894b6443d4341a14ea15d9a50f348786e57b16912cc913aec807b024f4cdf562

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae93d901c0d71b867179f042de74a620_NEIKI.exe
Size

464KB
MD5

ae93d901c0d71b867179f042de74a620
SHA1

32985450e426b8f33f47d3274d99b367f3f7d930
SHA256

894b6443d4341a14ea15d9a50f348786e57b16912cc913aec807b024f4cdf562
SHA512

eb57422934cfff238e4644d31aaa2726596ee157613f3866960f96dea5a2f61c157e705ff8a37d41e3655fd54d9c2a546a8ebf27494b391a925fec4f90245a8b
SSDEEP

6144:/W9OGwEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:+oEVI2C4EVu2JEVcBEVI2C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgbdhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ae93d901c0d71b867179f042de74a620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbpodagk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgodbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eijcpoac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdjbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbpodagk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgodbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ennaieib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfgaiaci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ealnephf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ae93d901c0d71b867179f042de74a620_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epaogi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eecqjpee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ealnephf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfgaiaci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddeaalpg.exe

Executes dropped EXE 35 IoCs

pid	Process
2888	Cgbdhd32.exe
2572	Cfgaiaci.exe
2652	Ckdjbh32.exe
2692	Cndbcc32.exe
2156	Dbpodagk.exe
2128	Dgodbh32.exe
1608	Dkkpbgli.exe
1456	Ddeaalpg.exe
1612	Dgdmmgpj.exe
1560	Epaogi32.exe
1868	Ecmkghcl.exe
2160	Eijcpoac.exe
2824	Ekholjqg.exe
2476	Eecqjpee.exe
556	Ennaieib.exe
1736	Ealnephf.exe
1284	Faagpp32.exe
452	Gonnhhln.exe
1704	Gfefiemq.exe
380	Gicbeald.exe
1224	Ghfbqn32.exe
2968	Gpmjak32.exe
2784	Gbkgnfbd.exe
2844	Gejcjbah.exe
904	Hmlnoc32.exe
3044	Hdfflm32.exe
2884	Hcifgjgc.exe
2632	Hkpnhgge.exe
1972	Hiekid32.exe
2596	Hobcak32.exe
2092	Hellne32.exe
2300	Hhjhkq32.exe
1964	Hodpgjha.exe
3008	Ioijbj32.exe
1360	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
3032	ae93d901c0d71b867179f042de74a620_NEIKI.exe
3032	ae93d901c0d71b867179f042de74a620_NEIKI.exe
2888	Cgbdhd32.exe
2888	Cgbdhd32.exe
2572	Cfgaiaci.exe
2572	Cfgaiaci.exe
2652	Ckdjbh32.exe
2652	Ckdjbh32.exe
2692	Cndbcc32.exe
2692	Cndbcc32.exe
2156	Dbpodagk.exe
2156	Dbpodagk.exe
2128	Dgodbh32.exe
2128	Dgodbh32.exe
1608	Dkkpbgli.exe
1608	Dkkpbgli.exe
1456	Ddeaalpg.exe
1456	Ddeaalpg.exe
1612	Dgdmmgpj.exe
1612	Dgdmmgpj.exe
1560	Epaogi32.exe
1560	Epaogi32.exe
1868	Ecmkghcl.exe
1868	Ecmkghcl.exe
2160	Eijcpoac.exe
2160	Eijcpoac.exe
2824	Ekholjqg.exe
2824	Ekholjqg.exe
2476	Eecqjpee.exe
2476	Eecqjpee.exe
556	Ennaieib.exe
556	Ennaieib.exe
1736	Ealnephf.exe
1736	Ealnephf.exe
1284	Faagpp32.exe
1284	Faagpp32.exe
452	Gonnhhln.exe
452	Gonnhhln.exe
1704	Gfefiemq.exe
1704	Gfefiemq.exe
380	Gicbeald.exe
380	Gicbeald.exe
1224	Ghfbqn32.exe
1224	Ghfbqn32.exe
2968	Gpmjak32.exe
2968	Gpmjak32.exe
2784	Gbkgnfbd.exe
2784	Gbkgnfbd.exe
2844	Gejcjbah.exe
2844	Gejcjbah.exe
904	Hmlnoc32.exe
904	Hmlnoc32.exe
3044	Hdfflm32.exe
3044	Hdfflm32.exe
2884	Hcifgjgc.exe
2884	Hcifgjgc.exe
2632	Hkpnhgge.exe
2632	Hkpnhgge.exe
1972	Hiekid32.exe
1972	Hiekid32.exe
2596	Hobcak32.exe
2596	Hobcak32.exe
2092	Hellne32.exe
2092	Hellne32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ckdjbh32.exe	Cfgaiaci.exe
File created	C:\Windows\SysWOW64\Fncann32.dll	Dbpodagk.exe
File opened for modification	C:\Windows\SysWOW64\Ddeaalpg.exe	Dkkpbgli.exe
File created	C:\Windows\SysWOW64\Ealnephf.exe	Ennaieib.exe
File created	C:\Windows\SysWOW64\Dgodbh32.exe	Dbpodagk.exe
File created	C:\Windows\SysWOW64\Epaogi32.exe	Dgdmmgpj.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Cndbcc32.exe	Ckdjbh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkpbgli.exe	Dgodbh32.exe
File created	C:\Windows\SysWOW64\Eecqjpee.exe	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Dbpodagk.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Acpmei32.dll	Eecqjpee.exe
File created	C:\Windows\SysWOW64\Cgbdhd32.exe	ae93d901c0d71b867179f042de74a620_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Ecmkghcl.exe	Epaogi32.exe
File created	C:\Windows\SysWOW64\Ennaieib.exe	Eecqjpee.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Eijcpoac.exe	Ecmkghcl.exe
File created	C:\Windows\SysWOW64\Faagpp32.exe	Ealnephf.exe
File opened for modification	C:\Windows\SysWOW64\Gejcjbah.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Dkkpbgli.exe	Dgodbh32.exe
File opened for modification	C:\Windows\SysWOW64\Ealnephf.exe	Ennaieib.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Dgdmmgpj.exe	Ddeaalpg.exe
File opened for modification	C:\Windows\SysWOW64\Faagpp32.exe	Ealnephf.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Eijcpoac.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Cgbdhd32.exe	ae93d901c0d71b867179f042de74a620_NEIKI.exe
File created	C:\Windows\SysWOW64\Dgdmmgpj.exe	Ddeaalpg.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Dhflmk32.dll	Ddeaalpg.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ennaieib.exe	Eecqjpee.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfgaiaci.exe	Cgbdhd32.exe
File created	C:\Windows\SysWOW64\Ckdjbh32.exe	Cfgaiaci.exe
File created	C:\Windows\SysWOW64\Mghjoa32.dll	Dgodbh32.exe
File opened for modification	C:\Windows\SysWOW64\Epaogi32.exe	Dgdmmgpj.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Faagpp32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Ddeaalpg.exe	Dkkpbgli.exe
File created	C:\Windows\SysWOW64\Epafjqck.dll	Dgdmmgpj.exe
File created	C:\Windows\SysWOW64\Ecmkghcl.exe	Epaogi32.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hiekid32.exe

Program crash 1 IoCs

pid	pid_target	Process
2284	1360	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll"	Dbpodagk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll"	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niifne32.dll"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgbdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddeaalpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll"	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ealnephf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkdol32.dll"	Cgbdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll"	Cfgaiaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ennaieib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eijcpoac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgbdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfgaiaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll"	Dgodbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll"	Ddeaalpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ae93d901c0d71b867179f042de74a620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqlckoi.dll"	ae93d901c0d71b867179f042de74a620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ae93d901c0d71b867179f042de74a620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddeaalpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ae93d901c0d71b867179f042de74a620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll"	Ealnephf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2888	3032	ae93d901c0d71b867179f042de74a620_NEIKI.exe	28
PID 3032 wrote to memory of 2888	3032	ae93d901c0d71b867179f042de74a620_NEIKI.exe	28
PID 3032 wrote to memory of 2888	3032	ae93d901c0d71b867179f042de74a620_NEIKI.exe	28
PID 3032 wrote to memory of 2888	3032	ae93d901c0d71b867179f042de74a620_NEIKI.exe	28
PID 2888 wrote to memory of 2572	2888	Cgbdhd32.exe	29
PID 2888 wrote to memory of 2572	2888	Cgbdhd32.exe	29
PID 2888 wrote to memory of 2572	2888	Cgbdhd32.exe	29
PID 2888 wrote to memory of 2572	2888	Cgbdhd32.exe	29
PID 2572 wrote to memory of 2652	2572	Cfgaiaci.exe	30
PID 2572 wrote to memory of 2652	2572	Cfgaiaci.exe	30
PID 2572 wrote to memory of 2652	2572	Cfgaiaci.exe	30
PID 2572 wrote to memory of 2652	2572	Cfgaiaci.exe	30
PID 2652 wrote to memory of 2692	2652	Ckdjbh32.exe	31
PID 2652 wrote to memory of 2692	2652	Ckdjbh32.exe	31
PID 2652 wrote to memory of 2692	2652	Ckdjbh32.exe	31
PID 2652 wrote to memory of 2692	2652	Ckdjbh32.exe	31
PID 2692 wrote to memory of 2156	2692	Cndbcc32.exe	32
PID 2692 wrote to memory of 2156	2692	Cndbcc32.exe	32
PID 2692 wrote to memory of 2156	2692	Cndbcc32.exe	32
PID 2692 wrote to memory of 2156	2692	Cndbcc32.exe	32
PID 2156 wrote to memory of 2128	2156	Dbpodagk.exe	33
PID 2156 wrote to memory of 2128	2156	Dbpodagk.exe	33
PID 2156 wrote to memory of 2128	2156	Dbpodagk.exe	33
PID 2156 wrote to memory of 2128	2156	Dbpodagk.exe	33
PID 2128 wrote to memory of 1608	2128	Dgodbh32.exe	34
PID 2128 wrote to memory of 1608	2128	Dgodbh32.exe	34
PID 2128 wrote to memory of 1608	2128	Dgodbh32.exe	34
PID 2128 wrote to memory of 1608	2128	Dgodbh32.exe	34
PID 1608 wrote to memory of 1456	1608	Dkkpbgli.exe	35
PID 1608 wrote to memory of 1456	1608	Dkkpbgli.exe	35
PID 1608 wrote to memory of 1456	1608	Dkkpbgli.exe	35
PID 1608 wrote to memory of 1456	1608	Dkkpbgli.exe	35
PID 1456 wrote to memory of 1612	1456	Ddeaalpg.exe	36
PID 1456 wrote to memory of 1612	1456	Ddeaalpg.exe	36
PID 1456 wrote to memory of 1612	1456	Ddeaalpg.exe	36
PID 1456 wrote to memory of 1612	1456	Ddeaalpg.exe	36
PID 1612 wrote to memory of 1560	1612	Dgdmmgpj.exe	37
PID 1612 wrote to memory of 1560	1612	Dgdmmgpj.exe	37
PID 1612 wrote to memory of 1560	1612	Dgdmmgpj.exe	37
PID 1612 wrote to memory of 1560	1612	Dgdmmgpj.exe	37
PID 1560 wrote to memory of 1868	1560	Epaogi32.exe	38
PID 1560 wrote to memory of 1868	1560	Epaogi32.exe	38
PID 1560 wrote to memory of 1868	1560	Epaogi32.exe	38
PID 1560 wrote to memory of 1868	1560	Epaogi32.exe	38
PID 1868 wrote to memory of 2160	1868	Ecmkghcl.exe	39
PID 1868 wrote to memory of 2160	1868	Ecmkghcl.exe	39
PID 1868 wrote to memory of 2160	1868	Ecmkghcl.exe	39
PID 1868 wrote to memory of 2160	1868	Ecmkghcl.exe	39
PID 2160 wrote to memory of 2824	2160	Eijcpoac.exe	40
PID 2160 wrote to memory of 2824	2160	Eijcpoac.exe	40
PID 2160 wrote to memory of 2824	2160	Eijcpoac.exe	40
PID 2160 wrote to memory of 2824	2160	Eijcpoac.exe	40
PID 2824 wrote to memory of 2476	2824	Ekholjqg.exe	41
PID 2824 wrote to memory of 2476	2824	Ekholjqg.exe	41
PID 2824 wrote to memory of 2476	2824	Ekholjqg.exe	41
PID 2824 wrote to memory of 2476	2824	Ekholjqg.exe	41
PID 2476 wrote to memory of 556	2476	Eecqjpee.exe	42
PID 2476 wrote to memory of 556	2476	Eecqjpee.exe	42
PID 2476 wrote to memory of 556	2476	Eecqjpee.exe	42
PID 2476 wrote to memory of 556	2476	Eecqjpee.exe	42
PID 556 wrote to memory of 1736	556	Ennaieib.exe	43
PID 556 wrote to memory of 1736	556	Ennaieib.exe	43
PID 556 wrote to memory of 1736	556	Ennaieib.exe	43
PID 556 wrote to memory of 1736	556	Ennaieib.exe	43

C:\Users\Admin\AppData\Local\Temp\ae93d901c0d71b867179f042de74a620_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ae93d901c0d71b867179f042de74a620_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Cgbdhd32.exe
  C:\Windows\system32\Cgbdhd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Cfgaiaci.exe
    C:\Windows\system32\Cfgaiaci.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\Ckdjbh32.exe
      C:\Windows\system32\Ckdjbh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Cndbcc32.exe
        
        C:\Windows\system32\Cndbcc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Dbpodagk.exe
        
        C:\Windows\system32\Dbpodagk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Dgodbh32.exe
        
        C:\Windows\system32\Dgodbh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Dkkpbgli.exe
        
        C:\Windows\system32\Dkkpbgli.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Ddeaalpg.exe
        
        C:\Windows\system32\Ddeaalpg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Dgdmmgpj.exe
        
        C:\Windows\system32\Dgdmmgpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Epaogi32.exe
        
        C:\Windows\system32\Epaogi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ecmkghcl.exe
        
        C:\Windows\system32\Ecmkghcl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Eijcpoac.exe
        
        C:\Windows\system32\Eijcpoac.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Eecqjpee.exe
        
        C:\Windows\system32\Eecqjpee.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ennaieib.exe
        
        C:\Windows\system32\Ennaieib.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Ealnephf.exe
        
        C:\Windows\system32\Ealnephf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Faagpp32.exe
        
        C:\Windows\system32\Faagpp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        36⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 140
        37⤵
        Program crash
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cndbcc32.exe

Filesize
464KB

MD5
33a7f511704f4f3adebb6292054fef0d

SHA1
f5515d9366707672a39ebfe5cf6f5c9ff40f0b61

SHA256
f71cb8b498a7487d3c7a34d482802e39ec09eba75bd3b224796188b8427ec5ce

SHA512
0d4649704a9894de198fb79fb1061c715bd007fbd3236b5125743e98bdd3b8ebc0f9e47d4448a00013f821ec04af3c9999a04606d8afb0dba580830262a53a33

Download Submit
C:\Windows\SysWOW64\Ddeaalpg.exe

Filesize
464KB

MD5
e9992593ee4821d6a03eae5cba7316b8

SHA1
8b66e4fd559ad5530d956df528781c87eabf9293

SHA256
568796544eebe7f304635317481718e5960ce04e568c1cb5526a88068f2ad40c

SHA512
d6e194227fcb787f23701eeb5d32eec431097b62ef5517a96d9c79352989c2a31e5971d8d8164a944695d8845e7a868fc2994900413032d41d57bef4c077d5ff

Download Submit
C:\Windows\SysWOW64\Dgdmmgpj.exe

Filesize
464KB

MD5
95ed137b4a6e9ca2b398b58bab534424

SHA1
2a0e52f3cacf57311400574897b7f5d559626c8b

SHA256
c0b4647a9468187d199f3d5352203e48f0304bf3aea9bde58abb0730a6514c55

SHA512
5d65161a290b01fae8aea71ca195ee6819eabd00130d9d220efd38f56a5044e5d7485160ae41e40e858ab56ae9db9a6604e048c955aace68dbdd1ef028539384

Download Submit
C:\Windows\SysWOW64\Dkkpbgli.exe

Filesize
464KB

MD5
1235b2680d011c8a998fcc0145f54574

SHA1
df0206e6f4cb4d330aea80b64117710cf849673f

SHA256
343983ce1c5d87f036574b5a85d6d0a00643b54723dc2707745b8158e720737f

SHA512
8167899d63a91a6ed34c6aaa943d4274a85bae70ce5d405dfbeaa02a482bfe0e219c3c392aae34e55a6b619c65c478762daa04db273e955d17458d54347cb526

Download Submit
C:\Windows\SysWOW64\Ealnephf.exe

Filesize
464KB

MD5
86fccf87a6212809b94602f592317215

SHA1
bf9dd0dd286ae6852af85cf6d9e72e5da5a4d4d0

SHA256
190f3c568e01d1544e82ecd70fd6d490972886107a0b7be28fec59289eeee5d0

SHA512
216370e5077024b890acd099a5f2e31ecc42c96a107334ba9ecdfea0600fb661aa3ada2f9d26ded5f05c31e0747e934eb8cd79e4243c7a406dbb0e80417eb9c3

Download Submit
C:\Windows\SysWOW64\Ecmkghcl.exe

Filesize
464KB

MD5
9d75aa35d091c21a30561736d1a4eb39

SHA1
4edfe10483d472595a5a0346a6bdcbf9d96386c3

SHA256
6a91b36bd8db80054931aca3c25129f4e622e7098f94bc4090c6f5bec7f87684

SHA512
385adfd96790e29e6dce034f4f373db213ea2461f4018e60e17f29791ea2dca8634a5fedcb1f2c91bec1426d9d0690ea23f76460cea09c0fc5f8de41130a28f2

Download Submit
C:\Windows\SysWOW64\Eijcpoac.exe

Filesize
464KB

MD5
f6ae4d28251f3e2d1ef78da90674f3a2

SHA1
129509f8550b49f57b3c564d54b2c18b05cc0c15

SHA256
23e418f4946182685d6c303e05d1d11d0834c96ab5cc4fd6275334170de9a14e

SHA512
a36021c88717e45e87c7ec02168419430f107d827b6f9f44ec29b07fd111880831e6c08ab95666d1c1d04e5fd91a683e98b5408cbc599a141feffe47debef213

Download Submit
C:\Windows\SysWOW64\Ennaieib.exe

Filesize
464KB

MD5
a68d8151d451a5405ccf419efe1180da

SHA1
52d8b8aef7ac26099b3b767f9da6c36257059b19

SHA256
11c18eff4694c65fb3facc7d574c8d7a591a3f8806eb96c7e57b7c022a52fa03

SHA512
99b286b1b633b61795b4319ecea687e9a3d4d5ceac6eeb0d4f0443fb2b1d6048e9915331d5266f1a8061b5da8d96c322b4704c473a4f8d2cff18f398e4338f9b

Download Submit
C:\Windows\SysWOW64\Epaogi32.exe

Filesize
464KB

MD5
0f6bf4fe4c87b551b4b7853365aa16a6

SHA1
bf74145f6b3b1508299f5e77992c13dc00394b8c

SHA256
a93257720b4586c3529e222dcfef2ecc87258c44157feb7b3d4b35200b1c45c8

SHA512
feeba103c1c79ce0e03d104881390da21d5cba7be3b74c658a34bbc3fee679033dbc52b9766d439e514f88e9255e9db6608c0d13739c8a4e4861ba6b404ad0c9

Download Submit
C:\Windows\SysWOW64\Faagpp32.exe

Filesize
464KB

MD5
716cda38ea68de5c72ee90083edf358e

SHA1
68ae8e643436134fc2a560743869929bb3d8f4a9

SHA256
d035d8aa9156fb4a571d95179ad554750312ad21f35bc6a5c0cccf918927efd6

SHA512
6d9e36e25ce8ba6dc73795a413a93f7de429a14fbdc346c3e339ef7577ff9f50b691acb1e43a9c93ddf0f4ad62743f00d9106d80fb261e107fe4aa0dc688aab4

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
464KB

MD5
14e66be933f282ae5e7d211e08a4e490

SHA1
53b79caefa742d419ff62820fb9849f5f1d9fe14

SHA256
241b9112bce4164fb599dfb1755980a3b8b8c4fd1114f6da9fe36cbe19a9c678

SHA512
74b0634fa0bfdb9813b03fd375b1fab207a1b80b4b8513ee5c44cd58911a3c162bb067ed4c079dd761c4169018d09556ac4a03946484bf44a91ac8fdb79c58ec

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
464KB

MD5
dab2c1125b2606352dc841660bfc4813

SHA1
3c19dae6eeb23e6e93c57576b7ab7af4f56e8bde

SHA256
ddaee194e49abd46210656b513563e223e86002d92a51a855ccdec6a324a0dd7

SHA512
d30149b83b991701c84ac2d92f7656640a74754b301790390b647a490f97de6afe161877f7e7874e91f969835dd9580365246a61079efe24be1b4d08c3e7d388

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
464KB

MD5
d901d71f552930e219926f5d6fcf9df4

SHA1
d9d47873b14fba93fd841526b662462aee91de64

SHA256
bafe64ff21f275f27ff49a526f94d99789e661709580eb0d776775546d104756

SHA512
d6edfd2397e60689941cf8945a3c14033bb0ae0cccee70a26480dbf1aa6f6c83763877f08b274be8c17b0ebbbef12d7014c4b9439102520e77bb82da38b04ec6

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
464KB

MD5
496765012a22658f5fff740df953a5b4

SHA1
f65e81b79dfb676cf699f937bd66c604ffeaa456

SHA256
246646d634dbd3c02ef1ce13296083efe1c867f9a4a24e31fd0e12ad708db873

SHA512
7f13d623d4c7455ba4ee6d32d6d6672e64730c9ccc1bea6c3ae176a8183140980c15f9a3354433027026f638a51a58b948d1cd927500a6dea615150e2b7fa1e3

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
464KB

MD5
4df50a117250f7f6c29fb405be9d8f00

SHA1
2ada2c71110b7759a816c008b99fb57e322a0b9c

SHA256
bc5bf42fab16f58e5e259f7741589a5439c3d8e3e68794ca0bd90547729d31b7

SHA512
0a36bebb0499c875de2f018a4c2acd18b14370c053bec2a243b2aace7a8ae4031f4c22951c7c6cae3812a0672775b0e8f3b4af748d4f2316a624a75f89aae18d

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
464KB

MD5
d80b73d32dee8f82b6ee93fe7e99ea99

SHA1
7a59f69dbb7d42e5e810593e8bf0fec6956d259d

SHA256
7514795956a26a7fa345749c412572dd4568066f9ceb988759b36dd91fdfe882

SHA512
8da1ade49b175503dfac15d7b8af91ebc279c767e129c8e6904e55f5577692817cc397ea88153b2835a4508ad6fde25255157abb766cca3512c314596e73282b

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
464KB

MD5
45b1669d357fbbb5f6ea1faf2bf59bab

SHA1
f8b79ed072809207beab96c8f4875b6ff7e7a34f

SHA256
3ea4079081efbe07f1925d5106df23d2d24f74d50a2ffacf8f82db56a3478144

SHA512
5b0d7141191fe24092a3ab8eaf580cf3353cf072aecd9c420876d280185f04cd87013e5ac661e93be3f36fb9eca79e1e3ad941f17cc8d1350a782ad33fb973d6

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
464KB

MD5
38596efbfb70ec8650f1469c359f4251

SHA1
d74597999a6e922590b357687904a1c16c65a20f

SHA256
755e4a5d0b7d04b75f13357a480606cc6356909fc9c896b11ce55c52cb6edbf2

SHA512
655ecf76ea5629dd94419ae1dde3c3c3e532b8b28dcda16ec651fefb7a04c2ce136e6afd8f8933bfeb5ba825897eebdbfaf72b75e1a5954fce933e8c7bcd425f

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
464KB

MD5
4ab6cec880400075c72714f391dfceb7

SHA1
e1676e6037111b4ea958ee9b2a68e89d35385639

SHA256
517bccc17257b84a0a1b0bb86aa5485d1b89d4c61c0ddec090f0e8aaffabcdeb

SHA512
3bd302664577009589e24674fd055982121d852524fc2456ba376e8199feca4fe34f362763009f5a958dde8be1329ac03a3a6c0d0fd69f8181d4b90005d97a70

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
464KB

MD5
d69567ce48e444124875b02b47c9c80d

SHA1
98ea0fbd0deb95021eae66abf2545b6275364038

SHA256
3d2fecf7565ef239ae549c3becf814a1e4f6e01faac34b6a2cb82919ee813d72

SHA512
cd17bb5fcdeb492f52b218a7e360dcac2b5a452127e6ba4f2a75c8fd44c7cf9e0dfb5cc9e610eafcb4a1677bc28a1cdef7b9e29f44385981faeeaa0aa1a68185

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
464KB

MD5
af9662353b21f5e4952b2821253f2f52

SHA1
705f64f49acf76a21bbd33babf1467a9e8ca0e3e

SHA256
ea79bbb72b89b0ba4db2672b134e27412a507654101f0d5aa8fb516654a853d3

SHA512
9a73ce6717db3176c52ca5e5544b83e2e20b87c5c9a3a1cde0398c2f53842b68a187f6f9c681ce9b531a51f0daf4e7dfa4b385e8347dcf932fdeba009242df5c

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
464KB

MD5
46b4599a35afb991304f31f4cdd0f9dd

SHA1
f1afca382a1ee3d5e464f8762693efb00bc79619

SHA256
5abea4d6c7a85b7ad71343bf0ce3d1cc336222fff89e0951043bc735a57fb0ec

SHA512
82602782f5e48958ba8b111558cf5669da613d0d8b648d80da06e5ce2d78eb54e5697355865b3c4ddb202ac583d5cbd4e87ef2a5076b762a72bcbba30fa27e64

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
464KB

MD5
f12a06ad13db71989dc0d2ed20f5d7c7

SHA1
2bcca96065c69cfff561c5791ecf4e5c68aa484e

SHA256
cc10e1ff0bcd6db6757dd4908718b44af2d89acbaa93bc2984900d856c6a6991

SHA512
154b8e74aa074446f1b26f3bbef55c82f95adb58efad2590119fd8e117aaa0c5574eb7902f4703927ea4aeb5693ac70655980434c7a6e75983437b05d0ee94ea

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
464KB

MD5
2705d61e44f921c7af621c4923db58e0

SHA1
98d76daae58c2b83834c448080dfb8e73812381a

SHA256
9c7f8ea2cbafb7522e0f390bcfd52f7109c72391212a81bfb8d1c9b9f78d7f9e

SHA512
e666a090d8c7d180317df6628a93d3e8d98105c5b511dfed9afa11d9623560d850e3d09df85e2c8af58e6af7fad034afdd1756ef65a96fd939bd706cfc691806

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
464KB

MD5
57e71b2e4c9dbf0f28807d882f08b906

SHA1
baeb86001578f9707cbd8e6c587e2d90ec5e41c7

SHA256
2a4eb349100cff1db8e24c853dcc22d1ac102d231f9410ab4ba00d1c80f62c74

SHA512
d8b413f0addff71cf61b61c17b74d6d14135ff79babb73025b4b2169e3eaead692f3cfa73168edb305cb82bd39322ebddab0200241af7785c61b204ffeda948a

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
464KB

MD5
490f40d67e83e1d40d2d8897b8668292

SHA1
6e7271c8e593338f0bd9e7dff6cab5f898bacfea

SHA256
b169eb8b8a4114b916b9ba632a6ef2756191b6f3846fb425c35519d510d32d96

SHA512
7190c6889680515e65abdda7f959e420ad78e7dd308865fe74b133346b6994ceb22099fd3705a0f3b5cd524ba4690ec5f97341bb7a4ea22640e6616900eed9ba

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
464KB

MD5
7fd750a2daf5e5908e1f78e15a928717

SHA1
46118679a28648921fa4ad3c8fbf2818cffe617c

SHA256
66c440b0427677555f1691fdb285b532848026da37e07642a35eabc40cea9989

SHA512
73019ce6eaf3b4f612752c10877497a6284dfd71617d90a9b423aa1b9df96ba5fdfc7c4b47f996b685371dec254bb0733816e680fdeb374cd75c4d7e09b4f392

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
464KB

MD5
7e6027a2ce4011058a22cd4d0cbf3633

SHA1
8d227a0fe4736c66cea78c80f02811ed3ebec489

SHA256
e771b7b5f67316595a32d28844909e844c524128bcbd7404dc0f7c9c4213944f

SHA512
bc8fe667ed456017318e38e97f5ab043a817488ab62764a93f91f96cc1c0f1aeef0d18eebd31fb1ff90a0a581c71fc4033d4ade46f2574f5d5a231f9831065d9

Download Submit
C:\Windows\SysWOW64\Niifne32.dll

Filesize
7KB

MD5
383c8cdcddf20ce433e1eccd39ab9446

SHA1
f0ae3cb9b0baa677380c15e8241cdf7b7f027219

SHA256
216fc8d9e22b25eac28bb52b9a1ec8113845a1fa28b80b504ee54990e44496ad

SHA512
5b81cbb1690381c51c13bae4eea1589b325296da3f7d846f56c6e5042bf2a156ee3da06a5c070245cabe50a9b95eb28e87482103e7e76db7502e4262aa4b2fcb

Download Submit
\Windows\SysWOW64\Cfgaiaci.exe

Filesize
464KB

MD5
2cea2cf31d3230cb51060ecc287a842c

SHA1
a8829ebc4dec55e63d832c18b48916d4902f7793

SHA256
23b1729619dc503a43d8394b7a93666b6ebc0e8e36fea3c978e0c3046feede08

SHA512
5c71c37c69f1819c2d695e4d168be027a94d6a0e2cf6e8d0138b48388a471771e49028e3abfa0d0e76087f6075438c008a4e28c6495fff826075e4810ae190d4

Download Submit
\Windows\SysWOW64\Cgbdhd32.exe

Filesize
464KB

MD5
ebb09ab08749c64ba136a6da3f54f7bd

SHA1
b474a46846a66f7e7373e1b2b294a7b182987888

SHA256
ba6e1a84312bab3bae40de9a27ce9cce0e05199aab5a09103164dbf960567c09

SHA512
107929ab3c89564554efff79ae46011a2f211ef35b6087d1c330e3f92d1301ccc84e21a05323786c23ebe4f6f8d3e9b9d60fd14c194c54a9dc6c2b197a8c17fd

Download Submit
\Windows\SysWOW64\Ckdjbh32.exe

Filesize
464KB

MD5
4f1a14886bb4ff8ef85aff572d771686

SHA1
4936da43d52cc5bb0a10b7b46940e119e849ddba

SHA256
074e9700b2a385ebea4cddda065d386e8bcfdc2c644bb1905a3d5d08d2aba32a

SHA512
9c1913b4d1363b0f28eb58e94c3c9d1773dd69cfba4eaecc16bda7ec4ae2290f9721caf709b68631e67b9aaff1cda67171d8cf4facde023f5c5e77432ca79087

Download Submit
\Windows\SysWOW64\Dbpodagk.exe

Filesize
464KB

MD5
ed9ca33466a4e3c7fd7ccaadd6fb4736

SHA1
00680889a33dffc826a2be433e3fb9e134af25e3

SHA256
13a4608f5db375364c68297fdd020105694642e9c889a2d50e60e51f7d105249

SHA512
134a31cf486a40bb145f8531c4cfe91b8b922d4879c98939a9d40c58ec9a2ef79b7ca6540fa1993e1d1f0726f10b17b9058f85f68f0e1bec04cf691769b293d8

Download Submit
\Windows\SysWOW64\Dgodbh32.exe

Filesize
464KB

MD5
a49d3bd2bbd803e0716ac7779c6a8817

SHA1
ae174ed6ea78770042c6671a3b9d1cbbd41cee58

SHA256
cb98b1907cd24f969011f89edd12f18044e622b2a80377a0dd74f37264fcee7d

SHA512
dd49d77a012a5fa429b10fac19993f928b74da88435c9c1c9957f0282aefc6a7278b71c1c6b5002fce36826fe685bd911fc9ae600d042365df29a14b4324d4f9

Download Submit
\Windows\SysWOW64\Eecqjpee.exe

Filesize
464KB

MD5
ff9eb9bc62117a69f35ca751c4615374

SHA1
554c2d063404f472171c8285d28b5f5fb860b87e

SHA256
929ff6efb210720eb0fb10c9722492fff6fe7e049177d819260f4088bd972885

SHA512
b4b170113cd3802e5ebdaacb2c6af6f99f73f29731371aba2ecbeab060fa9384c39ebbb5a272d811b91654a3472362c9ee050cc19416fa2b0f8e933347203ec6

Download Submit
\Windows\SysWOW64\Ekholjqg.exe

Filesize
464KB

MD5
c319b545e753bca6a9373ef74910b533

SHA1
a90149d22c7df51f9c517862667c9ca17fb77980

SHA256
a67868c98a86f71a4bf4ce02ec73d2cde4cc7ed67089e8bbd5390835d43919b6

SHA512
f1680a915b13a0218e24d73f939c0eb91abcd684def4a855c164b21a94173c61337a1b7275cd62e723348c775d8cea5ba3b68b90c86483db61469b4e9f0fb39c

Download Submit
memory/380-275-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/380-285-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/380-282-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/452-264-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/452-266-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/452-255-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/556-232-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/556-226-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/556-213-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/904-332-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/904-342-0x00000000020C0000-0x000000000215D000-memory.dmp

Filesize
628KB

Download
memory/904-341-0x00000000020C0000-0x000000000215D000-memory.dmp

Filesize
628KB

Download
memory/1224-288-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1224-297-0x0000000000310000-0x00000000003AD000-memory.dmp

Filesize
628KB

Download
memory/1224-303-0x0000000000310000-0x00000000003AD000-memory.dmp

Filesize
628KB

Download
memory/1284-245-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1284-249-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/1284-250-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/1360-435-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1456-120-0x0000000000330000-0x00000000003CD000-memory.dmp

Filesize
628KB

Download
memory/1456-121-0x0000000000330000-0x00000000003CD000-memory.dmp

Filesize
628KB

Download
memory/1456-113-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1560-151-0x0000000000260000-0x00000000002FD000-memory.dmp

Filesize
628KB

Download
memory/1560-143-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1560-153-0x0000000000260000-0x00000000002FD000-memory.dmp

Filesize
628KB

Download
memory/1608-93-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1608-107-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1608-112-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1612-142-0x00000000020C0000-0x000000000215D000-memory.dmp

Filesize
628KB

Download
memory/1612-123-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1612-131-0x00000000020C0000-0x000000000215D000-memory.dmp

Filesize
628KB

Download
memory/1704-277-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1704-281-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1704-274-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1736-243-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1736-235-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1736-233-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1868-167-0x0000000001FF0000-0x000000000208D000-memory.dmp

Filesize
628KB

Download
memory/1868-171-0x0000000001FF0000-0x000000000208D000-memory.dmp

Filesize
628KB

Download
memory/1868-152-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1964-429-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1964-424-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/1964-415-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1972-389-0x0000000000350000-0x00000000003ED000-memory.dmp

Filesize
628KB

Download
memory/1972-384-0x0000000000350000-0x00000000003ED000-memory.dmp

Filesize
628KB

Download
memory/1972-374-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2092-407-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/2092-397-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2092-406-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/2156-67-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2156-79-0x0000000000310000-0x00000000003AD000-memory.dmp

Filesize
628KB

Download
memory/2160-173-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2160-181-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/2160-176-0x0000000000250000-0x00000000002ED000-memory.dmp

Filesize
628KB

Download
memory/2300-408-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2300-409-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/2300-414-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/2476-211-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/2476-212-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/2476-203-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2572-33-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2596-392-0x0000000000510000-0x00000000005AD000-memory.dmp

Filesize
628KB

Download
memory/2596-391-0x0000000000510000-0x00000000005AD000-memory.dmp

Filesize
628KB

Download
memory/2596-390-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2632-370-0x00000000002F0000-0x000000000038D000-memory.dmp

Filesize
628KB

Download
memory/2632-369-0x00000000002F0000-0x000000000038D000-memory.dmp

Filesize
628KB

Download
memory/2652-46-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2692-59-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2784-312-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/2784-320-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/2784-310-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2824-191-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/2824-184-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2824-202-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/2844-326-0x0000000000320000-0x00000000003BD000-memory.dmp

Filesize
628KB

Download
memory/2844-327-0x0000000000320000-0x00000000003BD000-memory.dmp

Filesize
628KB

Download
memory/2844-321-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2884-354-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2884-364-0x0000000000340000-0x00000000003DD000-memory.dmp

Filesize
628KB

Download
memory/2884-359-0x0000000000340000-0x00000000003DD000-memory.dmp

Filesize
628KB

Download
memory/2888-25-0x00000000002D0000-0x000000000036D000-memory.dmp

Filesize
628KB

Download
memory/2888-505-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2888-13-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2888-26-0x00000000002D0000-0x000000000036D000-memory.dmp

Filesize
628KB

Download
memory/2968-304-0x00000000002F0000-0x000000000038D000-memory.dmp

Filesize
628KB

Download
memory/2968-299-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2968-309-0x00000000002F0000-0x000000000038D000-memory.dmp

Filesize
628KB

Download
memory/3008-434-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3008-436-0x00000000002D0000-0x000000000036D000-memory.dmp

Filesize
628KB

Download
memory/3008-437-0x00000000002D0000-0x000000000036D000-memory.dmp

Filesize
628KB

Download
memory/3032-6-0x0000000002100000-0x000000000219D000-memory.dmp

Filesize
628KB

Download
memory/3032-503-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3032-4-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3044-344-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3044-349-0x00000000002F0000-0x000000000038D000-memory.dmp

Filesize
628KB

Download
memory/3044-348-0x00000000002F0000-0x000000000038D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads