510b4d784ad91bb64b14f2615f1192249ee1c3bf99ab3c79f93f86a859c000cb

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4166cd0f1ee1f5053f352eee6e648fc7.exe
Size

78KB
MD5

4166cd0f1ee1f5053f352eee6e648fc7
SHA1

5d4e640a5b3d4a8796dcc3d3a6a44eace55eeff4
SHA256

510b4d784ad91bb64b14f2615f1192249ee1c3bf99ab3c79f93f86a859c000cb
SHA512

84f2755794a4c1732b27fed562d5e3b0701979513df07db5300451c9204b0edc59e4aa2db320613c42f2a6d308f2173af82b98300bc0c4215b91c7d20baeff09
SSDEEP

1536:R8eI/Ajmhob8/Cf7vX8CtEgwweDiVSN+zL20gJi1ie:R8eChU8/+vXjtEgwrDiVSgzL20WKt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4166cd0f1ee1f5053f352eee6e648fc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4166cd0f1ee1f5053f352eee6e648fc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe

Executes dropped EXE 30 IoCs

pid	Process
1260	Fphafl32.exe
2084	Fiaeoang.exe
2760	Gfefiemq.exe
2564	Gicbeald.exe
2472	Ghfbqn32.exe
2448	Gpmjak32.exe
3016	Gopkmhjk.exe
1656	Gejcjbah.exe
2880	Gieojq32.exe
2812	Gkgkbipp.exe
2680	Gkihhhnm.exe
2172	Gdamqndn.exe
2808	Gkkemh32.exe
1048	Gmjaic32.exe
1036	Gddifnbk.exe
1740	Hiqbndpb.exe
1544	Hcifgjgc.exe
1720	Hicodd32.exe
584	Hdhbam32.exe
1704	Hggomh32.exe
2784	Hejoiedd.exe
1724	Hnagjbdf.exe
1052	Hgilchkf.exe
1328	Hjhhocjj.exe
1064	Hpapln32.exe
2080	Hcplhi32.exe
2972	Hogmmjfo.exe
2196	Idceea32.exe
2152	Inljnfkg.exe
2704	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2004	4166cd0f1ee1f5053f352eee6e648fc7.exe
2004	4166cd0f1ee1f5053f352eee6e648fc7.exe
1260	Fphafl32.exe
1260	Fphafl32.exe
2084	Fiaeoang.exe
2084	Fiaeoang.exe
2760	Gfefiemq.exe
2760	Gfefiemq.exe
2564	Gicbeald.exe
2564	Gicbeald.exe
2472	Ghfbqn32.exe
2472	Ghfbqn32.exe
2448	Gpmjak32.exe
2448	Gpmjak32.exe
3016	Gopkmhjk.exe
3016	Gopkmhjk.exe
1656	Gejcjbah.exe
1656	Gejcjbah.exe
2880	Gieojq32.exe
2880	Gieojq32.exe
2812	Gkgkbipp.exe
2812	Gkgkbipp.exe
2680	Gkihhhnm.exe
2680	Gkihhhnm.exe
2172	Gdamqndn.exe
2172	Gdamqndn.exe
2808	Gkkemh32.exe
2808	Gkkemh32.exe
1048	Gmjaic32.exe
1048	Gmjaic32.exe
1036	Gddifnbk.exe
1036	Gddifnbk.exe
1740	Hiqbndpb.exe
1740	Hiqbndpb.exe
1544	Hcifgjgc.exe
1544	Hcifgjgc.exe
1720	Hicodd32.exe
1720	Hicodd32.exe
584	Hdhbam32.exe
584	Hdhbam32.exe
1704	Hggomh32.exe
1704	Hggomh32.exe
2784	Hejoiedd.exe
2784	Hejoiedd.exe
1724	Hnagjbdf.exe
1724	Hnagjbdf.exe
1052	Hgilchkf.exe
1052	Hgilchkf.exe
1328	Hjhhocjj.exe
1328	Hjhhocjj.exe
1064	Hpapln32.exe
1064	Hpapln32.exe
2080	Hcplhi32.exe
2080	Hcplhi32.exe
2972	Hogmmjfo.exe
2972	Hogmmjfo.exe
2196	Idceea32.exe
2196	Idceea32.exe
2152	Inljnfkg.exe
2152	Inljnfkg.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gkihhhnm.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Inljnfkg.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Fphafl32.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gkgkbipp.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	Fphafl32.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hgilchkf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	2704	WerFault.exe	57

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll"	4166cd0f1ee1f5053f352eee6e648fc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4166cd0f1ee1f5053f352eee6e648fc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4166cd0f1ee1f5053f352eee6e648fc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4166cd0f1ee1f5053f352eee6e648fc7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1260	2004	4166cd0f1ee1f5053f352eee6e648fc7.exe	28
PID 2004 wrote to memory of 1260	2004	4166cd0f1ee1f5053f352eee6e648fc7.exe	28
PID 2004 wrote to memory of 1260	2004	4166cd0f1ee1f5053f352eee6e648fc7.exe	28
PID 2004 wrote to memory of 1260	2004	4166cd0f1ee1f5053f352eee6e648fc7.exe	28
PID 1260 wrote to memory of 2084	1260	Fphafl32.exe	29
PID 1260 wrote to memory of 2084	1260	Fphafl32.exe	29
PID 1260 wrote to memory of 2084	1260	Fphafl32.exe	29
PID 1260 wrote to memory of 2084	1260	Fphafl32.exe	29
PID 2084 wrote to memory of 2760	2084	Fiaeoang.exe	30
PID 2084 wrote to memory of 2760	2084	Fiaeoang.exe	30
PID 2084 wrote to memory of 2760	2084	Fiaeoang.exe	30
PID 2084 wrote to memory of 2760	2084	Fiaeoang.exe	30
PID 2760 wrote to memory of 2564	2760	Gfefiemq.exe	31
PID 2760 wrote to memory of 2564	2760	Gfefiemq.exe	31
PID 2760 wrote to memory of 2564	2760	Gfefiemq.exe	31
PID 2760 wrote to memory of 2564	2760	Gfefiemq.exe	31
PID 2564 wrote to memory of 2472	2564	Gicbeald.exe	32
PID 2564 wrote to memory of 2472	2564	Gicbeald.exe	32
PID 2564 wrote to memory of 2472	2564	Gicbeald.exe	32
PID 2564 wrote to memory of 2472	2564	Gicbeald.exe	32
PID 2472 wrote to memory of 2448	2472	Ghfbqn32.exe	33
PID 2472 wrote to memory of 2448	2472	Ghfbqn32.exe	33
PID 2472 wrote to memory of 2448	2472	Ghfbqn32.exe	33
PID 2472 wrote to memory of 2448	2472	Ghfbqn32.exe	33
PID 2448 wrote to memory of 3016	2448	Gpmjak32.exe	34
PID 2448 wrote to memory of 3016	2448	Gpmjak32.exe	34
PID 2448 wrote to memory of 3016	2448	Gpmjak32.exe	34
PID 2448 wrote to memory of 3016	2448	Gpmjak32.exe	34
PID 3016 wrote to memory of 1656	3016	Gopkmhjk.exe	35
PID 3016 wrote to memory of 1656	3016	Gopkmhjk.exe	35
PID 3016 wrote to memory of 1656	3016	Gopkmhjk.exe	35
PID 3016 wrote to memory of 1656	3016	Gopkmhjk.exe	35
PID 1656 wrote to memory of 2880	1656	Gejcjbah.exe	36
PID 1656 wrote to memory of 2880	1656	Gejcjbah.exe	36
PID 1656 wrote to memory of 2880	1656	Gejcjbah.exe	36
PID 1656 wrote to memory of 2880	1656	Gejcjbah.exe	36
PID 2880 wrote to memory of 2812	2880	Gieojq32.exe	37
PID 2880 wrote to memory of 2812	2880	Gieojq32.exe	37
PID 2880 wrote to memory of 2812	2880	Gieojq32.exe	37
PID 2880 wrote to memory of 2812	2880	Gieojq32.exe	37
PID 2812 wrote to memory of 2680	2812	Gkgkbipp.exe	38
PID 2812 wrote to memory of 2680	2812	Gkgkbipp.exe	38
PID 2812 wrote to memory of 2680	2812	Gkgkbipp.exe	38
PID 2812 wrote to memory of 2680	2812	Gkgkbipp.exe	38
PID 2680 wrote to memory of 2172	2680	Gkihhhnm.exe	39
PID 2680 wrote to memory of 2172	2680	Gkihhhnm.exe	39
PID 2680 wrote to memory of 2172	2680	Gkihhhnm.exe	39
PID 2680 wrote to memory of 2172	2680	Gkihhhnm.exe	39
PID 2172 wrote to memory of 2808	2172	Gdamqndn.exe	40
PID 2172 wrote to memory of 2808	2172	Gdamqndn.exe	40
PID 2172 wrote to memory of 2808	2172	Gdamqndn.exe	40
PID 2172 wrote to memory of 2808	2172	Gdamqndn.exe	40
PID 2808 wrote to memory of 1048	2808	Gkkemh32.exe	41
PID 2808 wrote to memory of 1048	2808	Gkkemh32.exe	41
PID 2808 wrote to memory of 1048	2808	Gkkemh32.exe	41
PID 2808 wrote to memory of 1048	2808	Gkkemh32.exe	41
PID 1048 wrote to memory of 1036	1048	Gmjaic32.exe	42
PID 1048 wrote to memory of 1036	1048	Gmjaic32.exe	42
PID 1048 wrote to memory of 1036	1048	Gmjaic32.exe	42
PID 1048 wrote to memory of 1036	1048	Gmjaic32.exe	42
PID 1036 wrote to memory of 1740	1036	Gddifnbk.exe	43
PID 1036 wrote to memory of 1740	1036	Gddifnbk.exe	43
PID 1036 wrote to memory of 1740	1036	Gddifnbk.exe	43
PID 1036 wrote to memory of 1740	1036	Gddifnbk.exe	43

C:\Users\Admin\AppData\Local\Temp\4166cd0f1ee1f5053f352eee6e648fc7.exe
"C:\Users\Admin\AppData\Local\Temp\4166cd0f1ee1f5053f352eee6e648fc7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\Fphafl32.exe
  C:\Windows\system32\Fphafl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\Fiaeoang.exe
    C:\Windows\system32\Fiaeoang.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\Gfefiemq.exe
      C:\Windows\system32\Gfefiemq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Inljnfkg.exe
        
        C:\Windows\system32\Inljnfkg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        31⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
78KB

MD5
4a4b1bc27376cd3234ba8fc4543fa29f

SHA1
eaccb6e92c6ffabd053bfe91cc16f81d06379679

SHA256
d4c1a2509354428575d8a55613608f7ee6151e07ee66340cc9bd75413ac030c4

SHA512
be83428c8672b684988b3c8882cb4df0fa9b7bd7e797e54aee1920261cf7350e21d426d23480dcf9d8e4ea1e415fce3e609fe31e1273ac3d6c0a6544d996de81

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
78KB

MD5
94e526d7f45753a532aeac93256ed2d9

SHA1
cdf9605f77b31ae66652c5c33a93939d6a2b83aa

SHA256
78ca460898c4e0690ad0f7c8e66774d26ff0fda526f6655290db14040dd7d951

SHA512
a5db3365a6add62967af85944fd26fba03fd4bddf9ec429bc549835e8bad26514cc1088ceaec02b5b32b223004ad2fe1b720bcb0fb690cfe4fea5ba426603f1d

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
78KB

MD5
9d85c86cc3b55900d7c5d1487649989c

SHA1
6d1845a3a3a6bc3682505336bd162d944ac60bad

SHA256
8505ff76bd1d0983354283619efc5b7c98e572f42bf88825cb584f5f157a9801

SHA512
cb755968be628c9e27c6930c0546cd60691ca58b52767c7ebcda1fd8f776e38b4e5f7694d489cde926a807a34fe31aa520dc5a1ffcb900c9833ccfc361224770

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
78KB

MD5
3c78ca6a9449045a86e5de3342fa904c

SHA1
212e0d6cc5e600995fdc0aeddd4f99b35e3b3faa

SHA256
d49d8a8cd68efbb2509e393e403d445b51404fd5ea21a8deb374be7fe992463c

SHA512
28ab8e95750f54fc55e2d247e3c164ea6e51fe35589f6b156c3c225744a1e26254185ff737dcf9c77d5242f85ff1f7cd0c964dc381a511254ded26cb9c8ece7a

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
78KB

MD5
14b8c4b7bf82e35b287a397a5997dd3b

SHA1
6558981c77ec00379406659010abf030bd049379

SHA256
ec3453fcbc65e706efc5d4506c9385c5990c224d67e9f4a0ba5f0ea868cd9396

SHA512
cee46ae69f0bf34dc203185e955af3f4615dd1633b80b5489015855252519ae8c259a03cb7897a5d60bb10f0310389abc10e0bcfeda46faaf0e5c6b62ac58ad5

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
78KB

MD5
e1dccb0f126ae2a0d98d82091c510015

SHA1
a741b59a53c25477b61b49cdac6abb0ef5072a04

SHA256
3b86bdf179bfdcce983b23b8b221948aa80584e08db0547966e975d2b1b1eaf0

SHA512
aff1e2ee06cd105151b8fbe507d09d14ab1801aa3712acc94a081466a550b5184940d1d401137399f3e03c4b40357cf3b1121b73f336337b83315b5971758591

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
78KB

MD5
a2804556f70b1ac9cf3b33ba0b630ab7

SHA1
c05bb2895855e8b65d89b284fa0caafb7559740a

SHA256
7c039ddad68d135c01f9c4809bfca19632f92b665b8e44dec3e64330edacc7be

SHA512
0e12b9c197ed13dcbb4947088657b9a0114607377d7236d5b7bc312b84bdc5400037a481aa0ed5c388328ace716cf34ec102b9d0be82d4c1d38ce10d4115d495

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
78KB

MD5
822fe8c09d42de1cdfe3ade24e5badfc

SHA1
8789ff3dd0d1abeb4460cdcb054eef99b4fb12dc

SHA256
a8937b29979112715b92411f24ced6a0073b275f0c762c4f92f2d656c8be5ac0

SHA512
b63916ed23b5c7af0af15357c5158c9367a9c37dd623081dfb6a520030c2d2ad574ff4d44bfab9ec2932bf234daf096b9ab38db287a45452fc47ae600a164dd2

Download Submit
C:\Windows\SysWOW64\Gopkmhjk.exe

Filesize
78KB

MD5
b5d7f2f0ac13d01b629a385803ced031

SHA1
bbf7d7e5563a27261c26bf50ea7e34053db7f529

SHA256
a0dfdfbbf58d776e16a966ae8cafd4b309132fce7d8a157cfe00d185c2705bfa

SHA512
453d82b9940d1a0886666659fce7a0734ddb81c9f8c99d6748ce95acc1744811240f8f51ed8b8589eaaca6293810552f27370d44a99227a0698839c842a38a4f

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
78KB

MD5
c3b6bd20a1da5b0b116ab988429c864f

SHA1
e30f557abb1b6f6db79a4814e0b56c24899fab0d

SHA256
02e6e4b6b21030c8c532c278d66026a6047452425fa1d45b168fb5e14afefd35

SHA512
c90bc40a49df43f0abaeac37a9c4a3e1afba00b7dd88f542e8b8b3b4aeffc6847ceff19e1e034577315e89792eeb5285478ea029c4a66559a7a270b561decfca

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
78KB

MD5
f08cbe2c10e760fcdba268126b9e7508

SHA1
0abbd166f380037752f5d1fc021f7a3f5a798fb2

SHA256
a20024a930ccb8f9e59e817ed8eeb195d90e89466a855156bc095e72d1a80bfe

SHA512
7e38cf4b356d4efe8f6080953055e58e87f10fbf0911b71cc4dc9231fc52b9fdadb9a11b0c68ad984e60a0599288f80f3469ea9b3ae79fb6e8f9eb389f5296b3

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
78KB

MD5
646ebe7764623a02b2bf1e3d41c6557d

SHA1
407c492d3c8676b42c2c851b879a12df3ad0b71d

SHA256
67f5db99079b6b0332266b1f36eda25bd18c28cc87f1c6e5d37291b626d3a2f7

SHA512
50052d99eebfb6523c9f54a51dc0e7d92e19dc4d70304d3a43c27a1b72138ed88c4c0509e36cdf01fdb542e3a7ebdec4ba470cda1daea86e5999e2edd1852309

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
78KB

MD5
7a1da7d11d55a160f81eb65248fe6bd4

SHA1
c8945c5fd417c77c3dc480e1d4840d9e7bb91bae

SHA256
3bebdfb0a7ee129b09e2a87b351d039bdc1559076ca20f54728f1a6bd5fdea45

SHA512
e8cd1572d67806d12d933d13c68d9e99fa1f195f66dba0ac96762dcc2ef2e9f50311d213bce41a84f191c46cf212860706c3c2ed5d362af542a22a2924dbd91b

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
78KB

MD5
9543f2bc7656e4e81fbabaf775194dd5

SHA1
da11c6a5ece1e8933f4dd647407b5d959a95e1c9

SHA256
b1ea30cc80508f64fc8bd6f93e72c97c1128be6ee997e95cc78974725b549b23

SHA512
47bc51d45de5ba01684018489c78086fc4dc5baa27c9eaa1fdc90290c92580af72f33d5857467f9d203831b421197c08ee07193aeec81eb9426f33cb082d348d

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
78KB

MD5
85562245e09b4e8cd2f0101132a11572

SHA1
73bfea0ea82de89ba3e61daae0efc30cda7eb8bf

SHA256
a0e302e2f8a36b98ef8ff06410f670383c144e5da72b811952afee2e29f5c33a

SHA512
de03c044ccc86c43b95bbe360767a0e35695121e7a929483c8f306111410e56c4a381faf3bf0246f3a5e58c383a9d4b85f8354c1460891c9cd4ab94ef8fdab8b

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
78KB

MD5
6f1fb32e24182c5296e5a0586df4081f

SHA1
6c3dd4c0c7da9a0309fd12ffeb3511cdc2a75c4d

SHA256
085bbacb408cab280e054820f70416206f9bb86b59949eebcb9e404752836b66

SHA512
5e054c56cc2212455ad4df7f803edc39115c48ba97f87149b99a0bde32251e21b3285544847aa667a59a42bc14c9f999dae9f5b37865ebdc563614ddbd4aa759

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
78KB

MD5
fd3f8befd4fb876fb108d25eba75f800

SHA1
3b1e73b49fcb4131837868c06b5a106903205406

SHA256
b92f2cdd1a89734ff845ffbef089dc7ace15228b0418328ccfd251919507544a

SHA512
a6abb92c2f574c40a9a7629538c9004781497535abff93fa34111d12149755928d28543a17040b22cd41c1d7ed4a1051fd6093c2fffd84efc8574ec3b6446955

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
78KB

MD5
daf0f95a5cfda696ba19d6c29d606a10

SHA1
97c07cff440c56ffdfca8c14bfec1979baeb8aa4

SHA256
c7bc82713a46ba4992f7ac5674f53c6ce788bc455b17d4e072f9b78fbd55105a

SHA512
2f5c534673013dff1b507cccaceea67a223af2096d1fd0cb2b2ac054dfee0f08baab2443ee5a24e5f1be54956bc0a1e94a9d9011a2b675c24089b87cc6f6c41e

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
78KB

MD5
9cb17f1fcd6303e8d79e4ca1658b7709

SHA1
7042d81623954454880e607a5e8ec58c7182ad29

SHA256
f4dbb44c51bb2e89dc62d9809f0660c0a7ff412d477727614a3976aeebd7c971

SHA512
33231d84ee7fe286128954fb7999cff30fbfbbfdb4663cd2963cbc8a54ce63c46de1daa8d736f56150d4230183ff0a6fe13f4bacd39dd69eebf42b81b09d6530

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
78KB

MD5
1ec44c96939215c89641f58609404fbf

SHA1
5e0466ef95ee4537d7851df86a94a1328988d539

SHA256
affefdb17eb8ad9cb80e5f0e0a006ffbae7448581b807c663e155013df4bde06

SHA512
0c7096fb5adf134debab906493e142286defe2985c4a2c6eaa18bd751a59c98a811ddcfa80f307b2fdca8e0f7c3b715b8d82c8b586b71d47e8a2df6f788bd532

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
78KB

MD5
a75b12cfa9344c7418857ccfe2f7a3af

SHA1
4b856eb3c79f15243149f5d2bd4237075bd6ed81

SHA256
418d685ea180518013ad68c41bb63331109a5e601807fe77af77bd7f437a6fdc

SHA512
024f51df7ec3f7106a92549182e3e3911826f5c7f8e435b2d069b9ed06eda3682123e978012d86567370ccc4c59e3e6b982b4cce58ea46782c023a216e62bf42

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
78KB

MD5
0f8f54beb990663f7721955068553b1e

SHA1
46f9c6c909770ff4ce721116e293bc881d621ef2

SHA256
334aef7da2adb02731505ce919a1847eac199405d342c2908bfadb43eab8b2c9

SHA512
655a9045468a661829a9a3a1fd097fe3207bdaaa84841fd078fef3795ee6a5d061e1acdf4fa64f6c90dc6a9e1445b90550d35b10dfd1828f78043b4c321667c1

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
78KB

MD5
21eac17a1ac6a13a5264619873a2f245

SHA1
2cefa7881009f55554fc24d448f134aace197a42

SHA256
413dd37d3d70990a9c7cc9fd6b1bf9cb75049d93087cd1ead2d9eb3bc11ac003

SHA512
be4ac2b4c478f5851b83976f6ac9209c17effbe10eb471947067bf4cd85f2922c573401126d8086e4ac0ae2db7ebab3fc62309b169dff15d1220f76e5dbe58ed

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
78KB

MD5
1453fc1fec2ea2b63db475149a3fb29c

SHA1
2d6df517f307d8c568c41e318d4305a256a11573

SHA256
f2540cb824b8fb4665b0482fd893fb6538a53763687af4b79dfd9689f0914587

SHA512
2a8a4fe6433815f0fa31343a744674c23417197a9fd63b96678d90ff389fcc19f710b7eeb13d92e91a491deb47fe3a2ccd5c935fa5a3d37755289279e96d0254

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
78KB

MD5
f1ab73bfa34370b3a2d7898f5c1bd680

SHA1
df7b86a813e3073dedf84a21e33db75a0df0b229

SHA256
9f4b4c08868c92d0accb95f6b821ffea0010ee2d0007480e8023ebb6d1c81fb3

SHA512
cea7b4c1a77208f21fcaccfadac1d26e8bed283371be5712c7395f197481275971748b79a212a734b1b60f7727ba6337a84395b8cb0b00ea5376e18e63cabe16

Download Submit
\Windows\SysWOW64\Fphafl32.exe

Filesize
78KB

MD5
e466e34dbd47e813987f6f137ae74d44

SHA1
f6ae38c1d054649ab61dc3ccd76efdf6be2546db

SHA256
7d3ce88a397470b2b1d24040aabb33f409026c580c44544f8e1f1f43f256d897

SHA512
e56487cfd489f651d08f8cc676736ef000e3df6a77fc0017bda9c40ee91c6117d6a230aa505bcf9067621b9a30df6ae58f558591bcf697cf8e47035e02e8fa98

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
78KB

MD5
2b24e3bb7f49d11c52511f9861981e64

SHA1
a3499f0d6285a26f5fc0686c94e91a9b99c9961b

SHA256
5cd257447db83e5474989bca74329c314d95625855ec9089f404e37cff86b145

SHA512
dd537da8d19fa5da3505875a0efe1cd7f19aed237f96bb66f37435de47089f2826c48f05ebbdf8f5675bcd79814b57a1c090267cf8cd813fd24ebb5f12f14067

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
78KB

MD5
b189f7052c5a2502f6653e62bb4b1704

SHA1
ff479ea8ba269557d8be1048c12f107e8dce66c7

SHA256
e9bc7b7fabb4bf3f60e7a58dfc16872a49abf1028f25a19f5dacdd27ccc0941b

SHA512
9cc1ffbd4d9b24834276f3334e20f15f15d53f52aefe2e4a5c83c07670d0efdf25df88c9e434e733077f1380a8b8d3d242c95b22264ba57c5c95bdbda9a735eb

Download Submit
\Windows\SysWOW64\Gkgkbipp.exe

Filesize
78KB

MD5
504eabd7f0e5da1ee607cc4a9348a51d

SHA1
8abaea0451c3f86c3559817dc982bee3d4c120a2

SHA256
ef1d1e618bb1a6074bbb9b344171bfa15e28d0a96465f4aa9f39f011168bb409

SHA512
6266de18f56cf0b470bc175fd50129a09851871a0668c0ca0320fad91ca2f34f8ceaa6b73df8a9b257728f04c7340d3428ff9320177854bcf308866d47a4b7bc

Download Submit
\Windows\SysWOW64\Gkihhhnm.exe

Filesize
78KB

MD5
c344d19f6aa3faa5c0e4c2fa488519a6

SHA1
582039fae81f0b3246499105eadb486eff0580ff

SHA256
caf5b9ac1180d980ed508e3de3ec4b72c06b9671e6dadb761e12024c69068569

SHA512
322b829ced42b3b9a0baca760bf2754adf121f811d8e570f7dd359be9a0a9b8422820ffd229bba490f44d136408250117d95bc4481e7811a6ce4358b90b4e2a8

Download Submit
memory/584-362-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/584-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/584-301-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/584-361-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/584-305-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1036-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-367-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1052-333-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1052-334-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1064-344-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1064-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1260-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1260-115-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1260-358-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1328-342-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1328-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-343-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1544-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-338-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1704-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-363-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1704-315-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1720-360-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1720-295-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1720-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-366-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1724-331-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1724-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-340-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1740-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-23-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2004-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-346-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2080-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-116-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2152-354-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2152-355-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2152-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2472-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-330-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2784-329-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2784-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-364-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2784-365-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2808-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-359-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2808-266-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2812-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-348-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2972-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads