69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Size

192KB
MD5

bae0a9960df892d7151538d58f9de242
SHA1

21a750fd69cb82caa25eb628fe61e329da601cb5
SHA256

69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62
SHA512

4a2f667268e506bd17ac7d7968286568b615b106c772b01b457ed64cdcc628fb57a58e6fcba4968381c7b927587f2e3b8d1665f9920c8c96b75bae2eb54b2480
SSDEEP

3072:PCwSPZmQLcr9JKCBAiyVLf2guEmeFKPD375lHzpa1P2FU6UK7q4+5DbGTO6GQd3H:PC7PZmQGLBAiyVeEmeYr75lHzpaF2e6T

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcfdgiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ennaieib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmafennb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmafennb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe

Executes dropped EXE 36 IoCs

pid	Process
1844	Dcfdgiid.exe
2528	Dmoipopd.exe
2540	Dmafennb.exe
2600	Dcknbh32.exe
2620	Ecmkghcl.exe
2428	Epdkli32.exe
848	Efncicpm.exe
2764	Enihne32.exe
2888	Eecqjpee.exe
2200	Eajaoq32.exe
1916	Ennaieib.exe
2884	Fehjeo32.exe
888	Fcmgfkeg.exe
2348	Faagpp32.exe
1564	Facdeo32.exe
2088	Fjlhneio.exe
1424	Feeiob32.exe
2364	Gfefiemq.exe
2344	Gegfdb32.exe
880	Glaoalkh.exe
2836	Gldkfl32.exe
864	Ghkllmoi.exe
1472	Geolea32.exe
2292	Gogangdc.exe
1456	Ghoegl32.exe
892	Hpkjko32.exe
1740	Hcifgjgc.exe
2032	Hicodd32.exe
3032	Hdhbam32.exe
3040	Hgilchkf.exe
2516	Hlfdkoin.exe
2980	Hacmcfge.exe
2504	Hhmepp32.exe
2016	Ihoafpmp.exe
1984	Iknnbklc.exe
2768	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
112	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
112	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
1844	Dcfdgiid.exe
1844	Dcfdgiid.exe
2528	Dmoipopd.exe
2528	Dmoipopd.exe
2540	Dmafennb.exe
2540	Dmafennb.exe
2600	Dcknbh32.exe
2600	Dcknbh32.exe
2620	Ecmkghcl.exe
2620	Ecmkghcl.exe
2428	Epdkli32.exe
2428	Epdkli32.exe
848	Efncicpm.exe
848	Efncicpm.exe
2764	Enihne32.exe
2764	Enihne32.exe
2888	Eecqjpee.exe
2888	Eecqjpee.exe
2200	Eajaoq32.exe
2200	Eajaoq32.exe
1916	Ennaieib.exe
1916	Ennaieib.exe
2884	Fehjeo32.exe
2884	Fehjeo32.exe
888	Fcmgfkeg.exe
888	Fcmgfkeg.exe
2348	Faagpp32.exe
2348	Faagpp32.exe
1564	Facdeo32.exe
1564	Facdeo32.exe
2088	Fjlhneio.exe
2088	Fjlhneio.exe
1424	Feeiob32.exe
1424	Feeiob32.exe
2364	Gfefiemq.exe
2364	Gfefiemq.exe
2344	Gegfdb32.exe
2344	Gegfdb32.exe
880	Glaoalkh.exe
880	Glaoalkh.exe
2836	Gldkfl32.exe
2836	Gldkfl32.exe
864	Ghkllmoi.exe
864	Ghkllmoi.exe
1472	Geolea32.exe
1472	Geolea32.exe
2292	Gogangdc.exe
2292	Gogangdc.exe
1456	Ghoegl32.exe
1456	Ghoegl32.exe
892	Hpkjko32.exe
892	Hpkjko32.exe
1740	Hcifgjgc.exe
1740	Hcifgjgc.exe
2032	Hicodd32.exe
2032	Hicodd32.exe
3032	Hdhbam32.exe
3032	Hdhbam32.exe
3040	Hgilchkf.exe
3040	Hgilchkf.exe
2516	Hlfdkoin.exe
2516	Hlfdkoin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Glpjaf32.dll	Ecmkghcl.exe
File created	C:\Windows\SysWOW64\Facdeo32.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Eajaoq32.exe	Eecqjpee.exe
File created	C:\Windows\SysWOW64\Dlgohm32.dll	Ennaieib.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Dmafennb.exe	Dmoipopd.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ennaieib.exe	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Dcfdgiid.exe	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Fkahhbbj.dll	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Dcknbh32.exe	Dmafennb.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Ecmkghcl.exe	Dcknbh32.exe
File opened for modification	C:\Windows\SysWOW64\Epdkli32.exe	Ecmkghcl.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ennaieib.exe
File created	C:\Windows\SysWOW64\Lgahch32.dll	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Dmoipopd.exe	Dcfdgiid.exe
File opened for modification	C:\Windows\SysWOW64\Eecqjpee.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Ljenlcfa.dll	Dcknbh32.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Faagpp32.exe	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Dcknbh32.exe	Dmafennb.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Dmoipopd.exe	Dcfdgiid.exe
File created	C:\Windows\SysWOW64\Pafagk32.dll	Dmafennb.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Faagpp32.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Lkojpojq.dll	Epdkli32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fehjeo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	2768	WerFault.exe	63

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll"	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcknbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eecqjpee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eecqjpee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll"	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll"	Dcknbh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1844	112	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe	28
PID 112 wrote to memory of 1844	112	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe	28
PID 112 wrote to memory of 1844	112	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe	28
PID 112 wrote to memory of 1844	112	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe	28
PID 1844 wrote to memory of 2528	1844	Dcfdgiid.exe	29
PID 1844 wrote to memory of 2528	1844	Dcfdgiid.exe	29
PID 1844 wrote to memory of 2528	1844	Dcfdgiid.exe	29
PID 1844 wrote to memory of 2528	1844	Dcfdgiid.exe	29
PID 2528 wrote to memory of 2540	2528	Dmoipopd.exe	30
PID 2528 wrote to memory of 2540	2528	Dmoipopd.exe	30
PID 2528 wrote to memory of 2540	2528	Dmoipopd.exe	30
PID 2528 wrote to memory of 2540	2528	Dmoipopd.exe	30
PID 2540 wrote to memory of 2600	2540	Dmafennb.exe	31
PID 2540 wrote to memory of 2600	2540	Dmafennb.exe	31
PID 2540 wrote to memory of 2600	2540	Dmafennb.exe	31
PID 2540 wrote to memory of 2600	2540	Dmafennb.exe	31
PID 2600 wrote to memory of 2620	2600	Dcknbh32.exe	32
PID 2600 wrote to memory of 2620	2600	Dcknbh32.exe	32
PID 2600 wrote to memory of 2620	2600	Dcknbh32.exe	32
PID 2600 wrote to memory of 2620	2600	Dcknbh32.exe	32
PID 2620 wrote to memory of 2428	2620	Ecmkghcl.exe	33
PID 2620 wrote to memory of 2428	2620	Ecmkghcl.exe	33
PID 2620 wrote to memory of 2428	2620	Ecmkghcl.exe	33
PID 2620 wrote to memory of 2428	2620	Ecmkghcl.exe	33
PID 2428 wrote to memory of 848	2428	Epdkli32.exe	34
PID 2428 wrote to memory of 848	2428	Epdkli32.exe	34
PID 2428 wrote to memory of 848	2428	Epdkli32.exe	34
PID 2428 wrote to memory of 848	2428	Epdkli32.exe	34
PID 848 wrote to memory of 2764	848	Efncicpm.exe	35
PID 848 wrote to memory of 2764	848	Efncicpm.exe	35
PID 848 wrote to memory of 2764	848	Efncicpm.exe	35
PID 848 wrote to memory of 2764	848	Efncicpm.exe	35
PID 2764 wrote to memory of 2888	2764	Enihne32.exe	36
PID 2764 wrote to memory of 2888	2764	Enihne32.exe	36
PID 2764 wrote to memory of 2888	2764	Enihne32.exe	36
PID 2764 wrote to memory of 2888	2764	Enihne32.exe	36
PID 2888 wrote to memory of 2200	2888	Eecqjpee.exe	37
PID 2888 wrote to memory of 2200	2888	Eecqjpee.exe	37
PID 2888 wrote to memory of 2200	2888	Eecqjpee.exe	37
PID 2888 wrote to memory of 2200	2888	Eecqjpee.exe	37
PID 2200 wrote to memory of 1916	2200	Eajaoq32.exe	38
PID 2200 wrote to memory of 1916	2200	Eajaoq32.exe	38
PID 2200 wrote to memory of 1916	2200	Eajaoq32.exe	38
PID 2200 wrote to memory of 1916	2200	Eajaoq32.exe	38
PID 1916 wrote to memory of 2884	1916	Ennaieib.exe	39
PID 1916 wrote to memory of 2884	1916	Ennaieib.exe	39
PID 1916 wrote to memory of 2884	1916	Ennaieib.exe	39
PID 1916 wrote to memory of 2884	1916	Ennaieib.exe	39
PID 2884 wrote to memory of 888	2884	Fehjeo32.exe	40
PID 2884 wrote to memory of 888	2884	Fehjeo32.exe	40
PID 2884 wrote to memory of 888	2884	Fehjeo32.exe	40
PID 2884 wrote to memory of 888	2884	Fehjeo32.exe	40
PID 888 wrote to memory of 2348	888	Fcmgfkeg.exe	41
PID 888 wrote to memory of 2348	888	Fcmgfkeg.exe	41
PID 888 wrote to memory of 2348	888	Fcmgfkeg.exe	41
PID 888 wrote to memory of 2348	888	Fcmgfkeg.exe	41
PID 2348 wrote to memory of 1564	2348	Faagpp32.exe	42
PID 2348 wrote to memory of 1564	2348	Faagpp32.exe	42
PID 2348 wrote to memory of 1564	2348	Faagpp32.exe	42
PID 2348 wrote to memory of 1564	2348	Faagpp32.exe	42
PID 1564 wrote to memory of 2088	1564	Facdeo32.exe	43
PID 1564 wrote to memory of 2088	1564	Facdeo32.exe	43
PID 1564 wrote to memory of 2088	1564	Facdeo32.exe	43
PID 1564 wrote to memory of 2088	1564	Facdeo32.exe	43

C:\Users\Admin\AppData\Local\Temp\69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
"C:\Users\Admin\AppData\Local\Temp\69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\Dcfdgiid.exe
  C:\Windows\system32\Dcfdgiid.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\Dmoipopd.exe
    C:\Windows\system32\Dmoipopd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\Dmafennb.exe
      C:\Windows\system32\Dmafennb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Dcknbh32.exe
        
        C:\Windows\system32\Dcknbh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Ecmkghcl.exe
        
        C:\Windows\system32\Ecmkghcl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Epdkli32.exe
        
        C:\Windows\system32\Epdkli32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Efncicpm.exe
        
        C:\Windows\system32\Efncicpm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Eecqjpee.exe
        
        C:\Windows\system32\Eecqjpee.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Eajaoq32.exe
        
        C:\Windows\system32\Eajaoq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ennaieib.exe
        
        C:\Windows\system32\Ennaieib.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Fcmgfkeg.exe
        
        C:\Windows\system32\Fcmgfkeg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Faagpp32.exe
        
        C:\Windows\system32\Faagpp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        37⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 140
        38⤵
        Program crash
        
        PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcknbh32.exe

Filesize
192KB

MD5
2aa64ab76e221adc3ed8f0c6f65c24ef

SHA1
323f76faacd9fcd06a66bc452d922678e3877b74

SHA256
36cddc097e1500ffed2a7eb976835d5a7efac9dfa8919ddf7c4f918639e3d442

SHA512
d33a7b4fd48a7083ab48ebac883923ec81ec7596feba00147d175ba85dfb06ae50c9ec0c4dad808c661cd1df0aed90c5fa1cdef872eaa2784fd5df3ebaadabc3

Download Submit
C:\Windows\SysWOW64\Dmafennb.exe

Filesize
192KB

MD5
8386b47a8654ce79fc57b506eab9c3d4

SHA1
fc243fcc4120b9af5e401b1c55fbe0aea0cd117c

SHA256
d6eb4e718a11ed22d26fdbfce0c2eecdeaa6502705777494979fe057dc1362ce

SHA512
6897b738deb7f5dad2ea414b3fa740f8162203e92defde8e0e3b56ba56fd1feef2c034ee99da9150bca99805625b5332e82a425868c2ebaeef4486dcafd283a5

Download Submit
C:\Windows\SysWOW64\Dmoipopd.exe

Filesize
192KB

MD5
a7d28c7511d0b1445898beea2bd564b1

SHA1
260961c1085f4ac30c4d9a21e1c87fbd4455d52a

SHA256
7265f82ca2b4f53b433869cba771a5999084ec2f25ee91d7f5581d3956f8cba6

SHA512
abbc06f4f89fb487522787e1330aadc9bb73fecaf90f6c0828c0940126ad9525fc3f69995a7eded6688ca75fd755318e6843259792ab407468b900587d495607

Download Submit
C:\Windows\SysWOW64\Eajaoq32.exe

Filesize
192KB

MD5
0bfa03649db24777d8940636cc53852d

SHA1
027f1cf29af7e047110a5940490985ca7d01f60c

SHA256
03f5e4e3c4610806851b0b9323fcde63b807052061708f8d802855dc6596b3c6

SHA512
17f65193032d27bbea05d9d8d7e835d56d492126362262e23612aee4ec599af34a90b73480e4716a257db0d36b42298256946f35ce82f4f5878f364a5d86531a

Download Submit
C:\Windows\SysWOW64\Enihne32.exe

Filesize
192KB

MD5
20727635c87b9e9e9d4c9a1855d82eaa

SHA1
1c986e5b9169ed0cc02d2e4152d1bd0fb0fa08be

SHA256
c2f69a6c75e5571daf4e23186e05485f3ce5f395f26b2dca6bd2ad726467c17a

SHA512
5f54c358b4d43ab40907c2d53efeaacfefb74c17c077870fe9fa8fb9f37f6631fd3d9774c0f06d9aa3330f6879f39183179a017d91686d2f45375bebbae570f6

Download Submit
C:\Windows\SysWOW64\Faagpp32.exe

Filesize
192KB

MD5
bcfb3d82df9b98063d1cd1cd3fac1632

SHA1
7e6b7f2239ad67bccd842d3fa7b4df850d3da6bb

SHA256
92f7161768fb58a9eff6aecaabf8b3a0e593446e3cc5b3fcda4e0ce91eaaa47c

SHA512
a8e2add4852cc161dacc4e005adce69f3c2633288a3769e5261ce25bf5be5f75f8400fd75d6daab86c942efc8ddd3f7c2a7afa6b3fe42c656fd491c53a728686

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
192KB

MD5
c8f323e0042f1deb80348ba790c948da

SHA1
ee8fbe2ca97454e104212347036841803bab2f59

SHA256
c75f95e2a9f95f449d69fd026f49e5ea8b6adad24c86a73fd0606915b2ba8088

SHA512
a785d78dec479143559cbda869d98360b0d18bbca2c96e425360321ced67d1bc9de70bce84fea5cd658fcbf5588c8a2745f49b7e61242cfa4ae14c379a90e6ff

Download Submit
C:\Windows\SysWOW64\Fjlhneio.exe

Filesize
192KB

MD5
854bc034b548996069b3c2e4bbb91fa2

SHA1
f6ea2d1596f5c838c8eb0ae3b7a1f16409dddba2

SHA256
615fb528a29249f11cb35561553454b95bc038309d89da7c869196c3877b23eb

SHA512
97b6945efe3b5e30dfba73e179bdd5dd13a9eca22eaf02ff5d90ff71fb708c5a0de753bb932b6d619190dc2c1cdca1284a77cac98f13d7bc09c7f0fd8f794895

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
192KB

MD5
7b65a41d23b238a0be8277a5ffa2eb43

SHA1
5a6315b6f3932093e2887f65e68a58c197919d7f

SHA256
e15bc402c420012bd227e2e52d1c12569dbbd45de661a4bf62a010dbad5806b3

SHA512
c870e152772e2a9e2aa831d5022b1381a3160e4869f1c522f1ba2d6dc8cf96f58f5db31d410118be83e3572db07ea78281349dc2e275146f96a4b9f17b306612

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
192KB

MD5
e3ac6b3b11da256312dbbb82089acccd

SHA1
a1ea5fe2be2726248487a43e1e1f28647dc585ec

SHA256
2053b9bfab721410fd4e706b6800c402a4ddb3fa9a5ce36f49903ba2568ca412

SHA512
60d2901012d1cb1be14b1eba6a41d36e65e6812a162c6b738eea96a4cd16351cab4807aec00629723bf73d46fedb42a69eea06d41c688e3fccc6fd0227c0b905

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
192KB

MD5
1e1c3826c7ad9320acf0ffc8e3ec2f21

SHA1
236d6ebdd4656df409e9c97cda72cdff2cd6864b

SHA256
579e89495408e282c2d464f62c8c1470ed8319d56a9a405109553eeb6923e1c8

SHA512
db36f7f37b89932dc8cd468f7246062a1d342b14c888f0481f9c5554a2bb81b4321048861b8718f1a8bf473aa51857048d2fa245efbd70c46b46f3d123034790

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
192KB

MD5
a837109eb62df771b6dfb2d47b77f864

SHA1
888a063642524e85335f68c85abceaa8a5409e96

SHA256
748cc18f73f1324ab72e9ebdb5a78aae5a43b801fce69315d4d3d09d9399370b

SHA512
0d40ecbcb94806bc1f90168ed360ae51590e91269fc20d88974f48bf3fe43e7f12faaaddbd638cb737efa97b60a3dde91c1ff15fd849be1a31f345630a8f0b78

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
192KB

MD5
62d113435035c0f35c3fd5671c7dda86

SHA1
939359be962021d73387595ccd4369ad0635e46c

SHA256
550293c627b7ab6d17971afa0c04b7f18aa14f796b904db42e4a33c6e6b43a97

SHA512
27fd3abb6a00d20a4c62b4122bfb2151531ae210c46c7870802876df4a93366a8c14a56be52247b55d2c9be3e8fe055e9c71704917a846eb7d93722f1788953c

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
192KB

MD5
98e5d72120143d78f77942fdbfc87c17

SHA1
6db33ed690ba73cef2e43f71ac86def433b81639

SHA256
d615c311a1e3cc07eb117e05acfe9356e1e317f432a70628860a4a8603d98f2c

SHA512
cb39df345aa43b5ec6524ddeaed4ef79fb08a245bc778a6ab848a38175a6b6d3a14275b4de6b3b31666cd1264eacc4d0a8ac7788aa891b3577c0b6b62b06e780

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
192KB

MD5
da13440e2afe4c7ed0390ceea7a51fad

SHA1
ae8963d5c0d180f3fc7cfbaea7b3f340b1e60bc9

SHA256
2c7be9c9e913b6c921b3cb6c716ae47b881a392b3a444fe2c5828d1ed58b39ec

SHA512
2bffcc4b22fb446656ff928f3cb61e4fa1af5db16fba04d9a86e9dc18f807115b1fddf7010bfab46bc5a6ecba017dafc50fc413a90636d63a1d31993ffe83e57

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
192KB

MD5
78be3398b0b13dd09dc07bd53548aa42

SHA1
dcea651a5a2fa7984efd07bdfc92b3ee754c4542

SHA256
87e24363a8311572f0eb2d5231c6a9ae95b4ce46aad7f3381ebe280c107e60e9

SHA512
b9238ff4893a2137195063b3ec066b0e070614089d8439724bcb2f91dfa2a2854e1442bff9bcc5b332cf311e53b7f0006d275505b1b54e9173de1f92fdd3e816

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
192KB

MD5
cfa9dc1dd1b06085e7dca390a63cfaf1

SHA1
0f76efed04c7b7e6748c63eedb62afc34e717e21

SHA256
f587e4a9d8f71ff8524ebd6e6a8928a0cb78faca36abca412eaa039899c84881

SHA512
37be7bdcc0fb00322c069f51be6aabf3ca5dedc9ff5cc7165e7897ab88d39095c984f3d6470a13aac1db567d0c7106f2291fc98de84626caf0990500a3c1f1e6

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
192KB

MD5
101f857dbda049a9d1974fc397d7d618

SHA1
23a7b66c75b49ed426f1ae2d1eb7336b5867a081

SHA256
af88ac2709944d1773a466d9a291f59c3e19c6b9892b1aab79969a74ae4a8d08

SHA512
9f9f429e8d89086389d260cf819687d4ea3ecd3ba7a648024a915637cbad1ef9ea4a7f7440de8e1f30ca303e64f474639412ff2d7a4e50b5f84825553c5d938f

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
192KB

MD5
fd3eee30a717a512d0fd90cf08863862

SHA1
651d7e722cec08dd82dcd50e9b4d97ceb5166fe0

SHA256
b32e3b847e569d09b06479f5ceed815a6480b9dc42724a4d21c9ee5b0c6471b4

SHA512
4814bef0685daaaeac6f9609fd26deff996ad6188e766f448c51acc21180fc445dcefd2d17c07e1a40d40a62097c21ee0e71d1d8360b709131cffddea7a90681

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
192KB

MD5
d4acf907d5f0f362f9959e13b0f6d6f5

SHA1
7845b53cbb516f516b0e60f9fdcf2538b4840e1a

SHA256
4d826b9d580d7d9d436f8fc04026bc2c1ef7dcc517aedaf28b5a04ff667e9042

SHA512
fa521acd36ca182e10961795fa4eb2db44ad433b8056d922d0b877a74a520c4d4f48503174c0b5d9752cdd939404cffcf6dc25388be96fddf206d7afdb22f6ff

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
192KB

MD5
3e398183b1272cb27737e07d56ec69fd

SHA1
c8b9050fd4db1e0af765ef6630df45f8d20d9af3

SHA256
fbac1d82c99a804a21873e5faf0ea4f07c51fa2ec3c09a0e2c6eb8ea0047b7a4

SHA512
bca97e25c8d2b931793a12724d85612d19c548bcba95f6253da3c498be02c995dc85dd84483aacdc6000c7cd6285baf3ab22944fb40ad0b801cba1ce3922e4d3

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
192KB

MD5
b61f6b6e4299d5ad974b24411030deb7

SHA1
444b6585428a9abe286d573e8f921a01840ff7b0

SHA256
f215e586aa2957f11be352dfdc0e8b7e693f92677ec18a4cb2128f3db74f4491

SHA512
0f53666d5e4e865d8c3f1301ccafd84b8117afec54b435125259ecfa4fee62f755ed8f6e8dfa47aa33a14de0074b6364bed085909628df001f0e249f49412f01

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
192KB

MD5
ffb1b0d628dd45caf14c01bc2dce09a6

SHA1
6daa2d6390997fda9ff10c39f750882892139a86

SHA256
d7a03abd2ec7d9f215bd7c3b0776ffe776bf3c400c644066a733dc2dbc4a6aab

SHA512
f50cbd369a0b5724917bb6a5d975b54c62c9ec6ee34b1c597ddb901fd0185e105d0305b65af1120a4b443d16d33174d94c242a0b7047dd325c98d555266ce63d

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
192KB

MD5
7ceb047a6c235b668b8140e7fd66a15f

SHA1
b4a3d125f6654d7e8678e693a1d4fe439022589c

SHA256
2684b8ac7c646fc41250cf96408460fee0671bdbd07e1cdfbf80f38e3947b98b

SHA512
97d668d82e9ff82a5df8b1d754a2717fec3f81141f0f667701902b4bf1f98ff9814dc5ff9f3b8d5a2f6ab0e5071a19da029fa23789f18ee83964d7494dc5a441

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
192KB

MD5
0b5c6545d535d51c6652e55f74f4d44b

SHA1
aefbeb7c4fa9f06a919055bf9b82d4a49e47064b

SHA256
00d0b99d7c5b0a16c9d3bae3f38a3716fec076f1472783af8a8287c573233dfe

SHA512
50939f3d753c2c2ec5f257f16bd682c8a44f7e254156f9b7d0f380b48fe4522316d76ab0026f8e2022d72cf4deebb40a6b216e926bb9d5498ddd9ba10f2a34a3

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
192KB

MD5
176bd6d0557972da2b80a0d5eb0b42ab

SHA1
1ee6ed87cec890739867225a476ba7102eeaab66

SHA256
dfc127733a836df8d2825504739b79c3507e6ab1518088e2810d5dd38d86e6a3

SHA512
5964524e87e919d1d4ab4955225a41207e4aad946dd6c315d39624f6256082b1ddb03db2dbfd9f66f5bf84e6e84b012a5ffbdddf1f208d6a4f95c226f81ba23f

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
192KB

MD5
599c1e8afbc695808d74036255a220a4

SHA1
1a30427c98a3b767d8333ad34521f6e9a968358e

SHA256
a8ed33cf76ba930f8351ff1e6aadcdcb50b04b6acf6967bf2e6869d5bd648e98

SHA512
a63700e06d865b9a69276e9512883d91a9745c761493e80a443dd283635f4eb50b2704313b92e8a7b106678b1d8606f8404213e183adfa87c5f790eddbb1cf0b

Download Submit
C:\Windows\SysWOW64\Ljenlcfa.dll

Filesize
7KB

MD5
07132ffd5920b6f9b663ce1216ed061d

SHA1
a4767a30120bf53fb45b5cd94b117b32eab577cf

SHA256
40eab2533fb4721beedc4cecf357db5541d8b711c10b1ac02e3f23e86f2f25aa

SHA512
ffa57168cc5bc06d70e104544ec7b4cacc5f1fd1228f07d74c0f9615225fa69151c3c285eeef481b2d968cce2a8071116fbb852493eccc1cd1fbe6aadbb71c25

Download Submit
\Windows\SysWOW64\Dcfdgiid.exe

Filesize
192KB

MD5
4833bc28d6fdc0acb0eaf474363d0c81

SHA1
bdc464bd61d2a802ec68ba1318b1578ef650e5bc

SHA256
ddf89f004f6c176935e6a65aa90fe067d418813c83db0199a421dd26f0eaf952

SHA512
73cf37ecfe2de5ba3e6047368f97f2b323d34d3fb98b7860f54eb14177cf50c737ee8ffc106023851965d1d6f4d34360bca6280e60a8c17a05abce9cde5d52b9

Download Submit
\Windows\SysWOW64\Ecmkghcl.exe

Filesize
192KB

MD5
52ac7f9c0f4ad178f0c09e07a0ae03ce

SHA1
719c350cb3e1f3c5d0ff215d210aff8fd62baac9

SHA256
a171f4a941cd7a15384ed9f42bf771796dfb823098ad965c76f7036b3e17ec0e

SHA512
2ccd1c48025f5a451ca693f370ac4e0e09c0dd2a0e280ba44310dd7606e85476a00c237f6a3bbb524382055a7362fa18e957386d9bc53cc50615658eb8f95d0d

Download Submit
\Windows\SysWOW64\Eecqjpee.exe

Filesize
192KB

MD5
552d90eb41c5cfa3e7aa474fa37e1ec8

SHA1
3aa4508cc528742bc1933debe1505a1b63691cd7

SHA256
0263492c20e9debc7986b1482d4a4f00be4c32e0f67b3ba1a07884fdb6c3400c

SHA512
34ec3d334d46eae44e1506b8c84b90c45bc1f98aeac8bdf2354a1d3b7468dfe2d19a0139d085a8969875b18a8b033d760b9ea0a626945f6adc9933abec1d308d

Download Submit
\Windows\SysWOW64\Efncicpm.exe

Filesize
192KB

MD5
9f0c80b716586d61c414bc93c4639459

SHA1
5848d69a65d67c72dd2628de36b6340548ac7c75

SHA256
f7a656e95463da2bc8409ef151bdf55ff0abce48fdb362e54aee5a9ee9b36e8e

SHA512
51c963ef550c7f262aaaddac199e90f3192cd356cf1271413789a03d73e02df7bfa6ddd73f3bef19d874f38f6f70c8667c73c5671bf5290fe9c569abe266c45f

Download Submit
\Windows\SysWOW64\Ennaieib.exe

Filesize
192KB

MD5
ca03291d64fb604965a7ffb1e33ca476

SHA1
79ade9ea4e8fd045773185398b39ced2ca7bf477

SHA256
4ebd15fadab16411538d06943419074f819dd1012615553664f20b1885a19912

SHA512
259e1c0b9e1cf6e590b53789ab35dcd95124a4e8da29469b9cd8c6fe506929ba48e51d69c40c2595c4049bd26d8313ca847dc955c15d6ecb4f68c65cf92d2451

Download Submit
\Windows\SysWOW64\Epdkli32.exe

Filesize
192KB

MD5
6f5cb8c5daec5e31e0557818a9ceba1a

SHA1
3dfe4782784b94ae73062a23e0398a0d74f932bf

SHA256
d33f50b7ab18f04048fe806d24b59d964391c6cecd48b2e2acd47a1844ba792d

SHA512
111b5ead65bd27104af06977d22b14e229f6917aa7203411f3898c508b7ccb0992dda80f2a6a78e8d5d521d23cd9d60b0b082b6a72a1320aaeecb381c613fb95

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
192KB

MD5
46202afa30dcc2baeb766254a84d4b28

SHA1
e3531c150bf052d3e5fb4f7ed00ce51c8384b59f

SHA256
2dc4250fa70e585287008fd51c3b5c2c19f0e9cbe4c7523d52c5d41d3c01c73b

SHA512
59ebcd342704b4c3f5ccadb204088719a9f66dfd5b40a21b674f6b2b9ad7926644ed76b8a44e4d44be43a72e0dace17515a1ba861dc61253aca8cd47e59048cc

Download Submit
\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
192KB

MD5
4e65a6772a90d53f88a42a6cb73e1b9f

SHA1
427f0ed86ab728378c251f79b3c083ebff5f8e22

SHA256
04090754b106da46ade8cc0e68806f6319efecc5dc1ebaf995d198abc82c36d4

SHA512
9be5b824da4627947a7755c01bf0444293e365c8dd65f709aa84329c25bbddcea04410a20f07237f71323fa1e401d0c90e604b29e710e917125fe9fde7218a01

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
192KB

MD5
36eaea9b41efdefcc14d53afbac062b0

SHA1
d84e69aa80b43c84ae9167f2b5b0a8d4131ce910

SHA256
ecbac43d2be6bb57e5d9507c99be7ee36a144794dcde1f9567dfddc6f9b8fccd

SHA512
0cbb12040113d37380d38451c00fa9994cb3390a0c60886f51b4dc2f3b25583d456dbea74b1d5f58b741e461a6421d0dfe0a1f959068b68fef11c5f2f368ed08

Download Submit
memory/112-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/112-6-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/848-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/864-290-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/864-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/864-285-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/880-269-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/880-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-263-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/888-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/892-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/892-326-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/892-344-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/1424-230-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1424-239-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1456-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-317-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1456-342-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1472-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-300-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1472-302-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1564-198-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1740-340-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1740-345-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1740-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-26-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1844-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-351-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2032-350-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2032-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-218-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2088-211-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-311-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2344-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-250-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2344-258-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2348-192-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2348-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-245-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2364-256-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2428-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-387-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2516-386-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2528-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-60-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2600-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-118-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2764-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-275-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2836-271-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2836-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-361-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/3032-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-375-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/3040-371-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/3040-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads