17c9b8b49878eb37190ff8a86e5e0741b03803c8fa0f7a0b0e9798729ee8aa6d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
Size

405KB
MD5

bb929e66ba75e7cccad3c3405b19a6a0
SHA1

9992c77be6395ded74195d9e5657362e042aa5c2
SHA256

17c9b8b49878eb37190ff8a86e5e0741b03803c8fa0f7a0b0e9798729ee8aa6d
SHA512

af7c3f5cb02fd4fbe5bd8207d9d8a357b0bf5da28a34c2a452c9eadbf63af43474770f69db63ba39ddd1b1737ec0087d37349314b07fd9a598517208c7e2cfb4
SSDEEP

6144:4GdvJ/oHeN+uqljd3rKzwN8Jlljd3njPX9ZAk3fig:46xQ4+XjpKXjtjP9Ztx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe

Executes dropped EXE 42 IoCs

pid	Process
2888	Fnbkddem.exe
3012	Faagpp32.exe
2696	Fpdhklkl.exe
2656	Fhkpmjln.exe
2876	Fjilieka.exe
2452	Fmhheqje.exe
2052	Fdapak32.exe
820	Fioija32.exe
1932	Flmefm32.exe
2232	Fddmgjpo.exe
2348	Ffbicfoc.exe
1952	Fiaeoang.exe
384	Gpknlk32.exe
2684	Gicbeald.exe
2680	Gpmjak32.exe
2800	Gieojq32.exe
2952	Gdopkn32.exe
1152	Ghkllmoi.exe
3048	Gkihhhnm.exe
1580	Goddhg32.exe
1616	Geolea32.exe
1804	Gdamqndn.exe
3036	Ggpimica.exe
1548	Gogangdc.exe
2172	Gaemjbcg.exe
2688	Ghoegl32.exe
2512	Hmlnoc32.exe
2852	Hpkjko32.exe
1828	Hgdbhi32.exe
2004	Hicodd32.exe
1168	Hlakpp32.exe
2588	Hckcmjep.exe
2788	Hejoiedd.exe
1252	Hcnpbi32.exe
2504	Hellne32.exe
3052	Hjhhocjj.exe
1544	Hhmepp32.exe
2124	Hlhaqogk.exe
960	Iaeiieeb.exe
1740	Idceea32.exe
1756	Ihoafpmp.exe
2396	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
2764	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
2888	Fnbkddem.exe
2888	Fnbkddem.exe
3012	Faagpp32.exe
3012	Faagpp32.exe
2696	Fpdhklkl.exe
2696	Fpdhklkl.exe
2656	Fhkpmjln.exe
2656	Fhkpmjln.exe
2876	Fjilieka.exe
2876	Fjilieka.exe
2452	Fmhheqje.exe
2452	Fmhheqje.exe
2052	Fdapak32.exe
2052	Fdapak32.exe
820	Fioija32.exe
820	Fioija32.exe
1932	Flmefm32.exe
1932	Flmefm32.exe
2232	Fddmgjpo.exe
2232	Fddmgjpo.exe
2348	Ffbicfoc.exe
2348	Ffbicfoc.exe
1952	Fiaeoang.exe
1952	Fiaeoang.exe
384	Gpknlk32.exe
384	Gpknlk32.exe
2684	Gicbeald.exe
2684	Gicbeald.exe
2680	Gpmjak32.exe
2680	Gpmjak32.exe
2800	Gieojq32.exe
2800	Gieojq32.exe
2952	Gdopkn32.exe
2952	Gdopkn32.exe
1152	Ghkllmoi.exe
1152	Ghkllmoi.exe
3048	Gkihhhnm.exe
3048	Gkihhhnm.exe
1580	Goddhg32.exe
1580	Goddhg32.exe
1616	Geolea32.exe
1616	Geolea32.exe
1804	Gdamqndn.exe
1804	Gdamqndn.exe
3036	Ggpimica.exe
3036	Ggpimica.exe
1548	Gogangdc.exe
1548	Gogangdc.exe
2172	Gaemjbcg.exe
2172	Gaemjbcg.exe
2688	Ghoegl32.exe
2688	Ghoegl32.exe
2512	Hmlnoc32.exe
2512	Hmlnoc32.exe
2852	Hpkjko32.exe
2852	Hpkjko32.exe
1828	Hgdbhi32.exe
1828	Hgdbhi32.exe
2004	Hicodd32.exe
2004	Hicodd32.exe
1168	Hlakpp32.exe
1168	Hlakpp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Fpdhklkl.exe	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Faagpp32.exe	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Geolea32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Faagpp32.exe	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Fnbkddem.exe	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Fpdhklkl.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Lgahch32.dll	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Bccnbmal.dll	Faagpp32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Fioija32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Fhkpmjln.exe

Program crash 1 IoCs

pid	pid_target	Process
2488	2396	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjilieka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Fioija32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Ggpimica.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2888	2764	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe	28
PID 2764 wrote to memory of 2888	2764	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe	28
PID 2764 wrote to memory of 2888	2764	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe	28
PID 2764 wrote to memory of 2888	2764	bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe	28
PID 2888 wrote to memory of 3012	2888	Fnbkddem.exe	29
PID 2888 wrote to memory of 3012	2888	Fnbkddem.exe	29
PID 2888 wrote to memory of 3012	2888	Fnbkddem.exe	29
PID 2888 wrote to memory of 3012	2888	Fnbkddem.exe	29
PID 3012 wrote to memory of 2696	3012	Faagpp32.exe	30
PID 3012 wrote to memory of 2696	3012	Faagpp32.exe	30
PID 3012 wrote to memory of 2696	3012	Faagpp32.exe	30
PID 3012 wrote to memory of 2696	3012	Faagpp32.exe	30
PID 2696 wrote to memory of 2656	2696	Fpdhklkl.exe	31
PID 2696 wrote to memory of 2656	2696	Fpdhklkl.exe	31
PID 2696 wrote to memory of 2656	2696	Fpdhklkl.exe	31
PID 2696 wrote to memory of 2656	2696	Fpdhklkl.exe	31
PID 2656 wrote to memory of 2876	2656	Fhkpmjln.exe	32
PID 2656 wrote to memory of 2876	2656	Fhkpmjln.exe	32
PID 2656 wrote to memory of 2876	2656	Fhkpmjln.exe	32
PID 2656 wrote to memory of 2876	2656	Fhkpmjln.exe	32
PID 2876 wrote to memory of 2452	2876	Fjilieka.exe	33
PID 2876 wrote to memory of 2452	2876	Fjilieka.exe	33
PID 2876 wrote to memory of 2452	2876	Fjilieka.exe	33
PID 2876 wrote to memory of 2452	2876	Fjilieka.exe	33
PID 2452 wrote to memory of 2052	2452	Fmhheqje.exe	34
PID 2452 wrote to memory of 2052	2452	Fmhheqje.exe	34
PID 2452 wrote to memory of 2052	2452	Fmhheqje.exe	34
PID 2452 wrote to memory of 2052	2452	Fmhheqje.exe	34
PID 2052 wrote to memory of 820	2052	Fdapak32.exe	35
PID 2052 wrote to memory of 820	2052	Fdapak32.exe	35
PID 2052 wrote to memory of 820	2052	Fdapak32.exe	35
PID 2052 wrote to memory of 820	2052	Fdapak32.exe	35
PID 820 wrote to memory of 1932	820	Fioija32.exe	36
PID 820 wrote to memory of 1932	820	Fioija32.exe	36
PID 820 wrote to memory of 1932	820	Fioija32.exe	36
PID 820 wrote to memory of 1932	820	Fioija32.exe	36
PID 1932 wrote to memory of 2232	1932	Flmefm32.exe	37
PID 1932 wrote to memory of 2232	1932	Flmefm32.exe	37
PID 1932 wrote to memory of 2232	1932	Flmefm32.exe	37
PID 1932 wrote to memory of 2232	1932	Flmefm32.exe	37
PID 2232 wrote to memory of 2348	2232	Fddmgjpo.exe	38
PID 2232 wrote to memory of 2348	2232	Fddmgjpo.exe	38
PID 2232 wrote to memory of 2348	2232	Fddmgjpo.exe	38
PID 2232 wrote to memory of 2348	2232	Fddmgjpo.exe	38
PID 2348 wrote to memory of 1952	2348	Ffbicfoc.exe	39
PID 2348 wrote to memory of 1952	2348	Ffbicfoc.exe	39
PID 2348 wrote to memory of 1952	2348	Ffbicfoc.exe	39
PID 2348 wrote to memory of 1952	2348	Ffbicfoc.exe	39
PID 1952 wrote to memory of 384	1952	Fiaeoang.exe	40
PID 1952 wrote to memory of 384	1952	Fiaeoang.exe	40
PID 1952 wrote to memory of 384	1952	Fiaeoang.exe	40
PID 1952 wrote to memory of 384	1952	Fiaeoang.exe	40
PID 384 wrote to memory of 2684	384	Gpknlk32.exe	41
PID 384 wrote to memory of 2684	384	Gpknlk32.exe	41
PID 384 wrote to memory of 2684	384	Gpknlk32.exe	41
PID 384 wrote to memory of 2684	384	Gpknlk32.exe	41
PID 2684 wrote to memory of 2680	2684	Gicbeald.exe	42
PID 2684 wrote to memory of 2680	2684	Gicbeald.exe	42
PID 2684 wrote to memory of 2680	2684	Gicbeald.exe	42
PID 2684 wrote to memory of 2680	2684	Gicbeald.exe	42
PID 2680 wrote to memory of 2800	2680	Gpmjak32.exe	43
PID 2680 wrote to memory of 2800	2680	Gpmjak32.exe	43
PID 2680 wrote to memory of 2800	2680	Gpmjak32.exe	43
PID 2680 wrote to memory of 2800	2680	Gpmjak32.exe	43

C:\Users\Admin\AppData\Local\Temp\bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\bb929e66ba75e7cccad3c3405b19a6a0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\Fnbkddem.exe
  C:\Windows\system32\Fnbkddem.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Faagpp32.exe
    C:\Windows\system32\Faagpp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Fpdhklkl.exe
      C:\Windows\system32\Fpdhklkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Fjilieka.exe
        
        C:\Windows\system32\Fjilieka.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        43⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 140
        44⤵
        Program crash
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Faagpp32.exe

Filesize
405KB

MD5
6784d0e8c6b64de41a35fa695bad60c0

SHA1
00e60b693a5f649c40a6af3f463a14092bec6c33

SHA256
34150271baff927bc62ff8491d1bb42f59c83b152f39a3eedd0e6523cbb48ac3

SHA512
97bda81ea26b22b98aec30f21cfebfbe33fc48581f29d5d6836b2da08e894fb0a430920f2ec762c639f34e247304c2e2e45ac58921603e38acf3983b6d749e25

Download Submit
C:\Windows\SysWOW64\Fdapak32.exe

Filesize
405KB

MD5
35b9f1b9cd68def448169308a560e07b

SHA1
41655204cd79530f99cad9fd2e521086a574e56f

SHA256
6007aaf44ad0572f2ba807e309700f34abb34da88fee4b81cbb8b09edf899d79

SHA512
036b74b6465d9b19a19b54eb792b73d574d5754c2bce7f57010c97e2760142b553b0646cdac95b5834228da7ee16266df5ec26d485c8286cfe256fb8fb236967

Download Submit
C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
405KB

MD5
2a060be0f23c2448632b60eb4e2173cd

SHA1
175ccb22e836208d03b1f0d138b10eda6af89b56

SHA256
22b213ca2b21b55314042cb18a6656a7bf4afcf093de16522d6a01b6c8be71d0

SHA512
2f9b76171312ece9347de319b828a3a6f286048757cc57627b6abf797c0afd4aeab9214cf49c24b22da4245be6b0950b44a5f3c43538e157f62ef5977e428d6a

Download Submit
C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
405KB

MD5
871708b54d54556e3d29e003373cc4e0

SHA1
b0711921fa9e40675a0b9805bb0442fc99122302

SHA256
d0773ec72b240b96679d2a1d8e67659f7c45352b05813de4a3ca5b8fe4039374

SHA512
26be51824340ec56451befb8dc6c0e66946e21b3196ee90231170357e531ef938b28fabb51088eb899d8ab7234fc1c69d18bf1f951886d3e338afa05b4a08cca

Download Submit
C:\Windows\SysWOW64\Fhkpmjln.exe

Filesize
405KB

MD5
e67c000954cf2331d5471ff1296a8967

SHA1
93a5c51fd6cbb40518f32ee6998b2eda8359a1b6

SHA256
7c60ef4b2bcd20c2df2856d535b5eb3cade4c44008eb88ad597a39247926baac

SHA512
6538bbb3c1a01252c2468d8a3480c626468c9291c9c10a71551bb9d638c9f45a983c4fa0f8c3fdda96d2b2df244c6814c0540fe374e13787d10462f866436c15

Download Submit
C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
405KB

MD5
16a03fe87c7fe91efcbda536a15bbbf6

SHA1
a8b132fee4d214ac30d15b24bad71195211d3248

SHA256
06c6ae862aaba40c71afffe4c0aae7db2887b1d17977d5bb996f34f802c4d3cb

SHA512
1384e9b3dd2fc7acaeadd50e55b20d014b61e09e0a37515b0a7f1489f4c358a05202a0114ae833b3b921ff29843d2df58b7ea21e28ed2820a8e9be04e699e1ce

Download Submit
C:\Windows\SysWOW64\Fioija32.exe

Filesize
405KB

MD5
c994fbbd6d441d0f769782a803dace7b

SHA1
07c7dfc145b9ad6d94366196569cb993fcaff9ef

SHA256
03fee22f56ba0754fea0e3870748d13410836a4767c56dcf74a7ae1e8f59e68e

SHA512
14d958573eec505764eb7f471cd479f520060a504b3a91d5a1d49961f73670b0ee681fb7ed849b3f71d210cf3c6774b6edc0882168f59e3103fc688100688921

Download Submit
C:\Windows\SysWOW64\Fjilieka.exe

Filesize
405KB

MD5
fbed57197b81d0f3ef5711acbc1e7943

SHA1
40897fe21984ba6d500e438d1b7d23f382452e2c

SHA256
3acb883dcce4b8ddf54edcc6dbd8149a92f6cb4e4ddcdb6ad360589346f832fb

SHA512
06ed84d0265b4d16b0e00aeb7fbfb1d8d88c2eade87416078e3addaa529ef5922750d2a8971da0ee2b15f654b289d0aafe31cb03d81d69296817a9fe1417b204

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
405KB

MD5
42e74ef44e473431f77db6dd3c0c7ced

SHA1
213ae0f6017e85cc33bf17278e0205daec0ac79f

SHA256
2e07e6c9bbdff0b5a4ff202de81d2844ebe43ea63d672e5023a3c102d222d96e

SHA512
6f452181d18c6e91e3c051eb4db880e1df34a4baedbafec1da9d696807a5494c8d4ab4bd56ea5b7fd388c0fc4a1057dd379700a1c0139eb4bb947090b585c5bb

Download Submit
C:\Windows\SysWOW64\Fmhheqje.exe

Filesize
405KB

MD5
0aac8f9dfcf8ce145c79324b981b1650

SHA1
cd17dd4ca27af906bd439c9feccea17aaebc7136

SHA256
1016b0ef5a2d6d295079f7a4bab70b304625228afa0247c2de53eaf4e558dd40

SHA512
341f3a3b9165bf22176cf0f59c2add24f962bd860708bb2770776cc747bc243b40ca77fecf1d750a0f46d6ff629879997efd3bb4c2ddd9ecddaa66ff15043d77

Download Submit
C:\Windows\SysWOW64\Fnbkddem.exe

Filesize
405KB

MD5
7cd0ca316e01d92de08504ce171a7a92

SHA1
7f1395bf2b360badd2fe380226922124e797b38e

SHA256
9f08e45148f2779e9c2299694ce854750a0d80aafa64d22fc82c9b52f80ef3e5

SHA512
afb4c6cdb44079abb4de2c4de6e7fdacde5c02e48b22e63af59682ccb534ae3505583a936825187fc8042bd87531039d2f02cb5553452ba0cdc4caf841d52580

Download Submit
C:\Windows\SysWOW64\Fpdhklkl.exe

Filesize
405KB

MD5
590299239f438a08970d58b41e473c89

SHA1
3fc0ebe60e5cdd3d8da383e51206c1b66a9149ea

SHA256
1f2ed8486de5e61e1cdc1d385614b70a2bf013759502449120576f13590b9ef9

SHA512
ed973fcafbeb038042e349382940126ebf1b15cfa344b3a81f09d23ef74e87d54b65b8ba72301eb5fb12306dedea732caa9d8d09b1400b7436e10f71b3e0ce9a

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
405KB

MD5
5f1f84e4f95861af641d46929c4ff6b2

SHA1
9d7017d9d9dd625f87b48d788f6878e8fb2bac8f

SHA256
5a4eacf01d903d1c348ee9ecd63bce676c76f6d4c5184c57f85ee578c425ab81

SHA512
71dcbfc9e6d919a2cb33a93c24c884671178b06737b365b7f03d7aacee62acb4722477d21088c6a2068a510c1baabbd313e78d6b0d6094bd2b943f50273190a1

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
405KB

MD5
3c0456d27befa14787cbb36255544725

SHA1
c5c15616f99175d3b79d528be381ab695ee78fb3

SHA256
bddc173b279deb91813644e3fc6b6206e8d58ee3004604d5c0c6ac64eaf8c5fd

SHA512
d9e732bbc04fc201a0603b8a29a520bc37ade451f55fdd643cfae463380dbd754df76693da205d0c4c5cdc8240392fb5cd734603d0197aca2a013d5103f07414

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
405KB

MD5
8fb631ccc5d506a158d175544b211179

SHA1
b43bfd40b7134f152f1be24e087d22b44a5765da

SHA256
cfce9305e6a3e8f7f0e2f8202b243c7fe9a25dd68666da96347e6b909116d68b

SHA512
9f0b2cec91ba49af23a36d31df7bb8b7e155e97541857a7eae88b01126d012ca15ba4c99e7420904dd5c66a815fb83787267fa19be736856e99e66d7c745b2ae

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
405KB

MD5
c02cf180b13c8571df1ef124042f0520

SHA1
293e693cd7140033cb053f5cddf11a8960152eab

SHA256
ca010d62e1c52612fc39a2695eef7a7a7cef927b0bc2a0ed0b27bdf7488b6745

SHA512
cac4cd58f2bce716b3de7c5fa7ef4a775abeb9687f06328368e09f0fe6ac8caec8d1f02a2fb13fde1ae0418e134cc3705c52d27904e68a776f496d870fe659c7

Download Submit
C:\Windows\SysWOW64\Ggpimica.exe

Filesize
405KB

MD5
c0c50990719b10f2e55fd9ff7db92bfd

SHA1
aff8aae5097b7f6e897eb56f53844f6fc11f0ae8

SHA256
d1f9a987b6eb54fa8dbfd50ee7781dd18dcaa7f4c0866361059cd1c5be9b75dc

SHA512
0ee565278c380ef7787cab827cadaa59ae9c40814d7c000899d90ea7fe3cd873321ac3ea84a35dbfb9e8f38fe9da69eea75b96847b4fc3a95f80bf58856739b9

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
405KB

MD5
1d9bcb64894382769ab7ce6af6798587

SHA1
b7988b288c7a07e04289e31ed64541ff8c224991

SHA256
88c6bacf792682a020aa4c550f9843b2f879726307c9f93c2bac775e25b353c7

SHA512
de6c966f14da279635254522a79c42e0659680c536e84bc9a9e8d79f9741d1d1c08b3cd20ca1aba8683a19f5db068fe1aa98174f4e3d69854541eeb42abbdbb3

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
405KB

MD5
db87e911e601ba4bc1a6f5ef18dc307a

SHA1
f24b7884c7fd3169b9c4f8e46d622c6d257d3552

SHA256
96aada8c7b6bfaeac91182e88864d727ff097654220c05190fdfcf65fa3aa13d

SHA512
63f9eae16887b56dc4613bb8a0966144304a7e56b9b6821af6fdc43e655f32e0bca031da7996a8e86e7fdb909b05fea835d472342f0385d795e21b3f7c2d06b2

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
405KB

MD5
b55587bc87d1b4c145a72958b98669d8

SHA1
774085e768fb9e04f0a326d3f8c2fb0951073e82

SHA256
1544cb5448f48d6f7b7766d6f548cd54e7f4b99e610da76da354b026a51fa890

SHA512
6b515b720c32c0ff71601e9396fe2af922f5e0f2f904696676a2851d629871a48bb9b331e82aeb54fe88f2f4a33b76e83a00d6df976e735677df76d79d4ec5c5

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
405KB

MD5
bceee76176d919364ecd6fb53fdc272b

SHA1
bc6b195d5dd380e565f3f5b2aae285743267c6a4

SHA256
83c99808b9b3d1a14420fb036600dfd8d9c2679f68d9f4210cc4cf663f790077

SHA512
27d63b753926823ada128ca7b9343b95ac88515c6de8a6d912d8b8339c1aedd96df606e50aa196e1c03acd73e14ddd25545be0e6c683a6fd5654acd6be9c658c

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
405KB

MD5
24edc6a9d5b346a283ab4899f8ef1b4b

SHA1
7dfceccf639d8169aea9049937ce527807933824

SHA256
372094860b0bd8459ce53556ea343595b2c50dcd97f11434e4dd3a9062d406f8

SHA512
6c4c084ebc3ce9ee761f1d91f222c6aed73ece7c63ff51199d2a6f9dc38c265e41d3bd36fc023d8344d45558af89b847f314c7353a837362c2fc433708271458

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
405KB

MD5
58c46ca88d93e40f2d13ccd7fa039944

SHA1
180c570fade8a27e95afcab21249570310f866d5

SHA256
354bf558e47e7a0646f549b5ce7d923bc85bd75b1987914e7a0e347214609534

SHA512
14259269cfc1fc3a6c8438418266416424f0863b684b4b3e928cb5b8b3dfaec46d337de22ba86b666fa592bc57abbacbbae378d8dbf828ce81285e7777f0174c

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
405KB

MD5
00f205e12202c1436553970e1fae3818

SHA1
fa552f169424b7b9f1e566ea006adcbcad62ac76

SHA256
aae792a7d81ae8e82a1684f668c9ef7c43fda56a0c3a1c37a0d1d3fdc5aaa8af

SHA512
32f5ad7074c478af8363b4c1af73004a07879a46726be6e1517c447e4cd7a71df0c470c1f271c85b13a4e59bc82a6faac076df80225c22305a939d2500427b7c

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
405KB

MD5
49de013ed3b90695f93d3aea2920f54e

SHA1
81375ff8c5ada5dcdae47b654ec921f8cdfca014

SHA256
a57205f2212499b85fa12dd1d3aa11a1a6b7dc5e86d95a0081b2ed0ac9d7d0e2

SHA512
5165f4c48ed5afe3511ee7aa6ca28b288a12a9e4faf0b72dd6c6f471337184da7bf2f41425eeeb3412bb47b4b3b7dc4e21508e24c3131deec8c472f2a29ae0fe

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
405KB

MD5
8a33b698127b3d6c4771a0a5ff41e3bc

SHA1
d642c207d7a559f0b054b8593ee6ab108fb9b85c

SHA256
17f1f90dd2a38b0240e9186ae55575b29667c4eb84111e2df33fcda12389df7c

SHA512
d91d869b6cc0bdd5f6f53abd9ad72184978defc00c91af1e9b27492bd8b516c4cc2332ab7bf88ddd84f76f9b8760c84751f677144019135ecffeef563060b3d5

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
405KB

MD5
8762fee12960426abde48ac8c50d4beb

SHA1
4ff28642540dadc6ce51987e3211d839d964f455

SHA256
868eb4b0802a6af728fca8458a0f05584d42a0bea0137cfa1cafd8a2c7a5c61f

SHA512
3094796d22831aa6c4b19e6ca570ce97797286162bdbb718f7bf0123c25284773802a884cbada83cf47851a7630557da1e732eb299f5023d54620aafbe2eef66

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
405KB

MD5
58f60bced9f92ef2d609e24171303a6d

SHA1
29ae28eec834c65357e6887bf6fa5b77aa1edf8f

SHA256
7a3e6d417354254cd3c17737e644625f90b1c89b74b459a2b9039d315d9a6ca9

SHA512
fffe5c9e9cd53c12cc7e53cc5ca236530bc868bc1a160d6e94fd6b62ba2a1c5d8d4ef9e1177c0aafec94ec13995f1edfa74e5ab85c7f4b8d84ae6a5aa86c4ace

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
405KB

MD5
d8ea30aac403dd2d29235a73cdd1ab39

SHA1
f3e53572a5b3e1e202ed44e452e71d34451362a3

SHA256
76968c3112d210d4cb62d81fd9ce8be29217846a028564acb0b89a88b26dbe63

SHA512
3d896d171943f28a986caa5c85905970a1eee55e2854491487d7dbd2a1722fbfdf6546b862ebd54ff3a051d83811d3a68f698dcaf13435ead53ce50555caec88

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
405KB

MD5
bc129c897cd1eda55093ab494f7f4f18

SHA1
abe8b083ea167f3f148be13206cb7d8227fbc716

SHA256
a2075bf3f251d20997e06362cb086e4ea73eb7b78fac6d489798f6658cde37ef

SHA512
88921d606982950979bde8e2d2a93d73678b75cdd6b13a596f983a038792ceb2cf999420bd9c2eb07d779f56480109d082101ed7c40756e34728b13d36713265

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
405KB

MD5
c2aab8b67493dd564c3aed57a56f5ab4

SHA1
1541238bdb5b17e7b551bfa6cf1892851d147fb8

SHA256
37fe3cff0061d343743f98fb21bead7a6e6544412f025127ba81b8ac8ff14346

SHA512
a58e2aac4029d2d881535b814e85cc6c092a26e9cf00d5ce09ecba5e3977b1c972e5d91ce8fc8f9509d78693690be4c8c629b909388976241636adceeb71cc7c

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
405KB

MD5
488cafd9b9cfc37db8e0636485e6f957

SHA1
e4ef8973cc4030b771b26e26e2ec50720d72b699

SHA256
8209ccebfc860e9342a276f47e4402c4d0c6645004e96dd13ce0f64aa4686d19

SHA512
1ae986711df770d645c8f8329f1af17eb2cf87f0082a8fedbf174c8c10cc0f81d266946111489c4e263fd483166bf358c1d60f13d5fbd010484bccda54fe71bb

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
405KB

MD5
4e7b7b795421e2951bf12a91aac8e802

SHA1
936f5d1ee5212404b9265c7857b97a22bb1ee184

SHA256
4afc12f49e8be37761daf9024847da759e508d2d4e9253dcf0bbdeebc963a0c6

SHA512
36240fc7f7524ec70bc3c5e5766cdef1329e9c743b44c19ce5b4943d77fdc5f0e57055c003c04a8b3b60a0bb308ad77ece17e2ad583cbc50a55af69655341a3d

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
405KB

MD5
287135dbadfeb8f2572e0c552ab9115b

SHA1
6beca603b0f82f6e95ac2afad5192c330a49e279

SHA256
a7848355dd83c2ff937679dddb609e008732ca21e382c4ad79903d5df57609b2

SHA512
902f7bcaeea527405d9b016d67280bd44e8ebe16fc2fb4fe0577ed0bfe576f078fc3550a0436415aedad0dfc69fe9653a15fe937afcfaa37b251e11ee5d10920

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
405KB

MD5
31f4ad97558ac3ae7b6422383015b10b

SHA1
edbdc1e150867304848620e79858beb34f61200d

SHA256
501528887ae50d347957f457889a2e5959ec83aa9974beb2701ce91716e912f1

SHA512
250d77fdc67d4e6e2336bec48293de3f8b6fc895bc82b2f2b3dd2d5e267df091a8c630221fcf9ecfb512d24d6e77812abdb61256a71c923f34f2943686a3212b

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
405KB

MD5
c69695ae39a97cd037238238ef38a9bf

SHA1
65309678410a0aca554e95286f8723c4c2912212

SHA256
5914a4930966ad0003d70813b9a6f2560c954fae34e78571cfc96baeb871cdcf

SHA512
f5506c02829027d2d09828d306af3f4caebdbe7532d943eccd3246019375f02cd8baf6411f5354f9c1875aa0fbce7fba4604dfe8c85c5cb1782d6367db79e99d

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
405KB

MD5
6112e2178ff439e91d4ab2f8d621da4e

SHA1
1c9de38e737ddf8c1957f20215cafa52fd808139

SHA256
863f4fee4e63adef8291751669ebf744bb7f0f59da33905a53353f358e6b261f

SHA512
19c3a59e4a3175328b9a7dff7451cb0518e1ea731f13e942134be6a9d28a35176a217d60f98d1203ef83f019140744300b3606229f6ed2d17d644ece008c2319

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
405KB

MD5
3ac17eff3ee76c60237cce67e1740e13

SHA1
358f58f6fe23ac4a12c72aa66b481145baace9db

SHA256
3a7aa277e44e0b88e0dca262803c822a73f36ec9d403aed8c13f2e5f4e469c3d

SHA512
a4634333eac0f9f0dab971dc9f555697d21782f548fc572a8e2fd1d72f1caa2e02c204f182b9751e76f13887d3930f0abb7287d6b6e78dd7e9a8b154cb3bdb26

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
405KB

MD5
a1520c845e3f47793073353d684bceab

SHA1
a0b77cc689dc13cf4db7e32d5b07c03a79997fe3

SHA256
ac7f25ee79e3e5bd2891dfe37b453961239b65a1431b02fae80c184c27bda497

SHA512
5eb78c448f5e9646736061f63ad028b7a1ad2735a61c173d97a113204b99403e03572f6b733e836f2ed771eeb2e6127562ed10d19ea665b37f3f096dcfcd14dc

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
405KB

MD5
1f18bfc473d07377a3c18a7fde3214ac

SHA1
5dc8178380191e517168c8cfc17d561c30dfd736

SHA256
642cb2e4635422f629e51c1fc0becc764b0c647700fdc8a65f886707ddc99e77

SHA512
0bb7858e545470e9ae7870e5e04578d597bfe4a33bed03bb056f62502d42259db056ae6bdb7c0f9d182ea9956c1c2cfe337cc14afd982b69bcbaa23c9d53ca70

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
405KB

MD5
83910d8eafa2ffa80ade411a403d5aad

SHA1
aea449b636f185f50a2ce1bbf06963c40068396e

SHA256
abaad4b3ecdb84d518bcd0a73fe928bf4075c7773c4fd54fdb82347cc2518c66

SHA512
9ab57f1b7f0df17a1f090e13bd09d4374c92ae775ef4d83131cf5f14dbfcea8625715655723a18854abb547e9be052b49411e98d8fcdaeb542d866ea1df3b61c

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
405KB

MD5
3ef70687e95600c4e88f0f818f13d126

SHA1
41ae93eaf9d8024da22ac17620c1d5e3b3a110ec

SHA256
020964c1b7a7b3dbe507c70a1462637c76c572f0a4ddb9299a9345daeaf3094f

SHA512
e77a7add6a102e3ceda2e90f6516550a1f02aa72add10027d72a93b927947297cd819b5dfb88ad9a880fa939d1e8ec7cbf4d74725bb79eb680b631c23499470d

Download Submit
memory/384-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-196-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/820-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/820-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1152-264-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1152-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1152-332-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1152-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1168-402-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1168-401-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1168-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-432-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-434-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/1544-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1548-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1548-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-281-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1580-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-387-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1804-304-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1804-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-136-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1952-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-181-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1952-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-235-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2004-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2004-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2004-393-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2052-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2052-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-151-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2232-219-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2232-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2452-96-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2452-182-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2452-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2504-433-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2512-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2512-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2512-435-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2588-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-285-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2680-228-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2680-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-229-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2684-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2684-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-426-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2696-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-54-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2696-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2764-12-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2764-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2764-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2764-6-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2788-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-370-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2852-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-81-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2876-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2888-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2888-26-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2952-253-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/2952-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2952-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-40-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/3012-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-399-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3036-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-314-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3036-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-355-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/3048-356-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/3048-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-459-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads