986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 01:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Size

377KB
MD5

0e5d30ea19ce2f88a0c28a9c40270606
SHA1

7c37e52ebf905419022f8378f8353bb8b36b92d8
SHA256

986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0
SHA512

d6bec92188ae7e8c68bb54a65c1b800904abb530a28a9cf6914bfc19f79fc96903c916443c7b8304bdcb1a340a752737753138b7a6f32926b3f09750225ba9d1
SSDEEP

6144:pQTOcoZjNaGSgnohijgAUv5fKx/SgnohignC5V:GTOcadMTv5i1dayV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iheddndj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbaileio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfbcbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haiccald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idcokkak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faigdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapicp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdpndnei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faigdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpncej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haiccald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfiale32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjifhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbaileio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idcokkak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffhpbacb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iheddndj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfbcbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapicp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpncej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffhpbacb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdpndnei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe

UPX dump on OEP (original entry point) 36 IoCs

resource	yara_rule
behavioral1/files/0x0028000000016601-27.dat	UPX
behavioral1/files/0x0007000000016c1e-38.dat	UPX
behavioral1/files/0x000a000000012267-9.dat	UPX
behavioral1/files/0x0007000000016ca7-41.dat	UPX
behavioral1/files/0x00060000000170e9-76.dat	UPX
behavioral1/files/0x0008000000016d6d-65.dat	UPX
behavioral1/files/0x0028000000016ace-82.dat	UPX
behavioral1/files/0x000500000001867d-98.dat	UPX
behavioral1/files/0x00050000000186b4-107.dat	UPX
behavioral1/memory/2744-121-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/files/0x0006000000018afc-122.dat	UPX
behavioral1/files/0x0006000000018b25-136.dat	UPX
behavioral1/files/0x0006000000018b56-154.dat	UPX
behavioral1/files/0x0006000000018b78-167.dat	UPX
behavioral1/memory/1092-166-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/files/0x0006000000018bac-188.dat	UPX
behavioral1/files/0x0006000000018f7d-202.dat	UPX
behavioral1/files/0x0005000000019316-208.dat	UPX
behavioral1/files/0x0005000000019383-221.dat	UPX
behavioral1/files/0x00050000000193b1-229.dat	UPX
behavioral1/files/0x000500000001946e-237.dat	UPX
behavioral1/files/0x0005000000019484-245.dat	UPX
behavioral1/files/0x000500000001948a-253.dat	UPX
behavioral1/files/0x00050000000194bf-261.dat	UPX
behavioral1/files/0x000500000001950f-269.dat	UPX
behavioral1/files/0x0005000000019576-277.dat	UPX
behavioral1/files/0x00050000000195a3-285.dat	UPX
behavioral1/files/0x00050000000195a7-293.dat	UPX
behavioral1/files/0x00050000000195ab-302.dat	UPX
behavioral1/files/0x00050000000195af-309.dat	UPX
behavioral1/files/0x00050000000195b3-317.dat	UPX
behavioral1/files/0x00050000000195b9-325.dat	UPX
behavioral1/files/0x00050000000195c3-333.dat	UPX
behavioral1/files/0x000500000001963f-336.dat	UPX
behavioral1/files/0x0005000000019754-349.dat	UPX
behavioral1/files/0x0005000000019804-357.dat	UPX

Executes dropped EXE 34 IoCs

pid	Process
2316	Djmicm32.exe
2508	Dfdjhndl.exe
2504	Dkqbaecc.exe
2988	Ebmgcohn.exe
2532	Ejhlgaeh.exe
2416	Egafleqm.exe
2344	Ffhpbacb.exe
2552	Faigdn32.exe
2744	Gpncej32.exe
812	Gbaileio.exe
480	Haiccald.exe
1092	Hapicp32.exe
2700	Idcokkak.exe
612	Iheddndj.exe
2748	Jdpndnei.exe
2088	Jfiale32.exe
1252	Kjifhc32.exe
2268	Kfbcbd32.exe
432	Lanaiahq.exe
1124	Ljibgg32.exe
804	Lfpclh32.exe
1708	Lccdel32.exe
1612	Lfdmggnm.exe
364	Mpmapm32.exe
636	Mieeibkn.exe
2804	Mapjmehi.exe
1244	Mbpgggol.exe
852	Maedhd32.exe
1960	Magqncba.exe
2040	Nhaikn32.exe
1812	Nlcnda32.exe
2516	Ngibaj32.exe
2512	Nigome32.exe
2456	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2860	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
2860	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
2316	Djmicm32.exe
2316	Djmicm32.exe
2508	Dfdjhndl.exe
2508	Dfdjhndl.exe
2504	Dkqbaecc.exe
2504	Dkqbaecc.exe
2988	Ebmgcohn.exe
2988	Ebmgcohn.exe
2532	Ejhlgaeh.exe
2532	Ejhlgaeh.exe
2416	Egafleqm.exe
2416	Egafleqm.exe
2344	Ffhpbacb.exe
2344	Ffhpbacb.exe
2552	Faigdn32.exe
2552	Faigdn32.exe
2744	Gpncej32.exe
2744	Gpncej32.exe
812	Gbaileio.exe
812	Gbaileio.exe
480	Haiccald.exe
480	Haiccald.exe
1092	Hapicp32.exe
1092	Hapicp32.exe
2700	Idcokkak.exe
2700	Idcokkak.exe
612	Iheddndj.exe
612	Iheddndj.exe
2748	Jdpndnei.exe
2748	Jdpndnei.exe
2088	Jfiale32.exe
2088	Jfiale32.exe
1252	Kjifhc32.exe
1252	Kjifhc32.exe
2268	Kfbcbd32.exe
2268	Kfbcbd32.exe
432	Lanaiahq.exe
432	Lanaiahq.exe
1124	Ljibgg32.exe
1124	Ljibgg32.exe
804	Lfpclh32.exe
804	Lfpclh32.exe
1708	Lccdel32.exe
1708	Lccdel32.exe
1612	Lfdmggnm.exe
1612	Lfdmggnm.exe
364	Mpmapm32.exe
364	Mpmapm32.exe
636	Mieeibkn.exe
636	Mieeibkn.exe
2804	Mapjmehi.exe
2804	Mapjmehi.exe
1244	Mbpgggol.exe
1244	Mbpgggol.exe
852	Maedhd32.exe
852	Maedhd32.exe
1960	Magqncba.exe
1960	Magqncba.exe
1596	Nckjkl32.exe
1596	Nckjkl32.exe
1812	Nlcnda32.exe
1812	Nlcnda32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pgicjg32.dll	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Gbaileio.exe	Gpncej32.exe
File opened for modification	C:\Windows\SysWOW64\Kjifhc32.exe	Jfiale32.exe
File created	C:\Windows\SysWOW64\Nbfphc32.dll	Egafleqm.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Ffhpbacb.exe	Egafleqm.exe
File created	C:\Windows\SysWOW64\Dkcinege.dll	Haiccald.exe
File created	C:\Windows\SysWOW64\Apbfblll.dll	Lanaiahq.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mbpgggol.exe
File opened for modification	C:\Windows\SysWOW64\Jdpndnei.exe	Iheddndj.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Ljibgg32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Odifab32.dll	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
File opened for modification	C:\Windows\SysWOW64\Dfdjhndl.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Ngbkba32.dll	Hapicp32.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Ljibgg32.exe
File created	C:\Windows\SysWOW64\Clialdph.dll	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Ejhlgaeh.exe	Ebmgcohn.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Qfgkcdoe.dll	Iheddndj.exe
File created	C:\Windows\SysWOW64\Ljibgg32.exe	Lanaiahq.exe
File opened for modification	C:\Windows\SysWOW64\Lfdmggnm.exe	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Nlcnda32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Djmicm32.exe	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	Ebmgcohn.exe
File opened for modification	C:\Windows\SysWOW64\Ffhpbacb.exe	Egafleqm.exe
File created	C:\Windows\SysWOW64\Piccpc32.dll	Gbaileio.exe
File opened for modification	C:\Windows\SysWOW64\Ljibgg32.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Fpcqjacl.dll	Jfiale32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Maedhd32.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Gbaileio.exe	Gpncej32.exe
File opened for modification	C:\Windows\SysWOW64\Haiccald.exe	Gbaileio.exe
File opened for modification	C:\Windows\SysWOW64\Mapjmehi.exe	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Ckgkkllh.dll	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Faigdn32.exe	Ffhpbacb.exe
File opened for modification	C:\Windows\SysWOW64\Faigdn32.exe	Ffhpbacb.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqbaecc.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dkqbaecc.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Fihicd32.dll	Faigdn32.exe
File created	C:\Windows\SysWOW64\Hapicp32.exe	Haiccald.exe
File opened for modification	C:\Windows\SysWOW64\Jfiale32.exe	Jdpndnei.exe
File created	C:\Windows\SysWOW64\Kjifhc32.exe	Jfiale32.exe
File created	C:\Windows\SysWOW64\Dhhlgc32.dll	Ebmgcohn.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Egafleqm.exe	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Lpgimglf.dll	Idcokkak.exe
File opened for modification	C:\Windows\SysWOW64\Lanaiahq.exe	Kfbcbd32.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
File created	C:\Windows\SysWOW64\Dfdjhndl.exe	Djmicm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	2456	WerFault.exe	62

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihicd32.dll"	Faigdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbaileio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbkba32.dll"	Hapicp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll"	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faigdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdpndnei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iheddndj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll"	Idcokkak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfphc32.dll"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimofi32.dll"	Gpncej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfgkcdoe.dll"	Iheddndj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faigdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haiccald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpopmpp.dll"	Ffhpbacb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpncej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idcokkak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iheddndj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffhpbacb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haiccald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdpndnei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpncej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2316	2860	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe	28
PID 2860 wrote to memory of 2316	2860	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe	28
PID 2860 wrote to memory of 2316	2860	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe	28
PID 2860 wrote to memory of 2316	2860	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe	28
PID 2316 wrote to memory of 2508	2316	Djmicm32.exe	29
PID 2316 wrote to memory of 2508	2316	Djmicm32.exe	29
PID 2316 wrote to memory of 2508	2316	Djmicm32.exe	29
PID 2316 wrote to memory of 2508	2316	Djmicm32.exe	29
PID 2508 wrote to memory of 2504	2508	Dfdjhndl.exe	30
PID 2508 wrote to memory of 2504	2508	Dfdjhndl.exe	30
PID 2508 wrote to memory of 2504	2508	Dfdjhndl.exe	30
PID 2508 wrote to memory of 2504	2508	Dfdjhndl.exe	30
PID 2504 wrote to memory of 2988	2504	Dkqbaecc.exe	31
PID 2504 wrote to memory of 2988	2504	Dkqbaecc.exe	31
PID 2504 wrote to memory of 2988	2504	Dkqbaecc.exe	31
PID 2504 wrote to memory of 2988	2504	Dkqbaecc.exe	31
PID 2988 wrote to memory of 2532	2988	Ebmgcohn.exe	32
PID 2988 wrote to memory of 2532	2988	Ebmgcohn.exe	32
PID 2988 wrote to memory of 2532	2988	Ebmgcohn.exe	32
PID 2988 wrote to memory of 2532	2988	Ebmgcohn.exe	32
PID 2532 wrote to memory of 2416	2532	Ejhlgaeh.exe	33
PID 2532 wrote to memory of 2416	2532	Ejhlgaeh.exe	33
PID 2532 wrote to memory of 2416	2532	Ejhlgaeh.exe	33
PID 2532 wrote to memory of 2416	2532	Ejhlgaeh.exe	33
PID 2416 wrote to memory of 2344	2416	Egafleqm.exe	34
PID 2416 wrote to memory of 2344	2416	Egafleqm.exe	34
PID 2416 wrote to memory of 2344	2416	Egafleqm.exe	34
PID 2416 wrote to memory of 2344	2416	Egafleqm.exe	34
PID 2344 wrote to memory of 2552	2344	Ffhpbacb.exe	35
PID 2344 wrote to memory of 2552	2344	Ffhpbacb.exe	35
PID 2344 wrote to memory of 2552	2344	Ffhpbacb.exe	35
PID 2344 wrote to memory of 2552	2344	Ffhpbacb.exe	35
PID 2552 wrote to memory of 2744	2552	Faigdn32.exe	36
PID 2552 wrote to memory of 2744	2552	Faigdn32.exe	36
PID 2552 wrote to memory of 2744	2552	Faigdn32.exe	36
PID 2552 wrote to memory of 2744	2552	Faigdn32.exe	36
PID 2744 wrote to memory of 812	2744	Gpncej32.exe	37
PID 2744 wrote to memory of 812	2744	Gpncej32.exe	37
PID 2744 wrote to memory of 812	2744	Gpncej32.exe	37
PID 2744 wrote to memory of 812	2744	Gpncej32.exe	37
PID 812 wrote to memory of 480	812	Gbaileio.exe	38
PID 812 wrote to memory of 480	812	Gbaileio.exe	38
PID 812 wrote to memory of 480	812	Gbaileio.exe	38
PID 812 wrote to memory of 480	812	Gbaileio.exe	38
PID 480 wrote to memory of 1092	480	Haiccald.exe	39
PID 480 wrote to memory of 1092	480	Haiccald.exe	39
PID 480 wrote to memory of 1092	480	Haiccald.exe	39
PID 480 wrote to memory of 1092	480	Haiccald.exe	39
PID 1092 wrote to memory of 2700	1092	Hapicp32.exe	40
PID 1092 wrote to memory of 2700	1092	Hapicp32.exe	40
PID 1092 wrote to memory of 2700	1092	Hapicp32.exe	40
PID 1092 wrote to memory of 2700	1092	Hapicp32.exe	40
PID 2700 wrote to memory of 612	2700	Idcokkak.exe	41
PID 2700 wrote to memory of 612	2700	Idcokkak.exe	41
PID 2700 wrote to memory of 612	2700	Idcokkak.exe	41
PID 2700 wrote to memory of 612	2700	Idcokkak.exe	41
PID 612 wrote to memory of 2748	612	Iheddndj.exe	42
PID 612 wrote to memory of 2748	612	Iheddndj.exe	42
PID 612 wrote to memory of 2748	612	Iheddndj.exe	42
PID 612 wrote to memory of 2748	612	Iheddndj.exe	42
PID 2748 wrote to memory of 2088	2748	Jdpndnei.exe	43
PID 2748 wrote to memory of 2088	2748	Jdpndnei.exe	43
PID 2748 wrote to memory of 2088	2748	Jdpndnei.exe	43
PID 2748 wrote to memory of 2088	2748	Jdpndnei.exe	43

C:\Users\Admin\AppData\Local\Temp\986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
"C:\Users\Admin\AppData\Local\Temp\986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\Djmicm32.exe
  C:\Windows\system32\Djmicm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Dfdjhndl.exe
    C:\Windows\system32\Dfdjhndl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\Dkqbaecc.exe
      C:\Windows\system32\Dkqbaecc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\Ejhlgaeh.exe
        
        C:\Windows\system32\Ejhlgaeh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ffhpbacb.exe
        
        C:\Windows\system32\Ffhpbacb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Faigdn32.exe
        
        C:\Windows\system32\Faigdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Gpncej32.exe
        
        C:\Windows\system32\Gpncej32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Gbaileio.exe
        
        C:\Windows\system32\Gbaileio.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Haiccald.exe
        
        C:\Windows\system32\Haiccald.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\Hapicp32.exe
        
        C:\Windows\system32\Hapicp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Idcokkak.exe
        
        C:\Windows\system32\Idcokkak.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Iheddndj.exe
        
        C:\Windows\system32\Iheddndj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Jdpndnei.exe
        
        C:\Windows\system32\Jdpndnei.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Jfiale32.exe
        
        C:\Windows\system32\Jfiale32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Kjifhc32.exe
        
        C:\Windows\system32\Kjifhc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Kfbcbd32.exe
        
        C:\Windows\system32\Kfbcbd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ljibgg32.exe
        
        C:\Windows\system32\Ljibgg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        36⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 140
        37⤵
        Program crash
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfdjhndl.exe

Filesize
377KB

MD5
b81980720dd6cbdcf1d99f4ff5c8c9c9

SHA1
e55ad1f09021d2dcbdf70ed15d5bdce8374c97c2

SHA256
d76e007b76e6bda2160ea703fcac833be247c55cbbc4826a28cf8843b730e1b6

SHA512
75a7fb73d53688860d18c6785e32dbb269b0efdbf5d08f061c9af9304cd11b9d07a8b4a05e2a8210c97bcee9babbf23a3d6cb186eaa1c3c360375b09231e97ee

Download Submit
C:\Windows\SysWOW64\Djmicm32.exe

Filesize
377KB

MD5
e08824dedb9b36ae1c3a465fea2c4373

SHA1
c5c80dbf59968d870bcf17d10b6950c764bc805c

SHA256
df6ae80fb7888ed59b32dd9826819c617cdb771dfa46b326c3edc0e6fdbfa86f

SHA512
17d6705ae5f0066b23f8a126abc1d1709d3d1d5ac6b798402f2c01445b3e6d4aecaf5e4732f973c93bfec9adca86dce36bd2f9a1dfb693b9ad9713970f5ac450

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
377KB

MD5
8a67bbe77280d2788e7990263861be9e

SHA1
ce9b500e2281948edcfc6ea912fc76985ce29312

SHA256
882c8246425e02a2e18ddd8d620bf754d31a3d78da8511add5b0da9d9a2462ec

SHA512
27817c9df8abef7dd6784ef86e2e84151f34713b25d34822bff871f44e82c5a2cb67cf016190c4b5e82d8aac361c19e64e23af353a8ecb0d76b574bc9b4e01dc

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
377KB

MD5
a27d1ab1f86334a230c00bd69c681a5f

SHA1
05f691ae7722461ecdbe094c4a167e498937b883

SHA256
0c7a2fe2aede482576775443d07ee4a1ab6e16a94a3e4fb7942f779bdadc59cb

SHA512
657e6f411137f94d181912711f5b44103da9e3f0a1afc1b97ad890042d58e750ddbe543f02f55795b4ea11f3b7219e4a6f7781ee3296787229f258f7178f1469

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
377KB

MD5
a70eb5fc9ffae66dcf96cf396770dfce

SHA1
fa92c89331957230d6feefde93cc8816ab6ecba0

SHA256
2d4f724565d68edb5b1d76ca47ed1d80710e1872d1031067e5a16a6c976c5433

SHA512
df1572b00ae484edc305abea0b87d2b14a6c0339403735f92c84d59c79856a06c942a37141ec9565e03e6203179d1d47a5c5e13c5bfffd3bf9903fe859b40d77

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
377KB

MD5
30937f036115ef350ff93192d00071df

SHA1
ec74dd069a7e6da0531ea50139607114b9f3f9de

SHA256
833320e20ee2018bab3bced05cb124f62b1961ab1aa356b1f85e846794a617ef

SHA512
1c1e4fb123a08c1ec4fd9b1be6c13585cc42a629b4febca6a5642aade9fc80a57af97d4d36fffe5a8c4d44b24b11e639ecd892b49b03accdba0bde7dafe8b01f

Download Submit
C:\Windows\SysWOW64\Faigdn32.exe

Filesize
377KB

MD5
094285f9ca8a07a90e1732c7afdf0c63

SHA1
afce949a5c2d9bd3133e3a54b54ca498f947f668

SHA256
2aad5d102f2ae25f6bfd07ac4da9a7e3b6ac6b8ebbc975f37c49b9b75ae1a94c

SHA512
1e0e886aec5ffab171cae1b9493102eb29246092d2004683cf7d14f9ac070714732c7b24ddb42af95aafcb888079af67d499902709c1ac7e2785c7cde0c0e41d

Download Submit
C:\Windows\SysWOW64\Iheddndj.exe

Filesize
377KB

MD5
f958cb43ecb9482207995cbaf32ca9d8

SHA1
0f9ac0bcf8a3edc6ce7765fd50802b1dc7bae7db

SHA256
66935ad834108e0b44bda01047c4cdb46aa7595f86c0400808fd7558cd7a243b

SHA512
d712caf419503ee47d0aceea4e86e2731f316a4626af13a2ac36b4e2e6ec3c42e33c542f12a14f4bc1a0f27f38c721c44a0649c50845d9e9a5dd2dcbd958dcc4

Download Submit
C:\Windows\SysWOW64\Jdpndnei.exe

Filesize
377KB

MD5
91b76ddd5dff036a65f0eb16b1b55fd5

SHA1
7058bdd954bb6ce405ffc6614000a96a6bc1056c

SHA256
217dbbd7d80ffe560be0019f383571c983cdd4ebe4c05ad5db5e20f50f61a2a5

SHA512
286035f03b211938c1fc66de0534fb342218c6d36b4bf0fdc996a1da31acca25e112edd19d6acf94dca682d10502ea13133c714431d3b5f64bdf8247df7a70ae

Download Submit
C:\Windows\SysWOW64\Kfbcbd32.exe

Filesize
377KB

MD5
1c28c3509094dbc34c04a548bd747383

SHA1
a54f7544747fb405650a13c052dc0262821ace6c

SHA256
8ce915d8fd9c425db6f1369078cdaf5df2d8721db1780f030ab6f5bd76c7fb33

SHA512
7602f5bdc7787cd37a42f70cc755f26b5a7e211718c4176ba2c4d4c72e4ff3e0b2447483af2904b6bc68de1bdcae654475d5702add38976923c8e4bc67816f47

Download Submit
C:\Windows\SysWOW64\Kjifhc32.exe

Filesize
377KB

MD5
79943f1f194cd8ca63686a30fc31dcbf

SHA1
9a61dc733bad4d9c0db87002bf6b006722d06be8

SHA256
d9a7a4d09b555b568378eb3f3fb396be15bfd2c9a5e3d7e3adc004d96ae7eaeb

SHA512
056d475a7d8ec239f48466365d1b250290502f3fb0032516bf817c272c8f50e0a6adfdd1ab4122de519fd806002b0d1c4acc06fbae9c8b289e71226b1c3d7a85

Download Submit
C:\Windows\SysWOW64\Lanaiahq.exe

Filesize
377KB

MD5
b8edbf31278361fab57e335ad2e0a3ef

SHA1
09587e0d763416b2171d11ef46b4cf2aad064648

SHA256
da2832c13462d0e5c4304a7d5b88bbe749b4429524f066cca3c4df8ca1bd435b

SHA512
f9251666640256f9c28f3ff5ba1ccebdeada7b37b31b5e6ec76745fb1e6c49748404942708103c8d8601cd3f083ea290454bc1f4f788b1b7b858d820620b5533

Download Submit
C:\Windows\SysWOW64\Lccdel32.exe

Filesize
377KB

MD5
a6f96f4674ed71182cc6aba67c071044

SHA1
eacbc915dd3b508a2e96e39afd832bb54663ff32

SHA256
a0d7bb83e80f848b502e485e4669e7726402a89ef4629cfd81836ec2902ea3a4

SHA512
cefa5afe53c10355e0ee36b57a9b5615e9ca8c22ae7be3966fe8a12cd8ae0f4fb31f93eb992223d0fd89808327558e4558ded89104eaaf5a59bfc72a9c6622b0

Download Submit
C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
377KB

MD5
0ebc36507297079c9e28fa0ed55d6b21

SHA1
70ddc8c67fbf9d0b6400b92eabaa0eb01cd92fc9

SHA256
b3c9832f5808ee1be43bee706266f71089eeb3f6e8cd6bb4c6d87fcd68114961

SHA512
a77e26775b2a191223be12596bd27c827b69cff340fc2a2ecd6955711c277825419ea248e1b692c0dc268f5f1fd02cab47f9b82e1c70fe82ec01a12e500b2be4

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
377KB

MD5
019d61092d068028bfdc7b7c3a7b3d86

SHA1
23797d6fba339e138c41779869e16be44b44db91

SHA256
f5113290d24c5aa26318916e688cac22a1d9d231711ddd4d71d7a5c2714d5d59

SHA512
7fdb2a58cbd98b87bd9fa14314c9e147fc5834c1884aa59dbafabff6173b55edd5bdecf8503c06cc289613e83ba689eef62bcf33793635be0517371af597b51d

Download Submit
C:\Windows\SysWOW64\Ljibgg32.exe

Filesize
377KB

MD5
a4d9174a383694e2a33f4bcd134d427f

SHA1
a21e3eb7b9b536ca7e10b579d720250117f842e7

SHA256
2f292d8e472893dfcd240a09a9ba13b54eba79a4184653e816d939b62d9a855a

SHA512
9b7d13d9309197aa79cede2271b9acd931eec5c8a78aa9c248543d026ba90fa6896e52ecb6e3737d28221c799c597e23c0c2bfe904e06e0eaafb953f12226db6

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
377KB

MD5
6b546008ec30937f5baa88583a1e6e56

SHA1
b228342307adf5f3753e101627bb9e0bc16a72bd

SHA256
e973cd5b62d4a882762cc2bc6edc083da5e84d02e3fae13838eadfd773f56b3d

SHA512
b27664dae3ffd21e21cecc13870f250f0f90943b60a2a01c42a905ccc74b4d190c0eaca88eb6dae717ba881a6c0f774d98c2c54ba613c523bc8e7e6870e3b20a

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
377KB

MD5
e17a0f27dbceb2d527280f77fa53e938

SHA1
7df2ab79840516b4385d9e26b96ecd10664ce5de

SHA256
0949a3bf0d3be92ab87b563e914af14e35645e33d54dd93289b0cc54058fd4a9

SHA512
2502a400a8fe5a8394777cdc8e2b64d7ff31a9a90b1a149b8b69baa6ac00fc4156e2cbb8129f51c1ece441d4b37c50b62cf7957e5327226d9554e7e9a417e0df

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
377KB

MD5
25afc965994aa308d212d9d50d2f83c3

SHA1
b7fec06bac3df7fa8abbf3fb667db9044720cd62

SHA256
695cc592438c702fabc41aa8a44e1656c96095a559b63a5f2df854492e21cd9c

SHA512
a6593144a6b4bf51e8135b44b4ce9a3d563e31984b3ef1f3a2d5c725611b99f0bc38cf5627153b36f1971dbc329c37474603754bab26e359230d36ccd8dc017d

Download Submit
C:\Windows\SysWOW64\Mbpgggol.exe

Filesize
377KB

MD5
0d38196b23f3542994fc7eb05e169f6b

SHA1
9506f0f9e04e0c7c66034a61c2ef40fbec7f9f1f

SHA256
e95922759d282785e0482890131df60b34cebee0aa38fcc16a1484b443932831

SHA512
1de167a9e2e8a542aae5d25dcab8f5fe8cdab0f732d449d560d47310d7df0ceae6c5ee5f33ca46b746008b567b1278b7153bb085d7e32454d52ccfb952a9e677

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
377KB

MD5
b8de22ea416fbbe8083c2405304ec8de

SHA1
b3eb1db4f989bc5c0f339e7fd6a0fa8b55c3a1ef

SHA256
6e45b6b5075ef75976e9fbe2de6e058fe89cab981616334fe4e12f8e656dab4b

SHA512
364dc593a20fa854da268cefc5aede82344f0b168f1c0ee5641c6a2ec92f788b3ad914a08ff106b3e6572c08cb57bfd84e7ea8b247730d1ac230c39c180c5ade

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
377KB

MD5
2ba0239f4cc48e95c00b8151aeae070c

SHA1
994bad3ab932dd95e3fc7109944671a0965878ad

SHA256
41dab1145297bf3d03a47318846a0511942ae6d6154f42cee489d2cc696596db

SHA512
c9b51f4706f166276642c9dbc3cb0d9cfed379bc793eab1620046eb35734cf50f970c44e79d1cab581d3dab163b458f0a8a7b6d20a3c99b57161bb027684f198

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
377KB

MD5
6e313dbda59257d96ecf411dc8c553df

SHA1
24edda49c9670cb9dfea87608ff13f5ab749d808

SHA256
ec12e526f91b53edf69652b2f0743cf0098a310719e46e04aa6c8f6ab277895a

SHA512
13a81665d61d5d40094a8d78fd88674672bcbd55cd188264254eec56c2627b7a92615d68a7b7c1de570fab7851b761152af0ffd7beb466e7854794918cd30212

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
377KB

MD5
282995dda1aedc2368283345528e6758

SHA1
1e38b71e2ffaf7e62220142d1db6faec96c6e7b0

SHA256
7c530f4c516de57d2a93858cf14fd69addc92bd07cd9e0a0b0be78efd8bd8f48

SHA512
366eb0bc7b3ae20af9c4dc9728635866e94ccd33cff3f655e366232b7a55e2e69707800ed8807e0587aff8482f501173e6def26c00fb160a9d64632c4ef66a72

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
377KB

MD5
7cc491840214ec5f82095d0931cec66d

SHA1
e5392e05f1e8e99df4a9a19ef28186203d766162

SHA256
ad4758368c103a2927f8c9b6f4f20a97341f1ecbab4887a2cc7b67ed163cde55

SHA512
aef3a4f845e9e71167e148006c7ac111f539bf8f66bab5f158d91a3d166b3316756c1598141a293f73222c8a8e90d931838de02e2d1b741cce3f5e8e8484f22b

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
377KB

MD5
672b81b7944e3bf525a80b898082d6df

SHA1
32048c49c7c4b16a6877192f355e0abafe230de5

SHA256
c842a9f0bc05e7f6f544f9d818df8d38ccee2d060a31ae82578d3a59ac431ea9

SHA512
5cbc408d7d936aded90eba7ed01dd327e887a3eefeb1f4ee3a69a50051b717d00c6fa26eb66e4b6d1ef48d97a09e517402b64a517ed2e975a1a7e9824c6fac2d

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
377KB

MD5
7e0cd5cee71f89b50dc3d1e25e1c4571

SHA1
de28c45543b4d1b1e1cfedf90455f2f70eeb9d8f

SHA256
063b3334712717d8ece060d58782b1604cbafae5c09adbc5f13c3f5539fefc9e

SHA512
7ed4709777bbc256af4a1ea92d8a15b8596f4bbe48855d01dc98d935e1098d088a8ecca38400d2bc56ff684288d29ee03c3e6d34c82122ac104c586f8e202509

Download Submit
\Windows\SysWOW64\Ffhpbacb.exe

Filesize
377KB

MD5
e2847b52a1f4d58eb9eec964a84d4444

SHA1
b39b71ecbfd113c622c729660c8f153fdd681923

SHA256
12978f6f88a64de2a4abd04988e4b026b88ffb5a72c6c3fc55b790309ba5dfd9

SHA512
adb13fc6dd4257356aec1685f831ad0e8b19aed630a19462979402168d73a5a7efe870014f8f2067300e752fd9570e7dc1fc7a436e7ec78f539f08d74b30abed

Download Submit
\Windows\SysWOW64\Gbaileio.exe

Filesize
377KB

MD5
86b1503379aefc44eee46a172503ca57

SHA1
e17abcbc46f89b8ef87aafa97bb794cb5d68d203

SHA256
b3fc2cfac4bd00fd77adaca15e14d772821a2af69ffb8ec90f128e0daff1ae28

SHA512
524d708b08a419720c34491f251aa8eaa9c223a4716820ffe2e8923a09c714060992ff95279829f0170df7952806b69d95e45b10a0f7d31ae69235fda3756925

Download Submit
\Windows\SysWOW64\Gpncej32.exe

Filesize
377KB

MD5
d0f4d727b47defd972f8592f9b92d593

SHA1
2e0f09277df3b450cf66243de41caf788633c4dd

SHA256
8318a2b8c9b4b58c5000e983e215c2f56e7c4f61636eb6ac2bb95c4db2c6f4e3

SHA512
5d1cfbe0fdcd8082046a8adb9b3f02c2fa7a0dd9c8be37d13381479c1fec49feb01ac65049df9f23550a48c13b19267e9728f8dae1d16ae3e84578a38a51e0e3

Download Submit
\Windows\SysWOW64\Haiccald.exe

Filesize
377KB

MD5
b2e4cdf47565ab3ec16dc9288a04cab9

SHA1
2fe543c861f22b8fb96fa170c85dbe99b5549ca4

SHA256
77c03ad45165add212f8c27a26bc0435a9a5ad0fd347da2de60efbcb0c4c61fd

SHA512
b5109eb21361850db322424ae24201b09fab55a32ece0c97c6520ab00a8bdcae17d57fb0e13a2386acb53f842d22019a065cdd70218237bd0ac5a454a8cab064

Download Submit
\Windows\SysWOW64\Hapicp32.exe

Filesize
377KB

MD5
72b94e521cd65e5d3c0628c6682260ce

SHA1
2a2ddaf4558d7f41f59825dff1382c920e1cc691

SHA256
a8ca6f8125409c9fd380c110ef0f3196ac04debe1366c6486f3b3513ee857c7d

SHA512
10e92f515596df23cd530aad912188438b9ee3967bae7b8f38c2c6c5b76d2dcb9ed5caca68fb8a5c7e2fb92852994391ecfe3225f4bb0e346492e94b99e8cbe8

Download Submit
\Windows\SysWOW64\Idcokkak.exe

Filesize
377KB

MD5
83da41eaa17754482404bbe9ae894604

SHA1
fc8ca1762fe2dd4108afb025de142c21e3ce6bed

SHA256
fce42f98c7c34925b3359d4e228c4471f90f2e3b39ca6175cbf35f848ae9d7bc

SHA512
85337d15b4b5f5170e830345723505e390d206292d426a14567a3cb0f6767ed18654d36e13b1788132bab4ef621e9d57a4c9898c5e2207041302032bfbeea79e

Download Submit
\Windows\SysWOW64\Jfiale32.exe

Filesize
377KB

MD5
0c4f6e3e33606d78f458a13b74f13b81

SHA1
4323c3c77a141b005575c1ff112bf1b65f60890d

SHA256
655affeb1edd16d18279f74a586a33fe8a5e8101355ef24326f222364b15dafd

SHA512
d6883f6364cf281921248ec2fba00943b7127240259a9356efa7f706c10d85b3f97e55ff1affb26677cede58e67e01c6e67c0043a23d08f764f33fbd7b2ae8f5

Download Submit
memory/364-409-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/432-399-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/480-165-0x0000000000490000-0x000000000051A000-memory.dmp

Filesize
552KB

Download
memory/480-160-0x0000000000490000-0x000000000051A000-memory.dmp

Filesize
552KB

Download
memory/480-151-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/480-383-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/612-389-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/636-411-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/804-403-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/812-149-0x0000000000220000-0x00000000002AA000-memory.dmp

Filesize
552KB

Download
memory/812-381-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/812-150-0x0000000000220000-0x00000000002AA000-memory.dmp

Filesize
552KB

Download
memory/812-135-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/852-417-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1092-166-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1092-181-0x00000000002B0000-0x000000000033A000-memory.dmp

Filesize
552KB

Download
memory/1092-169-0x00000000002B0000-0x000000000033A000-memory.dmp

Filesize
552KB

Download
memory/1092-385-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1124-401-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1244-416-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1252-395-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1596-425-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1612-407-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1708-406-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1812-424-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1960-419-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2040-429-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2088-393-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2268-397-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2316-26-0x00000000002E0000-0x000000000036A000-memory.dmp

Filesize
552KB

Download
memory/2316-24-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2316-364-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2344-375-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2416-373-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2416-88-0x0000000000220000-0x00000000002AA000-memory.dmp

Filesize
552KB

Download
memory/2504-39-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2504-367-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2508-365-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2512-432-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2516-430-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-64-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-371-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2552-116-0x0000000000320000-0x00000000003AA000-memory.dmp

Filesize
552KB

Download
memory/2552-113-0x0000000000320000-0x00000000003AA000-memory.dmp

Filesize
552KB

Download
memory/2552-377-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-387-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-190-0x0000000000220000-0x00000000002AA000-memory.dmp

Filesize
552KB

Download
memory/2700-180-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-195-0x0000000000220000-0x00000000002AA000-memory.dmp

Filesize
552KB

Download
memory/2744-121-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2744-379-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2744-128-0x0000000001C20000-0x0000000001CAA000-memory.dmp

Filesize
552KB

Download
memory/2744-142-0x0000000001C20000-0x0000000001CAA000-memory.dmp

Filesize
552KB

Download
memory/2748-391-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2804-413-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2860-6-0x0000000000220000-0x00000000002AA000-memory.dmp

Filesize
552KB

Download
memory/2860-361-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2860-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2988-369-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads