	Acnlgp32.exe
4216	Afmhck32.exe
4488	Amgapeea.exe
4624	Aabmqd32.exe
1748	Afoeiklb.exe
4336	Afoeiklb.exe
4596	Aadifclh.exe
1888	Accfbokl.exe
380	Bfabnjjp.exe
3276	Bnhjohkb.exe
440	Bagflcje.exe
208	Bcebhoii.exe
4532	Bfdodjhm.exe
3752	Bjokdipf.exe
2884	Baicac32.exe
864	Bchomn32.exe
2424	Bgcknmop.exe
2700	Bjagjhnc.exe
2640	Bmpcfdmg.exe
4920	Beglgani.exe
3932	Bgehcmmm.exe
4192	Bfhhoi32.exe
1796	Bnpppgdj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5764	5444	WerFault.exe	208

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	1dca22afa260205410ded9c427ddd8a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3516	3552	1dca22afa260205410ded9c427ddd8a0_NeikiAnalytics.exe	83
PID 3552 wrote to memory of 3516	3552	1dca22afa260205410ded9c427ddd8a0_NeikiAnalytics.exe	83
PID 3552 wrote to memory of 3516	3552	1dca22afa260205410ded9c427ddd8a0_NeikiAnalytics.exe	83
PID 3516 wrote to memory of 4884	3516	Ogbipa32.exe	84
PID 3516 wrote to memory of 4884	3516	Ogbipa32.exe	84
PID 3516 wrote to memory of 4884	3516	Ogbipa32.exe	84
PID 4884 wrote to memory of 2112	4884	Pnlaml32.exe	85
PID 4884 wrote to memory of 2112	4884	Pnlaml32.exe	85
PID 4884 wrote to memory of 2112	4884	Pnlaml32.exe	85
PID 2112 wrote to memory of 1168	2112	Pqknig32.exe	86
PID 2112 wrote to memory of 1168	2112	Pqknig32.exe	86
PID 2112 wrote to memory of 1168	2112	Pqknig32.exe	86
PID 1168 wrote to memory of 1496	1168	Pcijeb32.exe	87
PID 1168 wrote to memory of 1496	1168	Pcijeb32.exe	87
PID 1168 wrote to memory of 1496	1168	Pcijeb32.exe	87
PID 1496 wrote to memory of 744	1496	Pgefeajb.exe	88
PID 1496 wrote to memory of 744	1496	Pgefeajb.exe	88
PID 1496 wrote to memory of 744	1496	Pgefeajb.exe	88
PID 744 wrote to memory of 1700	744	Pjcbbmif.exe	89
PID 744 wrote to memory of 1700	744	Pjcbbmif.exe	89
PID 744 wrote to memory of 1700	744	Pjcbbmif.exe	89
PID 1700 wrote to memory of 3704	1700	Pnonbk32.exe	90
PID 1700 wrote to memory of 3704	1700	Pnonbk32.exe	90
PID 1700 wrote to memory of 3704	1700	Pnonbk32.exe	90
PID 3704 wrote to memory of 2040	3704	Pmannhhj.exe	91
PID 3704 wrote to memory of 2040	3704	Pmannhhj.exe	91
PID 3704 wrote to memory of 2040	3704	Pmannhhj.exe	91
PID 2040 wrote to memory of 4944	2040	Pqmjog32.exe	92
PID 2040 wrote to memory of 4944	2040	Pqmjog32.exe	92
PID 2040 wrote to memory of 4944	2040	Pqmjog32.exe	92
PID 4944 wrote to memory of 1872	4944	Pclgkb32.exe	93
PID 4944 wrote to memory of 1872	4944	Pclgkb32.exe	93
PID 4944 wrote to memory of 1872	4944	Pclgkb32.exe	93
PID 1872 wrote to memory of 3296	1872	Pfjcgn32.exe	94
PID 1872 wrote to memory of 3296	1872	Pfjcgn32.exe	94
PID 1872 wrote to memory of 3296	1872	Pfjcgn32.exe	94
PID 3296 wrote to memory of 3664	3296	Pjeoglgc.exe	95
PID 3296 wrote to memory of 3664	3296	Pjeoglgc.exe	95
PID 3296 wrote to memory of 3664	3296	Pjeoglgc.exe	95
PID 3664 wrote to memory of 2264	3664	Pmdkch32.exe	96
PID 3664 wrote to memory of 2264	3664	Pmdkch32.exe	96
PID 3664 wrote to memory of 2264	3664	Pmdkch32.exe	96
PID 2264 wrote to memory of 1388	2264	Pqpgdfnp.exe	98
PID 2264 wrote to memory of 1388	2264	Pqpgdfnp.exe	98
PID 2264 wrote to memory of 1388	2264	Pqpgdfnp.exe	98
PID 1388 wrote to memory of 3184	1388	Pcncpbmd.exe	99
PID 1388 wrote to memory of 3184	1388	Pcncpbmd.exe	99
PID 1388 wrote to memory of 3184	1388	Pcncpbmd.exe	99
PID 3184 wrote to memory of 4396	3184	Pgioqq32.exe	101
PID 3184 wrote to memory of 4396	3184	Pgioqq32.exe	101
PID 3184 wrote to memory of 4396	3184	Pgioqq32.exe	101
PID 4396 wrote to memory of 3212	4396	Pncgmkmj.exe	102
PID 4396 wrote to memory of 3212	4396	Pncgmkmj.exe	102
PID 4396 wrote to memory of 3212	4396	Pncgmkmj.exe	102
PID 3212 wrote to memory of 5004	3212	Pqbdjfln.exe	103
PID 3212 wrote to memory of 5004	3212	Pqbdjfln.exe	103
PID 3212 wrote to memory of 5004	3212	Pqbdjfln.exe	103
PID 5004 wrote to memory of 3676	5004	Pfolbmje.exe	104
PID 5004 wrote to memory of 3676	5004	Pfolbmje.exe	104
PID 5004 wrote to memory of 3676	5004	Pfolbmje.exe	104
PID 3676 wrote to memory of 3788	3676	Pjjhbl32.exe	105
PID 3676 wrote to memory of 3788	3676	Pjjhbl32.exe	105
PID 3676 wrote to memory of 3788	3676	Pjjhbl32.exe	105
PID 3788 wrote to memory of 2368	3788	Pnfdcjkg.exe	106

C:\Users\Admin\AppData\Local\Temp\1dca22afa260205410ded9c427ddd8a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1dca22afa260205410ded9c427ddd8a0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\SysWOW64\Ogbipa32.exe
  C:\Windows\system32\Ogbipa32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\Pnlaml32.exe
    C:\Windows\system32\Pnlaml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\SysWOW64\Pqknig32.exe
      C:\Windows\system32\Pqknig32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        24⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        25⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        30⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        31⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        34⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        41⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        48⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        50⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        64⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        66⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        67⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        68⤵
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3420
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3512
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4376
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        73⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        76⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        77⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4288
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        79⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        81⤵
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:728
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        83⤵
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        86⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        88⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        90⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        92⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        95⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        97⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        100⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        104⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        105⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        110⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        116⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        118⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3588
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        123⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        124⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        125⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 408
        126⤵
        Program crash
        
        PID:5764

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5444 -ip 5444
1⤵
PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
80KB

MD5
35774b3f2952d6d7db6e6ce9ff2474cf

SHA1
58b3b3195aa6ffed1c2de1417c66ca3408996954

SHA256
399912dd3faa97fd0379d0044825fd1b3faf126c84dac2f0ab754f9d806fd9ff

SHA512
ed91ae9ae217b78c04fa16c022f73763290d65e13d6d69ce5e45e628d61df2dabd732f8f353a0710d16935cb17fc98b1f81970b81b3ebea5cfe5afc30c00e267

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
80KB

MD5
cca4d3959dd0f22be5900ac80d150129

SHA1
0ad8cee600c6078bfa0c3efc18d8d73bdb673d59

SHA256
865baa38c35157e2414af0d33266da2c367d8684c571bce5661f7df4beb0941f

SHA512
15004642b4186437f1ee423d336f1085a92ecb5aa079a8ccd5fb52189425353f482947ed40d7a0f30f71ebb5c9863adac3bd8de27a32c9b377cce08a4267a343

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
80KB

MD5
d0ccf62a493412d9f6d14815eae8308d

SHA1
dc2197838461dfe2b43f877b3391a11250340852

SHA256
6328918582a3b41cae2b8de510d5a7f07441e30be3951dd5506ccbbe60edbea7

SHA512
34aa459f0bb99347ca030dc2597811bb4c8277b3fc797f996d4b7655782235d8a9ebf198df8dc99df5eab1452a6fd6d9ea647a0ad3f0077d9471553ef05345c6

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
80KB

MD5
317945beb67df34c052df0c2134da58b

SHA1
02d7afdb02838b55ec0995c807d8ac21be3db71b

SHA256
8693b4f33bf4e29b3e1af86721092d69261ce700c6276d080dbcc7b894f2fc23

SHA512
cf78bfadbc14ecea2ae1b971c9ed6eec734349c6f7826b97dc2d024db66e945c12b0c2d24f5984d4f69d6ddf1e69caf56e9a3a7e33b629293ed81432a538ad73

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
80KB

MD5
9f07b9d8b1d4953a2980c12cb7221ca1

SHA1
9b36d8181df52c65b7158173aebaad9811c8406e

SHA256
b85ff23f848ee0c86d7476d43d9fe0937ec1383845feaf9b43c9695d2af592a7

SHA512
d79df7f1932a849526e771e630ea106889b3c4199a1e3d11ff5a709b2769d3720875b9e808b900ccada4f68ae5f0b71ccf2bad106627b53e6dfffb70d1e6fe05

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
80KB

MD5
9441a5fd22c4b71e5d58db0625db819a

SHA1
0009d87b870ae27c446a0df43a82a01a297586a8

SHA256
ccd9a33cfbe47ab7a549149db24df6a3bda0ff6bb7f17eeb9a0793cbf59a3c99

SHA512
1f5dd4d8cd6adf3b6bab3f6fc6db14c7546bbc11c915cb953f40ab5de462561523fd4cf1026b711996b7619c1eb6da404e5ca4457670f14504a1781c68dd3a9e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
80KB

MD5
8f0be547aed70a0a7f4fa47ff1efddd4

SHA1
811cbb019a194a817456507626943ae67ac231fd

SHA256
49682e31d691e17ffbae0ebcc652f479f13d3cffafc8cffb3bf2891ca2850894

SHA512
8ac2bf7e0517a1f56ebf2028bce4d7c858d690061618f211a78fc0a51fd509a393c18de830af67555fba1df434608293bba27af44000f0635e5f1087fb619fa3

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
80KB

MD5
c8e91db1a5d0290708c809e13128f989

SHA1
357bf8304fd3340fe340f29e49b6f90867892292

SHA256
87afe3c5c8a3b7c5bd41f144ed361c457eef5b35fc699c467da05d1257c3862b

SHA512
b332e190759b50fc1d492488faa9ca93dc68f7143c8bf3c0496eefa959387576f5167f015fdff4576576e8985da6f6157e896c4839f1a6e7427fad652dc1e9d6

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
80KB

MD5
9bb0add54303cee909da39dc1f425203

SHA1
fcf0560db91c31d1f3e53f87f2e593750f5ef225

SHA256
7d1ccf9152b1aeee4805618e9ff5d54dacd45435144671d1270d157f6d6ce446

SHA512
20bcb1ea2a785ce16ce06800ee44538b106b2ebec6e75757633e3116febb72fdfec603f205a71ab67c6d9b4e04cdab5e92df8891f0cfcc90b215aaa2ccb4671d

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
2fda4378081244544005468d3cb90ea3

SHA1
606714a65d6a8eff2164563c0272156d3b7a6a76

SHA256
ed4dd38a0082d89414ba453bde281ec0fde616f09a096c4e8c64a46a7009b1b1

SHA512
995583c37359039076993da111c7b64bb580bbb4a20721de03f136a9486969e199bc920460fc83a9fd2a0e04d2d3875790c26256b5edd0d755c3004d65c1b32b

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
80KB

MD5
1493873f05f00b5656fb72edd1751b0e

SHA1
2bbc34dc36e7ef440b10ea433ebea722c5aeeab3

SHA256
8db8a80704bbd9ab24cbad25eb3888b50c8db8a180482b61baf99480b7c9bfe0

SHA512
c1930936262fba868e12be2dff2d3e0200fbdda4e2a913ecf7bab7c331df2f9ebb440c37853c9090534236e09412d4bca334028c1f57641d17dd679ce98b7fa5

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
22138140b60c930d22b6880818021dc7

SHA1
a5ad4fa107ad705a46b67fc3dde097e527404555

SHA256
10cc16cc5f8fdb3d8870967cc2a06d52a6eb112202144fea0debe75e38d2a2cd

SHA512
a042a23f99084968163ad845ca9f0ae06e49053d94ad4d30e4893fe9575ffc6df530b087aeddcbc727b5dd42fe94adb5e689583aa046d62eeca8f8d47e559d81

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
80KB

MD5
9cfec05dd10f2eb0da11b05b1e48a137

SHA1
976a7324b55cdd2f8e1868041d3ec7da2a1425c1

SHA256
d02585f87d78301be975fc0910377ea8e83fa0a180bbfe5a559a2dcf8a19ed1f

SHA512
ffc34929fb8add47fc65bfff3b17d224e833e097f5ac81b53aacb0fc949cb9d958005b7776f2e46aadc76c07d8f40c098a21a8660de212372a74b941fe82956f

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
80KB

MD5
25e5132ada2db38f0bf77d3fe165ce6a

SHA1
c21b75eecf4561515feb97068042e1005891c0be

SHA256
348a85dd8fb7b1083783c997722e11cbf0082165ad4b6a9b1c8862634948f2be

SHA512
2779d85d74d2be05aff4bd9ac810d871d907248faf16ab00191db9252f1a4525de666ae8e06c370cdc791688dd456f66af6ed0a6a6562ce349e9adeac9658cb7

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
80KB

MD5
75003f558677ed3087acdd246f22fd1e

SHA1
d46186bdc93e3fbce59baca2b242a2fb2c2d948b

SHA256
9e4f0f21e90a280838d926493e096b25f3606c3e83fec964344a6b528cc3a554

SHA512
655cb607a60c30ce36a07e36589e99f32fd80f7306c0037355ecdc1fa53a0cca186159399cb067c70be75ca2ae1320c715b51b0ca9215a7d9df304134193f91f

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
80KB

MD5
3cde5d769a86fd4e4d129ebf0ddb95d7

SHA1
d8b15042b78fff6e6309c97538b0c386bf6b13cd

SHA256
55f80f0a0fdac52c5ae62324d467268f76eba726d5b341e988189dcdc04229e8

SHA512
d7f9d38bcc10b8518385ae474f3899de742e85fb1ab78c1601e964df492a56073944cd13cb53904e154d3069ca3d838c86891627d5fe50c3138cdc189fe33127

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
a7d5fa9e7d65aaf26d01661e1c55c90e

SHA1
5536372e9f1683c1491d1bb41d258f0f43742fa8

SHA256
39e6d3f17bfaf14d6d46c1f3c87915b1870e01aaf67763b3f803a28338abd7b1

SHA512
9f34854bc8760ad5001ca997d79184ccd807a92f1f3c90290b0552fb93a1ff6f245be5095d350a1146958cbaefafb7a24c6e1a40f2c519c1236460e3d397adc7

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
80KB

MD5
703a55d288cf77b965f612265883b02d

SHA1
5fb393937972a873afc35f80940c5d035fb23e74

SHA256
794757df1b29cc31e76992d2c4850ce333393596ad2a280bb575b4978a768eb3

SHA512
f622fca152e9ebe232bc34e243ffde5c1ef405feb0f03a9008ede94f87ebe7f05c617a4810dbd45193246180fbe7455626ed302b0037795684e6ed3629821cd5

Download Submit
C:\Windows\SysWOW64\Ejfenk32.dll

Filesize
7KB

MD5
d6122412bbee99bbf121d3965d9222aa

SHA1
88ae0ff0567892e08311f9385f25ba60203da7aa

SHA256
a96396992d8156f32d403961e08707f668288662a5aa12e281f45b7b80daff9a

SHA512
b83a38cf1b4570e60d9815aa046072ed287b0a987f5c90cafa285be51e9bbc2341a990ae9a95501b761c8e110e1c3cfd6232b3bc5dd2d4e80631c8c56e05b159

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
80KB

MD5
9d2ae24efa493f3e9bd7b27f2aba3930

SHA1
a555274530864d394ce38b506304420f8a5c8d70

SHA256
df2eef3b8680a424fbf3c09c972843ebf9a1f9acb44a12dbc3a95ed277b44116

SHA512
f3b0e10a051f6513296569cb1d6de0ab28aa14ae7f1c57e9258889c6f1105af7ef4fc12d1ebd79b8b9cb719b4265b79d1395af36fd65eed66de25f6c579c426f

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
80KB

MD5
e9585cba083086281e14c9b4e29e1eda

SHA1
9f3448cd5c9b0b15c1b9f79380fd859f41b0da1c

SHA256
c9ab31bc8d3e6712b6f2fdcce2c2a190a5e453dac4ac3e82af93705bb7f12120

SHA512
f8797ec6355399014a458ad9a9fbc01f7b44f9cd992e263949f8f969b15a648e16c93243f1c2218ae893f6850bd44b6c84cfbdef533e7e885d7b47e44f39d5bc

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
80KB

MD5
c53c324d2833d1849c91e85167db6cde

SHA1
b61f8b1110b72a8c7b8a553c92fea9231f76e1e3

SHA256
158acaf7eb90d7884a9a8ba6dd961dfe9d86ddbff97ef4c733e05ccb031e84f4

SHA512
f5156919acbd4d18912b6a161bdf9b01746dfd076ba06afeaa3e78c0e999d3a7b223075573c3544f6250374c2fadfa5373db9aa10d65471de0569bb3049b0510

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
80KB

MD5
89e886af7dd09da633fa92b93f5cd3bf

SHA1
afff4580f257da877de8453b2fc6607edb49ba17

SHA256
da68e5b4916fa2f2c88f5d60055a66256d7bb0cb5e3c43baf65aedf47b6782b8

SHA512
dfd681995e4906a80e3639c3f3d9c0d3e10e97913ebede8ab6b4a3453823e16011bb90bd4a5b6382a1fe3b45920bf87b07212aad26ecc4c8a5a8f26b807ecac8

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
80KB

MD5
35f08029231fe5d2c6a0f8ac0716a403

SHA1
4f7c4651769f8e4d22c99e08e31b1ebe94d3bdf7

SHA256
d75f5754791dfc72fef7a1958c1fb5053b180991e8390b9d1512801c41bfc714

SHA512
b943e9291f97a529d735991868b86d31a69f50c249c9c3b174ff66af1082c8aa1f47e67c31cab7dac9bb2c184dffac46bfbf458e8da559d82edd0b4aa50d6b3e

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
80KB

MD5
fb716a355d4c2a910ba140df0563424c

SHA1
7e567aac8f3980e71d5c8155d203ae4eb26f0a76

SHA256
2d362af42cd6092aeaaceb7da2cc500bbc5d739a04ba3f579b976b30e429e088

SHA512
21ef7195efabce54fc6041f7e27703f3518d04667ade3f154394c6e2815f7b610c67822e20aa632988cae8cbe6ea636a42bc12681708be38543488e618ce1637

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
80KB

MD5
848a0af48cca732318dbff75ebf77f42

SHA1
01981591911c4ed639b3d189717c9b7e156bc411

SHA256
fd991445df5ccfc2f7a8e3d8e07dffee97a3cf4acc3d9f4022017907d21d47fa

SHA512
5fc1fdd4e14544204c58c19e0fd9904141c0402a88dc6cad66d39071f3c4e6356502c112979bb00fd729c85c34e0b0316dcc1244673e57936d324e2199da7c79

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
80KB

MD5
faaba45841e4fd09e0cb6556465dd7ac

SHA1
e6bb36ac2778db2308f2c0dd5fa582fa66b596c0

SHA256
64208bf84c875b88f44861f024fac785f3804164a8ce888b2ea698da57369795

SHA512
1d7c6f41ce4ac320136e497911f1affd3660f22be246bc4185a548134023fde7ebca77da4877579de151b3f7d12fd434c9c5e105db797dc18e4997cf05547bab

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
80KB

MD5
f4416685dfa8a20a594e876a05acf076

SHA1
5a9bb6c1d710b8bc5648bd37923866b443b63f37

SHA256
601478833264daef51b67bf9aa8744446a3ec0412ff7003d27ef663dee05ae2d

SHA512
a49880a6125132eb1c4801f6246f6c18b564e0eee59ea01c10c4ed86978b96296307495149875122b71dbea917e58250d9ca1b9bc5c2a10b93c95516553edf55

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
80KB

MD5
1fe5f7aa7014db9bbd8c7a6720b95a9b

SHA1
b14725aa02dde9591982fa565466d233c0e36494

SHA256
b84f43d8a03d2bfc9a848387e90b6a4aae39755227afacc4b43926f2d14bbfb0

SHA512
5cbfcde73b81c6301fcc0590d8c7b38e93cafac9697b0727f8881b91fee9efc8a1a0a84eda0195159caf6eff2a9dc539647c1d3dfbc9520e4eb69143acd59204

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
80KB

MD5
422c762d98e944e0f12af6cccb0f501a

SHA1
f40c81a1ca37cdb87ad6c2fcaedcba9e69e6b4c3

SHA256
cd9beb30ab25e5940e2b3ea7b6780197e0a8c8db9c59ec7ab696f6262bea15b7

SHA512
9212c8fe2eb26a3d03b6f02dc0e7862761daf225833f408952a3488567cce85be10028f3f10054b30770a7e2007f992c883741f54dd1cd2b6101e18516d81e79

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
80KB

MD5
e33d7a436bca274103ca69f4d93d0066

SHA1
090e65bed5661ab2bc793bd444c29ec6cac14a5c

SHA256
acda47df6689e1fc82fd65ebdc01533b369ccd86ad46a53de8f98519c11abe9a

SHA512
3a7fd964d5835de0a5e22d97698e9dac3fdbd63a91f80ce33b68dac8a1be2badf0cf6484f48b4069ac7a1bc9a7c4aaf4cc46e688ce48476def216354a502a402

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
80KB

MD5
082a70e0fe1eb8d9422a37a1b9d8a1eb

SHA1
5d5d5ceacf7c87f4601f0b863684711114743012

SHA256
f5760771c428fd06e195dd9744905cef3e7da68af2c3e2fd19a8239e6b361948

SHA512
987c200b3aef0127a6061a131e269dc590068a08d227c45562a581c5b6f434926ea9cb43ee11b1f319a5c89bf658f5896f70edbc27b245bf208f2ca50608b023

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
d28476342006f0e7ebc7264fa8d1a3ce

SHA1
5a69e66962dcc4ea41b1394339d475f6482b6613

SHA256
04e6d517c601b89ecd52f0ac12d655a503ec267808c0016a6e3dc7f1ceef9bcb

SHA512
f874da0505eaa532532437dffad1918704867eaa95756800a89f02d0c3ced8ffa3c4562caebf64f91487b11e4588b157065f1f177055c335bab04e4ac17f46ee

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
80KB

MD5
d4526bac19de8374f2a27cd9a3708af2

SHA1
994b7660387a1f81160b1f50f3b06f0802c00007

SHA256
2418ed0c631d6e4454e53787ae94930b7554558939b4e4b722cffc79237a786d

SHA512
4ddf82399db1321fdfba52593e7973ca93d1df0d89dc0af90261a5808afdd66dc753efe155ecbad645acd4c23aa93cc80a5a58197f320d4c5739d7e1f137691f

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
80KB

MD5
464e5121e9655dd493d09240d3705d0d

SHA1
8f73742a575fd7d329052fb67c1117b674a88afb

SHA256
68280b5342d348b9d6d1d7d1d1ffa0ee013f638d4dcccdc3ed688543bb8440c3

SHA512
92847e0b6167cdd291294959fef69ee09e8ea094637bfccb6c2aad45daceb455fbca84ea42b13d7983e59de2a6341ee0424359d2da5f023219961d803225525d

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
80KB

MD5
a4bfe7976246e1d0c9812d97c7a67060

SHA1
02f68b8e49e32a9e0f9e709e69f39263d77863fd

SHA256
af197cb104ecefaab60c519b43dbfcad907b4eb01570c0314d5eb31a90c8d6d8

SHA512
e59ea986e2c9d61ab0bd9b5d84c4fb48b6e992bcca217e5b7105c7eacea359f8e6994b12be8f1ee1e37043e4036df0ffea99d41f36ada4eddbf2f8af1df13571

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
80KB

MD5
1ab64d3e8713393b2f015dea9d4f8b0c

SHA1
d1c40a60ff89c21d23efd5bd8799f7170c802023

SHA256
4d9117e862bb8af7e9d1a6df19fea3bc4f4b334c7c2d9deca179c645c80c664f

SHA512
663b7144652fc844c9fe7ee045e7741de49a12bb3b87c218db2ad2002ae8da7466b5fd04ca806262fba213896267a9d708cfbc44c9ef8cd4d3e307e1ee160840

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
80KB

MD5
cdbc8fff931c38ca06f44f048c80e5f2

SHA1
b7b46477de29187c789070f2a2d4c3c71bf655d1

SHA256
912c121b8471dd0b38ddb9baec44ad14980eaa0282ddb28d225022a073eab939

SHA512
ca1929f39572fe5bf3011aeaee567fa51d783e7984412c2b0e947fd3e2799168f5f62659c5c99ace782f141c719393ce571767c05e307aa089c911e3504e6116

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
fc66eace3e376b3dd2f6be85bfd775b8

SHA1
7e1a77e4d0610ba0314cc5bc65a4a225fcf5589d

SHA256
a8f13d1d4cdd66fd237dcf1a7aa86544a26b6c3c4fef63cf781f8c345fec72e9

SHA512
ab7d935fe72ffce3df2111e95c1ce0234bdc927bb30588c05e295587237721c202d1ba844e1aa7e620a65041da3a071029e9951c55e958762c963d046aa88860

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
80KB

MD5
237999e48923d674e75ccbb2269635d8

SHA1
bda08bec8c3098ec084cc3d1facd38cd20a00d07

SHA256
8daa62e4f620c09222caf8e3762926913e1f886285bca7c7b782a9ef0d257c4e

SHA512
3217dfa38cce6e4e9f01dee9a201d38d115f56e27563ab5e4a93c9eb6cf04c131432c840c8c4e70deb47ac2641798243d3559be27e2638283f9e362b9be8feb9

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
80KB

MD5
e0c0aaaf556730bcc53ac8e8b8527f04

SHA1
e32c7766b39bcd2f2e8894bf2fe20ab9297a3f9d

SHA256
c18b81dca56663465139935a5732fae41183e74a24a238ed273804a1d1c6f528

SHA512
764fa1fd0677a56ecbbc54e714e66b1f5940f053e214794ade21611fcd549fe00a961b9f188deba3a1b47ed81de520d8b05062d8fdc58df8a53e911e24bc431f

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
80KB

MD5
f15632fabcbb371eb373c71679994f8b

SHA1
609abfbe1968cb37c58af3c1de87bfe97da4d504

SHA256
234951dea18bdffd8d6c7e0ca4db176988ca88c3e6171e0463300a60340690e9

SHA512
d43d664d5c46ecf991ff55aae9599a159165c88c799db4041d0b5a538b5e20cfde974d6a4bb81914f7b075aa020e9153f8f1d31428358d43d4b3072ab39e00fb

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
80KB

MD5
bd6a9e3e0d8fe83bc0f2d42658b8255b

SHA1
87821995a1a83b6eac52fb4d6ef7d3876ad61679

SHA256
bdc4a1434bf23673d23effb95bc895f44a0f40b845fe373b04f1fb35f8aa9925

SHA512
c28860ac315faa94c6b020ee9c8237ca9499702074452c9f2d7bffab08dfd90aba3ad50a9183570279b5e7218b9cf1cc8bdf212f31fa3382a3f1544194c786cf

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
80KB

MD5
97a88677601877c0b8f2971fa4388fb1

SHA1
47fe64f69a50f6eac10b6706028dc3b099560282

SHA256
e8029b29e88463e11028305e5a31d41ed887f83b480561f30c7651799bc24b3d

SHA512
3f2872073ac9565055d710d4579c27b55a148c947bb2683e06ad3d1db4bdc01fb3be11435fe67c61bd82002afb93952be5d43d17cf0108063e223d25579a55a9

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
80KB

MD5
5612ae2d7c81b59f920c746292a0615a

SHA1
fc9e595b7731881aae98f809a6617148433613d6

SHA256
b6bb65f19eaa747643a6ac89f99c900445b225f61deb5f58f0a21326698945fa

SHA512
c7dd990311d5e86f6a060788fa490a15f683fd3ff79d3eadb4e0bdcbcfbbfcf657dc2caeff15404d2f0541f035de2c6f29d8e339d4eaf662f9a4d6abb4832f4f

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
80KB

MD5
7abf0a99d76d3bc9d6a6dad854228b1b

SHA1
05de50ebb7835e9f7acf1824d53b8ab1ef514744

SHA256
e3b698ffc4d5e3828022278c10848e59581018095681f09c861a1df6faec7477

SHA512
1089751366bbe3885a2962acd669cd3074d470d449fd7b9938776dd29a25cb5541877195975ed410ee501a1d0ec01d51c0cd18b60f76f92817d6375df2068693

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
80KB

MD5
a9325dca9b41d3e369f4d1fadc5c6965

SHA1
7144ecdba3199486c2a94e6168707b7cb0bf7b09

SHA256
0210e822987b315e18e33dbd801ca028d4800d44fcc78725e73c0a3d3566647e

SHA512
eb385f9b25a528daf87f00da43a8d7ecbcf1d5892b23295d681c2237e0769124d56e4a1adafaec48ee5e5540d5552d51bc3fa1584156e3e3be408495daa43308

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
80KB

MD5
f8fdb6a6b48ed741b843df10483ffc25

SHA1
2d71bdfb20054044c40eb46c6206c9644bcd75f0

SHA256
3e29ae1c2c1347b98d0d66b80d277e22e4d0ec8a2c3e15430829fc6867990367

SHA512
cec021d2bbf9af45138032a4e111cc1885de004109d363df51dddbd36639549c956ace323ff5f6964f298756ff14d404e03e54fece51bbf76b147d048042966c

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
80KB

MD5
58bc5958d21625584778802fe95cca93

SHA1
2928e5f17d384c2f507bf55ccbf31000285b307d

SHA256
975d6530b80cc12ab58f5e414ee2d7229d8909c341595a5680882bdf4b7ab70e

SHA512
e9c3f345198f6f39dd928dbfbbcd1afbc10f789b59730fe757bf370e37a06bb527c7347b457f378d67c4e3fd1fc0d3de5888b33b80f4c77754a80e2376f94dab

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
80KB

MD5
3ef1360c1493137c44d3ddcfb4fde0ef

SHA1
77be37e160f458144a29caecf2b614ac0ba22360

SHA256
10cfd6e68d2a08d9b6613b1ac9c22d0d7d02e5039b8ef07342a3acf88ca38e6d

SHA512
682f5b911c47d7e59c6a4a355dedc6fb83d5951fd802363753176b4689eab4e12b1c1df3c3dc6ad408a3034c3c1178eb2e6586d9ea072a5f2a3d29c5d515ecc3

Download Submit
memory/208-415-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/440-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/864-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-399-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-337-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/944-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/944-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1168-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1168-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1260-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1260-283-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1372-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1372-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1388-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1496-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1496-129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1700-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1700-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1748-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-204-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1872-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1872-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1888-391-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-329-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2056-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2264-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2264-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-186-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2464-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2464-372-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-195-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2884-433-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-407-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-343-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-221-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3196-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-243-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3236-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3236-330-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3240-307-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3240-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3276-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3296-185-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3296-99-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3440-374-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3440-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3552-84-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3552-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-194-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3676-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3676-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3704-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3752-427-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-265-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4216-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4216-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4344-235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4396-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4396-234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-361-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4532-425-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4596-384-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4696-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4696-213-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4796-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4884-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4884-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4944-86-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-245-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5004-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5004-244-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-336-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads