7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Size

112KB
MD5

e4112f02a5f4ae4d32d75ba57f0c664d
SHA1

47cd93ae7bc849d52f0d989ac4191fe25fee92a3
SHA256

7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11
SHA512

f60b0a4806fc56f6bcf2b9d31378f5764da8215e6d73e412116c9a6ce858984eff7b0aad716229a93b6797118891a3ed8b8a01fcc39a5c3b0216c9b44f23b343
SSDEEP

3072:cE03BIbGOJTfAWeSR7zk3nEb8l09FeJLCQnFIBOaCUjKaVLjd:cE03BdMYqRr8l09FeJLbnCBbC+nVLjd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe

Executes dropped EXE 48 IoCs

pid	Process
2932	Ffpmnf32.exe
2676	Fddmgjpo.exe
2572	Fbgmbg32.exe
2548	Feeiob32.exe
2444	Fmlapp32.exe
3012	Gonnhhln.exe
1724	Gfefiemq.exe
1544	Gicbeald.exe
1432	Gpmjak32.exe
2320	Gopkmhjk.exe
468	Gangic32.exe
604	Gieojq32.exe
948	Gkgkbipp.exe
1372	Gbnccfpb.exe
2708	Gdopkn32.exe
2760	Ghkllmoi.exe
560	Goddhg32.exe
640	Gacpdbej.exe
2292	Ghmiam32.exe
1568	Ggpimica.exe
860	Gmjaic32.exe
1628	Gaemjbcg.exe
312	Ghoegl32.exe
704	Ghoegl32.exe
916	Hknach32.exe
3000	Hiqbndpb.exe
1440	Hahjpbad.exe
2028	Hdfflm32.exe
2648	Hnojdcfi.exe
2556	Hggomh32.exe
2936	Hiekid32.exe
2652	Hnagjbdf.exe
3068	Hobcak32.exe
2660	Hobcak32.exe
2412	Hgilchkf.exe
1368	Hellne32.exe
2828	Hlfdkoin.exe
1916	Hacmcfge.exe
1652	Henidd32.exe
776	Hhmepp32.exe
1920	Hkkalk32.exe
808	Hogmmjfo.exe
984	Iaeiieeb.exe
3064	Idceea32.exe
2704	Ihoafpmp.exe
2372	Iknnbklc.exe
2396	Inljnfkg.exe
308	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2872	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
2872	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
2932	Ffpmnf32.exe
2932	Ffpmnf32.exe
2676	Fddmgjpo.exe
2676	Fddmgjpo.exe
2572	Fbgmbg32.exe
2572	Fbgmbg32.exe
2548	Feeiob32.exe
2548	Feeiob32.exe
2444	Fmlapp32.exe
2444	Fmlapp32.exe
3012	Gonnhhln.exe
3012	Gonnhhln.exe
1724	Gfefiemq.exe
1724	Gfefiemq.exe
1544	Gicbeald.exe
1544	Gicbeald.exe
1432	Gpmjak32.exe
1432	Gpmjak32.exe
2320	Gopkmhjk.exe
2320	Gopkmhjk.exe
468	Gangic32.exe
468	Gangic32.exe
604	Gieojq32.exe
604	Gieojq32.exe
948	Gkgkbipp.exe
948	Gkgkbipp.exe
1372	Gbnccfpb.exe
1372	Gbnccfpb.exe
2708	Gdopkn32.exe
2708	Gdopkn32.exe
2760	Ghkllmoi.exe
2760	Ghkllmoi.exe
560	Goddhg32.exe
560	Goddhg32.exe
640	Gacpdbej.exe
640	Gacpdbej.exe
2292	Ghmiam32.exe
2292	Ghmiam32.exe
1568	Ggpimica.exe
1568	Ggpimica.exe
860	Gmjaic32.exe
860	Gmjaic32.exe
1628	Gaemjbcg.exe
1628	Gaemjbcg.exe
312	Ghoegl32.exe
312	Ghoegl32.exe
704	Ghoegl32.exe
704	Ghoegl32.exe
916	Hknach32.exe
916	Hknach32.exe
3000	Hiqbndpb.exe
3000	Hiqbndpb.exe
1440	Hahjpbad.exe
1440	Hahjpbad.exe
2028	Hdfflm32.exe
2028	Hdfflm32.exe
2648	Hnojdcfi.exe
2648	Hnojdcfi.exe
2556	Hggomh32.exe
2556	Hggomh32.exe
2936	Hiekid32.exe
2936	Hiekid32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Ffpmnf32.exe	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Gpekfank.dll	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Ffpmnf32.exe	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fddmgjpo.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	308	WerFault.exe	75

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll"	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gicbeald.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2932	2872	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe	28
PID 2872 wrote to memory of 2932	2872	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe	28
PID 2872 wrote to memory of 2932	2872	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe	28
PID 2872 wrote to memory of 2932	2872	7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe	28
PID 2932 wrote to memory of 2676	2932	Ffpmnf32.exe	29
PID 2932 wrote to memory of 2676	2932	Ffpmnf32.exe	29
PID 2932 wrote to memory of 2676	2932	Ffpmnf32.exe	29
PID 2932 wrote to memory of 2676	2932	Ffpmnf32.exe	29
PID 2676 wrote to memory of 2572	2676	Fddmgjpo.exe	30
PID 2676 wrote to memory of 2572	2676	Fddmgjpo.exe	30
PID 2676 wrote to memory of 2572	2676	Fddmgjpo.exe	30
PID 2676 wrote to memory of 2572	2676	Fddmgjpo.exe	30
PID 2572 wrote to memory of 2548	2572	Fbgmbg32.exe	31
PID 2572 wrote to memory of 2548	2572	Fbgmbg32.exe	31
PID 2572 wrote to memory of 2548	2572	Fbgmbg32.exe	31
PID 2572 wrote to memory of 2548	2572	Fbgmbg32.exe	31
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2444 wrote to memory of 3012	2444	Fmlapp32.exe	33
PID 2444 wrote to memory of 3012	2444	Fmlapp32.exe	33
PID 2444 wrote to memory of 3012	2444	Fmlapp32.exe	33
PID 2444 wrote to memory of 3012	2444	Fmlapp32.exe	33
PID 3012 wrote to memory of 1724	3012	Gonnhhln.exe	34
PID 3012 wrote to memory of 1724	3012	Gonnhhln.exe	34
PID 3012 wrote to memory of 1724	3012	Gonnhhln.exe	34
PID 3012 wrote to memory of 1724	3012	Gonnhhln.exe	34
PID 1724 wrote to memory of 1544	1724	Gfefiemq.exe	35
PID 1724 wrote to memory of 1544	1724	Gfefiemq.exe	35
PID 1724 wrote to memory of 1544	1724	Gfefiemq.exe	35
PID 1724 wrote to memory of 1544	1724	Gfefiemq.exe	35
PID 1544 wrote to memory of 1432	1544	Gicbeald.exe	36
PID 1544 wrote to memory of 1432	1544	Gicbeald.exe	36
PID 1544 wrote to memory of 1432	1544	Gicbeald.exe	36
PID 1544 wrote to memory of 1432	1544	Gicbeald.exe	36
PID 1432 wrote to memory of 2320	1432	Gpmjak32.exe	37
PID 1432 wrote to memory of 2320	1432	Gpmjak32.exe	37
PID 1432 wrote to memory of 2320	1432	Gpmjak32.exe	37
PID 1432 wrote to memory of 2320	1432	Gpmjak32.exe	37
PID 2320 wrote to memory of 468	2320	Gopkmhjk.exe	38
PID 2320 wrote to memory of 468	2320	Gopkmhjk.exe	38
PID 2320 wrote to memory of 468	2320	Gopkmhjk.exe	38
PID 2320 wrote to memory of 468	2320	Gopkmhjk.exe	38
PID 468 wrote to memory of 604	468	Gangic32.exe	39
PID 468 wrote to memory of 604	468	Gangic32.exe	39
PID 468 wrote to memory of 604	468	Gangic32.exe	39
PID 468 wrote to memory of 604	468	Gangic32.exe	39
PID 604 wrote to memory of 948	604	Gieojq32.exe	40
PID 604 wrote to memory of 948	604	Gieojq32.exe	40
PID 604 wrote to memory of 948	604	Gieojq32.exe	40
PID 604 wrote to memory of 948	604	Gieojq32.exe	40
PID 948 wrote to memory of 1372	948	Gkgkbipp.exe	41
PID 948 wrote to memory of 1372	948	Gkgkbipp.exe	41
PID 948 wrote to memory of 1372	948	Gkgkbipp.exe	41
PID 948 wrote to memory of 1372	948	Gkgkbipp.exe	41
PID 1372 wrote to memory of 2708	1372	Gbnccfpb.exe	42
PID 1372 wrote to memory of 2708	1372	Gbnccfpb.exe	42
PID 1372 wrote to memory of 2708	1372	Gbnccfpb.exe	42
PID 1372 wrote to memory of 2708	1372	Gbnccfpb.exe	42
PID 2708 wrote to memory of 2760	2708	Gdopkn32.exe	43
PID 2708 wrote to memory of 2760	2708	Gdopkn32.exe	43
PID 2708 wrote to memory of 2760	2708	Gdopkn32.exe	43
PID 2708 wrote to memory of 2760	2708	Gdopkn32.exe	43

C:\Users\Admin\AppData\Local\Temp\7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
"C:\Users\Admin\AppData\Local\Temp\7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\Ffpmnf32.exe
  C:\Windows\system32\Ffpmnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\Fddmgjpo.exe
    C:\Windows\system32\Fddmgjpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Fbgmbg32.exe
      C:\Windows\system32\Fbgmbg32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Inljnfkg.exe
        
        C:\Windows\system32\Inljnfkg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        49⤵
        Executes dropped EXE
        
        PID:308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 140
        50⤵
        Program crash
        
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcqgok32.dll

Filesize
7KB

MD5
e8584d4ba5b0b55412f1fe91b2dae885

SHA1
07bf3d5ebad0d1c8c4614a1101fb519597de022f

SHA256
f5e80332005790b3d9249e84cd81476aeeeba1578ac67e3e1f538436fcfb2dbb

SHA512
ff27d970f0460b38c22e2bade111db283020f8f9e585c263b117fd4f60dc95138a50d2b13255e7f28ce3f1a4810b8451bfec3bd730ab6e3d5f292508ecfed810

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
112KB

MD5
d19b4a21fa3ee4b398d68d20f90347ea

SHA1
b47881d01ec42173a576ae6cd8d41e24ecbceaf7

SHA256
a745568e9c4a98d7c84727420734cf06bac743f90e02656ed250b2d8dcec41e5

SHA512
0aee7de325153f3e9dcd5a341b7501f92a297ae4e87ca5870c6bd76e2e5952faa13703c7a762eb6ec0cbc92c7634f630f3a721abfd25ec2347d25d9e60650cfa

Download Submit
C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
112KB

MD5
2879118ba1e83d513163889c68d06b7d

SHA1
f192aa9d95e8e8d93fbe22503e3fe956e4a65f1a

SHA256
04fda4e77c86258e1dd7ed1c001f16737079a286803567aab40f56defb537441

SHA512
eeb294146b69ffbb60b68901445042cd2f785ccdf9926c2732dfbdcb12f08fbc12d3ea77e06a954267c24d7b6173783baaffacaaebddf1bcdf9756b2255a861c

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
112KB

MD5
f74094f2d4bcc7b929f057d30f2fe5fc

SHA1
ae305c71e96f40538a8e27558215afea2268515e

SHA256
37dc33b0b4b05853f4b37500ed86f3309c5f993002bfff49baaa370aa3ede95c

SHA512
ad6b3d0530caebf8937a606a418164e03660884a113050fdb493cb47cd119fabf2566afd820927f68d14d7ecf4ebcccf9b92c8297a05f9b52c6519ece7431496

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
112KB

MD5
392dc5ce32cdead97e8e7a8a001dfebd

SHA1
bf0357b8d6dc873d9f02ea2e7e05d44f4805408f

SHA256
9ba278bf44b1933601bf0f59c4f15e6bffccb3bac2b520c4a20ddde6a01eee63

SHA512
286346328ec3aaae7dab582e828290c874e751def338a628176688d75faa28da294c132d60504fd1ba556e16e4ec3064b79c5ecc7f97c8ae4f728df0ee9936a8

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
112KB

MD5
9437c443892e6dcaad355197e80373c2

SHA1
50c09a8eff565fee82daafc1b25b27919c755570

SHA256
cc7ef543f93aaa9e0a0b5237442d69e974c2c101cdc10448b2153f0e4852554d

SHA512
785a2b21718579a3f828d5d96e5617e3ef4baedac323193ee8fade0d34d6fe54b3674e3e2270aed53ce32d83b33801d543a6e7951e9bfbbb825bfec87a6f65fb

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
112KB

MD5
4c37aa0a42920ef2967d3af4fdd3564f

SHA1
99afe784f9b83393c702ff663af6025ae340b2af

SHA256
d8b61e616e1effc8e0cc57676a25277efb710932345a97e3f34692c94c3bda7b

SHA512
5fd3bd751d37d507da2660089dd5afabebe68c556d10769f9585aec1211a749740d68c40731e13ad2e4090072dbe3786cd787d8ee2bd65ab60201c869854d649

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
112KB

MD5
723756580ccff79517e405055376643b

SHA1
beb51bcacf3e6a41fb64d71fc167639a889b392f

SHA256
496d5285260719393293451ab4ca5eb92890232f220dcd24f0d887e6d8bdee07

SHA512
99a489eb123732454699999525adc97d3f5d36f14d5182a7a37a655d7a5f5e1704ed327b6891557919a55476a074bd0876c5b40fcacfb6aefd8beb076bdf3a40

Download Submit
C:\Windows\SysWOW64\Ggpimica.exe

Filesize
112KB

MD5
274849a5c6d79777374a6b058096f796

SHA1
25b99322546ca20ae60bd659444c4599ad292711

SHA256
0d558eb1acc2a6c82b296d8d441b04f58ebcf9d44034b13d68cc4a44f7f86e43

SHA512
8642586c286cf9a0dbd0a72a02ac91de88fd494080c4073c6e05e9f07dd0e2fd6d95e680318405bcc7867f15355e57bf488acaf11d93d9c33b3f6e6149c9feba

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
112KB

MD5
7dff4eb41a8fcf8156cc21a6e55665e4

SHA1
699b3302be4d6d215a48b50d1107c2bb0c59f698

SHA256
c5f187e3703500305f68a2636fdd1cf2d16070f8677a97ba7f48a9dba97aadf5

SHA512
f4abe6cc9e9bcfe5dfdb73218f465d6736c953216d615af18cd8f91247e02ac037d874673b43dc9438c8940273cf1c6fcbd211ed4a94a199e751792d5db5657e

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
112KB

MD5
929cce2c1a74f785a725e9ae0837243b

SHA1
e54bd6095f9a993b851ace0908db913a7a8c6073

SHA256
a26f87ebbe9f9aaf99aee8b431d12914d2f881be0c9eb0f109fff60aec14672d

SHA512
de9901ef7ed6d8a088d4f016f7a055e0943da1a5bbe434b8b44b2053e6e56796f69890fd910153caa484ec1d4bdd36453b21226cdd4ad9c970464d53381e62e5

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
112KB

MD5
580e9e9fce6774d629e364135305c74a

SHA1
da325a32fb3e5d2e6896b7eb0a3270cb1115c8db

SHA256
5c09fb07c37aa889db54be741408a45fe72965b0e26730fe7c3dfc0951a94854

SHA512
88ce5f187c25547c655c0fd11bb91172f861ea64479b4e6fd88e443a12b2120c16b18a628df4cc7fea2d8099e67394506ae23a974ca77b078dc215ca1b319406

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
112KB

MD5
ca709e7481bb10e769f667f38b104325

SHA1
33b5369703f3e04afdcbf43224e8b1608b154a05

SHA256
08473fa826e6250d4f79ee1dfe8f9a715475f7ef06dde5a571e7497f25910602

SHA512
86e1f03fdad29a59073d7b64cb168f57609e20bd9f9f400c01e66e627b8d294948a3faf80008b231be073e342c4012b62d734b9f7a80ee0628ef843119073179

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe

Filesize
112KB

MD5
1e309ab8c69812372021c52cf385a739

SHA1
11ef6a1b87476202c23c9be7835b90b02fadc713

SHA256
3afeed9add769f298b0aa5e91bbace213c6c2394cd8aeed77d7310bf3f8b3a21

SHA512
b803e337ee9a05782eb08cd142313946079893880bb5813e06e4f40ed3beaef0b4e2a55904f518dc56f8fee5353c28c9b2ff8f10933ea0b75cfa94efd557f169

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
112KB

MD5
50d1c16af87b77d939b62a395483fd75

SHA1
a5df775d9c84d16af5cc54c73b5c05e9b80e082b

SHA256
11a5eb810b08be29e04055e5ed59f3a30d2c4845c02f1bb41b4131aeb34fce09

SHA512
0404bf506ca8de7058f31fa6334f784b374c6a26652691fcc9ea86963c4b46e1570d3c0a85855df99ac8508898887ec54156e3c40d82c0289ab02311bf7aac6d

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
112KB

MD5
2767566f60e1adc0d3724764e21b4693

SHA1
c9f3e1627c6de7a117822ec8a6d539214017f581

SHA256
a54c0c9cdd85de3de865c00f14ca6d4deeb24e57e6c848220d4bd2420f8b13e6

SHA512
98e668b2fcfc3ff55f4becbae83b301da548f1a4e30f37dd9afa5922cddb3440e0d60087dabeda8b91ac07c1f9e92f576339e66d9021fbdd1bc4bb0f2423f42b

Download Submit
C:\Windows\SysWOW64\Gopkmhjk.exe

Filesize
112KB

MD5
616268c9afff859977a335f8a18b43ee

SHA1
50ba48e58993695da6991c5d3a5d8cef17903c7b

SHA256
0e5f8b7f39663864141386cbd084ea34d9ea6d32cd4d23b34e6dcbd357693c7b

SHA512
7f18845bb8a783e22a8c348dc437d1e29a87d3297852b17c03f6a71f6cf630b430aeb4ee6092be67e62e007815d44581e89d94c2242a38efecad85438f8a399e

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
112KB

MD5
3fc7c1921f9245b5f3bd4836010cb371

SHA1
9a7c1b85005cff022249faa1390a34643e398df8

SHA256
e22327bfecf39281bf2de0e7891164760beef699c934c2eca21eeca87fa95fd5

SHA512
f6600470137dc69081c345393c51df0bd2e7328e3e9ebe37d0fe5798074cc5537354257becfc30e567b1c79106751eab0a4cf756564887c055c515ffdfe387ed

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
112KB

MD5
b87980ec27804d987670e52ea341cddf

SHA1
8b06b7cab40cb4ab3bc1f8064238123bbf0ce705

SHA256
0e834f33f6fa00406eb9767d073d24c83201c467daadc70edefffff631c1d8f7

SHA512
65764ace8a16a0a25fa0115df0ce33a1bd2dad59e59f3fb71fc3539e2832221a7a2dbb3b352196b3bba1ed524c64d963fb4a84e880083d744367c3155f45e172

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
112KB

MD5
a79b6cc0c415bef3ad38815b45635e99

SHA1
0b645bf8e2e2247acf6cc30a9f94fcd258afb40c

SHA256
b38f9e933d52ede25614eecd2e611880a0549dd7f2eacf7d86f6278d12546113

SHA512
00023a43b53c35c3aa07427127f200852444d5a030a8d9f00524edb7f2590499f5a811162ad0b0aeb915c69dc4a64e9b238325b94228f05a83da9f86c4bec7d2

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
112KB

MD5
096471ff9fb201e5db0ea23a8e233518

SHA1
5cc6389eee8f06f44e8caaf4f78da7ac781430c2

SHA256
7ecfa0ddbfdc47edf6a77378b9de79903613160fdd52137299193717d86ab147

SHA512
4faba8e26b302388c86eed44fa83afa3c62933be8ecbfb8873d0dc9f778597ae61862b440ca4ba5d6dd871ea600602f1baec576ea2528bb07ee8c3dd0007246a

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
112KB

MD5
2287d6e22c84fbd0f21c846ff6062b1c

SHA1
536075dbfb9889984f206cf605019ed3a641cbd5

SHA256
44a44e986984a51733532011e5805d59def8db889cf10aa4fd26060940a6cdd4

SHA512
2c5383a8ada9910b80ee67f4bb20bf8d46b838c42c019b7abd0014972192d066206a983e443d32a40bd698f7fd416ec08e954d4af3cd3e6b697834acb9f5c06a

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
112KB

MD5
102436844e6acaa99442f3cdecae7170

SHA1
8a81bb304672a9bd0e0b5d9db3b97b5b3485ec83

SHA256
0613a54c8c5beabdf2c2d6995901f16766ab4b95d8a0c3a0c00efeffcde54fc7

SHA512
3e1ff82f6560e3adbf34b31c9e3db7afa6c3eb7e692942a235afb1924ae638c8ba0b1df1e50c1edff3482ca89e4bfc68058e229fc7537e684fa9727310650891

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
112KB

MD5
4339073e577b9b02af227f5c336a17e1

SHA1
6fc1f4ffa481d624fb5f4e2dfe561cda805ceb7a

SHA256
c4cb8955f96ccf1883a6e2dd7f14a9e1851262d6dd76c9ed1193c2d9a613f0b9

SHA512
00eb4d5297696f4de8da30ac17f290769cd0114bca958acc8ad165789985a2de5a7bedb823d0c94eacc86e5bc1d50e95c9f3351f766c0cb4eac5e2e67c18cd8f

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
112KB

MD5
37467f9c19105f0d0a793776429cabd8

SHA1
d43b8b084419b1fdb62d8a4f2cf03306802cdb0c

SHA256
298f121a497e9419e6ce84c9de369fe93e5ac55a7f9ab48d39c711f63b39ad99

SHA512
4ee73f7e0127df8b9c8a41516542d2933770525e6c472905cac56674d750eceb168d51f5ff0cdd2339ef26f3af13cc208ba7cbfb0e1a7713c4d751122f95aad0

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
112KB

MD5
b178b7e4454185168488149c3ac77d5e

SHA1
8829df80f306c27bbd49c04bd0ddb9ef666a2ff4

SHA256
60b03f499b78d76466018433c77825bea13ef099aada26d815e1187d4ee49b49

SHA512
96283dc971d3389aec3b90f43754f00197602d5559ac70cb65e8a20a04df617c100c844c8af8cba5a012baa6bd122dc6fd20f25cd58852ba88d1baf7a0bd50e0

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
112KB

MD5
82a69a70325be9440079f8749c78dc9a

SHA1
27aaad5f4c0d177622ae7cd17da32c697a94066d

SHA256
95fd1f367815e06c300ccd5f9918a326c0484b7632f214bd08e0a3ba4eed3cee

SHA512
d735544100500915e4567ab624905474ca2d2f16be7200034348b73fe09268cfa72d5440d6d2f420d287687796f81dfce1f1cf82bc69588bde0972083a026263

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
112KB

MD5
fd37efa08a6c40ba394bc024cf936c8d

SHA1
a7cb9559ecd7f59276969da9cd27681df05d16c6

SHA256
ff40711243b9ccfdee0252c83bdd2cf0c727234327a1c8e37baaa14211c7e26f

SHA512
78878860b527a9231335bfc7f968f0e11bf7c5880534d9526725ad74acd491f1005a12c3a464d34d01462838c4fd0818ad42b8f772986de1d15325c04a06e07f

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
112KB

MD5
75fa94d9d9cddcd29a95ce90c89e2cd6

SHA1
45e58ef44d6ef2e53ad80c6e5add355f4a2d4a65

SHA256
e68048bb229e47469895c27c82dc7156b35ab625f6359278e0ebb45c410b2279

SHA512
b825836a313271df1c99132072495e6c790abd24b5967273d64cd6e4329446014b532fe418a734f0267f6f0909e4150a82a8363e60da8316b09b12ec2bce3acc

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
112KB

MD5
ceb87a9d6cd84494435fe114afeff305

SHA1
c76a63e926b8bb3be79277dcaa85b5c3f2307660

SHA256
2e26f76dfac85b59364d510293df654f6d9999ac8eb86b36c86968e144888ce7

SHA512
ff1922562a03e1b6845c010aa4dc9657e01ae13fc57831bbeb6e381cd5e5ecc9a5f9c47c9a836be1e16538e8b5f4fb113849c31fa02a2bbc422097aa664aa04c

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
112KB

MD5
0fc3592ad37f692cdcbad6adb4bd5fb1

SHA1
0d169e33461e5179b3a78bbc53492ed72bb5ab00

SHA256
45d3f2335d6bc2431ced458732853ce3a4329e4156b774577259af49e811308f

SHA512
b90d0d4ea3bf076484e33055f6772d90e91d26f67c90d8f9182b8956da85051d6da74e10432509c4c6bf1c161d658027006367c20b1e71ebc47ec1e507a5cf4a

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
112KB

MD5
ddc17971a7550be6ae7f7517f9ba4bff

SHA1
6794d1ceb2839c38fdd0186eb4cf1f779c9ab635

SHA256
c266701622265389cef7ac8fe752ed6fe10fb1480bb8720ecb46dc394d158bf4

SHA512
dd6480557abe6ffa27f5523b5459c5c650385a66422d7c15e50493cc882c2d492ebc169f152351d9f1794921f2182aa4b770b88ddfc5650f6d443cc9f0879687

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
112KB

MD5
23c156591d2dd7ccb0c3285b3bf37976

SHA1
a335698feba665acb7247ada379dd749b22ec946

SHA256
289dd4f3908647cf88083a6f5329fb24512a1254415e8c1f791757b64d11a0e2

SHA512
ce1097f4813ef35df9aeaec701cf2f25c1d41baeff662b84c51a486732cd8ce9167503795bbb204d27a3dc726a7a783f47dd98cac0bd6e7d017adf28d13c7b7c

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
112KB

MD5
3e73b995adb6d5813269626a610188f7

SHA1
3a8ac5265b458d0f9dd666261bd5f519a6351010

SHA256
9f53ed68a76beefc8b2d0e01c9567a63e2cdaaa41110f9ed2cac446bd3b754d9

SHA512
8eb9c0829566edc533f31e5749efedaf85c65c4e9c3316ad1ed7ea8876a514609d49d9d51a9fd94940fc54a7701db572e96f6ea5a2601356c5df5ffa1e8b103f

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
112KB

MD5
dae4e409b143251bb5aeba4491ccd1a2

SHA1
e47ebb8a6d0413089f85f7c9341649cdf878ef80

SHA256
2cc9642f7a8cc82f32c7240db8b5268fac5186ae938277ed074863076241be80

SHA512
4a331f420433aeacdfc3dd0f1697645a5216bc68bba49c648862f78c1b9b8125cd9f75ebd581c3f0b79a743d3a7e095d6eee19ecb2fcd1487413aa77bc95aa12

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
112KB

MD5
347e246ec725d6390303d9fe72ce76a3

SHA1
a9feccff5ef1fa7b2b00f6d2c8bf6e13b7883421

SHA256
2d8ccb319900218f65cfebeea3b7a7ad6152c5bc5310390490f5c3646632a6f0

SHA512
00ede531ef430c53ad8f45b0bd579bbe4219396ffb164264df64c4ae86a24ccb56e3c65a9b6ff04213a946a11fd26154c1262a98e9bc8b4dea5032338acab6d8

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
112KB

MD5
db8fa3ad52dfceeae3c09c208915d8da

SHA1
afe3d119d1cecb11f7db0f0a636c35627cf31618

SHA256
a0050f17b980e86f0163d217671ceff57f246b4a24f7c44ac810c6f1a923101a

SHA512
b3aa86709d953f4e3c35f9556a18a27211ffb42cba7841972168dc1acafa0c9ba3e8e7da61e72e0f942627671b6f4cc2c3065926a358e8951bb6b56554b8c433

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
112KB

MD5
4bab09914cb16acdf62c1f5b94629c47

SHA1
456008bd1418866dbbffdf21542d23160b6b3b47

SHA256
c7e80b706e6ce601b61a9d2c4f433d8db73502ea558e9e2e5705f81b648da69f

SHA512
8fa352ab505533d41531544ef597ce9f6a694b102b2bc8af3913cb140e8389add92ee336421de68a2f5143c3eecef5633d50b163d68ea8ecacace07e1df95fc4

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
112KB

MD5
98212d80e9992fcc3632d19e8e328daa

SHA1
2873355ddfd88c04d3861336be720d8b9509f511

SHA256
0b95c3289f069d0df74ec2341f1bfabd5261001a863fe4470d152344e0990a7c

SHA512
69ae3e3cee88fd574c8a41a44dad52a51721f7bfc909ae835eeebd8d9294f03e38b0fa36d32e7cb8cb7ebf2f7697c25ecc5f13cf757c02c1ad3d000092e46156

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
112KB

MD5
1ad853feb2870761305932c5d155ae52

SHA1
5a7d48ab2fd01fe9c8b04a03a6d56adfd8536906

SHA256
78901ac305a01dde5e61ae2fc0004e7f6a6464770abd604075dd3f35f74b5acb

SHA512
1af00c0af3c84b2bd22185807980265112afb6faf4c4cd5bfc31583719639d9d0e02fbc2fbd839c778fc12d98782e7caa737a5e8f292350fa31e2727490760b5

Download Submit
\Windows\SysWOW64\Ffpmnf32.exe

Filesize
112KB

MD5
8d90e29166a0b79d04b1a0c1a04f1207

SHA1
465358f996ef33e33de6a40d08ef5ca9298d38ad

SHA256
f100b6fa2d0ed4d8c4e41972594f227ff30c6cf08f9c20067888d4b3c14bc008

SHA512
abb32b24592fce952997262f3d2e7acfe21ef9175b864487259832643e4fd39c1c55bd0bc7aed32a06fa45b83851f374baa689379151a0f65635a8bb8675de1d

Download Submit
\Windows\SysWOW64\Fmlapp32.exe

Filesize
112KB

MD5
4e02ffc6d9523e3d863856e81a9b4bb4

SHA1
9772e98c7bf746fd66b3df4b46f32bee59a80a6c

SHA256
db260d37942e902530a319a38bd5eed0c1f25b68c9004970e59fe1979aaf9e34

SHA512
9f1a0e18ee217dc72ba8b502af0ab49ecc31d8f090db6e31966775a5388336808e0fd973385127cb3cbe05be8046bddd1f27cf7545dd5e6493ffdf9e0b741312

Download Submit
\Windows\SysWOW64\Gdopkn32.exe

Filesize
112KB

MD5
4000c7b2afa46afc20fcf6ce091eb030

SHA1
acd77505d94199729df1852d82c3eb78152d8121

SHA256
a93a2e6a7b9375e7e0024dd395cae670f49678f0f035a9d29a1710fd95b03466

SHA512
026ee660db97ef528bd2de0924648d22e600ee340f7502d246e526536f1b7cea3db2a7fea44fcf3af48c18067a7e39e2fc7a78fa58ef2bf31189d042dbca45bd

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
112KB

MD5
63a7fd2ac4edb1d0e7f5ca006bcec538

SHA1
df9c9c9b602c5aa9575aebe204dc76c8be559551

SHA256
4046f6c2060021b1060a0f35380afacf2fd73feb052a778dac97bf60331c298b

SHA512
cd8509576b4d3a9f4d8c6e61fb8f118692ee5a7ef594512ff47b1c03dbe15a0ff60ad2fe4a41335c58e2d72833da80bb3c6698cff6108b3bd077517b366bf654

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
112KB

MD5
76c641908dbdea79f94dbc063be352cc

SHA1
52300204401fc23f530f67426d6ad97a7bfebb21

SHA256
ec3df5110540114a04e8ac6b5f93c99c2736efa662c5186faf8dfa95c0740795

SHA512
a00884971251f68d2aa3c62d079616623f23f876b8f2dbd338c34bcdab0e901c820c72accfd734f44f5da390405ca0079316a967443c5e29de0eb7f9b4198a95

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
112KB

MD5
9ec8d3dcc85702b04b19b2ff193877a0

SHA1
2a2c8c4f9c35992c938f753ff2201fe51c3bbe37

SHA256
00de23ef1b1e23673944b4c0f3f81b68cefba9d1cd5e6c186953323907c970ca

SHA512
8149b345fc0ef3255a91a314bee3d66e5fc09a4f1c0cd2d66996ec1ec704c41398e21dbf704af513d6cd1359c19ec7c20304ff779c5c0af7864c6c1329fa72ae

Download Submit
memory/312-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/560-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/604-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/640-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/704-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/808-493-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/808-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-318-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/916-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-327-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/948-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/984-495-0x00000000004B0000-0x00000000004E5000-memory.dmp

Filesize
212KB

Download
memory/984-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-485-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1372-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1440-360-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1440-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-489-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1724-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-491-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1920-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-374-0x00000000006B0000-0x00000000006E5000-memory.dmp

Filesize
212KB

Download
memory/2028-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-263-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2292-246-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2292-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-483-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2444-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-393-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2556-384-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2572-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-379-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2652-412-0x0000000001FA0000-0x0000000001FD5000-memory.dmp

Filesize
212KB

Download
memory/2660-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-481-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2676-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-487-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2872-12-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2872-6-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2872-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-402-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2936-407-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/3000-345-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/3000-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-497-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/3068-434-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/3068-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-451-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads