188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Size

1020KB
MD5

1f0af073a0f2af8e787f0a64abe51723
SHA1

770bb14e5e849a760271d86299f1e821cfbeb319
SHA256

188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee
SHA512

3a4bc42bc056b6706d1d90fa719c838764a553f736a0e4acae4df6b8511e9073514180b09834b57fddb757c98850568d8955b471987c990ddd6130da555cabd9
SSDEEP

24576:82mHxfyvzecrHPh2kkkkK4kXkkkkkkkkhLX3a20R0i:82mHxfyvKcrXbazR0i

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe

Executes dropped EXE 25 IoCs

pid	Process
1740	Dmoipopd.exe
2312	Ejgcdb32.exe
2716	Ekklaj32.exe
2632	Fjdbnf32.exe
2464	Fjgoce32.exe
2456	Gpknlk32.exe
1992	Glaoalkh.exe
2816	Gbkgnfbd.exe
1628	Gobgcg32.exe
1976	Hicodd32.exe
1664	Hpmgqnfl.exe
2680	Hckcmjep.exe
1584	Hejoiedd.exe
776	Hlcgeo32.exe
3040	Hcnpbi32.exe
2916	Hellne32.exe
756	Hlfdkoin.exe
1492	Hcplhi32.exe
1608	Hjjddchg.exe
1676	Hlhaqogk.exe
1084	Icbimi32.exe
836	Ieqeidnl.exe
1648	Ihoafpmp.exe
1868	Ioijbj32.exe
2056	Iagfoe32.exe

Loads dropped DLL 54 IoCs

pid	Process
2752	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
2752	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
1740	Dmoipopd.exe
1740	Dmoipopd.exe
2312	Ejgcdb32.exe
2312	Ejgcdb32.exe
2716	Ekklaj32.exe
2716	Ekklaj32.exe
2632	Fjdbnf32.exe
2632	Fjdbnf32.exe
2464	Fjgoce32.exe
2464	Fjgoce32.exe
2456	Gpknlk32.exe
2456	Gpknlk32.exe
1992	Glaoalkh.exe
1992	Glaoalkh.exe
2816	Gbkgnfbd.exe
2816	Gbkgnfbd.exe
1628	Gobgcg32.exe
1628	Gobgcg32.exe
1976	Hicodd32.exe
1976	Hicodd32.exe
1664	Hpmgqnfl.exe
1664	Hpmgqnfl.exe
2680	Hckcmjep.exe
2680	Hckcmjep.exe
1584	Hejoiedd.exe
1584	Hejoiedd.exe
776	Hlcgeo32.exe
776	Hlcgeo32.exe
3040	Hcnpbi32.exe
3040	Hcnpbi32.exe
2916	Hellne32.exe
2916	Hellne32.exe
756	Hlfdkoin.exe
756	Hlfdkoin.exe
1492	Hcplhi32.exe
1492	Hcplhi32.exe
1608	Hjjddchg.exe
1608	Hjjddchg.exe
1676	Hlhaqogk.exe
1676	Hlhaqogk.exe
1084	Icbimi32.exe
1084	Icbimi32.exe
836	Ieqeidnl.exe
836	Ieqeidnl.exe
1648	Ihoafpmp.exe
1648	Ihoafpmp.exe
1868	Ioijbj32.exe
1868	Ioijbj32.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Ejgcdb32.exe	Dmoipopd.exe
File created	C:\Windows\SysWOW64\Njqaac32.dll	Dmoipopd.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Dchfknpg.dll	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Naeqjnho.dll	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Ekklaj32.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Maphhihi.dll	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Fjdbnf32.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Dmoipopd.exe	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Fjdbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ejgcdb32.exe	Dmoipopd.exe
File created	C:\Windows\SysWOW64\Ekklaj32.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Dmoipopd.exe	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Fjdbnf32.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe

Program crash 1 IoCs

pid	pid_target	Process
916	2056	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1740	2752	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe	28
PID 2752 wrote to memory of 1740	2752	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe	28
PID 2752 wrote to memory of 1740	2752	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe	28
PID 2752 wrote to memory of 1740	2752	188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe	28
PID 1740 wrote to memory of 2312	1740	Dmoipopd.exe	29
PID 1740 wrote to memory of 2312	1740	Dmoipopd.exe	29
PID 1740 wrote to memory of 2312	1740	Dmoipopd.exe	29
PID 1740 wrote to memory of 2312	1740	Dmoipopd.exe	29
PID 2312 wrote to memory of 2716	2312	Ejgcdb32.exe	30
PID 2312 wrote to memory of 2716	2312	Ejgcdb32.exe	30
PID 2312 wrote to memory of 2716	2312	Ejgcdb32.exe	30
PID 2312 wrote to memory of 2716	2312	Ejgcdb32.exe	30
PID 2716 wrote to memory of 2632	2716	Ekklaj32.exe	31
PID 2716 wrote to memory of 2632	2716	Ekklaj32.exe	31
PID 2716 wrote to memory of 2632	2716	Ekklaj32.exe	31
PID 2716 wrote to memory of 2632	2716	Ekklaj32.exe	31
PID 2632 wrote to memory of 2464	2632	Fjdbnf32.exe	32
PID 2632 wrote to memory of 2464	2632	Fjdbnf32.exe	32
PID 2632 wrote to memory of 2464	2632	Fjdbnf32.exe	32
PID 2632 wrote to memory of 2464	2632	Fjdbnf32.exe	32
PID 2464 wrote to memory of 2456	2464	Fjgoce32.exe	33
PID 2464 wrote to memory of 2456	2464	Fjgoce32.exe	33
PID 2464 wrote to memory of 2456	2464	Fjgoce32.exe	33
PID 2464 wrote to memory of 2456	2464	Fjgoce32.exe	33
PID 2456 wrote to memory of 1992	2456	Gpknlk32.exe	34
PID 2456 wrote to memory of 1992	2456	Gpknlk32.exe	34
PID 2456 wrote to memory of 1992	2456	Gpknlk32.exe	34
PID 2456 wrote to memory of 1992	2456	Gpknlk32.exe	34
PID 1992 wrote to memory of 2816	1992	Glaoalkh.exe	35
PID 1992 wrote to memory of 2816	1992	Glaoalkh.exe	35
PID 1992 wrote to memory of 2816	1992	Glaoalkh.exe	35
PID 1992 wrote to memory of 2816	1992	Glaoalkh.exe	35
PID 2816 wrote to memory of 1628	2816	Gbkgnfbd.exe	36
PID 2816 wrote to memory of 1628	2816	Gbkgnfbd.exe	36
PID 2816 wrote to memory of 1628	2816	Gbkgnfbd.exe	36
PID 2816 wrote to memory of 1628	2816	Gbkgnfbd.exe	36
PID 1628 wrote to memory of 1976	1628	Gobgcg32.exe	37
PID 1628 wrote to memory of 1976	1628	Gobgcg32.exe	37
PID 1628 wrote to memory of 1976	1628	Gobgcg32.exe	37
PID 1628 wrote to memory of 1976	1628	Gobgcg32.exe	37
PID 1976 wrote to memory of 1664	1976	Hicodd32.exe	38
PID 1976 wrote to memory of 1664	1976	Hicodd32.exe	38
PID 1976 wrote to memory of 1664	1976	Hicodd32.exe	38
PID 1976 wrote to memory of 1664	1976	Hicodd32.exe	38
PID 1664 wrote to memory of 2680	1664	Hpmgqnfl.exe	39
PID 1664 wrote to memory of 2680	1664	Hpmgqnfl.exe	39
PID 1664 wrote to memory of 2680	1664	Hpmgqnfl.exe	39
PID 1664 wrote to memory of 2680	1664	Hpmgqnfl.exe	39
PID 2680 wrote to memory of 1584	2680	Hckcmjep.exe	40
PID 2680 wrote to memory of 1584	2680	Hckcmjep.exe	40
PID 2680 wrote to memory of 1584	2680	Hckcmjep.exe	40
PID 2680 wrote to memory of 1584	2680	Hckcmjep.exe	40
PID 1584 wrote to memory of 776	1584	Hejoiedd.exe	41
PID 1584 wrote to memory of 776	1584	Hejoiedd.exe	41
PID 1584 wrote to memory of 776	1584	Hejoiedd.exe	41
PID 1584 wrote to memory of 776	1584	Hejoiedd.exe	41
PID 776 wrote to memory of 3040	776	Hlcgeo32.exe	42
PID 776 wrote to memory of 3040	776	Hlcgeo32.exe	42
PID 776 wrote to memory of 3040	776	Hlcgeo32.exe	42
PID 776 wrote to memory of 3040	776	Hlcgeo32.exe	42
PID 3040 wrote to memory of 2916	3040	Hcnpbi32.exe	43
PID 3040 wrote to memory of 2916	3040	Hcnpbi32.exe	43
PID 3040 wrote to memory of 2916	3040	Hcnpbi32.exe	43
PID 3040 wrote to memory of 2916	3040	Hcnpbi32.exe	43

C:\Users\Admin\AppData\Local\Temp\188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe
"C:\Users\Admin\AppData\Local\Temp\188a936b3248f07d9e90aeb7f7bd882979e3f012fb8aad338e19bdaff9ff1dee.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Dmoipopd.exe
  C:\Windows\system32\Dmoipopd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\Ejgcdb32.exe
    C:\Windows\system32\Ejgcdb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Ekklaj32.exe
      C:\Windows\system32\Ekklaj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Fjdbnf32.exe
        
        C:\Windows\system32\Fjdbnf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        26⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fjdbnf32.exe

Filesize
1020KB

MD5
6cc36583bed605ab74c5ab724dc86da8

SHA1
77c1bd91598b8bb3c62bf06fbd43d7ce44bc1ed0

SHA256
4998c4c1c763c5514eb545f7c0b2ce2d5dbaeab8f42bc3f35b5586e072d4ba77

SHA512
c596b94a8d737c9df27887eb8894e5a370b629135dc5df19ca0da658e517cc89364e5f30b58acbff551229d1547d45f099200f9e9d4316eb97ce0f1db8ea6559

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
832KB

MD5
5d01f35374d482832b705a8ac3ad07b9

SHA1
acc934c99f8589fcceff925bbafef68f21210f01

SHA256
0e9fa866c47a2351af31744738aae050aa89efe4a22780aa5fcc3bbc3ef0b3fc

SHA512
3db52d7d2d67a008d8a0de4d51661663f15048090d44bcdce6e16bd6e2debe8846347ff08bddb07e4e14a19e72bacd2e579f8343bfd3df0f3ede3a51e61b770a

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
8KB

MD5
1f2d2994a45c29b178e3ebb1c7d8c0ba

SHA1
02541c0aeb2fdfe3eab9b6b56ba8069ec0006d54

SHA256
27153229bb3d0d088e4123a0fbf249ea6e66642d99d4749f7c22747739323cf6

SHA512
81541bb23ff826447b988c30a654a9abe85a70e17aa179eebabcbff783f2ae8f8cc0698b0f5f40fe56537edbf61f929755308b54e669c06ab00438bd2fa71c39

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
1020KB

MD5
411eb0926bee8870f398959243f5ffdc

SHA1
affc68e88d72471bb5aeae930ac1a1198e49eb25

SHA256
3267d1de12030857362459354c2f2e7619c05f1ec24a67389a807bc66683040f

SHA512
e1affaf0a9c3bfb4c2bb10dc9a3005d1a7cfb66d7e920bb8e9fa74330925dd1a6fe75bff9605bad067009b177a0a8c8d669cc297f22901c05b3fbf13b4dc2b16

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
896KB

MD5
d3c2891bd99bc6927b56aa20abe00b5e

SHA1
ba1411466127c1ce39c03d78de5146e405bf11cc

SHA256
f95ae6550196dc50678906263232910c5c1eca337d5b5aaa7599d30a2b59d5cd

SHA512
2b283db9fd91503ff481cc6bb1105acb191b0bc56874cc6b88fcf2ef6e23ea901290ea5fa28c2c1c5d8fc89c00774bc631df8b26a75aca7bff0a9301a6f2fe13

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
1020KB

MD5
831f5cef5e3551955b36976c33fda726

SHA1
b5553e4037aba4612bdc2d6aa87fe38255432c0a

SHA256
3f14e0436ea60154096d43308b3125b6148fbcca0baa6f28d311b3550d07be6e

SHA512
17af20ed35e954b2553a7aae286402825a9ecaee6749ee85263a6476581d3aae5cc0cca9d52d1444f0a1b66a3c315f56802319823a3357102eb1ce35de5e1fc7

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
384KB

MD5
32363ea2a76f4806a08f013e439f2756

SHA1
2f57dca49d5b5333435a44d9a4640f34e0361d64

SHA256
70de22813f685e43f2d12a1c38e761794d6b9cc023dac5a87f9fdcb65a7750b4

SHA512
e02fea68ee1f8675b2520c202edfd27990d7a290b471ae2c838b7ceea1a28eeb96ceb61ba0e2d771024a31813975296ace3189f294a3bd91d9444f3f66702ec0

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
64KB

MD5
245848a374245530102b20967a8135b7

SHA1
536ab940affd41099d4f328abaae9cf774d18b76

SHA256
e171031bbab36f151256285c0e9bafd8be49d702dbef3530803e877bf4e1ae90

SHA512
0aa82545d9a2097a84d0d91e24c39fd583e10d0b9542afe94b80b8428f99ca9ee075547aaca8e9f739ee9c82d39aa57fe4bfa8ef3eeb4b8aef66cc1b7e228a7c

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
896KB

MD5
a3291e9a8c0dce36ab7d0074bf93ba91

SHA1
7b5d88069b2b4ef363134691ad277a7259dc221d

SHA256
039e8c75310aca694db68d0cb517a8017e59062b97b963aa4a911936c81b11ad

SHA512
469e33022616fd1b65886b19bb3c7e2567515d436b3f81b3b8d43c15bd5d784e56a7bd3895a5cb79e87dedf3e0ff17ff1152b06da832c253c37c3439bdd4becd

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
1020KB

MD5
3f46db5a07c8b9546683e4d4ae94b8a6

SHA1
196bef3a90a6c348d050c1ab35b7d82885683694

SHA256
b987101a941f532e4794bb112e0a9348c1195e815bf7162360d3d0b8b805f5a9

SHA512
45ecaba505e138a941a209db9574f167a495be1d6e7196f2b6f7eae48efe70db95a210895d67b2e56e3901e87f732c285039afe2242e45416a940ec70e6ed2df

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
512KB

MD5
291b8311dd2195f2e3c025c43862f895

SHA1
1a02b519741a15a8f2bfa076cfa0414beb338bf8

SHA256
1e4e47b195708ea2f8dcce454dc9cf3b75657edf53c20decacb96f4ae2c7b3d9

SHA512
b04c876b1ea23b5ccbc2803d409d9f8522ac580e0d42a5885cce24b643ffc93dac390324d74f7d0797958dc8f500ef21b2c6e0687408d98e0039537f97adfd28

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
1020KB

MD5
736864922abd3107944cee307935bffb

SHA1
74aaaba644d1008df8f98fffd47ed5ab6334b102

SHA256
b1d39d5f5da7cc2a49400bef8f1033504d0fb8267d8fde068115695a663d5fb8

SHA512
9485cd8940b688916c7864a30044f167b1ba11c36485d3557a6c762fd6b3e290c84414b558abaabc3be00da832f6804e42f710ad50f7e8509c1935c89685f509

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
1020KB

MD5
3b81fdbb1a5427679fdb7ea053007438

SHA1
fb8bee34aeae4f29705029715fb6a0dfca201278

SHA256
b10646150398eee8776aaaf9c8f66f7c8dc1144b5a6a9a811c1e9a39d8d99d40

SHA512
0e0121389f8f9b69087c0fe081058fc7f109ca0e840bdc9d494ff4ba8ca7c65d90048a5dc751b866584223849cfdacb99cc522168a90c40bb602adaf6f5cb40f

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
1020KB

MD5
756f178b4ab51be95fdef3db5858ea2c

SHA1
34b3fd041e4c3980472a2caff7b95997676ceb1f

SHA256
193ee109abff6945b91f46a1edcbd513b1ee5914e68141002a1639266cffe9f3

SHA512
eb424a6fc562788fde5e8ec029f78636fb4b8853466cd27647dcffa0414f2ad2ed8c32749e00597f12e74033beeeca80a40d7969e0970c46d36cd0337a07d970

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
384KB

MD5
d3a2277c6df53d9870e9d0104686525f

SHA1
3c0ad415d09971e2b6598ef20ba7f82c2845d802

SHA256
f65f9ce00d55be68d0c5210e2a319f09254440ef3a1a843cccc16161f4696c0a

SHA512
e5b390ea2d10a0214b35ccaf6299d30feeba44ad241c905d18d1e1af85b6bd95b76ffd8b937d106e092a2978320fe8d1fef6c20db5edbf20683dd6dc44992afd

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
1020KB

MD5
04e4c7aa8fbe1de3a789a8571879535a

SHA1
7fc91cf3e735148638eb9b1e1c6f8b3a5e022c48

SHA256
ddb6b336a7d23582d2a936d62af7f740d4c2e435f76bacef43292062fd6a7072

SHA512
631c24825a06a32f58fab1757484f21eafd3489f4572bd4f89f158b058c16f87d9a23b4207d986dfef53828450e6091e647adbde6a73e171fac11deaff8c79e1

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
192KB

MD5
e8c1ea9cb49a7865093d2453a7d5708a

SHA1
1d2e020f386df855ead0cd75bf54e4f3a405fd5a

SHA256
46b8ee65997d9ac7721c7ab2b82b3a01d93a9eadfab452cc3c315856cfeee7ac

SHA512
98ec9045b4474129983bd58864e54766e68b2dc36ccbba76aa680816b8497ce1f594f9ca22580ca517ccb8a8ce6f02930ae01b5c6417ca15019221d75e1ce9f6

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
1020KB

MD5
3dc64291640d29f89b43f898331bb38a

SHA1
b7f3de823da2dc84ce39b29e25c37f42a4d8fa09

SHA256
36bd3078f823057b8519e4a996629a38b1593947206524f813e62b6549550d04

SHA512
7f9b36188177cec8797ede16d533ee0959d4729c0cc8408e71472158da14acc26ed140d89d79118a24c52513e443b795521ddccab5b6ba533259f5e6b229eea6

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
384KB

MD5
ae8d2972888d2aefb24862c07089bcc1

SHA1
5be1f6d39701e7d4bfd5ce084603982aa4defc31

SHA256
2447d1e3ec3134de0df478e66dff552655aed013f79a6c980083311a7b533674

SHA512
3ec03ffa958536ac4b03a5c50a51129df4ba30cbd56b6376d3466af8dc0e77639ee28fc3ce2802c39a86827cb1cb2d4274fe3075cd60b10df3424623a1b1adea

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
1020KB

MD5
6d88d789b48b2d0f6a5f338123ec1c2d

SHA1
f86a91a3b33368454292a6c6548fd253f33c5aac

SHA256
c1e620e0df59a10c725854fdc3044b025faf6dc3e34b855a2cf671a90270353a

SHA512
ba8bd252faca1458eaefb17b93c7bbbe5c40219bdc471e38e0714e102403d47fe0db16f198552cde5a059f124270d218c610f972953f977b30c2029a10506aad

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
1020KB

MD5
e83de2f5e8b8192e2a99680f217b6036

SHA1
509a42eacfce89de5c75a530257537cca9b1feb0

SHA256
812c1d2d5a3ea8d9d01a24795fe1008e177ffa30c204284463da103fbafba534

SHA512
074cff9a0a769b226e8c7e9f80acdccf1caf55a1e31a35c4af251e18adc0fbc9347621d0c4fde392599fbad340229822439e841222f47e6ff56e750c9208ff85

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
384KB

MD5
41d2639aae1c38dc63d925d2e34d7dd1

SHA1
3f790abfc5c7cba8139689a3b0cdecd36992b8fd

SHA256
99bde27d017d1defa12c2ec6c2a5f8e3d5d357a5a9e05d63f590445f95133db0

SHA512
a98f6401faeb032e34dbd6b31b645718950979d578da6327cab6abb88297f372901e8daf66f82c2d76ba4ecbd4048a791797f7e9138a547fdceb760bae63e3ed

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
1020KB

MD5
89ecf78fb0036b82d790e5433b83e52f

SHA1
06dbe40ff78011b082ba33f2188374079e659f28

SHA256
e1f5689f338b475c8c69ec7fbfa26ace90da7594e8f8d67d7e4fe641562b0780

SHA512
08755700d7fd5ad7da4a03ed3441789cffe7b9322e7478894c2f30e2e03151197974bea940b2618204fb0303b75894cc47f71c42b19cfd3a4c52385a4bdc07d4

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
1020KB

MD5
88735a27553a95e215ec300e25ffb8e3

SHA1
b643d3f76b12d6e35c164d5f37c07574dd5a4b21

SHA256
a5b3b5d68148a83436312b6048f4440d680e480fb39621ec68db24b721d1e954

SHA512
99bda2ebdb2a173e4b252d098949a0980e9f649dddb931bd3ac202ab3212295852b75f44baea6b7a1b3590cc7dc6897717c5449aab4552c8c5c64a44781f57c8

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
1020KB

MD5
2e75cd198b134e1789aadc65113c9b26

SHA1
2aa69f8d620614441121ae9f7806b5485d7b013e

SHA256
382e8a8942c3290fa9558a21705ec430aafcca5a2e4d50b16ec21b7d7b8cb279

SHA512
4a15a0564b33ddf50846346c7423ab0c8bf7fc6dc6cd0bf2f6c0c49c38aaab861eb5ca8fbb29e5835e80f126168fd9c9f3c42c6de9d4ca54458c6d0d33c93112

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
19KB

MD5
de1fb83928961a8bbabe77b863e7002d

SHA1
f3be28c48eb0ee91ed840488792b64f533095af6

SHA256
b16ba8d4d65c695b8d2c1c87a8723d3ee76e1c27baee7b9ee75fa4aa8bdcc554

SHA512
671dd6ba62ad9fbda35180fd97dd1f07acf9a7a160ed7cc9c90f7e1ae5e6e078daca1e098dbd7abacf219a161807c9aba4275da38ce952bd20690bde6f3422fa

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
1020KB

MD5
c9231e7ad7107e93f8c0478fdbcfd66f

SHA1
9ffce9a3754d7a94a20c2172fad51e81b1c7a4ad

SHA256
37f1748cc5991dd5d263d1377c23db08834a3d862c8dd05573021bc20db04fc3

SHA512
9bf7017ad62570e7ba822673397a79e49f125061a78b90014066b29aa3418ad0a3e4ffb9ee183403bccb6388e6632c5f81d4871c30db0a4852ed8ef1acbd31db

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
1020KB

MD5
f4933428a33bb9090e4e1456932d421b

SHA1
59647433fc269030ede2f1d9ab1dd160f0614279

SHA256
3c1af175f96b16dab3a10003526321351cf72c57e274a8486dfde69b6bedc1de

SHA512
e822d6766020c83811a3253ec33f324ede2a54aebdbe0d0e8ae3fea90332c6fb4591dcfad2db305ec7107e8f43372c884c4ead521be8146ca68f2d427a91520d

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
42KB

MD5
87b9acb367ca859f7c302c461db07430

SHA1
f4a223d31caefc4f4d5c19a7213d25e3c60f93ea

SHA256
1babdbaf58a65237b1c42adcaad136621390ec37e76c6f6a61923fa10902a78f

SHA512
7b07a56c942f6e4050dad02b11e6511924ff7f450b37c345066438bb97576e9ac6597ac236fb9ce998fabbbc24ec9eaabf150df67cbfb6145e94061e480ba63e

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
22KB

MD5
8f9ad0287e79fcc5e3e019f76d3e6971

SHA1
aca7f83bfde213410bfe99c1a651654ae91a231e

SHA256
da650bb6db0215df612868f73804d90b20f453f5a33c5021ea193db632cda376

SHA512
52c897c529b3f6d6d3a3ca6decf99130ca214bac40476082e2e9b22a3071518a57fe5ccdb1c4319fe5a795c2c7e84f828925f3f53f19dcac94b298d5d6c647c6

Download Submit
\Windows\SysWOW64\Dmoipopd.exe

Filesize
1020KB

MD5
eb88a186aeef723ffe250821b823c998

SHA1
a4012a34b94169a8cc5149a3fc4277fcb428f2b0

SHA256
708e9992efedd26a05a9af8af75691128820f8f085df135e17736decb98d0843

SHA512
7d09b5e2b0b828ba13e67e8ec0108eed1f6f864b3a577e19d8401e8e14a25b02bac5207f500dd4e41f7e1dec7724add2c69f4d6119163a6d35b5448ba1f86a83

Download Submit
\Windows\SysWOW64\Ejgcdb32.exe

Filesize
1020KB

MD5
12bd70ffe4a5d6e30af2a7eb09b3fcc1

SHA1
13c3c44f2dc1f670307756acbf0aec305be76660

SHA256
c9b42bf3f1771b0bb17b9d8c06b9060ded869ca4a43ae5fbb9c971b693b80b92

SHA512
a56296bcaf588ee630a0e8caf458578325a7549d05fffd49fabcf1d61f790b964c906a7ef8bcebdc4236a05264eee9d5e8de7efdfbe3df1e9a5ec6ca7a0d5dee

Download Submit
\Windows\SysWOW64\Ekklaj32.exe

Filesize
1020KB

MD5
cb719859f0ef226d57eb2881e1a3cc39

SHA1
10f902a6d287955989d031072fa2a11c50aaa2d9

SHA256
c5b6cd5a65cc8b7a9036980c92fbe0a2d814aa55b55877a0f107ea46f8034292

SHA512
6f631a12df018dbe8a0f801f443e53f7ec28aa668c3208412e12484ff3a66894a5748861b49dfbc7623de554f8effdf87a9711bafa27e45b07d0c467155380c5

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
1020KB

MD5
a07d7c3311e549f2bcecffec6472dd60

SHA1
4d975f050eccfef69060de349b36fba2a21a934a

SHA256
3bef0f5fbdbe0a0c093bea52bd4027b47de757a4062d748ac332cd8361bbb605

SHA512
1a48a3216d4281e3265d7ced4c4b6d65a92c2441573bd1490b41fa5b305555c01c8ea70cc98541a7476d08ed0af0e4fbe0cd1f5aeabeae81949de08d5d93b1e8

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
960KB

MD5
d7e6e0e05fdc4e24f2ced8061f38be7b

SHA1
a58906b4af96d48a77bc1388be2aa5347e99db3c

SHA256
e5f3bd84dd343155fa4dac2ed5763bfda214a61935c956b5e7bf61dfd17ee1ae

SHA512
217f8c74061a9c65055c80cbb887281b599b724ac7b0e760f85bc4b9deadb4916e9a5879ec5143ed793cc7fdb600daa0996852237a8cdfec8fc7006e775b44af

Download Submit
\Windows\SysWOW64\Glaoalkh.exe

Filesize
1020KB

MD5
eeebef03bab402c91dbc91aa6afd095a

SHA1
575261e0607177916db18160cc824a80ef594678

SHA256
cce6c88fb387e168c107fb7c0406c29e111ef8c95a3ab51efa5bce2c8d680490

SHA512
5419dec258abbca48115703283f36d1bbed51a58bc1f2b1bee5c450d8c82ff574f539d787cd675540ea3229007cc12c5771fd9f3424cc4dbb8f46d7f291ae1a3

Download Submit
memory/756-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/776-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/836-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1628-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1648-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1664-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1676-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1740-25-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1740-19-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1740-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1868-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-112-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2312-45-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2312-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-39-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2456-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2456-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-6-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2816-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3040-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads