c145e047a3c0b81a7f20a2064d54b7ce6655745f99881f04c3636a4c153ae4dd

Analysis

max time kernel
210s
max time network
28s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11/11/2023, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Size

81KB
MD5

a501b19909319395eb1e2e975cabe3e1
SHA1

cf8ffb73e41514c0e60e919b9c72f3bc17579997
SHA256

c145e047a3c0b81a7f20a2064d54b7ce6655745f99881f04c3636a4c153ae4dd
SHA512

7bf4084d255dce3865b2b4b65e97e94c325d50d1e1d85364f83e8515065008755dac65d9684a3fc944c116958c2c41cdd5aa7d5af92ef91e56d0439366264552
SSDEEP

1536:BzTC/xkjSVdlUtSxU9TfM8sl7m4LO++/+1m6KadhYxU33HX0L:hTKxkwS39TU8A/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghnaaljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbolce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgakh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flhkhnel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjlgna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbolce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhmdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlgna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhmdc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghnaaljp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgakh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flhkhnel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbfin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghlell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghlell32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.a501b19909319395eb1e2e975cabe3e1.exe

Executes dropped EXE 9 IoCs

pid	Process
2780	Hpgakh32.exe
2484	Flhkhnel.exe
2256	Lgbfin32.exe
524	Pjlgna32.exe
2876	Gbolce32.exe
2932	Ghlell32.exe
2172	Gmhmdc32.exe
1108	Ghnaaljp.exe
772	Gmmgobfd.exe

Loads dropped DLL 22 IoCs

pid	Process
2832	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
2832	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
2780	Hpgakh32.exe
2780	Hpgakh32.exe
2484	Flhkhnel.exe
2484	Flhkhnel.exe
2256	Lgbfin32.exe
2256	Lgbfin32.exe
524	Pjlgna32.exe
524	Pjlgna32.exe
2876	Gbolce32.exe
2876	Gbolce32.exe
2932	Ghlell32.exe
2932	Ghlell32.exe
2172	Gmhmdc32.exe
2172	Gmhmdc32.exe
1108	Ghnaaljp.exe
1108	Ghnaaljp.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjlgna32.exe	Lgbfin32.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Ghnaaljp.exe
File created	C:\Windows\SysWOW64\Mminle32.dll	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
File opened for modification	C:\Windows\SysWOW64\Flhkhnel.exe	Hpgakh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbfin32.exe	Flhkhnel.exe
File created	C:\Windows\SysWOW64\Bnmhejjl.dll	Lgbfin32.exe
File created	C:\Windows\SysWOW64\Ejdjke32.dll	Hpgakh32.exe
File created	C:\Windows\SysWOW64\Lgbfin32.exe	Flhkhnel.exe
File created	C:\Windows\SysWOW64\Gbolce32.exe	Pjlgna32.exe
File created	C:\Windows\SysWOW64\Hlgpmnkj.dll	Pjlgna32.exe
File created	C:\Windows\SysWOW64\Ghlell32.exe	Gbolce32.exe
File created	C:\Windows\SysWOW64\Hpgakh32.exe	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
File opened for modification	C:\Windows\SysWOW64\Ghlell32.exe	Gbolce32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhmdc32.exe	Ghlell32.exe
File created	C:\Windows\SysWOW64\Qpaknfnf.dll	Gmhmdc32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmgobfd.exe	Ghnaaljp.exe
File opened for modification	C:\Windows\SysWOW64\Ghnaaljp.exe	Gmhmdc32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgakh32.exe	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
File created	C:\Windows\SysWOW64\Flhkhnel.exe	Hpgakh32.exe
File created	C:\Windows\SysWOW64\Cndcgd32.dll	Flhkhnel.exe
File opened for modification	C:\Windows\SysWOW64\Gbolce32.exe	Pjlgna32.exe
File created	C:\Windows\SysWOW64\Bnfjbkng.dll	Gbolce32.exe
File created	C:\Windows\SysWOW64\Ghnaaljp.exe	Gmhmdc32.exe
File created	C:\Windows\SysWOW64\Gmhmdc32.exe	Ghlell32.exe
File created	C:\Windows\SysWOW64\Gacdmc32.dll	Ghlell32.exe
File created	C:\Windows\SysWOW64\Gmmgobfd.exe	Ghnaaljp.exe
File opened for modification	C:\Windows\SysWOW64\Pjlgna32.exe	Lgbfin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	772	WerFault.exe	37

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbfin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghlell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacdmc32.dll"	Ghlell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghnaaljp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbolce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghlell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdjke32.dll"	Hpgakh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Ghnaaljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfjbkng.dll"	Gbolce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mminle32.dll"	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgakh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlgna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlgpmnkj.dll"	Pjlgna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbolce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhmdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndcgd32.dll"	Flhkhnel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flhkhnel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghnaaljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpaknfnf.dll"	Gmhmdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgakh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flhkhnel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmhejjl.dll"	Lgbfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjlgna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.a501b19909319395eb1e2e975cabe3e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhmdc32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2780	2832	NEAS.a501b19909319395eb1e2e975cabe3e1.exe	29
PID 2832 wrote to memory of 2780	2832	NEAS.a501b19909319395eb1e2e975cabe3e1.exe	29
PID 2832 wrote to memory of 2780	2832	NEAS.a501b19909319395eb1e2e975cabe3e1.exe	29
PID 2832 wrote to memory of 2780	2832	NEAS.a501b19909319395eb1e2e975cabe3e1.exe	29
PID 2780 wrote to memory of 2484	2780	Hpgakh32.exe	30
PID 2780 wrote to memory of 2484	2780	Hpgakh32.exe	30
PID 2780 wrote to memory of 2484	2780	Hpgakh32.exe	30
PID 2780 wrote to memory of 2484	2780	Hpgakh32.exe	30
PID 2484 wrote to memory of 2256	2484	Flhkhnel.exe	31
PID 2484 wrote to memory of 2256	2484	Flhkhnel.exe	31
PID 2484 wrote to memory of 2256	2484	Flhkhnel.exe	31
PID 2484 wrote to memory of 2256	2484	Flhkhnel.exe	31
PID 2256 wrote to memory of 524	2256	Lgbfin32.exe	32
PID 2256 wrote to memory of 524	2256	Lgbfin32.exe	32
PID 2256 wrote to memory of 524	2256	Lgbfin32.exe	32
PID 2256 wrote to memory of 524	2256	Lgbfin32.exe	32
PID 524 wrote to memory of 2876	524	Pjlgna32.exe	33
PID 524 wrote to memory of 2876	524	Pjlgna32.exe	33
PID 524 wrote to memory of 2876	524	Pjlgna32.exe	33
PID 524 wrote to memory of 2876	524	Pjlgna32.exe	33
PID 2876 wrote to memory of 2932	2876	Gbolce32.exe	34
PID 2876 wrote to memory of 2932	2876	Gbolce32.exe	34
PID 2876 wrote to memory of 2932	2876	Gbolce32.exe	34
PID 2876 wrote to memory of 2932	2876	Gbolce32.exe	34
PID 2932 wrote to memory of 2172	2932	Ghlell32.exe	35
PID 2932 wrote to memory of 2172	2932	Ghlell32.exe	35
PID 2932 wrote to memory of 2172	2932	Ghlell32.exe	35
PID 2932 wrote to memory of 2172	2932	Ghlell32.exe	35
PID 2172 wrote to memory of 1108	2172	Gmhmdc32.exe	36
PID 2172 wrote to memory of 1108	2172	Gmhmdc32.exe	36
PID 2172 wrote to memory of 1108	2172	Gmhmdc32.exe	36
PID 2172 wrote to memory of 1108	2172	Gmhmdc32.exe	36
PID 1108 wrote to memory of 772	1108	Ghnaaljp.exe	37
PID 1108 wrote to memory of 772	1108	Ghnaaljp.exe	37
PID 1108 wrote to memory of 772	1108	Ghnaaljp.exe	37
PID 1108 wrote to memory of 772	1108	Ghnaaljp.exe	37
PID 772 wrote to memory of 2812	772	Gmmgobfd.exe	38
PID 772 wrote to memory of 2812	772	Gmmgobfd.exe	38
PID 772 wrote to memory of 2812	772	Gmmgobfd.exe	38
PID 772 wrote to memory of 2812	772	Gmmgobfd.exe	38

C:\Users\Admin\AppData\Local\Temp\NEAS.a501b19909319395eb1e2e975cabe3e1.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a501b19909319395eb1e2e975cabe3e1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\Hpgakh32.exe
  C:\Windows\system32\Hpgakh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Flhkhnel.exe
    C:\Windows\system32\Flhkhnel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\Lgbfin32.exe
      C:\Windows\system32\Lgbfin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\Pjlgna32.exe
        
        C:\Windows\system32\Pjlgna32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\SysWOW64\Gbolce32.exe
        
        C:\Windows\system32\Gbolce32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ghlell32.exe
        
        C:\Windows\system32\Ghlell32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Gmhmdc32.exe
        
        C:\Windows\system32\Gmhmdc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ghnaaljp.exe
        
        C:\Windows\system32\Ghnaaljp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Flhkhnel.exe

Filesize
81KB

MD5
efc82062b890f9c20f506c6707071bd8

SHA1
16541995a76662b5574f08a36cd73083cb24cff0

SHA256
29d79cd112887efb7f476ff79a6ecbcf06c1ddc3c57af402196affa7f0cea94d

SHA512
9f89d85f81177fd6e3fb08d0a5412451e83fe585b002a8b84bd3214680995ba3cadbc6c930c6d54e9aa358a0090be13b6b2969e088d27cb1a6aa09996f826e5d

Download Submit
C:\Windows\SysWOW64\Flhkhnel.exe

Filesize
81KB

MD5
efc82062b890f9c20f506c6707071bd8

SHA1
16541995a76662b5574f08a36cd73083cb24cff0

SHA256
29d79cd112887efb7f476ff79a6ecbcf06c1ddc3c57af402196affa7f0cea94d

SHA512
9f89d85f81177fd6e3fb08d0a5412451e83fe585b002a8b84bd3214680995ba3cadbc6c930c6d54e9aa358a0090be13b6b2969e088d27cb1a6aa09996f826e5d

Download Submit
C:\Windows\SysWOW64\Flhkhnel.exe

Filesize
81KB

MD5
efc82062b890f9c20f506c6707071bd8

SHA1
16541995a76662b5574f08a36cd73083cb24cff0

SHA256
29d79cd112887efb7f476ff79a6ecbcf06c1ddc3c57af402196affa7f0cea94d

SHA512
9f89d85f81177fd6e3fb08d0a5412451e83fe585b002a8b84bd3214680995ba3cadbc6c930c6d54e9aa358a0090be13b6b2969e088d27cb1a6aa09996f826e5d

Download Submit
C:\Windows\SysWOW64\Gbolce32.exe

Filesize
81KB

MD5
3b489bf6996569a93395cab025a26894

SHA1
03dcd0799c2f87e1d449ffbbca48664a4cd241b9

SHA256
c07353933fa20ca7e756a30a4b8d2979a75c1f3b76dd7f4e0859b6da962b3e7a

SHA512
de5da311d12b964535432fbcc3dd434bceb3ae41fb97d40c43c78b47fe9554858ef387bfad0fe7d997f010c55cfaac703c36c6650ea0db948e88b58cafb2cfe5

Download Submit
C:\Windows\SysWOW64\Gbolce32.exe

Filesize
81KB

MD5
3b489bf6996569a93395cab025a26894

SHA1
03dcd0799c2f87e1d449ffbbca48664a4cd241b9

SHA256
c07353933fa20ca7e756a30a4b8d2979a75c1f3b76dd7f4e0859b6da962b3e7a

SHA512
de5da311d12b964535432fbcc3dd434bceb3ae41fb97d40c43c78b47fe9554858ef387bfad0fe7d997f010c55cfaac703c36c6650ea0db948e88b58cafb2cfe5

Download Submit
C:\Windows\SysWOW64\Gbolce32.exe

Filesize
81KB

MD5
3b489bf6996569a93395cab025a26894

SHA1
03dcd0799c2f87e1d449ffbbca48664a4cd241b9

SHA256
c07353933fa20ca7e756a30a4b8d2979a75c1f3b76dd7f4e0859b6da962b3e7a

SHA512
de5da311d12b964535432fbcc3dd434bceb3ae41fb97d40c43c78b47fe9554858ef387bfad0fe7d997f010c55cfaac703c36c6650ea0db948e88b58cafb2cfe5

Download Submit
C:\Windows\SysWOW64\Ghlell32.exe

Filesize
81KB

MD5
5cbb1423b01552f009bdcfc974c85be4

SHA1
e6837dd3775c12851b20b58cea22ce0bbe88af5f

SHA256
812e3e0ab9dc2219edd35fb0094bc30655acb594820a92e8db5ec2b6f88782f9

SHA512
9182a7d7481cf0debd4b0c4c10580fc9797771c911abfec44ed8c735a6f3d4556e5dd3da9fc1ccde712322883ce455fa620508be1390b1064954d70a366ce5fd

Download Submit
C:\Windows\SysWOW64\Ghlell32.exe

Filesize
81KB

MD5
5cbb1423b01552f009bdcfc974c85be4

SHA1
e6837dd3775c12851b20b58cea22ce0bbe88af5f

SHA256
812e3e0ab9dc2219edd35fb0094bc30655acb594820a92e8db5ec2b6f88782f9

SHA512
9182a7d7481cf0debd4b0c4c10580fc9797771c911abfec44ed8c735a6f3d4556e5dd3da9fc1ccde712322883ce455fa620508be1390b1064954d70a366ce5fd

Download Submit
C:\Windows\SysWOW64\Ghlell32.exe

Filesize
81KB

MD5
5cbb1423b01552f009bdcfc974c85be4

SHA1
e6837dd3775c12851b20b58cea22ce0bbe88af5f

SHA256
812e3e0ab9dc2219edd35fb0094bc30655acb594820a92e8db5ec2b6f88782f9

SHA512
9182a7d7481cf0debd4b0c4c10580fc9797771c911abfec44ed8c735a6f3d4556e5dd3da9fc1ccde712322883ce455fa620508be1390b1064954d70a366ce5fd

Download Submit
C:\Windows\SysWOW64\Ghnaaljp.exe

Filesize
81KB

MD5
55bb2b4d185ed4cc83c84ee4e5440c5d

SHA1
9307fa200487a3b62e3e9bec5623b37b3f5266a3

SHA256
8fc2ea8eece266b3bf733e5d8a36cacb18c46dd7457a556e42844056c8e9dbdc

SHA512
df0dfb2241d356e416a9b844cd7dbf9603d58e7560902d1e460cc3f2c84b039974e75c95345e4eb7289df97ffe3d25b156da382be537108d4b638b6ddff7858f

Download Submit
C:\Windows\SysWOW64\Ghnaaljp.exe

Filesize
81KB

MD5
55bb2b4d185ed4cc83c84ee4e5440c5d

SHA1
9307fa200487a3b62e3e9bec5623b37b3f5266a3

SHA256
8fc2ea8eece266b3bf733e5d8a36cacb18c46dd7457a556e42844056c8e9dbdc

SHA512
df0dfb2241d356e416a9b844cd7dbf9603d58e7560902d1e460cc3f2c84b039974e75c95345e4eb7289df97ffe3d25b156da382be537108d4b638b6ddff7858f

Download Submit
C:\Windows\SysWOW64\Ghnaaljp.exe

Filesize
81KB

MD5
55bb2b4d185ed4cc83c84ee4e5440c5d

SHA1
9307fa200487a3b62e3e9bec5623b37b3f5266a3

SHA256
8fc2ea8eece266b3bf733e5d8a36cacb18c46dd7457a556e42844056c8e9dbdc

SHA512
df0dfb2241d356e416a9b844cd7dbf9603d58e7560902d1e460cc3f2c84b039974e75c95345e4eb7289df97ffe3d25b156da382be537108d4b638b6ddff7858f

Download Submit
C:\Windows\SysWOW64\Gmhmdc32.exe

Filesize
81KB

MD5
7e456f3b7aa6e8f7c7206454f731e6e0

SHA1
90c968e46c919384b638b6111be329ef248fa2bd

SHA256
8be51d4e34da7b37ea19bd63fb27ee48ac9ebe4e895aa07247b52f08d2a07ddb

SHA512
40efbd813989f83cf1496096b8077eb3735eb3cda153a2627cdff0b3cfe8075408e34424cee204387f232123508d626e4400e20fdf6ed8c55de2ef169758365c

Download Submit
C:\Windows\SysWOW64\Gmhmdc32.exe

Filesize
81KB

MD5
7e456f3b7aa6e8f7c7206454f731e6e0

SHA1
90c968e46c919384b638b6111be329ef248fa2bd

SHA256
8be51d4e34da7b37ea19bd63fb27ee48ac9ebe4e895aa07247b52f08d2a07ddb

SHA512
40efbd813989f83cf1496096b8077eb3735eb3cda153a2627cdff0b3cfe8075408e34424cee204387f232123508d626e4400e20fdf6ed8c55de2ef169758365c

Download Submit
C:\Windows\SysWOW64\Gmhmdc32.exe

Filesize
81KB

MD5
7e456f3b7aa6e8f7c7206454f731e6e0

SHA1
90c968e46c919384b638b6111be329ef248fa2bd

SHA256
8be51d4e34da7b37ea19bd63fb27ee48ac9ebe4e895aa07247b52f08d2a07ddb

SHA512
40efbd813989f83cf1496096b8077eb3735eb3cda153a2627cdff0b3cfe8075408e34424cee204387f232123508d626e4400e20fdf6ed8c55de2ef169758365c

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
C:\Windows\SysWOW64\Hpgakh32.exe

Filesize
81KB

MD5
4a3e4ec59dac99494ff8f8b7877299c3

SHA1
24149f0cfa83f38ea710b86735d46ce79b5cd6bc

SHA256
e07c8e630f113d1bffd9a7e12842f3c0c3dbacf8bba9a7fa965e48efb0005c36

SHA512
fc88cc2156e5de04d7ee5c12613df99565d70702063e49c5584570bba5c9e4b2207eaee36657b4082a722016e4829169e6452403b22fcf94882abeba0fcae9cf

Download Submit
C:\Windows\SysWOW64\Hpgakh32.exe

Filesize
81KB

MD5
4a3e4ec59dac99494ff8f8b7877299c3

SHA1
24149f0cfa83f38ea710b86735d46ce79b5cd6bc

SHA256
e07c8e630f113d1bffd9a7e12842f3c0c3dbacf8bba9a7fa965e48efb0005c36

SHA512
fc88cc2156e5de04d7ee5c12613df99565d70702063e49c5584570bba5c9e4b2207eaee36657b4082a722016e4829169e6452403b22fcf94882abeba0fcae9cf

Download Submit
C:\Windows\SysWOW64\Hpgakh32.exe

Filesize
81KB

MD5
4a3e4ec59dac99494ff8f8b7877299c3

SHA1
24149f0cfa83f38ea710b86735d46ce79b5cd6bc

SHA256
e07c8e630f113d1bffd9a7e12842f3c0c3dbacf8bba9a7fa965e48efb0005c36

SHA512
fc88cc2156e5de04d7ee5c12613df99565d70702063e49c5584570bba5c9e4b2207eaee36657b4082a722016e4829169e6452403b22fcf94882abeba0fcae9cf

Download Submit
C:\Windows\SysWOW64\Lgbfin32.exe

Filesize
81KB

MD5
1dacb37a5f7d17f7bdfd2b49f5834e53

SHA1
6a997a96decd2e646ed797a3bec0401c73055d2d

SHA256
b551a0346f1a57a254502d8054519ad313afbea88daa64263e3a6e2bd009fc28

SHA512
13ee1ff94fbb251e43aa8904f8946c490e255667f3e453e4131016087f66317db23ca1bb2e5b649ea604545ed7a5579fd94ff8f1f92326e0f52915615ef141d3

Download Submit
C:\Windows\SysWOW64\Lgbfin32.exe

Filesize
81KB

MD5
1dacb37a5f7d17f7bdfd2b49f5834e53

SHA1
6a997a96decd2e646ed797a3bec0401c73055d2d

SHA256
b551a0346f1a57a254502d8054519ad313afbea88daa64263e3a6e2bd009fc28

SHA512
13ee1ff94fbb251e43aa8904f8946c490e255667f3e453e4131016087f66317db23ca1bb2e5b649ea604545ed7a5579fd94ff8f1f92326e0f52915615ef141d3

Download Submit
C:\Windows\SysWOW64\Lgbfin32.exe

Filesize
81KB

MD5
1dacb37a5f7d17f7bdfd2b49f5834e53

SHA1
6a997a96decd2e646ed797a3bec0401c73055d2d

SHA256
b551a0346f1a57a254502d8054519ad313afbea88daa64263e3a6e2bd009fc28

SHA512
13ee1ff94fbb251e43aa8904f8946c490e255667f3e453e4131016087f66317db23ca1bb2e5b649ea604545ed7a5579fd94ff8f1f92326e0f52915615ef141d3

Download Submit
C:\Windows\SysWOW64\Pjlgna32.exe

Filesize
81KB

MD5
445ea5344a82d93ba1ebee68468abeb9

SHA1
26ba398175dae6fbfe8a30723e27054f47a348ef

SHA256
4c627f1f31658b7545dd19b0292a1d005c0265e25aa39a7f7c79d55c5567e658

SHA512
f90a5b8b1d073de6991c5eaae43fd4421a6c10603a76e268e1c4395185716546150a30ec2bb45fbf9c8302bc7e30fa480ddaa24d2befe0a61f0fae91fe28a765

Download Submit
C:\Windows\SysWOW64\Pjlgna32.exe

Filesize
81KB

MD5
445ea5344a82d93ba1ebee68468abeb9

SHA1
26ba398175dae6fbfe8a30723e27054f47a348ef

SHA256
4c627f1f31658b7545dd19b0292a1d005c0265e25aa39a7f7c79d55c5567e658

SHA512
f90a5b8b1d073de6991c5eaae43fd4421a6c10603a76e268e1c4395185716546150a30ec2bb45fbf9c8302bc7e30fa480ddaa24d2befe0a61f0fae91fe28a765

Download Submit
C:\Windows\SysWOW64\Pjlgna32.exe

Filesize
81KB

MD5
445ea5344a82d93ba1ebee68468abeb9

SHA1
26ba398175dae6fbfe8a30723e27054f47a348ef

SHA256
4c627f1f31658b7545dd19b0292a1d005c0265e25aa39a7f7c79d55c5567e658

SHA512
f90a5b8b1d073de6991c5eaae43fd4421a6c10603a76e268e1c4395185716546150a30ec2bb45fbf9c8302bc7e30fa480ddaa24d2befe0a61f0fae91fe28a765

Download Submit
\Windows\SysWOW64\Flhkhnel.exe

Filesize
81KB

MD5
efc82062b890f9c20f506c6707071bd8

SHA1
16541995a76662b5574f08a36cd73083cb24cff0

SHA256
29d79cd112887efb7f476ff79a6ecbcf06c1ddc3c57af402196affa7f0cea94d

SHA512
9f89d85f81177fd6e3fb08d0a5412451e83fe585b002a8b84bd3214680995ba3cadbc6c930c6d54e9aa358a0090be13b6b2969e088d27cb1a6aa09996f826e5d

Download Submit
\Windows\SysWOW64\Flhkhnel.exe

Filesize
81KB

MD5
efc82062b890f9c20f506c6707071bd8

SHA1
16541995a76662b5574f08a36cd73083cb24cff0

SHA256
29d79cd112887efb7f476ff79a6ecbcf06c1ddc3c57af402196affa7f0cea94d

SHA512
9f89d85f81177fd6e3fb08d0a5412451e83fe585b002a8b84bd3214680995ba3cadbc6c930c6d54e9aa358a0090be13b6b2969e088d27cb1a6aa09996f826e5d

Download Submit
\Windows\SysWOW64\Gbolce32.exe

Filesize
81KB

MD5
3b489bf6996569a93395cab025a26894

SHA1
03dcd0799c2f87e1d449ffbbca48664a4cd241b9

SHA256
c07353933fa20ca7e756a30a4b8d2979a75c1f3b76dd7f4e0859b6da962b3e7a

SHA512
de5da311d12b964535432fbcc3dd434bceb3ae41fb97d40c43c78b47fe9554858ef387bfad0fe7d997f010c55cfaac703c36c6650ea0db948e88b58cafb2cfe5

Download Submit
\Windows\SysWOW64\Gbolce32.exe

Filesize
81KB

MD5
3b489bf6996569a93395cab025a26894

SHA1
03dcd0799c2f87e1d449ffbbca48664a4cd241b9

SHA256
c07353933fa20ca7e756a30a4b8d2979a75c1f3b76dd7f4e0859b6da962b3e7a

SHA512
de5da311d12b964535432fbcc3dd434bceb3ae41fb97d40c43c78b47fe9554858ef387bfad0fe7d997f010c55cfaac703c36c6650ea0db948e88b58cafb2cfe5

Download Submit
\Windows\SysWOW64\Ghlell32.exe

Filesize
81KB

MD5
5cbb1423b01552f009bdcfc974c85be4

SHA1
e6837dd3775c12851b20b58cea22ce0bbe88af5f

SHA256
812e3e0ab9dc2219edd35fb0094bc30655acb594820a92e8db5ec2b6f88782f9

SHA512
9182a7d7481cf0debd4b0c4c10580fc9797771c911abfec44ed8c735a6f3d4556e5dd3da9fc1ccde712322883ce455fa620508be1390b1064954d70a366ce5fd

Download Submit
\Windows\SysWOW64\Ghlell32.exe

Filesize
81KB

MD5
5cbb1423b01552f009bdcfc974c85be4

SHA1
e6837dd3775c12851b20b58cea22ce0bbe88af5f

SHA256
812e3e0ab9dc2219edd35fb0094bc30655acb594820a92e8db5ec2b6f88782f9

SHA512
9182a7d7481cf0debd4b0c4c10580fc9797771c911abfec44ed8c735a6f3d4556e5dd3da9fc1ccde712322883ce455fa620508be1390b1064954d70a366ce5fd

Download Submit
\Windows\SysWOW64\Ghnaaljp.exe

Filesize
81KB

MD5
55bb2b4d185ed4cc83c84ee4e5440c5d

SHA1
9307fa200487a3b62e3e9bec5623b37b3f5266a3

SHA256
8fc2ea8eece266b3bf733e5d8a36cacb18c46dd7457a556e42844056c8e9dbdc

SHA512
df0dfb2241d356e416a9b844cd7dbf9603d58e7560902d1e460cc3f2c84b039974e75c95345e4eb7289df97ffe3d25b156da382be537108d4b638b6ddff7858f

Download Submit
\Windows\SysWOW64\Ghnaaljp.exe

Filesize
81KB

MD5
55bb2b4d185ed4cc83c84ee4e5440c5d

SHA1
9307fa200487a3b62e3e9bec5623b37b3f5266a3

SHA256
8fc2ea8eece266b3bf733e5d8a36cacb18c46dd7457a556e42844056c8e9dbdc

SHA512
df0dfb2241d356e416a9b844cd7dbf9603d58e7560902d1e460cc3f2c84b039974e75c95345e4eb7289df97ffe3d25b156da382be537108d4b638b6ddff7858f

Download Submit
\Windows\SysWOW64\Gmhmdc32.exe

Filesize
81KB

MD5
7e456f3b7aa6e8f7c7206454f731e6e0

SHA1
90c968e46c919384b638b6111be329ef248fa2bd

SHA256
8be51d4e34da7b37ea19bd63fb27ee48ac9ebe4e895aa07247b52f08d2a07ddb

SHA512
40efbd813989f83cf1496096b8077eb3735eb3cda153a2627cdff0b3cfe8075408e34424cee204387f232123508d626e4400e20fdf6ed8c55de2ef169758365c

Download Submit
\Windows\SysWOW64\Gmhmdc32.exe

Filesize
81KB

MD5
7e456f3b7aa6e8f7c7206454f731e6e0

SHA1
90c968e46c919384b638b6111be329ef248fa2bd

SHA256
8be51d4e34da7b37ea19bd63fb27ee48ac9ebe4e895aa07247b52f08d2a07ddb

SHA512
40efbd813989f83cf1496096b8077eb3735eb3cda153a2627cdff0b3cfe8075408e34424cee204387f232123508d626e4400e20fdf6ed8c55de2ef169758365c

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
81KB

MD5
d4fac2d4a0f9f6615e0da0ed079f8235

SHA1
c453470661de1268c7843ffa262a5cf1fede19cb

SHA256
4022ff393010ada517d33af1209fc3b48537a55aac53325919621184d9c444c2

SHA512
aff41395fe6d2322eec572a1213462e5f2b8201ae31eae9741e638b128c1c1a55d3d08945a6173e98c623f0e13fcad878b0a4b07903857518cc887720fbb9de8

Download Submit
\Windows\SysWOW64\Hpgakh32.exe

Filesize
81KB

MD5
4a3e4ec59dac99494ff8f8b7877299c3

SHA1
24149f0cfa83f38ea710b86735d46ce79b5cd6bc

SHA256
e07c8e630f113d1bffd9a7e12842f3c0c3dbacf8bba9a7fa965e48efb0005c36

SHA512
fc88cc2156e5de04d7ee5c12613df99565d70702063e49c5584570bba5c9e4b2207eaee36657b4082a722016e4829169e6452403b22fcf94882abeba0fcae9cf

Download Submit
\Windows\SysWOW64\Hpgakh32.exe

Filesize
81KB

MD5
4a3e4ec59dac99494ff8f8b7877299c3

SHA1
24149f0cfa83f38ea710b86735d46ce79b5cd6bc

SHA256
e07c8e630f113d1bffd9a7e12842f3c0c3dbacf8bba9a7fa965e48efb0005c36

SHA512
fc88cc2156e5de04d7ee5c12613df99565d70702063e49c5584570bba5c9e4b2207eaee36657b4082a722016e4829169e6452403b22fcf94882abeba0fcae9cf

Download Submit
\Windows\SysWOW64\Lgbfin32.exe

Filesize
81KB

MD5
1dacb37a5f7d17f7bdfd2b49f5834e53

SHA1
6a997a96decd2e646ed797a3bec0401c73055d2d

SHA256
b551a0346f1a57a254502d8054519ad313afbea88daa64263e3a6e2bd009fc28

SHA512
13ee1ff94fbb251e43aa8904f8946c490e255667f3e453e4131016087f66317db23ca1bb2e5b649ea604545ed7a5579fd94ff8f1f92326e0f52915615ef141d3

Download Submit
\Windows\SysWOW64\Lgbfin32.exe

Filesize
81KB

MD5
1dacb37a5f7d17f7bdfd2b49f5834e53

SHA1
6a997a96decd2e646ed797a3bec0401c73055d2d

SHA256
b551a0346f1a57a254502d8054519ad313afbea88daa64263e3a6e2bd009fc28

SHA512
13ee1ff94fbb251e43aa8904f8946c490e255667f3e453e4131016087f66317db23ca1bb2e5b649ea604545ed7a5579fd94ff8f1f92326e0f52915615ef141d3

Download Submit
\Windows\SysWOW64\Pjlgna32.exe

Filesize
81KB

MD5
445ea5344a82d93ba1ebee68468abeb9

SHA1
26ba398175dae6fbfe8a30723e27054f47a348ef

SHA256
4c627f1f31658b7545dd19b0292a1d005c0265e25aa39a7f7c79d55c5567e658

SHA512
f90a5b8b1d073de6991c5eaae43fd4421a6c10603a76e268e1c4395185716546150a30ec2bb45fbf9c8302bc7e30fa480ddaa24d2befe0a61f0fae91fe28a765

Download Submit
\Windows\SysWOW64\Pjlgna32.exe

Filesize
81KB

MD5
445ea5344a82d93ba1ebee68468abeb9

SHA1
26ba398175dae6fbfe8a30723e27054f47a348ef

SHA256
4c627f1f31658b7545dd19b0292a1d005c0265e25aa39a7f7c79d55c5567e658

SHA512
f90a5b8b1d073de6991c5eaae43fd4421a6c10603a76e268e1c4395185716546150a30ec2bb45fbf9c8302bc7e30fa480ddaa24d2befe0a61f0fae91fe28a765

Download Submit
memory/524-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/524-72-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/772-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-107-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2172-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-53-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2484-45-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2484-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-30-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2780-24-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2780-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-7-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2832-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads