c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Size

430KB
MD5

07dd488f9d80678e2a773d3a7245f8f5
SHA1

98d333f5b33229dbc7f08c6648bfd519d0c7f58f
SHA256

c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830
SHA512

9744d16db2148145314789ad0bfa765589da8004a7472d5cfeb1f0ded1f82dfa8bf8227171b53e6bf39ba32a6664b2b7e91b0c4f11a0411316ccaab8f482e5af
SSDEEP

3072:1UbnJAOyDvT4ZzrATsk5XVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWsf:eGcF6fXRs+HLlD0rN2ZwVht740Psz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efppoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe

UPX dump on OEP (original entry point) 32 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012248-5.dat	UPX
behavioral1/files/0x0008000000016056-27.dat	UPX
behavioral1/files/0x0007000000016277-34.dat	UPX
behavioral1/files/0x0007000000016525-54.dat	UPX
behavioral1/files/0x0006000000016d17-61.dat	UPX
behavioral1/files/0x0006000000016d27-80.dat	UPX
behavioral1/files/0x0006000000016d40-89.dat	UPX
behavioral1/files/0x0006000000016d4b-103.dat	UPX
behavioral1/files/0x0006000000016f82-118.dat	UPX
behavioral1/files/0x0006000000017185-138.dat	UPX
behavioral1/files/0x0036000000015d5d-146.dat	UPX
behavioral1/files/0x0006000000017458-167.dat	UPX
behavioral1/files/0x0006000000017474-174.dat	UPX
behavioral1/files/0x0031000000018649-188.dat	UPX
behavioral1/files/0x0005000000018664-201.dat	UPX
behavioral1/files/0x00050000000186cf-216.dat	UPX
behavioral1/files/0x0005000000018717-230.dat	UPX
behavioral1/files/0x0005000000018765-240.dat	UPX
behavioral1/files/0x0006000000018ffa-252.dat	UPX
behavioral1/files/0x0005000000019233-260.dat	UPX
behavioral1/files/0x0005000000019260-273.dat	UPX
behavioral1/files/0x0005000000019383-280.dat	UPX
behavioral1/files/0x00050000000193a1-293.dat	UPX
behavioral1/files/0x00050000000193eb-301.dat	UPX
behavioral1/files/0x0005000000019410-312.dat	UPX
behavioral1/files/0x000500000001942d-324.dat	UPX
behavioral1/files/0x000500000001955a-336.dat	UPX
behavioral1/files/0x00050000000195e2-345.dat	UPX
behavioral1/files/0x00050000000195e6-358.dat	UPX
behavioral1/files/0x00050000000195ea-367.dat	UPX
behavioral1/files/0x00050000000195ee-378.dat	UPX
behavioral1/files/0x00050000000195f2-388.dat	UPX

Executes dropped EXE 32 IoCs

pid	Process
1744	Emhlfmgj.exe
2576	Enihne32.exe
2300	Efppoc32.exe
2708	Ejbfhfaj.exe
2616	Fmcoja32.exe
2512	Fcmgfkeg.exe
1920	Fdoclk32.exe
2636	Facdeo32.exe
1396	Flmefm32.exe
1008	Fbgmbg32.exe
1336	Gfefiemq.exe
1600	Gicbeald.exe
1704	Gkgkbipp.exe
1996	Gdopkn32.exe
784	Gdamqndn.exe
656	Gkkemh32.exe
2132	Hmlnoc32.exe
408	Hdfflm32.exe
3048	Hnojdcfi.exe
1692	Hlakpp32.exe
352	Hejoiedd.exe
1964	Hnagjbdf.exe
2992	Hpocfncj.exe
1268	Hcnpbi32.exe
1512	Hjhhocjj.exe
2212	Hcplhi32.exe
2776	Hhmepp32.exe
2084	Hkkalk32.exe
2600	Ieqeidnl.exe
2720	Ilknfn32.exe
2472	Ioijbj32.exe
2916	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
1312	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
1312	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
1744	Emhlfmgj.exe
1744	Emhlfmgj.exe
2576	Enihne32.exe
2576	Enihne32.exe
2300	Efppoc32.exe
2300	Efppoc32.exe
2708	Ejbfhfaj.exe
2708	Ejbfhfaj.exe
2616	Fmcoja32.exe
2616	Fmcoja32.exe
2512	Fcmgfkeg.exe
2512	Fcmgfkeg.exe
1920	Fdoclk32.exe
1920	Fdoclk32.exe
2636	Facdeo32.exe
2636	Facdeo32.exe
1396	Flmefm32.exe
1396	Flmefm32.exe
1008	Fbgmbg32.exe
1008	Fbgmbg32.exe
1336	Gfefiemq.exe
1336	Gfefiemq.exe
1600	Gicbeald.exe
1600	Gicbeald.exe
1704	Gkgkbipp.exe
1704	Gkgkbipp.exe
1996	Gdopkn32.exe
1996	Gdopkn32.exe
784	Gdamqndn.exe
784	Gdamqndn.exe
656	Gkkemh32.exe
656	Gkkemh32.exe
2132	Hmlnoc32.exe
2132	Hmlnoc32.exe
408	Hdfflm32.exe
408	Hdfflm32.exe
3048	Hnojdcfi.exe
3048	Hnojdcfi.exe
1692	Hlakpp32.exe
1692	Hlakpp32.exe
352	Hejoiedd.exe
352	Hejoiedd.exe
1964	Hnagjbdf.exe
1964	Hnagjbdf.exe
2992	Hpocfncj.exe
2992	Hpocfncj.exe
1268	Hcnpbi32.exe
1268	Hcnpbi32.exe
1512	Hjhhocjj.exe
1512	Hjhhocjj.exe
2212	Hcplhi32.exe
2212	Hcplhi32.exe
2776	Hhmepp32.exe
2776	Hhmepp32.exe
2084	Hkkalk32.exe
2084	Hkkalk32.exe
2600	Ieqeidnl.exe
2600	Ieqeidnl.exe
2720	Ilknfn32.exe
2720	Ilknfn32.exe
2472	Ioijbj32.exe
2472	Ioijbj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Ejbfhfaj.exe	Efppoc32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Gbolehjh.dll	Enihne32.exe
File created	C:\Windows\SysWOW64\Ejbfhfaj.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Facdeo32.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Emhlfmgj.exe	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Emhlfmgj.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gkgkbipp.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Lghegkoc.dll	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hcnpbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2248	2916	WerFault.exe	59

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll"	Efppoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hhmepp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1744	1312	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe	28
PID 1312 wrote to memory of 1744	1312	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe	28
PID 1312 wrote to memory of 1744	1312	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe	28
PID 1312 wrote to memory of 1744	1312	c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe	28
PID 1744 wrote to memory of 2576	1744	Emhlfmgj.exe	29
PID 1744 wrote to memory of 2576	1744	Emhlfmgj.exe	29
PID 1744 wrote to memory of 2576	1744	Emhlfmgj.exe	29
PID 1744 wrote to memory of 2576	1744	Emhlfmgj.exe	29
PID 2576 wrote to memory of 2300	2576	Enihne32.exe	30
PID 2576 wrote to memory of 2300	2576	Enihne32.exe	30
PID 2576 wrote to memory of 2300	2576	Enihne32.exe	30
PID 2576 wrote to memory of 2300	2576	Enihne32.exe	30
PID 2300 wrote to memory of 2708	2300	Efppoc32.exe	31
PID 2300 wrote to memory of 2708	2300	Efppoc32.exe	31
PID 2300 wrote to memory of 2708	2300	Efppoc32.exe	31
PID 2300 wrote to memory of 2708	2300	Efppoc32.exe	31
PID 2708 wrote to memory of 2616	2708	Ejbfhfaj.exe	32
PID 2708 wrote to memory of 2616	2708	Ejbfhfaj.exe	32
PID 2708 wrote to memory of 2616	2708	Ejbfhfaj.exe	32
PID 2708 wrote to memory of 2616	2708	Ejbfhfaj.exe	32
PID 2616 wrote to memory of 2512	2616	Fmcoja32.exe	33
PID 2616 wrote to memory of 2512	2616	Fmcoja32.exe	33
PID 2616 wrote to memory of 2512	2616	Fmcoja32.exe	33
PID 2616 wrote to memory of 2512	2616	Fmcoja32.exe	33
PID 2512 wrote to memory of 1920	2512	Fcmgfkeg.exe	34
PID 2512 wrote to memory of 1920	2512	Fcmgfkeg.exe	34
PID 2512 wrote to memory of 1920	2512	Fcmgfkeg.exe	34
PID 2512 wrote to memory of 1920	2512	Fcmgfkeg.exe	34
PID 1920 wrote to memory of 2636	1920	Fdoclk32.exe	35
PID 1920 wrote to memory of 2636	1920	Fdoclk32.exe	35
PID 1920 wrote to memory of 2636	1920	Fdoclk32.exe	35
PID 1920 wrote to memory of 2636	1920	Fdoclk32.exe	35
PID 2636 wrote to memory of 1396	2636	Facdeo32.exe	36
PID 2636 wrote to memory of 1396	2636	Facdeo32.exe	36
PID 2636 wrote to memory of 1396	2636	Facdeo32.exe	36
PID 2636 wrote to memory of 1396	2636	Facdeo32.exe	36
PID 1396 wrote to memory of 1008	1396	Flmefm32.exe	37
PID 1396 wrote to memory of 1008	1396	Flmefm32.exe	37
PID 1396 wrote to memory of 1008	1396	Flmefm32.exe	37
PID 1396 wrote to memory of 1008	1396	Flmefm32.exe	37
PID 1008 wrote to memory of 1336	1008	Fbgmbg32.exe	38
PID 1008 wrote to memory of 1336	1008	Fbgmbg32.exe	38
PID 1008 wrote to memory of 1336	1008	Fbgmbg32.exe	38
PID 1008 wrote to memory of 1336	1008	Fbgmbg32.exe	38
PID 1336 wrote to memory of 1600	1336	Gfefiemq.exe	39
PID 1336 wrote to memory of 1600	1336	Gfefiemq.exe	39
PID 1336 wrote to memory of 1600	1336	Gfefiemq.exe	39
PID 1336 wrote to memory of 1600	1336	Gfefiemq.exe	39
PID 1600 wrote to memory of 1704	1600	Gicbeald.exe	40
PID 1600 wrote to memory of 1704	1600	Gicbeald.exe	40
PID 1600 wrote to memory of 1704	1600	Gicbeald.exe	40
PID 1600 wrote to memory of 1704	1600	Gicbeald.exe	40
PID 1704 wrote to memory of 1996	1704	Gkgkbipp.exe	41
PID 1704 wrote to memory of 1996	1704	Gkgkbipp.exe	41
PID 1704 wrote to memory of 1996	1704	Gkgkbipp.exe	41
PID 1704 wrote to memory of 1996	1704	Gkgkbipp.exe	41
PID 1996 wrote to memory of 784	1996	Gdopkn32.exe	42
PID 1996 wrote to memory of 784	1996	Gdopkn32.exe	42
PID 1996 wrote to memory of 784	1996	Gdopkn32.exe	42
PID 1996 wrote to memory of 784	1996	Gdopkn32.exe	42
PID 784 wrote to memory of 656	784	Gdamqndn.exe	43
PID 784 wrote to memory of 656	784	Gdamqndn.exe	43
PID 784 wrote to memory of 656	784	Gdamqndn.exe	43
PID 784 wrote to memory of 656	784	Gdamqndn.exe	43

C:\Users\Admin\AppData\Local\Temp\c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
"C:\Users\Admin\AppData\Local\Temp\c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\Emhlfmgj.exe
  C:\Windows\system32\Emhlfmgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\Enihne32.exe
    C:\Windows\system32\Enihne32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\Efppoc32.exe
      C:\Windows\system32\Efppoc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\Ejbfhfaj.exe
        
        C:\Windows\system32\Ejbfhfaj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Fcmgfkeg.exe
        
        C:\Windows\system32\Fcmgfkeg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Fdoclk32.exe
        
        C:\Windows\system32\Fdoclk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        33⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 140
        34⤵
        Program crash
        
        PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
430KB

MD5
b1afe36beb75bca6cb6632ab5e888e19

SHA1
b54bbc3fbd2c9008f47506952e43755d8b5ac274

SHA256
1ed4f1ba3c851cab144ea49e8ebf2547db3a76428d8a13c60478448e0158bf24

SHA512
a5d45c5a8b7a22b86cf3666f7cc9bf1a749d5cf86e879bea4ffd2f27cbd5eebd81a900910d6d1e6043158ba2da5d1a7f0fabf24f36a7e5553a31123773ff327a

Download Submit
C:\Windows\SysWOW64\Enihne32.exe

Filesize
430KB

MD5
721b2b09baf1f4ab6fe4165f909d2e12

SHA1
375f4f6c7b0c3cd41d344b95b15773da59c8939f

SHA256
58fb6321f53f57dd2113ee20a40628d90693f95864add5d0d96bafb1df8e2066

SHA512
31bd44abf92829b2130a38fcecebee49babd2c80d7e31baa7e5f49be168d45f905c4920e58157f67a9dcbbb3d519f545b7515664192abad20a04c13abc6c1bd7

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
430KB

MD5
3e36fce40b3e0a74ba64cb45544d96d9

SHA1
05012d8a2a3637e44864dcacbc8ac7c471b96fe5

SHA256
5d0066cacc36d6e1019c6faeedba0267dbfa811d68cfb1e45a58ac0056a09a38

SHA512
37b16a530dc47d12cc653fd213f0379198fb0256da66db347d1ad7f179237dcc20a2884fade9ec0534c4c548f338bcf726ee8298c43ebe0f2f6444cce0f70c75

Download Submit
C:\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
430KB

MD5
48f59ef95ac8947288b1dd541146150f

SHA1
0ca4db904ae06f6130d2118084d5f3477628722c

SHA256
9d7be1c38fa3bc2247deffcc6b0bf423f154951cfc7282297c023b6b213d81b8

SHA512
eceb100a7df713f17176f8c74b990e00ac7661cae8904c29cec01b9e8ef4f73b6699272d2c6c900dd25bc6be7c57074d7fdfd5fee74d10eefac8eb03c561377a

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
430KB

MD5
96ea924da442404ccd13ae49ba150f38

SHA1
ff50b91b9c31fbada91e6b15287bc2175c1e45ef

SHA256
fb43fbd6739d66f948dfc6e9c9ef93cbe5a4760ca3b455846c2c0a301ee80567

SHA512
1bf328f136ba23aeee8004a677715d91c9695d1b275044e9ea0e8388f522d9401ea4aebbb45db5457a4d9502efdac2b4a74efd96daa605b250cac871e0fc8a0f

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
430KB

MD5
3176bde64a6696f4e9c70535dc5fa218

SHA1
cfef1b5bc404d9d2a013e8a23fc983a909f85708

SHA256
5b798e548c9a46da97d107f3abdfebb4117b5714560ab31d17bb02f8f08881b9

SHA512
ca593229fcd38d0396fda07f83cab7a5c8aeecc9da486f79d82557f399f5586b847be1b456960a55e87ae44e233749121adc0a93c9ecac9b826cb7c8f2cc5485

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
430KB

MD5
31045f7fe12981574eb1f2f8861e16b8

SHA1
5488297791d7378e30ce5d33da6626d32385eb65

SHA256
e2ff0bf292b42f2fbe45baaa8d0db5c3dbfd8c8da34dede46de7ec1dc78a45f6

SHA512
1bcfefd0eee495254ebaf199dccbf06b4130fb2395ac48e930e51bbca49255f79ce7b26478b09f832efe625650b4009cfa6c8a7afdf25e987dbdd5c3e97c2489

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
430KB

MD5
31d41c32796e615746bd2cfa078c2fe3

SHA1
398ed16981e13c11d31e637d69e8386f5bafac88

SHA256
c0ef14485a4edc6981404a373363652c82a6b497cdad331bab28e322f37c7029

SHA512
9e4a6b61e26ffb2ac925903d419680541e849555799b47767434295a1e319cf3f42c150d94ded19c48fbdf7c53f19c79121453d52f70b51a39c07428b50bf169

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
430KB

MD5
7e6709c028e6fb206a9976d6b879be42

SHA1
c463940ee0e0aa40edfdc97d42a4ef0f0ded966d

SHA256
a054b8efda9f94a9c08f4485f05774397f2033ad57d6e919ed61f8a1fa85d5eb

SHA512
a6dfcfdf94a31fa16c05c6bbc7d70acd3291f98204ef86b4c710a072a0758c2014d2abfd66642edadd229e4827d22cbee2ee15788f9d0ced4cb6455021f6126d

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
430KB

MD5
f61e1dc89ac92c1cee3de94b31f8025f

SHA1
502c0b5f90588747e6700cf4eb246543ff97d9e0

SHA256
754f66b019ee4afe186b760148fbd623e904a9ed88eefc36baddb88cbd50969f

SHA512
31defafd423a97f5414ac26a49d5575263bddabbbe3219262b2cde161882b554f1c323a487fb3c91f5985b740efd0c5e9e713ac6e06cbeeefb4ec4f1b4a2271c

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
430KB

MD5
805be0279d29fd3056f5816237d6040e

SHA1
1ccc87e7cfc297dc0450786ca0ef94eab32ef5c5

SHA256
0a6291cca2c6db26bcbcfaf90d08bc987e153e333f17e892ca5287d8f1245bd3

SHA512
4ec1aa62b3f3abe1aa6d85d6696522022941f6fbe1e70722d708dda8a6b2b6273e842ee4d633646a41b590ac8084d6e2921087b670a566db9ae96d3d6ad6d681

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
430KB

MD5
b2a89e9463647dc09873529108bca8c2

SHA1
9c0937422184452c1ec08b4a8836d0c73774035e

SHA256
c91e1164780f2d0276dc78bf4e7981fffe1b9d5e4e3c1f84e8020720dd3bb6cd

SHA512
02e0fb1fc0843efb8b475aa0e22c1be8f16588bdb3f276d6b4072883494947f40d13754258d867b8835d22944e3c8ddefee2833996ecab058f5affc7d63dad9c

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
430KB

MD5
b2f88a046a9511fd439c366353a0a8e0

SHA1
dcc03635c52d986e8556b6c9e7b86bea71eceb0c

SHA256
d749fc70cbcf9f485823ef7503ddc1c3bc56a23a8fdbfbdf5eb901fce13a5131

SHA512
d5de44ed45dc33d1e525e220ba048e67b900a447f18dd3895d4b7d01c07376043c55ef730b0f6b68be2cc546a387cb0d667fddff1a582ccf050a48d7acc075d4

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
430KB

MD5
eb9b601fc4472e6cf07e8e94177204fc

SHA1
6cf4eefaba590401f98ff3d0eb94d0fa07acb454

SHA256
f965ae0d77d7d23afdd81db28f2d3c49d8807b3a7d594aed3e5ec5f128f9781c

SHA512
f3b356db61a07a4cbb61310b51e1bd99be0f5d1c497599bfffc8c24ff4033c928151ea4cf95fb1b5b12e1bcf434c4a1e54ea12450e62e2e246bdfd42b515d372

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
430KB

MD5
efc408b9343293e2a8acc112f22936d6

SHA1
0bdf005245c885bfff86ab91cae5253d82f0f6bc

SHA256
1a93d1c49dfc56236dd31e9646fc5df019c8f4308df30fb5f53e4c7c89946432

SHA512
84e1e8785513333f848dc1b037eee08c8e1e7d1bb824593d44c39eba4fef3571033c187d708e6a60cf0af42c246ff4e7114124b186b74ec5e37522888d86b7c7

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
430KB

MD5
cce075126cd08aeb57424c135a5d4ad8

SHA1
e3c7eb34bb8628e1a574bd38feb63eacaa230c38

SHA256
ac26d1480dc8772716f497c51da07dc6a10e42e795bf664b0ffb194969b06c04

SHA512
15bf698934b798da4f5dc342b5306461bd97fb8fbd98c27c68a108c801edfa3b32b6ec8c7f683a37a12dc3b97a6e3ccf592de78f94bfdc0783680d69e54e5a23

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
430KB

MD5
afa4a09cfe3d69164d4852c42a107dc2

SHA1
477b36e74026eb49d529fa2197877b8bd7912321

SHA256
6c38ce2b01e500e20af397a8f089fe1a81dd8f28a6de85bdf94d8f6fee03a564

SHA512
079063b0f81ff38d59233cff5d4ddbb3e4ac2f1d180eec5db737b31a21898f00d8021b27804ae2f8dbd36077b4f49f61d4c7a45d81f3c23093c243e345730e57

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
430KB

MD5
b0fd92725158fa54dc438ac5524f843f

SHA1
fcab6d4722570f964fdf299a5b59032dce5fbfac

SHA256
1e0268ce8813a7cbe9576ad48956df176d49ac639c9bdb4aedef4f7720bff958

SHA512
15d51ce2a74a22a89cb7e8f531b0c370e6d543261fac7dc552e4ade797778a7f4366ef9f10e11d22fc31c66b9068f0b7b19bf762ebf2f506b8947a75297ef044

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
430KB

MD5
8b009ca7833d495f81684fca0976aa7b

SHA1
62a8904642d3210661701a4dc0e7941a3d6e1c5b

SHA256
e255aa2ae81cd8100d2ce66a6acc516e98da2715d0aa35ee815c483de9cdc96e

SHA512
772b8bb552ec625b028b0a116bfbffe7332fa33864f4981492a99c9ed11f07ef7cf52d0271728e7a8cd49cb093d31253bde5e1e7b9f5c172b553bfa5e76c228a

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
430KB

MD5
ba95b6407258ac6f369b71316d1a8adf

SHA1
e6a8018ff745c253bf2d08630ed42d7625766b91

SHA256
491d601bc0168cdfea54f279684c30e69a931e6db230ae7df7e0bdc1c477310b

SHA512
871b57ffbc502ff02454b0ecbb5cff5e392f2ea5029603a160c21c9d39132b7ff6f44a9ae5078714ae11097d7ffcd34f31ecc5609695f6557b43e37f714e7d6d

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
430KB

MD5
5258cbb5c30f3da4caba84fdce3aad6b

SHA1
94689958b9ff5cdd29593deae2e116e78cde860d

SHA256
2f05f745ea445d9852af4dd543ab0327ba34f5376b754a04bd58ada171357516

SHA512
980807891170a54428b03cf076eac455f3cc7630e31a0ae472c0f496e0a9e704144cbba5551911124df5ce1b895a98c951410f40d615e3d2ab3a76da23cd365e

Download Submit
\Windows\SysWOW64\Efppoc32.exe

Filesize
430KB

MD5
470e91a5cbfe674c562621e4bdb043e1

SHA1
7442c3ab3d8301e316648246f993d3117c0a35c5

SHA256
d853a1cc9245410a27b933a2e16eb93e7a283096109161861a42a5df66fe02e1

SHA512
eff3f30d4ff153a7dcfedb439af335f96cc39c0c0cb4fbbc34733be50b839ed6f47b7d5f3c9d08322e1674efc6e0e990b9748b30aeae7d5656f18e955f32adfb

Download Submit
\Windows\SysWOW64\Emhlfmgj.exe

Filesize
430KB

MD5
83e45a6ca59c3fd3dac056f692cc8adb

SHA1
15df56850380f25d7f5f946a98bdfe6d60b5de8b

SHA256
c73e62f708ec33c9919dc79f512dea4d541d9e02bc49229888c710922eedffb7

SHA512
07f46d29258e01f0feefc3d70790b6f30fd6112a3eb620627026008c7d0c6fff3664ba25626686e7db1b7e5772cbdebbeb716c097b9c09aa37243bc28b646b75

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
430KB

MD5
ed9f210a8482f5801ff8e8f2cd9edeb5

SHA1
691f2b94e2d2cd95c6d68249fcf4890dc4437ee6

SHA256
55a4eb3835f63ab41dd877ecb7ee5a7092b8a62c2ba08d1f68caa24dca8ca068

SHA512
1668450a5905fe892a4597a7bf08482912d8ba1118ee4a7f4a5d369d21e13949cf94d4ce3cca905dea7c12df9df27e41ed9368f636ea80c83c81a8f343ae5742

Download Submit
\Windows\SysWOW64\Fdoclk32.exe

Filesize
430KB

MD5
a8e24bbac7b4d7e9c336877529948dc9

SHA1
b02c7b086cbc131e2f22199cf8a726191272b3d8

SHA256
afbdd8620da7607ad5e740fc590127fea1a18cebbc8d40d78a3e7fe344ce122e

SHA512
d57b124078b51d1d2f31693dc9f0981398ab843f41913c0ce9c8d41da0e0452350bcf8300dfc9911d42c4a3ae6c2cf7862b9d0951d9faec9666ffbc096b46b79

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
430KB

MD5
3417289e0dcf02752a4913ddee9d3fff

SHA1
0d5205b0bbfebe7cea7235d1c1b1dca015ad1811

SHA256
40da557ee866a0561ca15e9defea8c75e4f8d3b5ce01972bad03d0a29e36bd29

SHA512
5b8ea1cb0a9141161c5c0d116c077d8851ad617e5956c2ceef9ae8bfeeb03ce556461f9ed7b0d723298a694a4639cfebcb1b6243d0080eebc60d658ac848022d

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
430KB

MD5
00c581850a2bb3253dbe65b63cfd6d52

SHA1
c4bc7682ce7c66d14a84061f3346a0c4f74a18c9

SHA256
4a405d706ec973d1ed1165fa8d4bb55435b7c6864fefb41b8e15ed5f5a3f288e

SHA512
4e21307804cc5450eb38d4d9cdb55f00c50e4a34252cd5ac06df38e1296c06af9afad616f3ba67e798947f17c0881b8a2ee9f1583eee1d4c77229c9419b3ce8a

Download Submit
\Windows\SysWOW64\Gdamqndn.exe

Filesize
430KB

MD5
ae7b0219cf9b171d2e9825a80d2125c7

SHA1
679232f517b76377f6adc6ba63ff8874bb8c1cc6

SHA256
f9ba50388779956f848d65a867d38ed89ca834884253d164b514e891eaa9cf4e

SHA512
e05dd7e5ba9890bf4ddb83f9af75952dbe056e8d34acb3b39000fdbab4f647d02370758edd43899adcd983faca3bbe38c5d2d8447683ca4e19ff540c12c08ccb

Download Submit
\Windows\SysWOW64\Gdopkn32.exe

Filesize
430KB

MD5
5832607b342dbb5eca814b6ca672f239

SHA1
61ca4995a21bfd4c0d27ed3c0a6339d10324ec5d

SHA256
cbba6e1c196855a1de21510cc86a3f60504b0d06e11728e0d5a02e1ec523966d

SHA512
3befc7348b40fc27a6bd27d36f17b16d02f4a8afe56aaefb2c307f95253153c45eca6674d114719f31401a50b424372d40d381156424489c84ab0b7ed09502d9

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
430KB

MD5
234f3c583ca3a040fcea5958aa139021

SHA1
4e3e465f40678ebcaaa166d7fbf6ee9bd75fbe3e

SHA256
1e4afc98038282978ae3f8bb70af912829d3f99caa6f82721298f5a52c249db2

SHA512
0441f949e95eea3cff09c57ace84afa90dcb386cd2f5cff8d3b3f78a05b51dddab1b20010073fa5409edc75368aff0eb7f4d45440a6e819e27fdf2a034602d5a

Download Submit
\Windows\SysWOW64\Gkgkbipp.exe

Filesize
430KB

MD5
25550e41d120ff49c63c86dfa8c3c784

SHA1
b2df8fec9a79d0e1a5926186c38c465d1cb2cd1f

SHA256
020cbd18556656121862ad9bf35085a377a353db49e4fbc3585fb071b8bf6cc9

SHA512
09e832ac6e7ea8c88eb510bfabfad31d09c56c8b685b2986d4fceb03e976f373f32470ceafc7e5429afd4c4f8a9b18e7df97d847a9be7f96930438ed9639c1c7

Download Submit
\Windows\SysWOW64\Gkkemh32.exe

Filesize
430KB

MD5
0d2bb24463cc77dc82f05550aced7e07

SHA1
54a24c41f8e138b074158dad76a63531f6ef16e9

SHA256
8c2e89a2fe542702fe227df7d22906ddf0fd42f4de8e61b496a558ba49f14415

SHA512
683cf76ab63a876632506ddbb8301be749e8e9b0fc29d3f20cbbb3c97108980bae524ec818a08b83ef36bcc20e3641b8cb13b0a703e3f5ccd69ce9a85f244132

Download Submit
memory/352-283-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/352-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-253-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/408-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-233-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/656-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-148-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1008-158-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1268-315-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1268-316-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1268-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-13-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1312-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-6-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1336-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-139-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1396-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-327-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1512-323-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1600-175-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1600-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-270-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1692-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-190-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1704-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-32-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1744-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-109-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1920-110-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1920-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-298-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1964-290-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1996-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-207-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1996-208-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2084-362-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2084-364-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2084-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-243-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2212-341-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-342-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-391-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2472-392-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2512-95-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2512-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-96-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2512-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-36-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2600-375-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2600-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-372-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2616-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2616-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-120-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2708-68-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2708-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-385-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-348-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-349-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2916-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-304-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/2992-305-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/3048-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-263-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3048-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads