3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 21:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
Size

71KB
MD5

a4e40cfb15f7d066db1d4d3c41a6d6ff
SHA1

7368639ea4c5d3746860a8825b3f6e2641c82be4
SHA256

3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72
SHA512

5eabb22b21024532c0a3e5732e306a389a8d1dc14d14d32e3e710d77047454505e208ca623ddc6e641fdd77cd60ea078d57f42662fe9f8c0f49f66f64b971f35
SSDEEP

1536:XanFyP4S5ezVbueNFHSfIljWNBHa9Papvx9aVGzHhTi8wRQqK1P+ATT:qnFyP4S5eznSbzCPkvxpTY8weZP+A3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gldkfl32.exe

Executes dropped EXE 35 IoCs

pid	Process
2196	Fmcoja32.exe
2616	Fjgoce32.exe
2748	Fpdhklkl.exe
2960	Fjilieka.exe
2784	Facdeo32.exe
2528	Fbdqmghm.exe
3044	Fioija32.exe
2864	Flmefm32.exe
2904	Feeiob32.exe
2700	Fmlapp32.exe
304	Gbijhg32.exe
1960	Gicbeald.exe
2332	Gopkmhjk.exe
1516	Gejcjbah.exe
2056	Gldkfl32.exe
2752	Gaqcoc32.exe
380	Glfhll32.exe
1100	Gmgdddmq.exe
1488	Gdamqndn.exe
2088	Gkkemh32.exe
2388	Gaemjbcg.exe
2496	Gddifnbk.exe
1988	Hiqbndpb.exe
1824	Hpkjko32.exe
1068	Hkpnhgge.exe
1600	Hlakpp32.exe
1392	Hnagjbdf.exe
2340	Hobcak32.exe
2780	Hhjhkq32.exe
2964	Hpapln32.exe
2548	Hhmepp32.exe
2524	Hkkalk32.exe
3048	Idceea32.exe
1168	Ihoafpmp.exe
2896	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
1712	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
1712	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
2196	Fmcoja32.exe
2196	Fmcoja32.exe
2616	Fjgoce32.exe
2616	Fjgoce32.exe
2748	Fpdhklkl.exe
2748	Fpdhklkl.exe
2960	Fjilieka.exe
2960	Fjilieka.exe
2784	Facdeo32.exe
2784	Facdeo32.exe
2528	Fbdqmghm.exe
2528	Fbdqmghm.exe
3044	Fioija32.exe
3044	Fioija32.exe
2864	Flmefm32.exe
2864	Flmefm32.exe
2904	Feeiob32.exe
2904	Feeiob32.exe
2700	Fmlapp32.exe
2700	Fmlapp32.exe
304	Gbijhg32.exe
304	Gbijhg32.exe
1960	Gicbeald.exe
1960	Gicbeald.exe
2332	Gopkmhjk.exe
2332	Gopkmhjk.exe
1516	Gejcjbah.exe
1516	Gejcjbah.exe
2056	Gldkfl32.exe
2056	Gldkfl32.exe
2752	Gaqcoc32.exe
2752	Gaqcoc32.exe
380	Glfhll32.exe
380	Glfhll32.exe
1100	Gmgdddmq.exe
1100	Gmgdddmq.exe
1488	Gdamqndn.exe
1488	Gdamqndn.exe
2088	Gkkemh32.exe
2088	Gkkemh32.exe
2388	Gaemjbcg.exe
2388	Gaemjbcg.exe
2496	Gddifnbk.exe
2496	Gddifnbk.exe
1988	Hiqbndpb.exe
1988	Hiqbndpb.exe
1824	Hpkjko32.exe
1824	Hpkjko32.exe
1068	Hkpnhgge.exe
1068	Hkpnhgge.exe
1600	Hlakpp32.exe
1600	Hlakpp32.exe
1392	Hnagjbdf.exe
1392	Hnagjbdf.exe
2340	Hobcak32.exe
2340	Hobcak32.exe
2780	Hhjhkq32.exe
2780	Hhjhkq32.exe
2964	Hpapln32.exe
2964	Hpapln32.exe
2548	Hhmepp32.exe
2548	Hhmepp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Clphjpmh.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Gbijhg32.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Fpdhklkl.exe	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Fpdhklkl.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Fioija32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Lghegkoc.dll	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Fpdhklkl.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Facdeo32.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Fioija32.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hlakpp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2512	2896	WerFault.exe	62

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Fjilieka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmcoja32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2196	1712	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe	28
PID 1712 wrote to memory of 2196	1712	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe	28
PID 1712 wrote to memory of 2196	1712	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe	28
PID 1712 wrote to memory of 2196	1712	3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe	28
PID 2196 wrote to memory of 2616	2196	Fmcoja32.exe	29
PID 2196 wrote to memory of 2616	2196	Fmcoja32.exe	29
PID 2196 wrote to memory of 2616	2196	Fmcoja32.exe	29
PID 2196 wrote to memory of 2616	2196	Fmcoja32.exe	29
PID 2616 wrote to memory of 2748	2616	Fjgoce32.exe	30
PID 2616 wrote to memory of 2748	2616	Fjgoce32.exe	30
PID 2616 wrote to memory of 2748	2616	Fjgoce32.exe	30
PID 2616 wrote to memory of 2748	2616	Fjgoce32.exe	30
PID 2748 wrote to memory of 2960	2748	Fpdhklkl.exe	31
PID 2748 wrote to memory of 2960	2748	Fpdhklkl.exe	31
PID 2748 wrote to memory of 2960	2748	Fpdhklkl.exe	31
PID 2748 wrote to memory of 2960	2748	Fpdhklkl.exe	31
PID 2960 wrote to memory of 2784	2960	Fjilieka.exe	32
PID 2960 wrote to memory of 2784	2960	Fjilieka.exe	32
PID 2960 wrote to memory of 2784	2960	Fjilieka.exe	32
PID 2960 wrote to memory of 2784	2960	Fjilieka.exe	32
PID 2784 wrote to memory of 2528	2784	Facdeo32.exe	33
PID 2784 wrote to memory of 2528	2784	Facdeo32.exe	33
PID 2784 wrote to memory of 2528	2784	Facdeo32.exe	33
PID 2784 wrote to memory of 2528	2784	Facdeo32.exe	33
PID 2528 wrote to memory of 3044	2528	Fbdqmghm.exe	34
PID 2528 wrote to memory of 3044	2528	Fbdqmghm.exe	34
PID 2528 wrote to memory of 3044	2528	Fbdqmghm.exe	34
PID 2528 wrote to memory of 3044	2528	Fbdqmghm.exe	34
PID 3044 wrote to memory of 2864	3044	Fioija32.exe	35
PID 3044 wrote to memory of 2864	3044	Fioija32.exe	35
PID 3044 wrote to memory of 2864	3044	Fioija32.exe	35
PID 3044 wrote to memory of 2864	3044	Fioija32.exe	35
PID 2864 wrote to memory of 2904	2864	Flmefm32.exe	36
PID 2864 wrote to memory of 2904	2864	Flmefm32.exe	36
PID 2864 wrote to memory of 2904	2864	Flmefm32.exe	36
PID 2864 wrote to memory of 2904	2864	Flmefm32.exe	36
PID 2904 wrote to memory of 2700	2904	Feeiob32.exe	37
PID 2904 wrote to memory of 2700	2904	Feeiob32.exe	37
PID 2904 wrote to memory of 2700	2904	Feeiob32.exe	37
PID 2904 wrote to memory of 2700	2904	Feeiob32.exe	37
PID 2700 wrote to memory of 304	2700	Fmlapp32.exe	38
PID 2700 wrote to memory of 304	2700	Fmlapp32.exe	38
PID 2700 wrote to memory of 304	2700	Fmlapp32.exe	38
PID 2700 wrote to memory of 304	2700	Fmlapp32.exe	38
PID 304 wrote to memory of 1960	304	Gbijhg32.exe	39
PID 304 wrote to memory of 1960	304	Gbijhg32.exe	39
PID 304 wrote to memory of 1960	304	Gbijhg32.exe	39
PID 304 wrote to memory of 1960	304	Gbijhg32.exe	39
PID 1960 wrote to memory of 2332	1960	Gicbeald.exe	40
PID 1960 wrote to memory of 2332	1960	Gicbeald.exe	40
PID 1960 wrote to memory of 2332	1960	Gicbeald.exe	40
PID 1960 wrote to memory of 2332	1960	Gicbeald.exe	40
PID 2332 wrote to memory of 1516	2332	Gopkmhjk.exe	41
PID 2332 wrote to memory of 1516	2332	Gopkmhjk.exe	41
PID 2332 wrote to memory of 1516	2332	Gopkmhjk.exe	41
PID 2332 wrote to memory of 1516	2332	Gopkmhjk.exe	41
PID 1516 wrote to memory of 2056	1516	Gejcjbah.exe	42
PID 1516 wrote to memory of 2056	1516	Gejcjbah.exe	42
PID 1516 wrote to memory of 2056	1516	Gejcjbah.exe	42
PID 1516 wrote to memory of 2056	1516	Gejcjbah.exe	42
PID 2056 wrote to memory of 2752	2056	Gldkfl32.exe	43
PID 2056 wrote to memory of 2752	2056	Gldkfl32.exe	43
PID 2056 wrote to memory of 2752	2056	Gldkfl32.exe	43
PID 2056 wrote to memory of 2752	2056	Gldkfl32.exe	43

C:\Users\Admin\AppData\Local\Temp\3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe
"C:\Users\Admin\AppData\Local\Temp\3cc0f2c08632696b94ebbdc22c1ee670d7619f4f3f814a4cd1b23f095e112f72.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\Fmcoja32.exe
  C:\Windows\system32\Fmcoja32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\Fjgoce32.exe
    C:\Windows\system32\Fjgoce32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Fpdhklkl.exe
      C:\Windows\system32\Fpdhklkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Fjilieka.exe
        
        C:\Windows\system32\Fjilieka.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        36⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 140
        37⤵
        Program crash
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
71KB

MD5
0b19988c9ca523d58336dff8c4c4658d

SHA1
024afec704f0e2108c4dd0907cf5d1a32a10e39d

SHA256
a6121db64b039b7a851fe0c2341bfd0d1bf74f83064f82a9aafe3285c86c463f

SHA512
a9aa4a97d7cc4dbcd9a64793597b0275039988e6771fe2fa180d32cfeac853c0c4ddb92cd29883fda3760f6bbacc21688286c615cc63086f675714f354083a58

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
71KB

MD5
9b48403452e21cf228cbee43b4ce6b24

SHA1
cd1fb485c3707eb7e0d186df60272f3fa679560f

SHA256
3223d0ce618b06aa91237ce664e4964336da5da1d40d66863ed441443ca46877

SHA512
3d946454ce9cff1f23f9bb0f446e61b67f006c555fa80c42790c759ae7d7f47a63555f686909916654ac74ef423f70bbc88b4ded39d0d8eb49ab449ded2afcce

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
71KB

MD5
a9a2fb2594c909a389c21f3b569b2a4e

SHA1
678db5afdbd31dc3f8152671af58a53d3f386beb

SHA256
599cc55d447ae76c1826b5a7f5c3f1574144c0b129366505b2faa9a7a968241f

SHA512
bcdc85fdf952a7905ad367b2fe122b965a49150f7fb41448f99d0a35fba146c803205b4afd73dedccc4482acac22d4dc7d75bc9cc6eabad43f7414fbc56f8370

Download Submit
C:\Windows\SysWOW64\Gddifnbk.exe

Filesize
71KB

MD5
c33c40dff114c33099b6ffe3b3f17989

SHA1
d886d1e464d36937ba72ec8ae2ee59d303f17aee

SHA256
4f95498a1362736b4c2978a660101c29c4acbe9184cbd47bf8579c15467edb91

SHA512
5a69613e52a8dd2928fcfebfdd9c3841736960ef1506351c69d86699f002a0a07806d01fe5e5fa4e9cc6a44d48ecdd6b440a006a2a6b07ee9b4eb5ba3e3fa489

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
71KB

MD5
3488103091a8c2b273a4663ee1d39bc3

SHA1
4f23fa754b73b22c002f667da9d5c58880629988

SHA256
a9c329c7f2fba40c6946e708242fb54c57868ec9a34b3b42239006c31bf97aed

SHA512
3ba1d963a2279d2d154f5287184c19290fde17f59063f4ae4a36e3d51558574571a3bf951d3d8d78242c6c058693046e9855ccf6a9151aa7fad4c8ea32c5d0be

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
71KB

MD5
30e11b5786b87fcd970267bc590df438

SHA1
410e535002c6819f050d6355c888b847dc658954

SHA256
ee6fa78e5e6f88d5973faf94eab97671425ea4c05dc9a10f5ab593713b24a4d2

SHA512
34244f5348c8a073e91b3882063418e5f7f4aa27f6242fe09503bb8811477cbf916553c5f2dda04805aac189fa48296a583650cf7aa7bc6c43512a1e702e49b6

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
71KB

MD5
88eab4b75bf71a48e88f7163c777b84a

SHA1
af8dac7b0e7702cdc23d75edd1f3eed4eafee1a1

SHA256
3c3a4a41bdda10744dc10ab073c45bb8d6106cd14d688ed53eff1e346bfaca1e

SHA512
c1fcfec7501af7eb64c069c8a3986585e58638f136e510323964bcc58470b717ce36620991359f0593723516cb9defdaa5e4cc67e1c344cee612900810f2d1c7

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
71KB

MD5
10adb724471f3e0caa234127deefeadf

SHA1
84da0f8acc1c21d12f1575e8e52e3fdfbfe4af8c

SHA256
c4d875cd510eb5754246c121fd54c1f59d5cbe991bcc9ef19c45a658f3c1a642

SHA512
510a8c4d15c6378aae48c40522dbd993ceaf67877c6886cb303e6ecf21aba07d040dc2295e7047ceb1771909970ea4fc44f0e4eca3f96213e58bf55ba08474f1

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
71KB

MD5
75ff39a7ae8efccb5f1aa0980268ed83

SHA1
59032d5be34a4073b207729e658014ef581bba9e

SHA256
d4174daec6038b4b5bc7fd26279de3be84fe74d3f2fc1d942edbdeffb65006e8

SHA512
2cfd7353862ac0f8c5e83a61f0d3e5f40cd2bd9487ec35e2ec236ad84eed6229a91588fe81658902ce3926468b50ecd09cf2fc137a0280f069c2055659943ef3

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
71KB

MD5
47ccf2b731279417fbfb8c0c18dd7964

SHA1
f9d2f0b42ec42dddbebb1f31a631c2843123bae9

SHA256
5bea6c864cc704d574d9fd06c107f54d88ac2375cfceceee12b1a797751d798a

SHA512
24bc04abc352f53295b296635fa670ef86ce2bc2169d52b14374a2c508c1573706bbf63dc676c193af6d2a2c89fff2c68e9476f92ad91a1c97a8971a88bc06f6

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
71KB

MD5
d7e4beaa69dafa6620d2680c6187a7e6

SHA1
2d3b01e4ede3e7167850bdc96c577076aaf8ee15

SHA256
213bb93198ef7d91132e5b3bedb3663fde89b54b7a3d4808602324dfecdf3034

SHA512
7652c8fa2ffc9611d77ced954131672b1abf86f24f828cf56b3ee2cc64e6144876406b3e130265aa12a6b9218852e4e735089051876d10ebd77dc674874b2fc1

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
71KB

MD5
0cca10c32ff721a3114b0607086faf41

SHA1
98486d73aa8b4c9aa04089bc676e006e47e76835

SHA256
b0e3316aa22ac85e16a5e58d2ec55a63a9d94f7ec77f9061df3638cd6901784f

SHA512
ceb90a1024bc22a63338db5a9456f80e6cbe018d48c82367ff2f3a988bdd6d42de46129e875d3e9c2971cb0418e8fdee2fc9534b0b1b561cf2a6fea5323edabb

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
71KB

MD5
bbdb21b34f59154a84d2aff028646d26

SHA1
84a87587afa9841acd269f7e3910e74d045293d8

SHA256
7f84610a568ce96d7b12c162351a0b8107b8c3aebcaaa5229795761a92d8373f

SHA512
9945f643e75ada577c6d563c8a735cb2cab2fa20d631f18ebce37bc603e11ede5fcdafe201c0769f69b9621dab33290366d0ecae23b21d11b533d4964b30196f

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
71KB

MD5
ef02e2726f8d8bb19544eec53519c49e

SHA1
57eef75a0ff2fab47973869dd815ba2c4a008faa

SHA256
7ff98485f269978f1bcc6b2f096ba0c5603c251a0298deb3478844ca94736444

SHA512
9d25cd984440b107cd2cd1b85e90aab7c33f53bc394d148a3fa4a1502033e0cc995e0fca2f1d9c8c7cab11d8696da8930d6814ba0679fadae5fcb2150da50623

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
71KB

MD5
9682e3894b86d83d6ac0ec545d6641ee

SHA1
1ff3953704d4735de30a6ad409c89e857b44d1ab

SHA256
865b5b6a9616a5a8d1a20062c0e777774aa8941b4a6084a7887178869dcc5912

SHA512
f40670a71d3aaeebdbbc4f0067a56947bc98097fd8833b8f570a71a32a775f6d2d50ba3e81ffb34b8c10ebe73eb41c50025cea5863b3fde0966d5f9e23f514e9

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
71KB

MD5
f7b7db816a9334b0a2dc085d463f3c4d

SHA1
caa0022ab040f46bcb4911769c43cb25e8e3ca22

SHA256
693a49b68b4d7e6f6844491859da739f1147b8127df3de98be3b3567d7752e48

SHA512
0e52ced4291202b577506d5b18ae08d51fe0b583f69f34c2b6c73d9ccba9a6eba81d023fe72d3ceb502f9acebe662de6e0288c99118f536b0e3b9b7e522c42b0

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
71KB

MD5
54770fdea126ebf4f542fd8a5458acf2

SHA1
02d054c88fe5b70a50dae7c619b46c87a006aff7

SHA256
17a000a4ea35d82b531b3aa53fe67d636ce83ffe66a5513490f35e74b840e565

SHA512
5c29beba8b85adcb8fcead6fa589523b4291bad4a0d8f3aa8c49191a4ef64c7b9bea855be48f97057b1dad98910f9b97bd4aa3f5a38d81c621e4818b4fa4d0b4

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
71KB

MD5
9989025cd36c94d7b2404bbb4b8c96b6

SHA1
e6618968a40a1aa7eaff458403df791c518ebb99

SHA256
40be3370a94677211b1fadff0dba211f8afb369b941dfe6bcbba31e914e02876

SHA512
6e3efc62a0fba687a02db957c6cc07bdb08753e0ef886d2498506e80f213a6dda834a665d3e0d692f53cfa582df1cc9a0af962d247aa76343fdd4096f3a4e74f

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
71KB

MD5
1f84fbaddf99854f572083a5786f00e5

SHA1
d0cdfd74c921893154246f98e8a173a9658ca2ab

SHA256
8351124ed7114c330a4fcd3f47e30ee404114fdb7ab76d75845a1df0081650e2

SHA512
1e77d712043dfb420ad08217bc5a4431f615530ff42f34caab300c450c59da11f78767f8e90f51386f4811b8abc13458797a802ff113f871ca45b45cb9d9a054

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
71KB

MD5
93fd3b59320d3487e56703465621c255

SHA1
920bb2d2d3e1db7b0438cc54573de15b24fe2c55

SHA256
47378f4ddd62d712b6113a90ecda28f5376b2dfacab699f23b50254305806a73

SHA512
dd79c85b3b01f0d5e47cdf95fe5bec12bc8c792d5352f2d70fa87302f4c37551415e98b0e4d871396fcc0db9fc6593fa0c92090b7ebf6282f8c8c63e4b402430

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
71KB

MD5
13a6597c246e50295932a18cd6e6f55e

SHA1
23ebad8c2b8d4041c09afee7af94ffdb5624ca94

SHA256
a90082a62ba9aad87bd6b6d340602ed4f7c0716283753c3779f589df7e65b1fd

SHA512
9fd425ead31598448216f8c755429d005b01dc1d182b8dc972c0d6c12216548255fdcb53d1d341c70a9c9781d19fe45316bc1f04b122218eeaf933fa98434c80

Download Submit
C:\Windows\SysWOW64\Jkamkfgh.dll

Filesize
7KB

MD5
f10c5f405a0493896f2317e0e2a6c86f

SHA1
9946a5f20214cacf9c3e7772316571f3f3f05f68

SHA256
7922ebde1cf89dfef5dab4be7375a151bdfa8440924ffc3710e0cead3050216c

SHA512
7221a497996fb2da6049d241422362a58826a145792eddf36f9d996ff5bb9acfb1d4a66775f698dabedc5455b8ba1056d6d3b25fc73fbf481e7f7f7ddab5c83c

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
71KB

MD5
6947e026b6770c8b3e4a57ca2a2af6d7

SHA1
473cb6147822cd055251be4abaa3c74c4bf018a5

SHA256
b2660d1c24f1285180e69fc47ee2b74f65cc775f27d45f398da72bd75635b7d5

SHA512
80a9e2feaf3e4ab80c682a0897803a0e520c6910b1c7a0d1ab5dbe378d517b79c2dd406b4483bae43c208ab7ebccdf9a601cb4510982058e4c5fdbfd46479171

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe

Filesize
71KB

MD5
f280fb2b8dfed56beb287256eeac9c1f

SHA1
ce6d79179fd99398fbdf1ca3259b6f861b5f3a97

SHA256
9c1f360468418da6a8971e76f0fe52b86b985866f9fdf088fea7f3f8e9e98188

SHA512
bec95803a6be75a828dede0e16db955137fce9c21a089fbcf9c0c1bec559ad92c99511dc8de9acf3da17b9991ed5d2f2bdc1179817d51329e1f10e21060247db

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
71KB

MD5
0cad50f6bee94fc89b0607079ca8e844

SHA1
0123bd3fb70872271e19c691ac9ab7cb769d3818

SHA256
4201749f6fcd373e851da4788d55d535e042e2a6d98bdb5d15ad558d37327ce4

SHA512
84acd5594ec0f73df915be5ab518be91c4a01786691e3ae5af970e003875ad396edb7e60ac4da10f670c4995730e8a5052a2f39ae0e67eab73fb7c08747b310f

Download Submit
\Windows\SysWOW64\Fioija32.exe

Filesize
71KB

MD5
5cb39548a96157b877d08467fb9594de

SHA1
1a3e4eb7a46f624591f851e324d8bd24374847e4

SHA256
0dce0335e6352b2d9f826cd372c67ea02add2509e39dda453efe55bf8cfa77b3

SHA512
6538f52d2a371e1a0485d2f16ef6ddf5ec8264b4817e136c89200fed8828c03b5981b9f60b7958eb4f6835d21bbe39b3dcb6175d0498aa15bb7265ef16da9ec8

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
71KB

MD5
313af2b1fbdd8f2be75d9002922884f3

SHA1
efe032e42fd20e32b3382d695e0d2ae80d25b5ad

SHA256
ee9a83864fac082af0501651836309144873237a37a200dcfbe96af965d64ca3

SHA512
4029d568f895651590ddd2b62f15bf4336c7c3356ee5fffeb1a7b7bbf5665275ebadc9abf0570828f9f393d8b46bbd242c5e2016a46308324ce573ab797f0b56

Download Submit
\Windows\SysWOW64\Fjilieka.exe

Filesize
71KB

MD5
b6dc75c39adb22b61e846e13e08120e8

SHA1
0d98397a5b7df2bc85e9a9f691f5fa3c120604ec

SHA256
ad3f78378445e0d37a3e7c77a99ba0ad45e1ebddca446b2889fd44f4732293d3

SHA512
0f4cee886188df60afad3bf072663b74244eee5eca94bb73e85a4be769d37753ec069e4f40f5d21e91fd79b2a383ef13ed2cb86838de4c445b1c575cf7dd499c

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
71KB

MD5
0f9f9e167610ae01426179dd37baaad2

SHA1
30ea56063baec27a171e59eb1efc26c836892693

SHA256
a2ace6ebfa29cb42b1ffa6bbf24ab9f92be27897d4d47526c6c82e83643c2fab

SHA512
0f37b37332d6fc6b225bf1244bceffa73accd7cb738f6ca15ce313819b827aeb9cc160d9dd525b16922f57a6f2827de75936a3e04c756aeecfce49e86729456e

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
71KB

MD5
edd415e4581c523b84dbbf84bb890f5c

SHA1
81091ea9b0a8126ee65ddf1c1d3b6ce497589a3d

SHA256
ee4e7d3e11bcb23f9a0775ddfffedc997bc2e25586143a26e1b7c21df73683f3

SHA512
4a0d9b0dede21c5a05cb82bba001c14437023a8b4b88e218fd29ab4cfa502ddaee78757111c6ceb5184d997fd8dae771da34cae3278d8a8647f2bbdb4ea6992b

Download Submit
\Windows\SysWOW64\Fmlapp32.exe

Filesize
71KB

MD5
f7180a753cef267f184e4edb73c9bc8b

SHA1
f772bbd638873b5249ea3fccb94c00f48d5b6de3

SHA256
51a0011acea786582634038679137741c1d4c711c7e972692b2d71d8993ac3e7

SHA512
7f9d2f91bd91f4277e0dc9dbda74475bc72ecf8a1de165c0eb1727de4b38f043f38df379bcdff916d10260830b0e5c47bd78a735f081ad11d9f7c131cbb86934

Download Submit
\Windows\SysWOW64\Fpdhklkl.exe

Filesize
71KB

MD5
52b9355d06a46c1ac680fe6844f5a85c

SHA1
bc55185ce2a4c37ea861fe095e7c838dcfb42fa0

SHA256
2fc0629f6cc0ec5952ca8e896819b06c9f1403ff5fd432e7376f3c6ca2233991

SHA512
216f17f2f465d673e9720fef343c62aeab3172f822db09654ab8c9e9db73ba308b06c9c05c8325acbaa1e9396c23e1550e24b0e22adb3e7a67c3c4794739ef37

Download Submit
\Windows\SysWOW64\Gbijhg32.exe

Filesize
71KB

MD5
f9900674f882c557a674a7fbe2f40c75

SHA1
f389b7599509708356064a58fb9a242d2d985176

SHA256
974d871a5d5b780f2567f27bd6f6045d368bdebc5ee28c9aed5c2dee77c1d282

SHA512
008cc6b4bfd799d94705fbdcacb7e8576fd96de962dae2d6f2d2ed52f3fb3f79d46ba086194c7c42eaec28d8dea59e3d7c82c28cb0b64fcc73da8e17d3d68c2c

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
71KB

MD5
ea168ff955a1ff9912bcffedbfa7974e

SHA1
fc8468bd7c3be62ec82e9d6a516b42461bbc126a

SHA256
dad32ef0158ee6cc8556580743271df75c2aadbd4a9d77fc4beb73bcda3ac220

SHA512
acee54c06b0b6377ee46754a381929472f7ed9810541c819a84cfd158b080efc33bcfcf514395dc776d4a01d9765cb3f8fab5fcbc828ef76ccdaccddfdd6f0a2

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
71KB

MD5
7d27ea829f320d70d9301b36d7159421

SHA1
c3f579790afa643b989d47000203e6e54bc1d585

SHA256
9425613a31c489636c80cd974bcda98f85bbc97b5e39360c6afa72037d04379c

SHA512
054e4c3819ca8ef0c4374209927b110944f53a419f854d8d891b52d194e7cc7358fd6b187d73b340c2ae4ae9c188ac2f5e3cdee121d313162190f9634a3a6f4b

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
71KB

MD5
665c16466664d438f976c34d6c98e1de

SHA1
ede9857b5c57d13808c21ee7ec89378c378578dd

SHA256
a68189720857d7e03dac1bb9b2bd31a0560cb5ba5412470c5af1a5ee3755dc3d

SHA512
035d1738503f1e0075355eeebfcfb3ecc1c4599f8cd60d1430b109cf027190559389a501e9aa28c3f99c78a0980f9dfa987a8f99b717df2f581c1fc75878b87e

Download Submit
memory/304-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/304-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-304-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1068-309-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1068-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-406-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1168-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-407-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1392-331-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1392-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-330-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1392-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-320-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1600-317-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1600-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1824-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-297-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1824-298-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1824-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-167-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1988-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-286-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1988-287-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1988-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-26-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2196-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-342-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2340-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-341-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2340-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-266-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2388-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-276-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2524-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-389-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2524-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-388-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2528-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-374-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2548-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-36-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2700-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-140-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2748-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-352-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2780-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-353-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2780-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-62-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2960-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-363-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/2964-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-364-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/3044-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-396-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3048-395-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads