27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Size

256KB
MD5

a19ab3d9555aa2b472bb60127ca24d5f
SHA1

50ed8edc88e03b5acdbbe3634f7de1338a188ddf
SHA256

27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736
SHA512

d31eccfb82ede4184dd84e440ce17568120bdda2f12ef8b25e3ed65724ae0ed7498d5760241a9865ec3fe34a60ca035a4859c4b5635a19adc41df56acf296741
SSDEEP

6144:2+8XwCkZE9AebCxeH3HVpaopOpHVILifyeYVDcfR:v8XvkZE9A0HAHyefyeYCR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe

UPX dump on OEP (original entry point) 19 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-5.dat	UPX
behavioral1/files/0x0008000000014464-25.dat	UPX
behavioral1/files/0x00070000000145be-33.dat	UPX
behavioral1/files/0x000900000001471a-46.dat	UPX
behavioral1/files/0x0006000000015686-59.dat	UPX
behavioral1/files/0x0006000000015b6e-72.dat	UPX
behavioral1/files/0x0006000000015cb8-86.dat	UPX
behavioral1/files/0x0006000000015cdf-107.dat	UPX
behavioral1/files/0x0006000000015cf0-114.dat	UPX
behavioral1/files/0x0038000000014335-128.dat	UPX
behavioral1/files/0x0006000000015d24-142.dat	UPX
behavioral1/files/0x0006000000015d53-156.dat	UPX
behavioral1/files/0x0006000000015d7b-170.dat	UPX
behavioral1/files/0x0006000000015d90-184.dat	UPX
behavioral1/files/0x0006000000015dca-198.dat	UPX
behavioral1/files/0x0006000000015f73-221.dat	UPX
behavioral1/files/0x000600000001611e-227.dat	UPX
behavioral1/files/0x00060000000162e4-237.dat	UPX
behavioral1/files/0x0006000000016581-248.dat	UPX

Executes dropped EXE 19 IoCs

pid	Process
2472	Fcmgfkeg.exe
2656	Fdoclk32.exe
2712	Fjlhneio.exe
2940	Fbgmbg32.exe
2380	Gpknlk32.exe
2532	Ghfbqn32.exe
2368	Gieojq32.exe
2836	Gdopkn32.exe
2892	Gmgdddmq.exe
1332	Gogangdc.exe
1688	Hiqbndpb.exe
2760	Hgdbhi32.exe
632	Hnojdcfi.exe
1552	Hpocfncj.exe
2184	Hlfdkoin.exe
580	Hcplhi32.exe
1908	Hjjddchg.exe
1124	Hkkalk32.exe
824	Iagfoe32.exe

Loads dropped DLL 42 IoCs

pid	Process
2116	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
2116	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
2472	Fcmgfkeg.exe
2472	Fcmgfkeg.exe
2656	Fdoclk32.exe
2656	Fdoclk32.exe
2712	Fjlhneio.exe
2712	Fjlhneio.exe
2940	Fbgmbg32.exe
2940	Fbgmbg32.exe
2380	Gpknlk32.exe
2380	Gpknlk32.exe
2532	Ghfbqn32.exe
2532	Ghfbqn32.exe
2368	Gieojq32.exe
2368	Gieojq32.exe
2836	Gdopkn32.exe
2836	Gdopkn32.exe
2892	Gmgdddmq.exe
2892	Gmgdddmq.exe
1332	Gogangdc.exe
1332	Gogangdc.exe
1688	Hiqbndpb.exe
1688	Hiqbndpb.exe
2760	Hgdbhi32.exe
2760	Hgdbhi32.exe
632	Hnojdcfi.exe
632	Hnojdcfi.exe
1552	Hpocfncj.exe
1552	Hpocfncj.exe
2184	Hlfdkoin.exe
2184	Hlfdkoin.exe
580	Hcplhi32.exe
580	Hcplhi32.exe
1908	Hjjddchg.exe
1908	Hjjddchg.exe
1124	Hkkalk32.exe
1124	Hkkalk32.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Fjlhneio.exe	Fdoclk32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Fdoclk32.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1564	824	WerFault.exe	46

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll"	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hjjddchg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2472	2116	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe	28
PID 2116 wrote to memory of 2472	2116	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe	28
PID 2116 wrote to memory of 2472	2116	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe	28
PID 2116 wrote to memory of 2472	2116	27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe	28
PID 2472 wrote to memory of 2656	2472	Fcmgfkeg.exe	29
PID 2472 wrote to memory of 2656	2472	Fcmgfkeg.exe	29
PID 2472 wrote to memory of 2656	2472	Fcmgfkeg.exe	29
PID 2472 wrote to memory of 2656	2472	Fcmgfkeg.exe	29
PID 2656 wrote to memory of 2712	2656	Fdoclk32.exe	30
PID 2656 wrote to memory of 2712	2656	Fdoclk32.exe	30
PID 2656 wrote to memory of 2712	2656	Fdoclk32.exe	30
PID 2656 wrote to memory of 2712	2656	Fdoclk32.exe	30
PID 2712 wrote to memory of 2940	2712	Fjlhneio.exe	31
PID 2712 wrote to memory of 2940	2712	Fjlhneio.exe	31
PID 2712 wrote to memory of 2940	2712	Fjlhneio.exe	31
PID 2712 wrote to memory of 2940	2712	Fjlhneio.exe	31
PID 2940 wrote to memory of 2380	2940	Fbgmbg32.exe	32
PID 2940 wrote to memory of 2380	2940	Fbgmbg32.exe	32
PID 2940 wrote to memory of 2380	2940	Fbgmbg32.exe	32
PID 2940 wrote to memory of 2380	2940	Fbgmbg32.exe	32
PID 2380 wrote to memory of 2532	2380	Gpknlk32.exe	33
PID 2380 wrote to memory of 2532	2380	Gpknlk32.exe	33
PID 2380 wrote to memory of 2532	2380	Gpknlk32.exe	33
PID 2380 wrote to memory of 2532	2380	Gpknlk32.exe	33
PID 2532 wrote to memory of 2368	2532	Ghfbqn32.exe	34
PID 2532 wrote to memory of 2368	2532	Ghfbqn32.exe	34
PID 2532 wrote to memory of 2368	2532	Ghfbqn32.exe	34
PID 2532 wrote to memory of 2368	2532	Ghfbqn32.exe	34
PID 2368 wrote to memory of 2836	2368	Gieojq32.exe	35
PID 2368 wrote to memory of 2836	2368	Gieojq32.exe	35
PID 2368 wrote to memory of 2836	2368	Gieojq32.exe	35
PID 2368 wrote to memory of 2836	2368	Gieojq32.exe	35
PID 2836 wrote to memory of 2892	2836	Gdopkn32.exe	36
PID 2836 wrote to memory of 2892	2836	Gdopkn32.exe	36
PID 2836 wrote to memory of 2892	2836	Gdopkn32.exe	36
PID 2836 wrote to memory of 2892	2836	Gdopkn32.exe	36
PID 2892 wrote to memory of 1332	2892	Gmgdddmq.exe	37
PID 2892 wrote to memory of 1332	2892	Gmgdddmq.exe	37
PID 2892 wrote to memory of 1332	2892	Gmgdddmq.exe	37
PID 2892 wrote to memory of 1332	2892	Gmgdddmq.exe	37
PID 1332 wrote to memory of 1688	1332	Gogangdc.exe	38
PID 1332 wrote to memory of 1688	1332	Gogangdc.exe	38
PID 1332 wrote to memory of 1688	1332	Gogangdc.exe	38
PID 1332 wrote to memory of 1688	1332	Gogangdc.exe	38
PID 1688 wrote to memory of 2760	1688	Hiqbndpb.exe	39
PID 1688 wrote to memory of 2760	1688	Hiqbndpb.exe	39
PID 1688 wrote to memory of 2760	1688	Hiqbndpb.exe	39
PID 1688 wrote to memory of 2760	1688	Hiqbndpb.exe	39
PID 2760 wrote to memory of 632	2760	Hgdbhi32.exe	40
PID 2760 wrote to memory of 632	2760	Hgdbhi32.exe	40
PID 2760 wrote to memory of 632	2760	Hgdbhi32.exe	40
PID 2760 wrote to memory of 632	2760	Hgdbhi32.exe	40
PID 632 wrote to memory of 1552	632	Hnojdcfi.exe	41
PID 632 wrote to memory of 1552	632	Hnojdcfi.exe	41
PID 632 wrote to memory of 1552	632	Hnojdcfi.exe	41
PID 632 wrote to memory of 1552	632	Hnojdcfi.exe	41
PID 1552 wrote to memory of 2184	1552	Hpocfncj.exe	42
PID 1552 wrote to memory of 2184	1552	Hpocfncj.exe	42
PID 1552 wrote to memory of 2184	1552	Hpocfncj.exe	42
PID 1552 wrote to memory of 2184	1552	Hpocfncj.exe	42
PID 2184 wrote to memory of 580	2184	Hlfdkoin.exe	43
PID 2184 wrote to memory of 580	2184	Hlfdkoin.exe	43
PID 2184 wrote to memory of 580	2184	Hlfdkoin.exe	43
PID 2184 wrote to memory of 580	2184	Hlfdkoin.exe	43

C:\Users\Admin\AppData\Local\Temp\27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe
"C:\Users\Admin\AppData\Local\Temp\27cf4c25d7195a3bedad24a82cdd2d95d40c4c67d955b7d3c9b0393a0eb26736.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\Fcmgfkeg.exe
  C:\Windows\system32\Fcmgfkeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\Fdoclk32.exe
    C:\Windows\system32\Fdoclk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\Fjlhneio.exe
      C:\Windows\system32\Fjlhneio.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        20⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fdoclk32.exe

Filesize
256KB

MD5
84cc6096f5015c24908f48db6c5071b0

SHA1
977d6565bd6deb44d4c9eeb7cb9ecf07c9e795bc

SHA256
141ad1f6c1c5655456b2311522f9113a36b2c6cd708766ef91a840ce1de4ce4b

SHA512
3f47ca88a4349402084001e84a1451d3d1c276c04feb72b39c7bf227d5b53680734720a9509ebbbdf1a90110cb5edd670392b2b3659a27bc8826355adc3accf2

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
256KB

MD5
191e6a35416a90fc8aba99eca899a4a6

SHA1
6d37a3859bec65cbc4ea1d31977f74b04a476357

SHA256
bdb8bc89fb59d08761737ab087dcde5b338ff840f3c657a170875bac3344ca06

SHA512
c23a6a8487cd293da857db9400b7f23e01f9fb5015896e68b2bb7a8c0e84097ea135f8047ebacac34ebaceb5560f6d1e40adc270d572be49e87cb8160dfa55a6

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
256KB

MD5
71d7e42d64c19e22bdc09a37fd27b69e

SHA1
a31c2976cd7e703a0132fdf6169edbb8fba8e112

SHA256
5a1e1c6982f7c920424b5c4f641845f0fe646562eff32d255b1ce6d388b2b70d

SHA512
3459b4003141246cc72b161dd68ab2d82dce8b5bbbf48074458f44c5e4012c962835795beebf464dd5988902303f1b2078222bbaaa75f1c590144b56310ad9f7

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
256KB

MD5
3c056f9a2024ce07ff78f7bbff88d9e7

SHA1
532a0e839b17a6647bffded0f04e86cf416c00de

SHA256
c26a05db7c91a183e75af5c89b44e1e22e38eb3dcf3eefb0db5748b187125448

SHA512
8d0346f7495b20c12defb98006f74b40644b4915a0c9da7a8db03021ea828ccd557f939408490985af5931a1bf366ed8df824f8c5ea325faca0d40149ebbb374

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
256KB

MD5
721ec48c88a574f629cf251b0c57d8ed

SHA1
0b3c3f14300ce2a947fd2f61b291a929b6a676eb

SHA256
48174ea2ecc6d9156bc6f513b1d599e790bc550ad80c080dcc26e164edec3552

SHA512
c6955bdf1c2ff3fa5002e598895a1e0bdf0001978b19586296d3cf2613891488ee89766f1e6cbbe5d3527cdd2754d8ab3eaa3bece40dbe96de00e4fcc31d9489

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
256KB

MD5
530eac9c9bdcf12631857d0ce76641a0

SHA1
033c7b1087fa68572c35c2d15e0dd38e64b8131d

SHA256
c570cc7aa9f9382513231679ffcfdbae3424336f181ba5db7d67c733c8d7c265

SHA512
17af13197d70fc40d1b010df15a8e27f1dd9c16c1290a644b89c265450906563f2f7ab07dcfe7d677815b72cf163878d21c9a8463bf270b8bdef525378ec6389

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
256KB

MD5
db740786a51dc6b7515c3ae096425d4e

SHA1
fed05b202fcc05e5c72d02aa1aef1feb072aa004

SHA256
56fd3b290010d21a7e659e3436433bb7b05ec9d7664a60039524ab41482c4d41

SHA512
55f1c2eac9622049fb07438081a36f36c9cc5bec01bc03d8034b6be8e26e54616995285c28ce8a5e7e36635bd1a1a9ca3ae938fcbfc65033d0c990e1544c6c80

Download Submit
\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
256KB

MD5
e2d1bf9ca8c03a29e16c828145afe1de

SHA1
ca07c60b79a8b5e1357a933962b58fb305a762ef

SHA256
fe2587d7e1f97e3a49b6bb08e62b5a3692e8abffd34909a91b62622e0dc7f34d

SHA512
618707f8c31e53eb551c7223d2135b0f1d1968f6a20600604ba481a395f828b2c018c7c4b18cdf66bb3928decbb3a69ce5c3494e9648863627c4feeedfe4a5de

Download Submit
\Windows\SysWOW64\Fjlhneio.exe

Filesize
256KB

MD5
f4754c9b847b65de8536baa2cc98cfec

SHA1
16d3ec47f4821b228b71573215fadbdac33c00bf

SHA256
974629b66a799c476190ddbb5e0f3e33ccd3c5bf420737af1b070739b551df57

SHA512
30c1cefcaff5cac0e2ed50b1ba9cf21f0c834c86642dd3fa26a16b25f75e8d68f08e83426fcc586c330328d82d3c4e27f940ffd7ee0b3de2aa0169157fbd1c49

Download Submit
\Windows\SysWOW64\Ghfbqn32.exe

Filesize
256KB

MD5
a029659ecc26d6743795aa5e78994f60

SHA1
2aa99ee37a58c4acbc3dc062d88a464cbbc2a4b4

SHA256
c6a287d3d87e87af5c10f20131855f4bcee8809fdb529379c13bd77a773cbfff

SHA512
387c93cc233ff143ba8b85f7ee87c9f21e2284871d07a24ba64bf9bb17ce01fdbc27e682294f97ff9578d2c834d13ec9eba503cab970468bb633acc49f75bc71

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
256KB

MD5
79429a6cfb101ea885941b86d818907b

SHA1
b2babd335fde92becfc6268b2e4aefae95aba379

SHA256
a2d87aedd874d32eac587aef4195033c7ba557e5983e72c091ded6fcdaa69b90

SHA512
a111c8235fcbfa56c9cf1f8536b5aa252a2deb9de18ad95dd2fad42b9860f49e79679c684ff5ac8023e3a261e0b91d9996ed17f7713da89988649eba6256bdbf

Download Submit
\Windows\SysWOW64\Gmgdddmq.exe

Filesize
256KB

MD5
7c18010ad9e8f03cdb2604e0c9ae5650

SHA1
a6ea4e9d68f5c49a81be88ff84d251f64923a803

SHA256
fc8dfed33c04d9900765bb3dc9a0353a87a27c673317211f9a43d97e28401f68

SHA512
19d4d9538f5a3540f21bd898f28cc890b8da5a5147ea54fd0f17b4390e1a2680779e96257f0a7394032e934ff6ebf2a19f1fc81370375ce138267a3ef81fac83

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
256KB

MD5
da74a2558b6870f71cc96991dcc11a3f

SHA1
aaebda9d1b14fbf24129292b8cd1543afc014b02

SHA256
fb9e9298a200ef52d00c9fea08452175d01ebde5a178e83a06153d4b8f31a341

SHA512
121fecc1d1badc3829a76a59654c740d52f5dff809052b33996b551801b4ce3a9b77e13561112366ff1d3ff23b8cf912a947cec781a067704e2d0f337c753e85

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
256KB

MD5
55a2f5446de0ef2d07ab10abba1fae56

SHA1
813d4db3bd1d02745ffc7e93b195f4ce03e7660b

SHA256
61e43331e015d8d53528b45860b8af6fc8a062d504d0228b7fe0a79acd189e96

SHA512
c318e6af8e3376422b5938b3cfa24537349f1a3c3a2059d3151b57f07d2fccf40df8ad2fd47c22adac955e3e13da5b03c2479b58b02d97f5b4905b2ce6db2086

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
256KB

MD5
30998cb10cfdfc67408b5328186ee3f1

SHA1
edb664405c79d7a1d9f068311ae0bc2225188397

SHA256
153ad625b97662b062146572a381903858f48c72cf5e7709f10a5fcda7f06636

SHA512
385a23989e94202ea57609dc6441b6755d3dd42d7ce3185bc04a0da6b659653aada1493ed890a276493fb81ca8039a54f98b3500f81bb50112283c64ef9b9bf6

Download Submit
\Windows\SysWOW64\Hiqbndpb.exe

Filesize
256KB

MD5
dc0cd3132ea3c339dd8a429472c2e80c

SHA1
c8f54d586b2b654ebe6a3905946ff872581635d8

SHA256
2657e53bf1bbe31fca331e317a38b437066876347e1a32791c69b060c9aa8170

SHA512
7937597418ca2262a1ce550bba2e616ddb7f6bb9171275258a5ccc962e57aaee76348933c1248a3accb800e3c03dc9160b8889ace9cf5a9aad3b2a28215b8465

Download Submit
\Windows\SysWOW64\Hlfdkoin.exe

Filesize
256KB

MD5
10df09ae1652aa4f9b7dc51557f027a3

SHA1
c2bf3a6e16b78febf3ca042bc3a74a419fd60d99

SHA256
4a3b99a4886d55931ca460b8487031da3356fe97028008c3831bac7067944bf4

SHA512
e58914ee526f9d8878f65e37d051679b4560c8014de3bc0a14597f773720d66397c85383d00475340e1d20772e65138ef0e9b8fc88da5ebe00d0c85915a77855

Download Submit
\Windows\SysWOW64\Hnojdcfi.exe

Filesize
256KB

MD5
a769e8d5b1606e7d3f76d52612821a65

SHA1
fa2c103e992fd59cf6585835923356237eb483f2

SHA256
e42389711cbc812c14ad1b305dbf20bff4499b0c896a52f1cccd972823cf3911

SHA512
d399cbe119fe429b7ddca95d1fd2ca49b0d4599a11d1d3b92d0a9087f51f6509dfb105e919b9753dfe815f228db4c3f09d68251256834641522a35b079dae5f3

Download Submit
\Windows\SysWOW64\Hpocfncj.exe

Filesize
256KB

MD5
f0cf2c3e005ce7ae57066f7289223c90

SHA1
5f9766abb146f55f1b14059c4d9c3a487de2f9ab

SHA256
41fd8248d05063d5a2a3b474aaa84ac6dad3108a6df60a0cbfcc51a920935d26

SHA512
eb9871396de849fd2552f18d2fbd8ff26c1936df66d5cdc6f56be8e35ea3475e9bf7281680d7343365e63939ce4049319ebe29922825647b7f21edb42216f63b

Download Submit
memory/580-220-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/580-233-0x00000000006C0000-0x0000000000719000-memory.dmp

Filesize
356KB

Download
memory/580-327-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/632-178-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/632-191-0x0000000001FC0000-0x0000000002019000-memory.dmp

Filesize
356KB

Download
memory/632-321-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/824-252-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1124-241-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1124-333-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1124-251-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1124-247-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1332-136-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1332-148-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/1332-315-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1552-192-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1552-204-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1552-323-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1688-164-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1688-317-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1688-150-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1908-329-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1908-240-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1908-236-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/2116-6-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2116-3-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2116-295-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2184-325-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2184-207-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2184-219-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/2368-102-0x0000000000330000-0x0000000000389000-memory.dmp

Filesize
356KB

Download
memory/2368-309-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2368-94-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2380-305-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2380-78-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2472-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2472-297-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2472-26-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2532-307-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2532-90-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2532-80-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2656-35-0x0000000000320000-0x0000000000379000-memory.dmp

Filesize
356KB

Download
memory/2656-299-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2656-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2712-301-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2760-319-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2760-169-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2760-173-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2836-311-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2836-120-0x00000000002B0000-0x0000000000309000-memory.dmp

Filesize
356KB

Download
memory/2836-108-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2892-313-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2892-135-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/2892-122-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2940-303-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2940-53-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2940-65-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads