3af60fde61865af8b54072398a862e3bcbdb6f8af8544b44a03c2fad9336fedd

Analysis

max time kernel
139s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 02:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe
Size

1.2MB
MD5

ced2c754e4a05d3bba16d21b23e0eee0
SHA1

45e679c8d46a59c4452d811364b655f86064d450
SHA256

3af60fde61865af8b54072398a862e3bcbdb6f8af8544b44a03c2fad9336fedd
SHA512

93572f4b6a7014e87b6b29990bec2f175543888b643513a9ce3ff7e9f28bc7be4744fa1b27056703f4920d0c178d14d811348c96a5d2396064cee511e969ea26
SSDEEP

24576:czfHBvHPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHR:czfHBvXbazR0vKLXZR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Diihojkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpedjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnadfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe

Executes dropped EXE 64 IoCs

pid	Process
4832	Bockjc32.exe
4312	Biiohl32.exe
3144	Cpedjf32.exe
2232	Cimhckeo.exe
980	Clnadfbp.exe
1800	Cchiaqjm.exe
780	Cidncj32.exe
4824	Capchmmb.exe
404	Dpacfd32.exe
1976	Dcopbp32.exe
5108	Diihojkb.exe
3400	Dlgdkeje.exe
3924	Dofpgqji.exe
4992	Dadlclim.exe
2040	Elagacbk.exe
4980	Ehhgfdho.exe
4808	Epopgbia.exe
1580	Ecbenm32.exe
1240	Eqfeha32.exe
4760	Ecdbdl32.exe
4736	Fjqgff32.exe
3984	Fqkocpod.exe
3088	Fcikolnh.exe
3636	Fjepaecb.exe
2352	Gjjjle32.exe
4724	Gfqjafdq.exe
1064	Gqfooodg.exe
4860	Gjocgdkg.exe
888	Gcggpj32.exe
1956	Gidphq32.exe
2276	Hboagf32.exe
4436	Hihicplj.exe
2120	Hpbaqj32.exe
1444	Hikfip32.exe
4340	Hpenfjad.exe
4884	Hbckbepg.exe
1236	Hjjbcbqj.exe
4640	Hmioonpn.exe
3444	Hpgkkioa.exe
2788	Hbeghene.exe
4028	Hmklen32.exe
1608	Hcedaheh.exe
3180	Haidklda.exe
1552	Ibjqcd32.exe
4108	Iakaql32.exe
3868	Ifhiib32.exe
1732	Imbaemhc.exe
4396	Ifjfnb32.exe
2880	Imdnklfp.exe
2252	Ijhodq32.exe
812	Ipegmg32.exe
2136	Jaedgjjd.exe
3376	Jjmhppqd.exe
4952	Jfdida32.exe
5100	Jbkjjblm.exe
5012	Jdjfcecp.exe
4856	Jmbklj32.exe
1664	Jdmcidam.exe
2988	Jfkoeppq.exe
2528	Jiikak32.exe
3848	Kaqcbi32.exe
1532	Kgmlkp32.exe
4816	Kilhgk32.exe
4440	Kacphh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cimhckeo.exe	Cpedjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Cpedjf32.exe	Biiohl32.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Jilbbcha.dll	Cimhckeo.exe
File created	C:\Windows\SysWOW64\Cidncj32.exe	Cchiaqjm.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Clnadfbp.exe	Cimhckeo.exe
File created	C:\Windows\SysWOW64\Ehhgfdho.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Epopgbia.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Capchmmb.exe	Cidncj32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5336	5896	WerFault.exe	206

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elagacbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpacfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppmkg32.dll"	ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpedjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4832	4828	ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe	82
PID 4828 wrote to memory of 4832	4828	ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe	82
PID 4828 wrote to memory of 4832	4828	ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe	82
PID 4832 wrote to memory of 4312	4832	Bockjc32.exe	83
PID 4832 wrote to memory of 4312	4832	Bockjc32.exe	83
PID 4832 wrote to memory of 4312	4832	Bockjc32.exe	83
PID 4312 wrote to memory of 3144	4312	Biiohl32.exe	84
PID 4312 wrote to memory of 3144	4312	Biiohl32.exe	84
PID 4312 wrote to memory of 3144	4312	Biiohl32.exe	84
PID 3144 wrote to memory of 2232	3144	Cpedjf32.exe	85
PID 3144 wrote to memory of 2232	3144	Cpedjf32.exe	85
PID 3144 wrote to memory of 2232	3144	Cpedjf32.exe	85
PID 2232 wrote to memory of 980	2232	Cimhckeo.exe	86
PID 2232 wrote to memory of 980	2232	Cimhckeo.exe	86
PID 2232 wrote to memory of 980	2232	Cimhckeo.exe	86
PID 980 wrote to memory of 1800	980	Clnadfbp.exe	88
PID 980 wrote to memory of 1800	980	Clnadfbp.exe	88
PID 980 wrote to memory of 1800	980	Clnadfbp.exe	88
PID 1800 wrote to memory of 780	1800	Cchiaqjm.exe	90
PID 1800 wrote to memory of 780	1800	Cchiaqjm.exe	90
PID 1800 wrote to memory of 780	1800	Cchiaqjm.exe	90
PID 780 wrote to memory of 4824	780	Cidncj32.exe	91
PID 780 wrote to memory of 4824	780	Cidncj32.exe	91
PID 780 wrote to memory of 4824	780	Cidncj32.exe	91
PID 4824 wrote to memory of 404	4824	Capchmmb.exe	93
PID 4824 wrote to memory of 404	4824	Capchmmb.exe	93
PID 4824 wrote to memory of 404	4824	Capchmmb.exe	93
PID 404 wrote to memory of 1976	404	Dpacfd32.exe	94
PID 404 wrote to memory of 1976	404	Dpacfd32.exe	94
PID 404 wrote to memory of 1976	404	Dpacfd32.exe	94
PID 1976 wrote to memory of 5108	1976	Dcopbp32.exe	95
PID 1976 wrote to memory of 5108	1976	Dcopbp32.exe	95
PID 1976 wrote to memory of 5108	1976	Dcopbp32.exe	95
PID 5108 wrote to memory of 3400	5108	Diihojkb.exe	96
PID 5108 wrote to memory of 3400	5108	Diihojkb.exe	96
PID 5108 wrote to memory of 3400	5108	Diihojkb.exe	96
PID 3400 wrote to memory of 3924	3400	Dlgdkeje.exe	97
PID 3400 wrote to memory of 3924	3400	Dlgdkeje.exe	97
PID 3400 wrote to memory of 3924	3400	Dlgdkeje.exe	97
PID 3924 wrote to memory of 4992	3924	Dofpgqji.exe	98
PID 3924 wrote to memory of 4992	3924	Dofpgqji.exe	98
PID 3924 wrote to memory of 4992	3924	Dofpgqji.exe	98
PID 4992 wrote to memory of 2040	4992	Dadlclim.exe	99
PID 4992 wrote to memory of 2040	4992	Dadlclim.exe	99
PID 4992 wrote to memory of 2040	4992	Dadlclim.exe	99
PID 2040 wrote to memory of 4980	2040	Elagacbk.exe	100
PID 2040 wrote to memory of 4980	2040	Elagacbk.exe	100
PID 2040 wrote to memory of 4980	2040	Elagacbk.exe	100
PID 4980 wrote to memory of 4808	4980	Ehhgfdho.exe	101
PID 4980 wrote to memory of 4808	4980	Ehhgfdho.exe	101
PID 4980 wrote to memory of 4808	4980	Ehhgfdho.exe	101
PID 4808 wrote to memory of 1580	4808	Epopgbia.exe	102
PID 4808 wrote to memory of 1580	4808	Epopgbia.exe	102
PID 4808 wrote to memory of 1580	4808	Epopgbia.exe	102
PID 1580 wrote to memory of 1240	1580	Ecbenm32.exe	103
PID 1580 wrote to memory of 1240	1580	Ecbenm32.exe	103
PID 1580 wrote to memory of 1240	1580	Ecbenm32.exe	103
PID 1240 wrote to memory of 4760	1240	Eqfeha32.exe	104
PID 1240 wrote to memory of 4760	1240	Eqfeha32.exe	104
PID 1240 wrote to memory of 4760	1240	Eqfeha32.exe	104
PID 4760 wrote to memory of 4736	4760	Ecdbdl32.exe	105
PID 4760 wrote to memory of 4736	4760	Ecdbdl32.exe	105
PID 4760 wrote to memory of 4736	4760	Ecdbdl32.exe	105
PID 4736 wrote to memory of 3984	4736	Fjqgff32.exe	106

C:\Users\Admin\AppData\Local\Temp\ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ced2c754e4a05d3bba16d21b23e0eee0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\Bockjc32.exe
  C:\Windows\system32\Bockjc32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\Biiohl32.exe
    C:\Windows\system32\Biiohl32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\Cpedjf32.exe
      C:\Windows\system32\Cpedjf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        24⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        26⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        31⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        44⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        48⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        54⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        67⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        68⤵
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4540
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        71⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        74⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        75⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        76⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        77⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        78⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        79⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        86⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        87⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        89⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        90⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        92⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        94⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1616
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        101⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        102⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        108⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        110⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        112⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        114⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        117⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 400
        118⤵
        Program crash
        
        PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5896 -ip 5896
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Biiohl32.exe

Filesize
1.2MB

MD5
eae549df2bebf4d18870380c7b224586

SHA1
1c8364bd73010736a45e482a666306513336c724

SHA256
a95ca79e526e3ff4b0ea6b1fa6f5e2a37b128dc9db6fba43f20498242bc094fa

SHA512
1a7a6c50dfc9a8b35a09d32d9baffc03801de1a91200ae76bb1d743a7e471f3a28819cb67c56fbb7a45cf2baad6cf5091e9e5780bfe983f846d9c55e14f537dd

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
1.2MB

MD5
1b36e5245de3a110259ee049480f439c

SHA1
1a14a2de260332e19a4d2f59c92aa3382022031e

SHA256
9d34d663ddb0f8f2f95dec7d9c039f1bdd9fd38c5ca5f06cf1a2655c399ae7a5

SHA512
b53129914430a863381b4f6cfd2675d6ee1af9ea93ff1a5f6460a14d80f11c60c3dc09b3157acdcb0e27bf1fed7974dcc1324d69196b56b55d51abeec2290605

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
1.2MB

MD5
5ffe1e20df53b90e66056060eeee3423

SHA1
bd683bbf11ee679b79eefe567739fa76c0bfae86

SHA256
cca149425fded6dd24c1604cd68611194aa5634c0b8bdaff4b16a4b7ca3650cb

SHA512
1c3e2b9c86873ec7f8effe0081a29a69e519f4d2f6a96b4f280e5d570fe31fa53475e7f20b42e83fb250364d3661e07c12800a1e76b3356cc5cd2f718a814ca2

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
1.2MB

MD5
7025395277f2f072efc6701800bdaba6

SHA1
4b29021ebc9cfb3807b811f6cae8006b0b7f334a

SHA256
cade4c68315735542372519717a14ddc45d486880eeef3ae1fe4d3aa45e8ef2f

SHA512
193b4eae94a8f824f66aeee72e36084972843bd1fe96b0adc08043377804e671bc86332e5a2418be90682bb7ae27cd71dc036f9f1868df7a43e802d5089edaa2

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
1.2MB

MD5
66d8087d04a0ad6b4daa99ac9cd0551d

SHA1
a72c117aa3ccb9fed1757fe10f3f3a9a6f75d501

SHA256
edc54f069d2abd8ca39d2c8915f2ad1cd0f78906f165a8f344e70ed9773ea756

SHA512
25ff2cb56a52d345ac6dee59d0370ad8a11a482b35f25a1d0c18a53dd35a3616a0cffa575d07e0e8d5c2db98fb994fc515196b0f4f5123542796bd18c7059ae9

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
1.2MB

MD5
0a7ccaa84245aae8f0faed5f94bbf9b2

SHA1
ef963b9acc5683e041ababc50563e85c6606b617

SHA256
5bf7e8bb56ae9a7875c21244641db5481250ca9bd77360015051d9266c91de8a

SHA512
d5d8cc558967569c508fe28ea91f429c694c934cfae33c244373a8583639cacf929787899e33488caee9a68d54006c3fc75f6551f5e6ee659323b8e4d8746735

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
1.2MB

MD5
62b8af5feec031b90d369978923f9552

SHA1
31e2b2d053699493cfe7c013a843b7b2b52f2d8c

SHA256
c08d20589522a9b460dddee1e931e6f520cebf5c58f3a870d644b912bfd4f431

SHA512
9011569f85d729c8754e3d7d3d24996f2a0d527b40f81c1673a9035a3c46bf9d4e91378621f77b6b84534945823baf841458c68c2bb9ae7c72933855dd98606f

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
1.2MB

MD5
2f13a5fd1ea7a2547e7cc167c2a58268

SHA1
973273204e89b553d91dd3d4d0e02c954bd11413

SHA256
b572851cece42471b64564907f7648714bb0c1c93e583f021b5372a54693f8be

SHA512
ba56fda225a743519744c09e3474ac947a28c22a2456707e0f17beeab4567611f11e2b14cc3c976eb18bf9f5d858b0e8259f4ff1d83b2fa0fe58c34b15f6fc4f

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
1.2MB

MD5
db6dd2509e20e84cef0c141509feb2d2

SHA1
214d5ca2524fd5a2821a1763fddd98c3f6e663ac

SHA256
5bf5a8870ad02070eccd15ea310a474c69bf241cb71401f73fb5e7689cb4b751

SHA512
dbb467084fb83ca60b454c17f9d5e9a3b102a3d862da416eb9a4c1cb19cd640b87e08a59a5e736d7281a3e248872f0bd8b88ef9c1a14612d917e6afa5f562545

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
1.2MB

MD5
09e8a5dfabe0f0e5b3960e9d5c5e7225

SHA1
8752efd5d9f24bcb1ef69614f6be55dd20ca40f7

SHA256
a99322d5b3b81213187a98a79495438f9f5ec370fcab88205fe7eaa1528ecc02

SHA512
02a6129b7845bef18eaac068a0bb5bf89330d0d338c4833c4eed964dedf7b871fcf042989798a0ae4d7c19b7150eaf8eed87245cd406f499283b39bd822b1b68

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
1.2MB

MD5
2e1e2c29682aa0a4b9a75bd2896b8533

SHA1
99dbe8a6ebdcae9f81ffb98fc8dcd40c3ed13cfe

SHA256
abaf57837d310da8e931e8533f4c027977a549a2216e1348368a53d216ff522e

SHA512
ea80c1ed19265ee8515f0fd07b595d34262013f91e3c2c7b2314794a7a4d26c21b3e8261b5634c86dfc683999b43794d41dd903d9f6707f413c09ddc3be3d5ce

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
1.2MB

MD5
62aac25f5a6f0f92023ef5d09e0ed862

SHA1
1d3d02280c0214268f9ef7908a50f69a08dc9e39

SHA256
3ab39d69c76293e55c08f0957d116631ab6b9b04574d6610364de2d81ce73083

SHA512
bcedca258ac976416fece46856e3204ea05e0c3090009e9fb70f7e87a487994c47501b9d00529694d014b914b024f8bd4fa98c962f628da53a0afca97bd58075

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
1.2MB

MD5
f0c32efd6a78ec53c1783ab5ea771b4d

SHA1
d0b2a817af61fdfe534a55cda99862145973708f

SHA256
cc139bb314d4462fe363191e77fdda7650d424f28a57e5698e61dd928e1aca8e

SHA512
d52bd22d94225548e07ee4746b17b24408a26de46638df9bc4d49c8c7a78ae76006c4d1040c7f66aa3c8ad2c17cee5e64e52c8bb31730a99077ab749542e3d20

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
1.2MB

MD5
3ca09fafe9c047f266ea257c65b7733b

SHA1
f866111d9eb4d3722a16c344c4ee550d2c959445

SHA256
3c71a9d3612674a6c6b2a15a25d72fb2629780a4fd6731940430e3f8ae5e1a84

SHA512
8ac57bb03f27cccac01fd888cac21630624767e24903d8878bd4e8e62dfa68d8bd7e3dc3a04379e01e46f096e7b65e20f662d85a6e612fa935b5277fc9355ed8

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
1.2MB

MD5
af9240abcb6e929cc348ac3317c8812a

SHA1
70ad1176ee78b078d82f1de62e66f1128673891c

SHA256
781f86109010e426d90e9519ea7be4689208ae392cff6b80c0a28d91b135cac1

SHA512
54910594faef66c3547286aa82be99a39bca36751d6726fd077ae7c62eb8de9af0f0efe0133ecbfff16b4eef886afae5e59d98721ac1507fb6ed1836034e5b13

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
1.2MB

MD5
6f4811de41f9d26118313553f7ad4f36

SHA1
4b328e62a52b752dd8363a79e2d507018f959542

SHA256
a1c5edf67de91cbf69456dc5d8ec91ee58e0dab915f1a9e68a78d98c7df34b14

SHA512
ef091c48cf9f579a8375bb026c0105dc28c6da5ff1d5da22febba2bfcf662bd232f2383233ef01d32c508b69832b8744e662359bf18916617e775b91415202ec

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
1.2MB

MD5
8a42a5c41402da8f8a5f97e57aca11ad

SHA1
d5a810bd79e8364066b8b1287d4b89c656be84cd

SHA256
525ad669180dfbec21fbc70dba7cbe4a91f02529ab83d64ea977d98962538048

SHA512
b8f97a60463e773181769a11da9b3c469d950bede767936d0db59f6a351588f0e709767e630668ab648cef9e090c8ce42298f6c87ee382b3e429065543ba421f

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
1.2MB

MD5
99254710ba1781e6adbe56e84da8d17b

SHA1
184e6f51a63db554acb38f1dbe63671524a46932

SHA256
557962794b2fdcb8860914b471aae11805ff64ed2c13b5e50d6b04757df86be4

SHA512
156978ea6d209b5ae61f96a9bc2912077eef488e2c4844d2adf33dd0ce0a9b9521c9dba14889400ab9648fb42ca5ba67929a780a1ff3e171f77f5431e2957bb9

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
1.2MB

MD5
42d4fee36e72145637c6e645d18ea55a

SHA1
133b966a39ad63baaf10a09d2ccb99981c80ccb1

SHA256
c5091f4e3573fcd5d54f67601bed9565027a0cc7a853fcccf5bf99627001d551

SHA512
a901c64a92e8c96f286e940f7781442d1e5f440be09f22e1d7e2c2c6a57e0a4eeac534d844245b57c6ac67fd137006064a6c66aec7ece31144dbcd49e681b74b

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
1.2MB

MD5
694258c7161593c53641b996c5da57c1

SHA1
f4ac716c796a36103950a0cc5c5f3ad982f5168f

SHA256
4d59c14f86de599d0fdbc5d37b98de3a6df534e83821fc740d81b0e841ebdb74

SHA512
9d4c84721976388d906640580f199e83ef714a6c82b09fecba8e820b614938055ce96e9f7d9e95382423c158aa09ce19ca107f5335279c7c03dcd85575d52027

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
1.2MB

MD5
f4e053028954bede517a33d351d5812a

SHA1
41f4fca11f4963364c43c6e21b0c86e04b7d91bc

SHA256
e07623d09cd69409f776ba86c04fd99697c473944469946c79db18b3157a7a31

SHA512
2a1c5b2fea79f0bcd7f23c7d31b25e3552cac55bd6d22400da36f6e8ac75baf35b3c29ad8fa70c7b957b10040090d7612fa9df166b715285d84e2ef6d8ed122d

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
1.2MB

MD5
5b9966f68c453a8c930b441fda849de8

SHA1
698dcceb76ba3ded2b40cb4e289e9d18350748ef

SHA256
02fe7c2d6e18eb2ebeb295e0a8afcad9865ebc8648653f62073005ad9f854838

SHA512
18f866db60e0996bc64b8c3a916ce7599bf8c5be43c1f2f228c08e0012bc64c5723736df7fe546be599486251cb5496a3f53a32c264d05fa748f98afe6cc391b

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
1.2MB

MD5
8bffe5c61d6acd9d3aa7afb3230bf986

SHA1
8d1fb462a6666ab603471514e0ffa40b7efd78bb

SHA256
2a8aa8290c6b930b08e7026c725336542b8d943b3b4e7509f5aa450659a6afdb

SHA512
471c43b5f058cad0baf2b5c236f9c521e6bcf65094ce24f5a1aedf58360ad35c8d2d01def0c0543f1cc94ffde5f37b023455e0843110526bbdb6802ec7d89123

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
1.2MB

MD5
e7a41015cfba7141e22a19e0d5f47b6c

SHA1
349402300ef825d7114087d8987cedede2f077da

SHA256
7c82369f6ae1489bce80ce075db93e1549e6ed479d13eb5103ba89c343e8fb12

SHA512
65bf763c0c371ad7d83ab7012acc3b9f1a3f627bd7345268527b440b7b25c9be91de5c78bff4c6e03c8a241faf54fadc97c8673225057e27967a87520aca646c

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
1.2MB

MD5
7e0db473cf02ff1d90f2bd0a869bf7e9

SHA1
092cab038daea8be22460f574b0beb6a81f8e03e

SHA256
99c8089dd51c59b8bcc6a79ed7cf76667ab4d1c5c4c7961c05bea710d4fc8d75

SHA512
0db74d93a25aa727559c12b7b21e675229ce5c7873a17bf64643ca1615963a82933ab39541da656042314d1c2bcd2b2f086305089bb8abbd954667431df8f206

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
1.2MB

MD5
c6c558986765da72e872c641bce0c93b

SHA1
232d2453c5c8a7f7e108d94f767e37849f092d6b

SHA256
41fa3032ffb31858d5315ee2e8768e9210d3d3ae51c580a48d7b715c43f47b59

SHA512
c4c034e4ede214e3525611eb1038242e58dd5088bee6d367f1319738982d6915dd09594979b8cacae6b220a9836a1f6043810b13f3f2d7c5b2969198b6c79f9a

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
1.2MB

MD5
18c3e976551440e82aa2b0e6ac7b9ec1

SHA1
607c9e60739ddd7cc77ef94ecdc19030aa720d68

SHA256
bb2ed6c2d906def181c6285982bd0f5d305ca254b1a4a7325e16362fbe2dac6f

SHA512
58025472c05361a9d4b78e427fc25de1e198e1abbdd14674282c24b0b7b64a11a98c1a790b0741fd992f5d089d3b21955d6c0757e11c6d6c8ddd2a04e208ec57

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
1.2MB

MD5
09f5a4b1ad21fc376664dcce42ccb190

SHA1
13ec3e8fe8d2b9a715d66a2a4f3f07fd737970d7

SHA256
88874e4a35ecd3266490a3d4eb24a103dea6277413d146cc0dd7f2be77ade81a

SHA512
1a96007e8a898bf3fb62444ed52e67f4a4c254a14cd5808d2a058141993035b040e641b65ec63cf545a55d6b661302e4a2d7f899c9974a6a5393124868fccedd

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
1.2MB

MD5
4db5f0098983ce72d018eca5178d5ddf

SHA1
619e27e8e984d9a568f17b3aa25252ad603698f3

SHA256
55b97ef89468e9088d4f3c0eb97b79229404b582d70c3ec7618ffb545a849c76

SHA512
2fd43b21529da62ced695f706cb20ea886209507b95367dae40b80eae843bdf0654723452dd84b0049057bda38d8df0d41bc8312fe9428f1e25208e0087c0662

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
1.2MB

MD5
80c575bcd0e2788be0862bbe86d5484d

SHA1
77e4630cc6ce2eabd18af172770c83cbfea742c9

SHA256
a4804e306936b3f006c53da34119d595c99225db6993413555e02f482d04a259

SHA512
42adb6cf0a1f862a4a2d6ab892fb5e31b30aa7ba7e8a25171f1b15117c6cacf81f9f4e885d72f9dbc9e5a1f3f78af47a8f826687179ecc4aa50fb2eeaeb7319b

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
1.2MB

MD5
f667dbb8fce8bf867b0c5e023b78b637

SHA1
3bddae48b94663d9939672b42a216039c4dcf44c

SHA256
94aeddbe89d6c8841cb1df8f9471f99f93067d67ec0db940536c66d764504d2d

SHA512
3536ad27f115259a9d5e406bf6651181f225242a62020563cd3ecdbe36027566f0ee16a95254fa7f36ae172cf3c923a1e33a2bbfd74b6d67425214fa50355d10

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
1.2MB

MD5
3cdb8c694590a0ede576f6d2e9e5a5a1

SHA1
fa62a4693088722fded3c21a15ba5293b4b512bf

SHA256
c8b077a57c9414445d900b9bdff80ebd59890c970458bc2cb6c4611418d75464

SHA512
5f36270c7ccd59a381abe6db1f2e76110ac3a0e28334d08e395640c8f8b0d1a0744b69edd177633d600128a55e68ee207e6aa0df208beff7cfa6306f6096a027

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
1.2MB

MD5
fe4d7248324f9de5b15321824d3e1f1e

SHA1
c06a2af402b145f2ecc29291adf156ef5fddd2a5

SHA256
a6251add7952f1b1172aa1c3d3a20151baf7e8244f170d1d4950005639031380

SHA512
43e5e5c7d0e3f633708b22499265e6e7081a7504de324fe8a5a258522a6bb9f0e4e8c3a8cdb9c273d5d10a95eb3f67a20aedde4a5dc4ef1f610e36b004887f2a

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
1.2MB

MD5
18f154853cd08cee752ced9011c144f0

SHA1
69a2e9aa96d1b55ca3b6ee2617c617ad767276cf

SHA256
f910544ebe4fbc895943fb16d0e442e1afc1f427d4434282130540e9a26589c5

SHA512
e02ed751ff3c0681f7b3d17ee2d801b7feb2e1dcb3f5dcf9adb7be4501a4f02708b8e0bc8f4840cb42cded90ce299c70a817cb6fdb050e45db6b9866e4e77861

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
1.2MB

MD5
4d73ce64cf59c80b45eec60ddcf215ba

SHA1
d3d896cec96a898e6e5ec1e949b57a57fe4e7ab4

SHA256
f61306f07ea6b68e8af7e80cc59c2e3910021b9dff866e0ff2ecb89f690b5954

SHA512
da0ff43ae1b6e5c5e2fba4294ba089b744eb796d6345029ab99530364266a13244a034e8da40be4e36e99842f36cf47aa51275d96daae351979985e65d044b1b

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
1.2MB

MD5
fdcad1f267ddc0560c326f171a5946df

SHA1
ca7460bd14e24ed8d7bf4adbedac2d6aa069e859

SHA256
b8e13d5fc99623ea01a2856bc97480456f4838cca91c9ac031a65f04acf999d1

SHA512
e78552841641283ee3cee58be1e5ef48266d0947dabb899ea47b763f16f031e225bd0363dc430d7b77779abe67519e40f82a2434413b3af28fcf2891b084e9f7

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
1.2MB

MD5
8a99a8870897b5bbfd2fd83b5999fd3f

SHA1
f261338159f0220d537098ba7f3388301edaaf0b

SHA256
e47bdbc2c1c1c15851f3915142eb91eb69c1f229f527e2c9c5de88521e4fb720

SHA512
cf56477d99e2fa9ea4204fa27a6e81567687dc596c854e416d3db2e66f02d7cbac7e1c46c20229e8bee3eeba310ea382eabd9f36c6db40ac118ea8d205ab40d5

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
1.2MB

MD5
5dcb6fc2003f6beae1724640d3ecb2d5

SHA1
c73b00e623b0209578160e7710769e6b9a1d990c

SHA256
2e7ba2d1762264dd4eec6f47f91b46c5c23297a7423c61ee08654b04fdd11265

SHA512
b5ee47604d3dc62edb371e95cf623148e17259f1c4b70d4498401013d3115900227bac23f6732075c3250d52032556831f9098a2fb12e84f80f7e96900d2c2d5

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
1.2MB

MD5
e5f5715fde2d9a9625bae44372354ccb

SHA1
8bab504fe2f5b818ad076c9f95441ffa13c11f06

SHA256
b678864925350494b2d9821fca9114ab5f37194856c79ca5cbf21ec0204ecff0

SHA512
e26c1e75aea002ca0bf864bf2ae9277ece998ce7f3935ae655a5c41a6deb63e6865e541f341c59b0b74a59d5987d56c3533dfb41d90a31b574f9ff836e289b3a

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
1.2MB

MD5
409bdb70a3f07610f6507c39dddcebb1

SHA1
5bb9b43cf15dfddad6ddba3b6d1e30c2735cc917

SHA256
832ddce2ea2fa2c8f62965418b5faf15b89d1726474ef3057402c9e252a339ab

SHA512
d0125ac8ea0adf5acaa8ae12fcea0cbe64632c96242a98c592a18dcf32f2b9ebbc8ef67a33fb7bceaab0a3910e695afb7dc79599490d5191d2bfb4c97fc841a1

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
1.2MB

MD5
ec4f5181f902b564caafae7c2272c8e2

SHA1
755b84e8453bba528e324f8236f14f0542213448

SHA256
a3c8e13797cbc519f61b721a28adf15020c96e30d123b9a6126fdf0af63b7814

SHA512
e25127528b9546723db9185a16cf6d1f78115ec2ab7b2d354d36106108db375e996bb277e08c500334e459a35f3ea7d16c80291e45b1c77d9dfc9c74535daebc

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
1.2MB

MD5
ba7703a40d4f7836e00fe37eb6f22065

SHA1
7d1c0fabbf56c391abdc657b38bea51ce4418dca

SHA256
7b1ced733617ab24c41853acefe858fecafa2747697a5d930b519730bc55416d

SHA512
5af071dfdc0f0162564409fb6d33609fcfe619fbfa270ccc67f360969c1875fdf0e9cc1288972eb590b3501e7301a4fdb7a5f9fff70d0661c91364824c0926e3

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
1.2MB

MD5
56bab66419afd2f1a40e803dc114145a

SHA1
06bf1e211fc596261e02158a1ee34365497528d3

SHA256
6270948805c410ed4f7f3c17f0b9f3c5a1d64ba00945dac0f17f277e69994289

SHA512
645f2a0eefcf636cab38c450bab1fac90f232fb5a9eed2f4e96a8b8357e58a721b6cdc217dc5c7c2ec2d5a16cb949df470cc8b70bdb931f0664eba1d48570f8a

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
1.2MB

MD5
630944c3585c2f576516a0f5958df04e

SHA1
ef5e43c6193069cc6e2cacd801cf8adc66202a28

SHA256
23e95eb0245bdae6ef37d80a206edd30dd60096e0a6f59e62485f87832ef2a90

SHA512
5fb937af6fced46911b63500c9dc7dfb04304fb94a1925b9788dbf4574f41fc2ca6bac71a23dbc57034d36dc1ed0fc7265a7edc45c2f44049a0b9ea8285753c5

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
1.2MB

MD5
2fb4abd9c3a490e2ce0b6deaa45425d2

SHA1
d4d07392b8a3d9e0a9052344829cedc5bb8678cd

SHA256
ebbb9758b310e25cd117e7a60a4d38a36b4e349837d2034e410230d5bd0a738d

SHA512
b839f6d359dc960aa9923cf3caed24c334622042d8ada2b43b65352aba7c90697e51b8615a3fbe0f7ba840877e25dc54fa5300ff43178b0b73b588c8eeae9fef

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
1.2MB

MD5
bae962f4d995efa1b9859ccc19e41f50

SHA1
5b691e3bb9f1057ce0b64c510f210673f0fdc590

SHA256
08733820df6dbec39fdbbe670e5909e24aa57d614dab04da77a2732e1baa663b

SHA512
b8626d7a533ba570531007d18896438dd37f148638a49a6c008cdef14be0eb1930c6adf56ff2518575c8015a31f454e8272d957d85170072e5f2e47f0048d2f9

Download Submit
memory/404-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4828-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-900-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-867-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5228-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5348-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5388-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5428-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5472-855-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5472-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5520-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5560-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5636-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5680-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5732-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5732-846-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5776-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5788-810-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5820-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5872-840-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5964-838-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads