f0d72701d93e4e72d2f7ad39e95a116e7b9c1e8192624c6a7ecb75659d029337

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Size

224KB
MD5

c5203e5a3fcaf573f4b69f3639bb3160
SHA1

5f5448af97c168107ec46dbf488d8ab0c2d2cbb0
SHA256

f0d72701d93e4e72d2f7ad39e95a116e7b9c1e8192624c6a7ecb75659d029337
SHA512

5d7a060d48b2d53a1effd42afdbacde02884ee3822fbb9cf8de8b099d3ea65d04ffd3dcf60987c635275d487f657ff2d437f95a3b667369caffa7ec445617f8e
SSDEEP

3072:FC3OJFe11KjF4q9IuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgt:TJFe1Ayo4s5tTDUZNSN58VU5tTtf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eloemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eloemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe

Executes dropped EXE 38 IoCs

pid	Process
2848	Eloemi32.exe
2600	Fehjeo32.exe
2584	Fcmgfkeg.exe
2616	Fmekoalh.exe
2624	Fhkpmjln.exe
2528	Ffnphf32.exe
1236	Fmhheqje.exe
2544	Fpfdalii.exe
1548	Fjlhneio.exe
1516	Fmjejphb.exe
1536	Fddmgjpo.exe
1308	Feeiob32.exe
668	Globlmmj.exe
2012	Gonnhhln.exe
2844	Gicbeald.exe
2208	Gpmjak32.exe
1052	Gejcjbah.exe
1092	Gldkfl32.exe
1844	Gaqcoc32.exe
2884	Ghkllmoi.exe
1264	Goddhg32.exe
820	Geolea32.exe
908	Ggpimica.exe
1836	Gmjaic32.exe
560	Gphmeo32.exe
2088	Hknach32.exe
2936	Hcifgjgc.exe
2608	Hicodd32.exe
2860	Hdhbam32.exe
2232	Hiekid32.exe
2508	Hpocfncj.exe
1176	Hjhhocjj.exe
1732	Hpapln32.exe
272	Henidd32.exe
1328	Hkkalk32.exe
2516	Ieqeidnl.exe
2792	Iknnbklc.exe
2172	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2972	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
2972	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
2848	Eloemi32.exe
2848	Eloemi32.exe
2600	Fehjeo32.exe
2600	Fehjeo32.exe
2584	Fcmgfkeg.exe
2584	Fcmgfkeg.exe
2616	Fmekoalh.exe
2616	Fmekoalh.exe
2624	Fhkpmjln.exe
2624	Fhkpmjln.exe
2528	Ffnphf32.exe
2528	Ffnphf32.exe
1236	Fmhheqje.exe
1236	Fmhheqje.exe
2544	Fpfdalii.exe
2544	Fpfdalii.exe
1548	Fjlhneio.exe
1548	Fjlhneio.exe
1516	Fmjejphb.exe
1516	Fmjejphb.exe
1536	Fddmgjpo.exe
1536	Fddmgjpo.exe
1308	Feeiob32.exe
1308	Feeiob32.exe
668	Globlmmj.exe
668	Globlmmj.exe
2012	Gonnhhln.exe
2012	Gonnhhln.exe
2844	Gicbeald.exe
2844	Gicbeald.exe
2208	Gpmjak32.exe
2208	Gpmjak32.exe
1052	Gejcjbah.exe
1052	Gejcjbah.exe
1092	Gldkfl32.exe
1092	Gldkfl32.exe
1844	Gaqcoc32.exe
1844	Gaqcoc32.exe
2884	Ghkllmoi.exe
2884	Ghkllmoi.exe
1264	Goddhg32.exe
1264	Goddhg32.exe
820	Geolea32.exe
820	Geolea32.exe
908	Ggpimica.exe
908	Ggpimica.exe
1836	Gmjaic32.exe
1836	Gmjaic32.exe
560	Gphmeo32.exe
560	Gphmeo32.exe
2088	Hknach32.exe
2088	Hknach32.exe
2936	Hcifgjgc.exe
2936	Hcifgjgc.exe
2608	Hicodd32.exe
2608	Hicodd32.exe
2860	Hdhbam32.exe
2860	Hdhbam32.exe
2232	Hiekid32.exe
2232	Hiekid32.exe
2508	Hpocfncj.exe
2508	Hpocfncj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Fmekoalh.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Eloemi32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Hpqpdnop.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Qlidlf32.dll	Fmjejphb.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Lpbjlbfp.dll	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fehjeo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1664	2172	WerFault.exe	65

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll"	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2848	2972	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe	28
PID 2972 wrote to memory of 2848	2972	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe	28
PID 2972 wrote to memory of 2848	2972	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe	28
PID 2972 wrote to memory of 2848	2972	c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe	28
PID 2848 wrote to memory of 2600	2848	Eloemi32.exe	29
PID 2848 wrote to memory of 2600	2848	Eloemi32.exe	29
PID 2848 wrote to memory of 2600	2848	Eloemi32.exe	29
PID 2848 wrote to memory of 2600	2848	Eloemi32.exe	29
PID 2600 wrote to memory of 2584	2600	Fehjeo32.exe	30
PID 2600 wrote to memory of 2584	2600	Fehjeo32.exe	30
PID 2600 wrote to memory of 2584	2600	Fehjeo32.exe	30
PID 2600 wrote to memory of 2584	2600	Fehjeo32.exe	30
PID 2584 wrote to memory of 2616	2584	Fcmgfkeg.exe	31
PID 2584 wrote to memory of 2616	2584	Fcmgfkeg.exe	31
PID 2584 wrote to memory of 2616	2584	Fcmgfkeg.exe	31
PID 2584 wrote to memory of 2616	2584	Fcmgfkeg.exe	31
PID 2616 wrote to memory of 2624	2616	Fmekoalh.exe	32
PID 2616 wrote to memory of 2624	2616	Fmekoalh.exe	32
PID 2616 wrote to memory of 2624	2616	Fmekoalh.exe	32
PID 2616 wrote to memory of 2624	2616	Fmekoalh.exe	32
PID 2624 wrote to memory of 2528	2624	Fhkpmjln.exe	33
PID 2624 wrote to memory of 2528	2624	Fhkpmjln.exe	33
PID 2624 wrote to memory of 2528	2624	Fhkpmjln.exe	33
PID 2624 wrote to memory of 2528	2624	Fhkpmjln.exe	33
PID 2528 wrote to memory of 1236	2528	Ffnphf32.exe	34
PID 2528 wrote to memory of 1236	2528	Ffnphf32.exe	34
PID 2528 wrote to memory of 1236	2528	Ffnphf32.exe	34
PID 2528 wrote to memory of 1236	2528	Ffnphf32.exe	34
PID 1236 wrote to memory of 2544	1236	Fmhheqje.exe	35
PID 1236 wrote to memory of 2544	1236	Fmhheqje.exe	35
PID 1236 wrote to memory of 2544	1236	Fmhheqje.exe	35
PID 1236 wrote to memory of 2544	1236	Fmhheqje.exe	35
PID 2544 wrote to memory of 1548	2544	Fpfdalii.exe	36
PID 2544 wrote to memory of 1548	2544	Fpfdalii.exe	36
PID 2544 wrote to memory of 1548	2544	Fpfdalii.exe	36
PID 2544 wrote to memory of 1548	2544	Fpfdalii.exe	36
PID 1548 wrote to memory of 1516	1548	Fjlhneio.exe	37
PID 1548 wrote to memory of 1516	1548	Fjlhneio.exe	37
PID 1548 wrote to memory of 1516	1548	Fjlhneio.exe	37
PID 1548 wrote to memory of 1516	1548	Fjlhneio.exe	37
PID 1516 wrote to memory of 1536	1516	Fmjejphb.exe	38
PID 1516 wrote to memory of 1536	1516	Fmjejphb.exe	38
PID 1516 wrote to memory of 1536	1516	Fmjejphb.exe	38
PID 1516 wrote to memory of 1536	1516	Fmjejphb.exe	38
PID 1536 wrote to memory of 1308	1536	Fddmgjpo.exe	39
PID 1536 wrote to memory of 1308	1536	Fddmgjpo.exe	39
PID 1536 wrote to memory of 1308	1536	Fddmgjpo.exe	39
PID 1536 wrote to memory of 1308	1536	Fddmgjpo.exe	39
PID 1308 wrote to memory of 668	1308	Feeiob32.exe	40
PID 1308 wrote to memory of 668	1308	Feeiob32.exe	40
PID 1308 wrote to memory of 668	1308	Feeiob32.exe	40
PID 1308 wrote to memory of 668	1308	Feeiob32.exe	40
PID 668 wrote to memory of 2012	668	Globlmmj.exe	41
PID 668 wrote to memory of 2012	668	Globlmmj.exe	41
PID 668 wrote to memory of 2012	668	Globlmmj.exe	41
PID 668 wrote to memory of 2012	668	Globlmmj.exe	41
PID 2012 wrote to memory of 2844	2012	Gonnhhln.exe	42
PID 2012 wrote to memory of 2844	2012	Gonnhhln.exe	42
PID 2012 wrote to memory of 2844	2012	Gonnhhln.exe	42
PID 2012 wrote to memory of 2844	2012	Gonnhhln.exe	42
PID 2844 wrote to memory of 2208	2844	Gicbeald.exe	43
PID 2844 wrote to memory of 2208	2844	Gicbeald.exe	43
PID 2844 wrote to memory of 2208	2844	Gicbeald.exe	43
PID 2844 wrote to memory of 2208	2844	Gicbeald.exe	43

C:\Users\Admin\AppData\Local\Temp\c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c5203e5a3fcaf573f4b69f3639bb3160_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\Eloemi32.exe
  C:\Windows\system32\Eloemi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Fehjeo32.exe
    C:\Windows\system32\Fehjeo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\Fcmgfkeg.exe
      C:\Windows\system32\Fcmgfkeg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Fmekoalh.exe
        
        C:\Windows\system32\Fmekoalh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Fmjejphb.exe
        
        C:\Windows\system32\Fmjejphb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        39⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 140
        40⤵
        Program crash
        
        PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
224KB

MD5
ccbfc6ae870247bb6bcd04df1c7723b7

SHA1
8664cc171cbdedc22bae866e9784acb724484e38

SHA256
2d32fccaf78ba18d5699848b30c5938bc026dbe0cdb0a4d35036480b210240dd

SHA512
f8982bebfd640f0cd42d4fd192a665e844d8de028bf7e57415cce539b99d69a7b5236c84c55abd3ab17d9471f9b6931a4964f684c0191f969478a14db932ce91

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
224KB

MD5
e684a32ce917c13654693968a0dbfaa9

SHA1
8e3ef92d34fa24e682790f1be0567c9cbbf64789

SHA256
6384876d0968c4565877850cbd73caaf27c5a5de1d8040aba18ac06ae667457b

SHA512
1574115a3376862aaf10c51a45896e66dd65b4f38b6d22213e1a65ae7bf6828c6ff9674d86ba03c9b700ced90353351b16b87f629f07559ba83d3673d4a32964

Download Submit
C:\Windows\SysWOW64\Ffnphf32.exe

Filesize
224KB

MD5
366006ae861943a232b13f855550eb8c

SHA1
028b41b5b9e0834b1fb4c94c27f824f2fc357770

SHA256
b458810b63c2ec8cd4df2d3fc2450ce19e1a483522ffd9b5f132bfd849cc6212

SHA512
7fb4136624e72785e64fd3a58ee92278604f7ef9ecb9501435e5f47e7824f9bdaf0a10be4495816b2c3a71bac95f10766d58dbdbf86643bf74716d59fba3e072

Download Submit
C:\Windows\SysWOW64\Fhkpmjln.exe

Filesize
224KB

MD5
c7275f0fefb028d66f202b62e93bf5cc

SHA1
a589da20b8c2f48518622d0f073c13e89219980b

SHA256
facf9fbc2c1a8074c869daee5f5078ad5f958b79bbe52fd0cbc72c32990cffbb

SHA512
4269ab8dc52f5fe18244f6a67890147af3d0ede0debabfd4b2fe1ab854c4fa3de12556adad8a9b1988680b66602194474fd485cc93488c48f9f15ca7c7831cc0

Download Submit
C:\Windows\SysWOW64\Fjlhneio.exe

Filesize
224KB

MD5
bd08d71045c43125f513fcd1341da157

SHA1
a0226284a637a0f269f1a8b2cb17db76eb8c195d

SHA256
debbd5217b97cf629bd5a2990b48df96e66666d721d0bfba15f2c3b6fde0eeb2

SHA512
8a53bc7bb64d0e3c072849e6d1597ef8f7aff64228fdd43404f1f13564fe52ac6292c40cf709d5f1bb1ba8834569008218cfc2d9e9edc780720248c9a0b8d8e7

Download Submit
C:\Windows\SysWOW64\Fmhheqje.exe

Filesize
224KB

MD5
da4fcb92b3cf0e8a72c204c188749b07

SHA1
722794eefe8cc2c106b7a2af684a55dc2fa829dc

SHA256
2370e6bf358bb2552da535163d9c3b77fcfacd0949acc336657292bc69257497

SHA512
28f1f980e032feac22e32d78959b765965eaaaa4aabe3131e90b12501c94bcb79ff682c7e2805e149dcda37372d1ed8757f7173ac95dfb474b5f1f334978ed7d

Download Submit
C:\Windows\SysWOW64\Fmjejphb.exe

Filesize
224KB

MD5
4cc1ef07e03bda06b2739d4109a42d7e

SHA1
b9c1f6154694b268a186e9e96196c98a762a7178

SHA256
5e86aa9e4c2d8fb8f5fbb511da3aa2b01de91f6d285c8dace6c449c4b2053d6c

SHA512
a7162d58b0f363c2aa3d0edf353893c214ff7fa767f71160cab000190da38b82eb8a9287fc950ee2012acea0894820fde1ea610649e5651ab2d7c2374a2e0da2

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
224KB

MD5
339ae1fe6b2adb80c4d93f0292896346

SHA1
10765c244ec022cfec7d9e71f648da3a8ae63ca7

SHA256
c734ae66a7f68b4ce215e25e59160f045bad10526aa5ff172540981fc0caf174

SHA512
7141c6b2f9823ee9beca5bbfb51b86c09e65a3a011040657593acde40d93129203cce809bfb82e63c009c7b3dcf83d04e5b05bf8b70f7ec5166bd030c3026fe8

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
224KB

MD5
d87326600881beeaedc841566b01d8f2

SHA1
9537004fe7c548a48144a82e1fdf48babceef2e8

SHA256
f749258b48c272c5e185dfc7eae6d851bd66c96bb423bca055c53ecc0e3e95f6

SHA512
17076319d04481eaddd7659776d980bbb548c8ee579077fda2d91a5a55da450d63a72621ec236a3e217c6dd83c560c8599ad945e026b99ae5765fca6e9ed99c9

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
224KB

MD5
d3730be4417bebbe83767bbe89b17b58

SHA1
eaed01b40830d95827c1e8696068c39210fd6eba

SHA256
2f815bd9bbdc74c1f3213295ccabb32e734b5eb1eabcf8e1f5c29a115944fb1c

SHA512
49e7c87ccf869eec7c51bf63d796a367fc3571d810f951dd468f80058d64301d0f1a4daab7ac587bb4c20341bcf2aec22ebcf58cf75427796d52e9b9bb426583

Download Submit
C:\Windows\SysWOW64\Ggpimica.exe

Filesize
224KB

MD5
11fcda245d09bd75b69251aa383ffd67

SHA1
ffae0d89f2f781dd3ad5c99e8b6cb30f9d3eb186

SHA256
d9d8fedc84699dd504f5456f0efb0923e2f59b3633a0e024cecadf5e29141f2e

SHA512
b8c46c09e3f9460203c08663a5fe1704fd76f36e81417c5666c8c4862a5e1b563aea99cb9ec212d2ec7bb6c51df9eea09699320715a267b2d5a2ace52ca5df52

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
224KB

MD5
077611b3d67a98974f1ee03722350f39

SHA1
ad4c94b6cf6a810dec6057985f2b57882129310a

SHA256
b1dd7fc9dc65dd933bbbd274b37eeb3d2c13292e08d93cbc81b1e046305870f2

SHA512
0d3ca0fb620f0810a0c6e2c548195777d350eef29cb409764cc0c5af5cab5bb357d44090228f8e1d3125c6c0e2b28615d894d83a519b7ea3354aac647a474001

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
224KB

MD5
ab17c6a13445594154cc591fa2f14118

SHA1
2c9d2d312bbd4c4317b1c1cbf86f9dc8e6a0a914

SHA256
bd7b21076aec00a8bf99257efb172edffa392f19c3028ec6bb72b1854ff7c360

SHA512
1a53a42f15b8c2f84c945e7859760191c91c7b216013dfd1b8feb42d68782ed50fb769f7a4e1f8fa701683ef1b205fab3b744b4a2c6e59d246190eb9375c1f7f

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
224KB

MD5
7e0b5debd3ee8e73d04cb87870a26968

SHA1
fbe9b2f38444f60b1649ea2b339f2247d844ae8c

SHA256
6e1c43420b6c2c1ee9615b9dbfcb6f1d98b47c1aef2798e3cdc57e94a1f75931

SHA512
9f34ec0eaa6505871a794e411952629809844ee0563a009d16260d2960b67ccfd467c8cb5a1c8a512594346581c4791110ae808745ae16856f35ab3d6d1523d4

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe

Filesize
224KB

MD5
ef2f8e29ae54eb41193020ecf8bce47d

SHA1
4552864c1825382f594dd3d9a7533b7a67148ed5

SHA256
0ffe9131f2a977e43435f07da0826e8184a3bae6cf9888682244079f0ded4912

SHA512
3eeec80b2e83080a63896f2964b0e33b357c2969c5d6f038ed3c901540d996ae31263e13b312ca69bf6a3adc4a1562e7e3f8d364aa02ef6519bcb8ab19ae2a56

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
224KB

MD5
2903dea0949e95a5754949b3818ca726

SHA1
07fcf845bbfcb77e6751118b2423d4ec848bcc96

SHA256
38c8e1b11eb25ddee3b5613e838a65bfe7530d648e231c8c4afa00673ccb4544

SHA512
896ea8fcd89717100e87baf95a07eb4966d7dd27fc8f078fa0d22c469dff3701f09649d2add88270f6c298eb1a63cacc6460439eaf068df1baf5a81bd0b526dd

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
224KB

MD5
57cf5622f50694f69c64b28b0a0b7a8c

SHA1
a0e91371f0580ddf01a2d9afc39fdb098518c1d0

SHA256
8c53103e4c7491a63de87d79a8a1db8f1c4dfc2b68efb791497c06b3042c76f9

SHA512
7d1ceaadea5b2152ebaa03d6e7fb6d3cd32b55d7c1b22bfefc23547f7a76b13e087fefcb1b2c09110ffa3a4597cb7f3c448c6157b7ee3992d0fbe18da4f82126

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
224KB

MD5
ccae3a31f7c57dcfcf4d5dde13179d34

SHA1
ceae6a39cd2554131cc10db7e5b0a0b3e1de1177

SHA256
8a7d0c80c74b6459f4c457a10bbc044ec3420deebd4d8066aa600b068a0281e0

SHA512
67399a77724938290a990b8923a35777dea2d49e9c9d4777f4e4515e1b010d94fb6696db1f17365f395aceb1b0ccdeae082cb100002a16d56d66bbf277b828f5

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
224KB

MD5
f84bea3813282ff723310ebeff4fd3af

SHA1
188eb45522fd604f9652e093485cf9267fa41f83

SHA256
853fde9fb13c78b0ebc70533a88588e8316facb58b50402721839367d66efe47

SHA512
797ff11ff8b3bf63ae10d4cd3da390b14e25d78eec67fa63202854600d950758302e75e1b815b2ef17a2839776a0ad13136bd3336c7d1deccd07447e1a3b7028

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
224KB

MD5
90582387dd0fcc817f3de59b39e36f05

SHA1
1cfeec78d311655dd800fffb9cc0c70fc85dcf4c

SHA256
c0e20a08cb3e932d7881362ed8718b7d8ded370cd12330db5f7bf8b6e0f62fc8

SHA512
778d4fbeb750126de863e67024d4adf42044ac28f287652f35e71be0aa9b8110f20ec1d1809338593402ca100cb3a5f6474177328f1a2e6b9609512bb508e61f

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
224KB

MD5
ef894ff5f16a7d53722d2f597b530678

SHA1
ee32c1995cf6e1db5f87e6cec78350cb440eee56

SHA256
ed2d77701093e8296b81289878dce51c978fb6996abcd10b1b30c6252ec899de

SHA512
f24c68339ca74e2ba7c13fd0839c942b0538124e6cc311238a1c34c6a104ff9cd6d5a77a8281b32278ea3b8339e1a315754240bfc918f3b857010a53556dbf7a

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
224KB

MD5
253b21fa47ac8896197c532041e66f8c

SHA1
c743ab59499acbe3c1d6d1b66b3d9cf79a51aa5f

SHA256
baa965988c7610dd4a32299a0180c1a734061451f8075e68a6a740411c47812b

SHA512
8a4f1a5d2aec65ac74bfbe44a6e77b8caf1aabc07e7951fe34fd1d2ededd83471a107a7ca0f232a9c9b7b8adb81b6e295893693e32035042d36b86e18adb0506

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
224KB

MD5
06b2a79f766cd9b36e87a68a9bbae84a

SHA1
93322b0da7886b86113eaa1847fdc4d69f286e89

SHA256
e7701eebd4fe6c1982b3dabb86e41eab94f8633fb8464f15b605c25320a351f4

SHA512
2d44c18eaccbc945a2caee05a91933835bc4511f2e9ca873b57da3c3e95a041cc39b5a9e6abacd98540b99cdf6c04fa8021838b2d0743c75fc04904b4555ac7a

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
224KB

MD5
f962923c6f98677e068719e64d5a07ff

SHA1
e064d3ef0855a4050cb4fb235ea30e23a991362d

SHA256
2dddae224a75e6a637f0498fad644c88a1d14e0536534f39039b41548d402d8a

SHA512
f0ddc9a6dbf7b844b77bcaa48f36d09940f8cb50adc4e9fb64306550b4f1f7a4400e22b63ecbd60fb32fad85aea7c67b3bf9140e6e6b6f48f875b5863e1c2e08

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
224KB

MD5
7d4541736f90c75c26d0d900cfbba94f

SHA1
90efb03187f107e23393e1b3c8a0b7e481e43fb6

SHA256
7f13f1721b949bbef77abe0fba25c2909e8129a7246ff989d51682856ad4990b

SHA512
cc09b8b7158a41f847956b79cd89303e926541fd3d90866761c8d52120c2995d69660a1b36dcb3397013d64463b3615c72550260e5edfc9227630369f590e67a

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
224KB

MD5
b35eeba1f27495be19e8446d24ca06de

SHA1
fe834b7bfbe1e56b309667fc377d7b802f59cb4d

SHA256
5e5e3c3bd2d432009620bf5632801a2b145dea9fbc4a259fcccc2e2722114e7f

SHA512
f207e6d8dfb17e7bae1fbd1f65e74cd77c74eaa0af2bef95d3e291dbab271bab7f643011f35227a8909d8feac2fa763f2740eb5917ba61cc47001d499eb0c29a

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
224KB

MD5
1ad9e5cf2bbf2d8ce4a0eb1cc4cc4366

SHA1
b2f27bf0afdfa674854fd2fee9ccd728ab7ca89f

SHA256
a2d074f126560d2d7ad193e4267d1e0836f4925af62b9c18403f2411fbc6d17d

SHA512
a785e003a7fa2cf5a46b3d1d6b12c93aa190f5e1409b42445ff04afa51a01331ce58bb5661239e8cae5d04b7c02940103b5027fb3d41cfe15cd671f8c4cdb22a

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
224KB

MD5
f4f316567abadfd4f3cd67bbd2fae80a

SHA1
bd8f0daffea631dca52e2223bfda4341e674ffe3

SHA256
b853b33ceab13189673d29ba691044d7a2d5cd772cc362e5dcc240181f04f6a7

SHA512
6a6be777c052d8c9566c753916bdf624388d3d3c53578adfc21163f766a0d0b1efe666dd75e1360dfd3879d8da6cf9f1986ef12f0570b8f494dfc769e44c02b7

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
224KB

MD5
c36ebee9bcc90e7125acbb2bf0ee4aa9

SHA1
f13c18760b6243e07b63cf2bf8f00bf40828e55c

SHA256
83ddfadf380cf4fe2b1ddcc0178f900e9d0d8ea7ef934f6e87a162859a55f356

SHA512
79b377bd2047f0a98038aaeb7810e681dcf465c0b64f8adbab3fd004b1fde9ed42e0fb6bcdaf875ed81251699476c32c7dc8f9db85ee84d0d423cd694dc25850

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
224KB

MD5
22d55fddf2b89a90c2a8a6b07de59999

SHA1
dd50e04a8db8f139900186445401c465833882bf

SHA256
f62cebe34832026a9c7c1fbea766e42b3ca2c64f4578e5f0c3047235a076acf6

SHA512
6b8b4e839e2f82389ec801234ea9259b2a55570e27ae577ca6782583d4651a3db7036e408bc516ffeb7b46bb4f87d16e66d115dbbc03b93cd912e39b6cf7d83e

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
224KB

MD5
6d8ce6610e46db5dab03af1f38a6b519

SHA1
b3fcb393b2a9d6e6ad8edaa1c1c2c3c4a2c18d41

SHA256
bfbceaa3cd311103dfe80a7ecade4c95eac6c38afe3c882e19975d05740686f3

SHA512
59220e28759b56ae998e88f9707def7db7eef1c47f6613f2aa92a554a4acb78c3c347019ebf095df33c4e8eed912ef35a8d81de5e3c66d28da0ae5ef7f018956

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
224KB

MD5
973550a27d812e02367f71dd7db96ed9

SHA1
7518e7168973107d1cc9ab43b371632110236c32

SHA256
7a97de4a9c0bb634d27a175f4814c27365271658dacfbd5a4cb1f7d99e9ae2a0

SHA512
c42bacf3ad554affde73bdc56326af319b3cde2e9519a8ced520984fadb078686e561e16bd0a914108987ecc8f4224bc287a3df300bdf9361c1530ab3efbd85d

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
224KB

MD5
e26fa0c20eecc939d09826a43f70a4f2

SHA1
ea86ab64e7136ba0cd6509c9447367d548baf1ef

SHA256
d1e2eb578f77067234e5fc47deac34373cc2398186b78415c71389827a21a986

SHA512
f6eb0ab0140080dd303704134fa8caefedbc6a0f25be13d30fdfa26e70b5132306ac58b8af3d721e761f03ad8952461e07b01fdf5f75ae89622055384d8042c0

Download Submit
\Windows\SysWOW64\Eloemi32.exe

Filesize
224KB

MD5
f02a24838d1721c768cdeb3b61090242

SHA1
98cf91c215448833f5f78eca32626f41077c5631

SHA256
207faeb3920688f2a8e94ba9e86c76fd4f2ee43e86cd2d666688e2c6c30b7317

SHA512
3789ead2fafb819979af4a54470a3817f00d183503a251067944daff241d499aa319e7fd973666c424377977877570e849ba1c988f08b6979878560fdd98200c

Download Submit
\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
224KB

MD5
84466df5d7d94ac9af35975593e9de63

SHA1
34ad43915909bb04377f7fd0581aab5c8febc052

SHA256
918d8437dba01e5e8d527b938d017fd2d3b598696a34e747051e073244a4bd27

SHA512
5a0b99db0d073b4324864ebc299b1540b23c4628417cb3cea807bd29177a45399f69a93f78441ba1a402bd04bcaf5cddb1a1d2c697c26d9f8d42ac6c8041b4f1

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
224KB

MD5
1fc4a641042c601d8349db05524d7375

SHA1
39687c948a7f425245242de991ca148762de7e18

SHA256
dbb2e76b218d64f27620dd2f325b89031900ff83142da11f305f62cf5215f7fc

SHA512
30d3c6f295a57934b2bc9b66b0b49ff733918be342e9f436fc5f3704b5b2906588d2e7568d64ee7320ade05230cdeb687ef86b5d2680df458b62fbd51b41328e

Download Submit
\Windows\SysWOW64\Fmekoalh.exe

Filesize
224KB

MD5
a9a250d9a0dd92c62341508f2193232a

SHA1
c111534cb40426ec3bf9f222e28b8f74fc16910b

SHA256
6433620646b79a7edc77f26d4b31d9a993a64e33c4ce9059dea8d93b3783a965

SHA512
9390d77afe10258f4903b7a8a695de11ec4904835bbe29241d196c083ff50eca934414746c963d9354ca67f3dcd379ad2b7f70fbe93ade6ea726a17e1377bf15

Download Submit
\Windows\SysWOW64\Fpfdalii.exe

Filesize
224KB

MD5
7ea528c659744e3ad047973bcef8524c

SHA1
e868129346b8bf6852b6f689c2c33ff359877806

SHA256
1cf9e13e71ae9ce6b9f7a0d2826e40376db7408d599115cc57bcebf82d285188

SHA512
12662340f4262650ef67779f5bac7ded5802844705e08f9e34263419bdd781af1984cf43cfd484601bbb9dae28d2b9485923faa0dc553f50f845a1ca002e01f4

Download Submit
memory/272-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/272-427-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/272-428-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/560-329-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/560-328-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/560-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/820-296-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/820-297-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/820-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-306-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/908-308-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1052-238-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1052-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-239-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1092-250-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1092-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-249-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1176-403-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1176-402-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1176-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1236-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1236-111-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1264-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-286-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1264-285-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1308-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1308-175-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1328-439-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1328-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-438-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1516-148-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1516-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-416-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1732-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-417-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1836-319-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1836-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-318-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1844-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-264-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2012-202-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2012-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-336-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2088-337-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2088-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-228-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2208-227-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2208-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-377-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2232-381-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2232-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-395-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2508-394-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2508-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-450-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2516-449-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2516-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-94-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2544-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-49-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2584-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-359-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2608-358-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2608-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-458-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2792-457-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2792-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-219-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2844-221-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2844-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-25-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2848-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-372-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2860-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-373-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2884-274-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2884-273-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2884-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-348-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2936-347-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2972-11-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2972-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads