00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Size

207KB
MD5

d0f8d7fb5c42939b65e620afe322e925
SHA1

d3537ffc6ee7a886deae304e2feb578b90157d63
SHA256

00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4
SHA512

4f4aaa503a23a89bfb67294a91c64e376178524a76fa24f5430ed8f2b176b73082da858b0dae6101e2f1bbf866d79e94623f7fd79ed09cba4450b741b1a71caa
SSDEEP

3072:MN7RBftwD9mlQtDn20++VjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:u/ft69mlyC+Vjj+VPj92d62ASOwj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgaqgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebedndfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djbiicon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgaqgh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djefobmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djefobmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebedndfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djbiicon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmafennb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqcoc32.exe

UPX dump on OEP (original entry point) 33 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122b8-5.dat	UPX
behavioral1/files/0x002f00000001566b-25.dat	UPX
behavioral1/files/0x0007000000015ce1-30.dat	UPX
behavioral1/files/0x0007000000015d07-43.dat	UPX
behavioral1/files/0x00060000000161e7-56.dat	UPX
behavioral1/files/0x00060000000164b2-69.dat	UPX
behavioral1/files/0x000600000001661c-82.dat	UPX
behavioral1/files/0x0006000000016a9a-101.dat	UPX
behavioral1/files/0x0006000000016c63-107.dat	UPX
behavioral1/files/0x0006000000016cb7-123.dat	UPX
behavioral1/files/0x002f00000001567f-132.dat	UPX
behavioral1/files/0x0006000000016d1e-145.dat	UPX
behavioral1/files/0x0006000000016d3a-157.dat	UPX
behavioral1/files/0x0006000000016d90-170.dat	UPX
behavioral1/files/0x0006000000016dbb-186.dat	UPX
behavioral1/memory/3040-198-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral1/files/0x0006000000016e94-199.dat	UPX
behavioral1/files/0x0006000000017052-213.dat	UPX
behavioral1/files/0x00060000000173d8-225.dat	UPX
behavioral1/files/0x0006000000017456-234.dat	UPX
behavioral1/files/0x000600000001747d-245.dat	UPX
behavioral1/files/0x0006000000017556-254.dat	UPX
behavioral1/files/0x000500000001866b-266.dat	UPX
behavioral1/files/0x0005000000018778-276.dat	UPX
behavioral1/files/0x0006000000018c1a-287.dat	UPX
behavioral1/files/0x0006000000019021-297.dat	UPX
behavioral1/files/0x00050000000191a7-308.dat	UPX
behavioral1/files/0x00050000000191ed-319.dat	UPX
behavioral1/files/0x000500000001922e-329.dat	UPX
behavioral1/files/0x0005000000019241-339.dat	UPX
behavioral1/files/0x000500000001924d-350.dat	UPX
behavioral1/files/0x00050000000192ef-361.dat	UPX
behavioral1/files/0x000500000001934f-372.dat	UPX

Executes dropped EXE 32 IoCs

pid	Process
2016	Dgmglh32.exe
2536	Dhmcfkme.exe
2672	Dgaqgh32.exe
2708	Djbiicon.exe
2836	Dmafennb.exe
2440	Djefobmk.exe
2996	Ebbgid32.exe
2828	Emhlfmgj.exe
2952	Ebedndfa.exe
1328	Elmigj32.exe
2412	Ejbfhfaj.exe
2760	Fehjeo32.exe
1516	Fejgko32.exe
488	Fjgoce32.exe
3040	Fjilieka.exe
2420	Fpfdalii.exe
2876	Feeiob32.exe
1680	Gonnhhln.exe
1676	Gbkgnfbd.exe
1272	Gieojq32.exe
1356	Gaqcoc32.exe
1388	Gdopkn32.exe
2056	Ghmiam32.exe
564	Gogangdc.exe
1444	Hmlnoc32.exe
472	Hgdbhi32.exe
2940	Hdhbam32.exe
2404	Hobcak32.exe
1580	Hodpgjha.exe
2668	Henidd32.exe
2712	Ihoafpmp.exe
2288	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2088	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
2088	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
2016	Dgmglh32.exe
2016	Dgmglh32.exe
2536	Dhmcfkme.exe
2536	Dhmcfkme.exe
2672	Dgaqgh32.exe
2672	Dgaqgh32.exe
2708	Djbiicon.exe
2708	Djbiicon.exe
2836	Dmafennb.exe
2836	Dmafennb.exe
2440	Djefobmk.exe
2440	Djefobmk.exe
2996	Ebbgid32.exe
2996	Ebbgid32.exe
2828	Emhlfmgj.exe
2828	Emhlfmgj.exe
2952	Ebedndfa.exe
2952	Ebedndfa.exe
1328	Elmigj32.exe
1328	Elmigj32.exe
2412	Ejbfhfaj.exe
2412	Ejbfhfaj.exe
2760	Fehjeo32.exe
2760	Fehjeo32.exe
1516	Fejgko32.exe
1516	Fejgko32.exe
488	Fjgoce32.exe
488	Fjgoce32.exe
3040	Fjilieka.exe
3040	Fjilieka.exe
2420	Fpfdalii.exe
2420	Fpfdalii.exe
2876	Feeiob32.exe
2876	Feeiob32.exe
1680	Gonnhhln.exe
1680	Gonnhhln.exe
1676	Gbkgnfbd.exe
1676	Gbkgnfbd.exe
1272	Gieojq32.exe
1272	Gieojq32.exe
1356	Gaqcoc32.exe
1356	Gaqcoc32.exe
1388	Gdopkn32.exe
1388	Gdopkn32.exe
2056	Ghmiam32.exe
2056	Ghmiam32.exe
564	Gogangdc.exe
564	Gogangdc.exe
1444	Hmlnoc32.exe
1444	Hmlnoc32.exe
472	Hgdbhi32.exe
472	Hgdbhi32.exe
2940	Hdhbam32.exe
2940	Hdhbam32.exe
2404	Hobcak32.exe
2404	Hobcak32.exe
1580	Hodpgjha.exe
1580	Hodpgjha.exe
2668	Henidd32.exe
2668	Henidd32.exe
2712	Ihoafpmp.exe
2712	Ihoafpmp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Dgmglh32.exe	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
File created	C:\Windows\SysWOW64\Jpbpbqda.dll	Djbiicon.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmcfkme.exe	Dgmglh32.exe
File opened for modification	C:\Windows\SysWOW64\Emhlfmgj.exe	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Emhlfmgj.exe	Ebbgid32.exe
File opened for modification	C:\Windows\SysWOW64\Fejgko32.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Fejgko32.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Fpfdalii.exe	Fjilieka.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Mcbndm32.dll	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
File created	C:\Windows\SysWOW64\Hgmhlp32.dll	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Fpfdalii.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Ebbgid32.exe	Djefobmk.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Ejbfhfaj.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Dhmcfkme.exe	Dgmglh32.exe
File created	C:\Windows\SysWOW64\Ddgkcd32.dll	Dgmglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hkabadei.dll	Emhlfmgj.exe
File created	C:\Windows\SysWOW64\Ogjbla32.dll	Ebedndfa.exe
File created	C:\Windows\SysWOW64\Ambcae32.dll	Elmigj32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	Ebbgid32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Dgaqgh32.exe	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Djefobmk.exe	Dmafennb.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Elmigj32.exe	Ebedndfa.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Fjgoce32.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Dmafennb.exe	Djbiicon.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	2288	WerFault.exe	59

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgaqgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll"	Djefobmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebedndfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll"	Dgaqgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll"	Ebedndfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll"	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djbiicon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2016	2088	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe	28
PID 2088 wrote to memory of 2016	2088	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe	28
PID 2088 wrote to memory of 2016	2088	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe	28
PID 2088 wrote to memory of 2016	2088	00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe	28
PID 2016 wrote to memory of 2536	2016	Dgmglh32.exe	29
PID 2016 wrote to memory of 2536	2016	Dgmglh32.exe	29
PID 2016 wrote to memory of 2536	2016	Dgmglh32.exe	29
PID 2016 wrote to memory of 2536	2016	Dgmglh32.exe	29
PID 2536 wrote to memory of 2672	2536	Dhmcfkme.exe	30
PID 2536 wrote to memory of 2672	2536	Dhmcfkme.exe	30
PID 2536 wrote to memory of 2672	2536	Dhmcfkme.exe	30
PID 2536 wrote to memory of 2672	2536	Dhmcfkme.exe	30
PID 2672 wrote to memory of 2708	2672	Dgaqgh32.exe	31
PID 2672 wrote to memory of 2708	2672	Dgaqgh32.exe	31
PID 2672 wrote to memory of 2708	2672	Dgaqgh32.exe	31
PID 2672 wrote to memory of 2708	2672	Dgaqgh32.exe	31
PID 2708 wrote to memory of 2836	2708	Djbiicon.exe	32
PID 2708 wrote to memory of 2836	2708	Djbiicon.exe	32
PID 2708 wrote to memory of 2836	2708	Djbiicon.exe	32
PID 2708 wrote to memory of 2836	2708	Djbiicon.exe	32
PID 2836 wrote to memory of 2440	2836	Dmafennb.exe	33
PID 2836 wrote to memory of 2440	2836	Dmafennb.exe	33
PID 2836 wrote to memory of 2440	2836	Dmafennb.exe	33
PID 2836 wrote to memory of 2440	2836	Dmafennb.exe	33
PID 2440 wrote to memory of 2996	2440	Djefobmk.exe	34
PID 2440 wrote to memory of 2996	2440	Djefobmk.exe	34
PID 2440 wrote to memory of 2996	2440	Djefobmk.exe	34
PID 2440 wrote to memory of 2996	2440	Djefobmk.exe	34
PID 2996 wrote to memory of 2828	2996	Ebbgid32.exe	35
PID 2996 wrote to memory of 2828	2996	Ebbgid32.exe	35
PID 2996 wrote to memory of 2828	2996	Ebbgid32.exe	35
PID 2996 wrote to memory of 2828	2996	Ebbgid32.exe	35
PID 2828 wrote to memory of 2952	2828	Emhlfmgj.exe	36
PID 2828 wrote to memory of 2952	2828	Emhlfmgj.exe	36
PID 2828 wrote to memory of 2952	2828	Emhlfmgj.exe	36
PID 2828 wrote to memory of 2952	2828	Emhlfmgj.exe	36
PID 2952 wrote to memory of 1328	2952	Ebedndfa.exe	37
PID 2952 wrote to memory of 1328	2952	Ebedndfa.exe	37
PID 2952 wrote to memory of 1328	2952	Ebedndfa.exe	37
PID 2952 wrote to memory of 1328	2952	Ebedndfa.exe	37
PID 1328 wrote to memory of 2412	1328	Elmigj32.exe	38
PID 1328 wrote to memory of 2412	1328	Elmigj32.exe	38
PID 1328 wrote to memory of 2412	1328	Elmigj32.exe	38
PID 1328 wrote to memory of 2412	1328	Elmigj32.exe	38
PID 2412 wrote to memory of 2760	2412	Ejbfhfaj.exe	39
PID 2412 wrote to memory of 2760	2412	Ejbfhfaj.exe	39
PID 2412 wrote to memory of 2760	2412	Ejbfhfaj.exe	39
PID 2412 wrote to memory of 2760	2412	Ejbfhfaj.exe	39
PID 2760 wrote to memory of 1516	2760	Fehjeo32.exe	40
PID 2760 wrote to memory of 1516	2760	Fehjeo32.exe	40
PID 2760 wrote to memory of 1516	2760	Fehjeo32.exe	40
PID 2760 wrote to memory of 1516	2760	Fehjeo32.exe	40
PID 1516 wrote to memory of 488	1516	Fejgko32.exe	41
PID 1516 wrote to memory of 488	1516	Fejgko32.exe	41
PID 1516 wrote to memory of 488	1516	Fejgko32.exe	41
PID 1516 wrote to memory of 488	1516	Fejgko32.exe	41
PID 488 wrote to memory of 3040	488	Fjgoce32.exe	42
PID 488 wrote to memory of 3040	488	Fjgoce32.exe	42
PID 488 wrote to memory of 3040	488	Fjgoce32.exe	42
PID 488 wrote to memory of 3040	488	Fjgoce32.exe	42
PID 3040 wrote to memory of 2420	3040	Fjilieka.exe	43
PID 3040 wrote to memory of 2420	3040	Fjilieka.exe	43
PID 3040 wrote to memory of 2420	3040	Fjilieka.exe	43
PID 3040 wrote to memory of 2420	3040	Fjilieka.exe	43

C:\Users\Admin\AppData\Local\Temp\00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe
"C:\Users\Admin\AppData\Local\Temp\00ace93b0e5d12529c14b796ebae2c3511848fb02c1d90bdfddbcdba86ae7be4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Dgmglh32.exe
  C:\Windows\system32\Dgmglh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\Dhmcfkme.exe
    C:\Windows\system32\Dhmcfkme.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\Dgaqgh32.exe
      C:\Windows\system32\Dgaqgh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\Djbiicon.exe
        
        C:\Windows\system32\Djbiicon.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Dmafennb.exe
        
        C:\Windows\system32\Dmafennb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Djefobmk.exe
        
        C:\Windows\system32\Djefobmk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Ebbgid32.exe
        
        C:\Windows\system32\Ebbgid32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Emhlfmgj.exe
        
        C:\Windows\system32\Emhlfmgj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Ebedndfa.exe
        
        C:\Windows\system32\Ebedndfa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Elmigj32.exe
        
        C:\Windows\system32\Elmigj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Ejbfhfaj.exe
        
        C:\Windows\system32\Ejbfhfaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Fejgko32.exe
        
        C:\Windows\system32\Fejgko32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Fjilieka.exe
        
        C:\Windows\system32\Fjilieka.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        33⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 140
        34⤵
        Program crash
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhmcfkme.exe

Filesize
207KB

MD5
2b34519456b5be9b6581a93557454ecc

SHA1
e544a94d4ba6c1bafccfe95f6f4976f563d292d0

SHA256
9d80402d59c84ccff428f1835d2e5a1c6bf3a81b3bb4d2a32ba9a0343bd65aee

SHA512
e30c7bc735698aba22558cf5ddfe38ebc17ac7c7885ae1b557b2826e40944e37cb2c7f3659ac4d22b80c72b3170f38b09f054c335345c0143e1724d7d62086c4

Download Submit
C:\Windows\SysWOW64\Elmigj32.exe

Filesize
207KB

MD5
430d9bf94e7043fe37308a8cd47721c2

SHA1
345200357ec601cd47fb66a077f311b88fd298c0

SHA256
ec80ac7114a7984a8643838b407ab98cfdc5097323df6c11667752a05b6bd530

SHA512
d609c7a906d405b2f6e2aab6ef0197035d571664ce5567cd11f935adb48c582de23db5aba087086456c282c91784a2eb979706e7e56dd9daef58980f4a2e4d94

Download Submit
C:\Windows\SysWOW64\Emhlfmgj.exe

Filesize
207KB

MD5
58ca9a125170c9279afd4dc79b2c9650

SHA1
8117e287aa9fc78ecb03b10404e141d560f46c08

SHA256
8c9ded5596bb8f73c37d28e3aced5fdb616037b57fb868c5dfe9a236c2f6f652

SHA512
b9c29c8091c28080cb63622322ecfa82a578486e807d0dc5e7cad19ae6af7f370dedd47f95cf18e09737067d680dea09f61f1178d3df4420b02b8ce89a9b8e48

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
207KB

MD5
0495d011851a2e5a57f9f6dddf827b98

SHA1
36c96797d14be66e232c9eeec9b9707b1547d12a

SHA256
69606bf2c95a00595adc3378548218534f1739c3a6944ea865cc947309880c29

SHA512
fe8a613f2fa8fee8410fd18640646af5b6370633d96a36edb7ba1fe5e4ed87dd012113a9b774c20b073f715e156ef1dfb4d256ecdd3cc4051f802fd0ac9d2c42

Download Submit
C:\Windows\SysWOW64\Fjilieka.exe

Filesize
207KB

MD5
47f9d12247d9140876f0040463d1c2f3

SHA1
9f96d40f568fcb70eece57af8208f652f2845780

SHA256
fa29863e260704395b77f0d6dbf18c387846a3eb188460d83ec36c5e7c48de2e

SHA512
8e4af320a737e9770a5bf787f3a59070d8a319cab70cae280740ab382a688682dc70a40a44e6ce06635b046d3041b42e592a33beae8f2558cc853db282286685

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
207KB

MD5
295a83253c02dfbe3106041a800c54c7

SHA1
0c1820971ffadb2601a9592e25210ff8073ef63d

SHA256
e793084e22ea7ce3211f7a950be541ddbfea047bed272070f40e7227eb90b383

SHA512
7fe9bcf9b0271b34c52d6f2483c9bba5fdc50f0d63505763b17331112e2ab0187ebec4f36de021bc9f60c90b6d16a724e09d308495a6f610e2a6ebbba1a20491

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
207KB

MD5
388c3e09b76e1cce34ebc80e169dc4fb

SHA1
25ea33103f0c6f4858e61e796f4a24e4ce6cc394

SHA256
5e98eb5f54f0a284e5a78e6bd76a4290e671ffadd76d58d231a8127e8605d3a4

SHA512
3f5e2e9d5ab98623ce613252bcd78c8ade86bf0223a483751a5bbef8335b15a14ffb0917643a0e9766ed287edf474dbc5180894c056ab3e8198a950eea7bd1cf

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
207KB

MD5
aad20f79d6f1739f452340ec47e48ab9

SHA1
49bf4d9bce1fd41b465780e176141a100eea3fc0

SHA256
3ccafde1dcab3a3d098bb1871d06f7a93c5bfdee660ae57026bd0063eccc360f

SHA512
b3b00df2c5cfc6ce79401402c3c5ba016fddd951d40cde3f503328c69f098a50f27111a48820c53e70efe604a4267d2b02dbe017e29ae996a3edf240d6f40459

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
207KB

MD5
3a89baef21acc49dd85b656505ead268

SHA1
2fc503f05fc12f308cf67fd531d1915eec3a7272

SHA256
b5fd8a526e4535adbdc2deb75a410642147334369f06c85ce28b0ac27de59443

SHA512
3a752c19edb7bde66e06e3437955d04c3d4526174323ad4c8189896969355f43a897cfb66ddcf46168352d9267df3b5332cb0ceb9fae13920be23bcbe407ac62

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
207KB

MD5
489973e8219d07f2219041b685a1ce49

SHA1
3f1f8e02dad6b42e3725067af426e700a59fa825

SHA256
912304ae6c2a25dfd3f190313c3baa70ec459363aff17c6a56293885e7d1e637

SHA512
3bcc4c7fbb8b14190c5b90f6e7b3a3856cb950578b88d3f8b0c4d562c0dfb6e86290a7a5e21b3c3f468058c3f4117e502978d26559d1a68be32158bed0482d63

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
207KB

MD5
69f1269cf11cf36866c0e1a169c15f96

SHA1
c534508245c5b3af501ee8f203cf21bb2b119733

SHA256
27b689f451d4c5c4752dff6a3db013349d5fb6ba0fac24b4c7f05b650491a54d

SHA512
c6e173580580782fbba77cc01812fbc3af6c22d5429dc0d82962b875b230b1ecd2af06d968ef17de9ecfd829fc15ff922fc691d200b23d591fe995f9a8b64ed0

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
207KB

MD5
342e0d77ca64a72c01b040c81aac5f6a

SHA1
7a2d6d4caf18432ce9ed1b3c0fb665c44699c565

SHA256
026cb40ef9ed15763ddb5bc94b7e3e794167f2ca9311bdf65fddc46df5441f28

SHA512
42c5ba96e2d8539a617f3c04742b1000c23003776a4b722ff4a99575be086a4af8f6840330a495a24154af19612fe11f9257f2e63b9e726a9bd60e2b0553bf14

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
207KB

MD5
4624f50328a6d8589939b8e5cca2e5ed

SHA1
408fb9226d959d9ec61bbc1609d1e7851d60191d

SHA256
a3578bd7a43cc15d5b74476e5bed2a243f6042708f9492ec19f672e152eee06b

SHA512
899217304be794493c749a2feb6de8accf50552c1495e41e879a2f10092a82e60b75087e58c30b0620cde86599d9108f2ee661b4abbdb05a874049fee05dc63d

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
207KB

MD5
45af336a040908ac61c5660859a2b59d

SHA1
5d895bbe4a9669bc3bd57df20cdea51ff00c9a6c

SHA256
72ca237a7e3577dfd9d11217c1f667fef66b47dd1bb8424d752a4257bdf8a540

SHA512
0618f783530b11cacef0772235a90ea076594c7aa0880820764e25f83b1594daff121c88d70c3c4d79e3870dc30396b50f1025e864220421a0e44010ae962ef8

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
207KB

MD5
7b5ce5f36d6ec77e4f9949c6eae4b561

SHA1
8344c21b84bad54f961ea726c036cd1d03fb6a1b

SHA256
113ea102910dabcbe5f1d2f8526a5a805eb5fc3abb8b665bfbe51a43eb11ee88

SHA512
a9757379c6981ff2fa5e324f176c528fb5e9c744b64069756952acd0a985fd2e2918b75cc3c64114d422b7cd872803958bc2ae280ff49d08347f13d753a6afb9

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
207KB

MD5
4aa4453582d846ede5ab17716ece6312

SHA1
ef6c208be797158abe5f66de416b2e027f82311b

SHA256
689539fd73405c86705bd4e2dcad32a4497831ecf28c41c3958eb99f14b34582

SHA512
a368bfca75bc9d867b6c5d685d05f3b71da62ebe150da711f1750f8e8eef57a48fa9964591a9a104724d887d7a52ff04c040e5a26139a57567d1341df0751b1c

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
207KB

MD5
6aee32c4741d92f9828b1e31b9fa6891

SHA1
46ba6b34823b483b1d61d1c21eb10e863442fe75

SHA256
1d7395bdd3ac6a32b5614d5eeecbc4da6b72412e077024788a52879f9e887223

SHA512
7af84c7f69d827dd74344d13d53c8962c18d109732b7302eb2951da1a61192e5bb00878ead04f99a31b7e628a3f525246997e72848a084379af421ef8c7cc9f9

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
207KB

MD5
3c934b419462f36e92afe546b32cc3f4

SHA1
78e2b4cbe2a67ab4f19a781a0b7a21d8adab470c

SHA256
b3da315b17989d3a117e045040f85c798f1030528fa4fa8abfd144cd3231fb0d

SHA512
08e18bcd30189256ce220278053d5f520574df5a1eaaebfecd0ee7b09ec45d23be10385fef016ed0c33c46422732a5df1a06b6414e406ec5d40fdeeb3ad0e0b0

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
207KB

MD5
e2d3170acc17bd7f5ab7706dc58e659a

SHA1
02487a5ce00d16fd12e1e8d4d3cfb22ecbd1562f

SHA256
3d1fa8cd6a1be9d1f2f8f1819e8041276eee169af26ea9febf71dfb015bf51de

SHA512
c5a112412dbaff5993cd7f34cf72231562a6f3f40401ee52767009cd698965b77776296dfd7867669ee698557df2b31715f27d5a1bbc9c42172b28d0121f3e6c

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
207KB

MD5
99679c151a447a56fc6c339cdd106deb

SHA1
627fc4b7f91854177a18c5f8bc51d70062d585e9

SHA256
bd46bf6aba59159d19cc7eb91f1592042dc920821ea19ec5b3120a6cd7218637

SHA512
a11f90a76355b4e977fbc5e96d9ccabad65787e0643824fe8d39efba5d6245995d6793b24849d8815060f727212d6f09b71fd51d7a776daab94bd957ec225c2e

Download Submit
C:\Windows\SysWOW64\Jpbpbqda.dll

Filesize
7KB

MD5
1486f07599bd39832ba9d78e915d7ed3

SHA1
c7ffc6219e449ab757cb532957163b1afdbf2e9d

SHA256
3061f55c881cd323143c7fa8616b26b791bf939daeafc29772d1769b424ada60

SHA512
c112bdd788ba4f430afe485b4f86e8275d9236b3d631fb272e92ce42e0d55adc86c8f5d7a2d2d829c8f962b624c8c2d0f03538634d37c188fa0268786983d21b

Download Submit
\Windows\SysWOW64\Dgaqgh32.exe

Filesize
207KB

MD5
0193e41700ea4124d173cd7b08d8c20b

SHA1
ed17827723a815176b041c4d115124f4cf361f8b

SHA256
259d215d75841669721ac2fb74e3c11d56df572f3b0cacbf47111090788f8d5d

SHA512
2a95749349348a674095782e7b72eba0809d7dc10dce0d95e6a700b84a139417a562b35d2caaab35ac102c45e8e9287e48c6b3ea91d8d11f050c6770f6989fb8

Download Submit
\Windows\SysWOW64\Dgmglh32.exe

Filesize
207KB

MD5
c8ce270626391d34f0271f039faf58d3

SHA1
c45067dc9fdc36d0a051fef22aa04c802baf77a4

SHA256
cc053dc660d8f03ff6641bb96b17c4800140f6d2e9ab96a5a821582f076d160b

SHA512
05785d1a6cab47c6d3454d33b83f040c971acffc93c221ac501b7e99ac739f2f8c2f829007840092b829daadc03b3d9b5af2011d2a2cfe74849f1c890c5931ee

Download Submit
\Windows\SysWOW64\Djbiicon.exe

Filesize
207KB

MD5
7c12bdcf718ea30b930d6554d4abfde0

SHA1
9200bbd3ad805243e10bc4ca24e8b0c6b3b51ff3

SHA256
32022281b8e177750fba9b4b7e328aa1abacfee7f31f8dd06548ea28c82ab0ff

SHA512
8b5636fe7d24831315b9088f5028fd4e5fc53da08ba36fde7cf2b2cd51560a170753e0628bee6968fabed228a533aa2c8ee7e619c7085d613a91177f8f890122

Download Submit
\Windows\SysWOW64\Djefobmk.exe

Filesize
207KB

MD5
406cedad33bcb4ebd8878fa57dabe908

SHA1
fb6f6f188425047d3ac03175ecda08aaf40f87a1

SHA256
f7d1b94f9f83a9514598146657f1e0d5a48ffed0f4cf442e486095f146cc9299

SHA512
a41e40ca88ae7fdbb28fd74264b44388d8a00abe99103ae3201db67cac57e0edcff82fc79a684995f9c730ea3288c9bef3f2bd77d0229ddeab68397df140bf37

Download Submit
\Windows\SysWOW64\Dmafennb.exe

Filesize
207KB

MD5
323a53c53b33f9ff2352b0abf35f5703

SHA1
7ba411bdde47e60a0bb722da9f055d26c7a177b1

SHA256
c155fdaafbb2a14a19c444893c0453dfdaaaeb5500cbb64edb18642be62ad636

SHA512
141dd6c70d960ab21d09d8acd66e66f51ec2c47dd9e48fe12978f35fa9098d9578732ffd2258ca7d07ad8f242a5e80e94fdf410e82f42e3aa1f9ef050cf9673a

Download Submit
\Windows\SysWOW64\Ebbgid32.exe

Filesize
207KB

MD5
e5a1681605a0c8977f79679c7f86df49

SHA1
85f0cf5aef93bfbcf662e49d5c194bd871febfeb

SHA256
fc02bb1d1e707e20dc10343cb7156289da4b207e4e3a4f903f0b55983dbf3cf7

SHA512
8e65e6375985b8c960ae1d665f2922a7494259f40e317b33116ab111007ce46a98fbef7e1b5b37ffc0b6b50dea2861341fa56b25383979ff45efc324baaad088

Download Submit
\Windows\SysWOW64\Ebedndfa.exe

Filesize
207KB

MD5
7f61e75162611a6d69397c8c29e3cf3d

SHA1
88a2db6ebe0a57d2a95079d53a952159e9e294b5

SHA256
c9da51d8346ec38b93eb2eada60ed80aed35a7ab42b4705d4cbfc04d5ac6c235

SHA512
2996253cae85d356c6eb18630d9fba91a4cd12d14dac1b9ee3924546a6ac14d0bbf6d23c17e88b88378bb2459d07b4e38051128863b324fd07572b51aa6f7cfd

Download Submit
\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
207KB

MD5
9401278f4cd2e814f4510f8a2bd46726

SHA1
79882393a6b88a53402d60868734d1ebf20af61c

SHA256
2ba9a98aee7f66a9b8f7410158138dff96e15affb7fc4c10a6434b3444507e24

SHA512
eb0f595fb8dd97dfb4d90bc1bd656c896e780b3268a7c5e8c010b75b23960c138628349755b1c270c9bd298a5951d0982e67577e933e8d232019b0fad4f77325

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
207KB

MD5
4892f0358d2ef526de7f7b3028dec451

SHA1
f6f28ff7acd2925d1e56ccaed2d2edc6d7e4cc22

SHA256
cc493b0690acf62221ec846791243e5bb4b218464642d42f95b67caf638187df

SHA512
2adeef996618fa4f20ea6293707c59cd34749304bc5cd1fb5ea308be4331061cd8a78287cfe713f8bf91bd1dc498b7badae637f1ffeb4e3cdc090fa20bbbb9c0

Download Submit
\Windows\SysWOW64\Fejgko32.exe

Filesize
207KB

MD5
13384a479288bf4bc6737784334538e3

SHA1
4a62bf358da80203bbde2af7674b3e5501e607bb

SHA256
5c02c1a63fd872a0f014229e5e95d717c385147bca07658b6a788e222ee04694

SHA512
16a5d12eec1b65396a5bdfa4985eeda4321ba4f54987a6db033dfecd65e31eb86c6ee8a96772b310f773431ccc657be9d560236741bcf156ce4df7693689c812

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
207KB

MD5
2a84f59a9c3e74989d5a32a98aa8757a

SHA1
74c4dbeabcbfa308f86c6a124863131c5a34b349

SHA256
88cf3db114abf9439e4d83804a937288637d7694dd9753a84bb2f378f76945cd

SHA512
c9463c19fcdbc2e894c757c141c743d674400bf3825b845f005591e649bc24d63c9d1a77fb3e50de26d08b25c4f0c0bed4ed514fe35480d1547d12a61469b7f8

Download Submit
\Windows\SysWOW64\Fpfdalii.exe

Filesize
207KB

MD5
ec038f8d91d718b6e24920d63c2b9aa4

SHA1
76bcb0f7f1395da943afbb3fd3cc593c8d7109c1

SHA256
db06399e1666b455fa2303ab675002148aa17631cc2f670567e6d2138551c759

SHA512
16619ced005628ae56f1ac94ec2616e1dfaa47bfd705cab3e89df8638f5ee9cbae20bb918f966efc3911e3f317e9fd4f41bb4bca91eae6a42f796ebdfe18ca35

Download Submit
memory/472-317-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/472-322-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/472-327-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/488-197-0x00000000004D0000-0x000000000052B000-memory.dmp

Filesize
364KB

Download
memory/488-189-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/488-196-0x00000000004D0000-0x000000000052B000-memory.dmp

Filesize
364KB

Download
memory/564-300-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/564-305-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download
memory/564-306-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download
memory/1272-262-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/1272-257-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/1356-265-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1356-269-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1356-263-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1388-285-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/1388-283-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/1388-274-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1444-316-0x0000000000470000-0x00000000004CB000-memory.dmp

Filesize
364KB

Download
memory/1444-315-0x0000000000470000-0x00000000004CB000-memory.dmp

Filesize
364KB

Download
memory/1516-177-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1580-353-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1580-342-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1580-354-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1676-252-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1676-243-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1680-242-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1680-237-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2016-37-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2016-445-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-290-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/2056-296-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/2056-284-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2088-443-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2088-23-0x00000000002A0000-0x00000000002FB000-memory.dmp

Filesize
364KB

Download
memory/2088-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-377-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2404-347-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download
memory/2404-348-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download
memory/2404-338-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2412-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2420-223-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2420-216-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2420-221-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2536-447-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-359-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-364-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2668-369-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2672-449-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2708-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2708-451-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2712-376-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/2712-375-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/2712-370-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2760-163-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2828-114-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2836-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2836-453-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2836-74-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2876-232-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2940-332-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2996-89-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-222-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/3040-211-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/3040-198-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads