06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe
Size

99KB
MD5

0f01f62416c75d8f3ac3dfefade6a6c4
SHA1

769fa82fa8f156b8934ecc4519a9d16378687982
SHA256

06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614
SHA512

90da3da242172227cd4724e953d1b2b2fb0208a4818424efce4aeb1328adf3e3fe0f042f5ae66ecf7054dfcbe5bb65b7e1f2d02f21c475f0cf4711981c809212
SSDEEP

3072:lD2JQijUDjWNp61K2xTTTTTTTYrf2Hgb3a3+X13XRzG:laJrOjWNp61nxTTTTTTTYrf2A7aOl3BK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epieghdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeempocb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe

Executes dropped EXE 41 IoCs

pid	Process
2852	Epieghdk.exe
2596	Eeempocb.exe
2612	Egdilkbf.exe
2616	Ebinic32.exe
2624	Fehjeo32.exe
2532	Fmcoja32.exe
1944	Fejgko32.exe
1832	Ffkcbgek.exe
2788	Faagpp32.exe
768	Ffnphf32.exe
2152	Filldb32.exe
636	Facdeo32.exe
352	Fbdqmghm.exe
2036	Fmjejphb.exe
2932	Fphafl32.exe
1972	Gpknlk32.exe
2236	Gbijhg32.exe
696	Gfefiemq.exe
852	Gpmjak32.exe
1228	Gieojq32.exe
820	Gldkfl32.exe
1940	Gkgkbipp.exe
2428	Ghkllmoi.exe
1700	Geolea32.exe
2228	Ghmiam32.exe
2132	Gphmeo32.exe
1476	Hgbebiao.exe
3020	Hknach32.exe
2608	Hpkjko32.exe
2572	Hicodd32.exe
2620	Hlakpp32.exe
1176	Hggomh32.exe
2996	Hnagjbdf.exe
288	Hpocfncj.exe
2768	Hobcak32.exe
2172	Hodpgjha.exe
1516	Hjjddchg.exe
1748	Hhmepp32.exe
1308	Ieqeidnl.exe
2824	Ioijbj32.exe
2004	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2988	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe
2988	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe
2852	Epieghdk.exe
2852	Epieghdk.exe
2596	Eeempocb.exe
2596	Eeempocb.exe
2612	Egdilkbf.exe
2612	Egdilkbf.exe
2616	Ebinic32.exe
2616	Ebinic32.exe
2624	Fehjeo32.exe
2624	Fehjeo32.exe
2532	Fmcoja32.exe
2532	Fmcoja32.exe
1944	Fejgko32.exe
1944	Fejgko32.exe
1832	Ffkcbgek.exe
1832	Ffkcbgek.exe
2788	Faagpp32.exe
2788	Faagpp32.exe
768	Ffnphf32.exe
768	Ffnphf32.exe
2152	Filldb32.exe
2152	Filldb32.exe
636	Facdeo32.exe
636	Facdeo32.exe
352	Fbdqmghm.exe
352	Fbdqmghm.exe
2036	Fmjejphb.exe
2036	Fmjejphb.exe
2932	Fphafl32.exe
2932	Fphafl32.exe
1972	Gpknlk32.exe
1972	Gpknlk32.exe
2236	Gbijhg32.exe
2236	Gbijhg32.exe
696	Gfefiemq.exe
696	Gfefiemq.exe
852	Gpmjak32.exe
852	Gpmjak32.exe
1228	Gieojq32.exe
1228	Gieojq32.exe
820	Gldkfl32.exe
820	Gldkfl32.exe
1940	Gkgkbipp.exe
1940	Gkgkbipp.exe
2428	Ghkllmoi.exe
2428	Ghkllmoi.exe
1700	Geolea32.exe
1700	Geolea32.exe
2228	Ghmiam32.exe
2228	Ghmiam32.exe
2132	Gphmeo32.exe
2132	Gphmeo32.exe
1476	Hgbebiao.exe
1476	Hgbebiao.exe
3020	Hknach32.exe
3020	Hknach32.exe
2608	Hpkjko32.exe
2608	Hpkjko32.exe
2572	Hicodd32.exe
2572	Hicodd32.exe
2620	Hlakpp32.exe
2620	Hlakpp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Filldb32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Faagpp32.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Fphafl32.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Faagpp32.exe	Ffkcbgek.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Eeempocb.exe	Epieghdk.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Dlgohm32.dll	Ebinic32.exe
File opened for modification	C:\Windows\SysWOW64\Fejgko32.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Fphafl32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Qdcbfq32.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Ffkcbgek.exe	Fejgko32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Clphjpmh.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Fphafl32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Ebinic32.exe	Egdilkbf.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Lonkjenl.dll	Epieghdk.exe
File created	C:\Windows\SysWOW64\Fejgko32.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Epieghdk.exe	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	2004	WerFault.exe	68

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fejgko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll"	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eeempocb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2852	2988	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe	28
PID 2988 wrote to memory of 2852	2988	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe	28
PID 2988 wrote to memory of 2852	2988	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe	28
PID 2988 wrote to memory of 2852	2988	06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe	28
PID 2852 wrote to memory of 2596	2852	Epieghdk.exe	29
PID 2852 wrote to memory of 2596	2852	Epieghdk.exe	29
PID 2852 wrote to memory of 2596	2852	Epieghdk.exe	29
PID 2852 wrote to memory of 2596	2852	Epieghdk.exe	29
PID 2596 wrote to memory of 2612	2596	Eeempocb.exe	30
PID 2596 wrote to memory of 2612	2596	Eeempocb.exe	30
PID 2596 wrote to memory of 2612	2596	Eeempocb.exe	30
PID 2596 wrote to memory of 2612	2596	Eeempocb.exe	30
PID 2612 wrote to memory of 2616	2612	Egdilkbf.exe	31
PID 2612 wrote to memory of 2616	2612	Egdilkbf.exe	31
PID 2612 wrote to memory of 2616	2612	Egdilkbf.exe	31
PID 2612 wrote to memory of 2616	2612	Egdilkbf.exe	31
PID 2616 wrote to memory of 2624	2616	Ebinic32.exe	32
PID 2616 wrote to memory of 2624	2616	Ebinic32.exe	32
PID 2616 wrote to memory of 2624	2616	Ebinic32.exe	32
PID 2616 wrote to memory of 2624	2616	Ebinic32.exe	32
PID 2624 wrote to memory of 2532	2624	Fehjeo32.exe	33
PID 2624 wrote to memory of 2532	2624	Fehjeo32.exe	33
PID 2624 wrote to memory of 2532	2624	Fehjeo32.exe	33
PID 2624 wrote to memory of 2532	2624	Fehjeo32.exe	33
PID 2532 wrote to memory of 1944	2532	Fmcoja32.exe	34
PID 2532 wrote to memory of 1944	2532	Fmcoja32.exe	34
PID 2532 wrote to memory of 1944	2532	Fmcoja32.exe	34
PID 2532 wrote to memory of 1944	2532	Fmcoja32.exe	34
PID 1944 wrote to memory of 1832	1944	Fejgko32.exe	35
PID 1944 wrote to memory of 1832	1944	Fejgko32.exe	35
PID 1944 wrote to memory of 1832	1944	Fejgko32.exe	35
PID 1944 wrote to memory of 1832	1944	Fejgko32.exe	35
PID 1832 wrote to memory of 2788	1832	Ffkcbgek.exe	36
PID 1832 wrote to memory of 2788	1832	Ffkcbgek.exe	36
PID 1832 wrote to memory of 2788	1832	Ffkcbgek.exe	36
PID 1832 wrote to memory of 2788	1832	Ffkcbgek.exe	36
PID 2788 wrote to memory of 768	2788	Faagpp32.exe	37
PID 2788 wrote to memory of 768	2788	Faagpp32.exe	37
PID 2788 wrote to memory of 768	2788	Faagpp32.exe	37
PID 2788 wrote to memory of 768	2788	Faagpp32.exe	37
PID 768 wrote to memory of 2152	768	Ffnphf32.exe	38
PID 768 wrote to memory of 2152	768	Ffnphf32.exe	38
PID 768 wrote to memory of 2152	768	Ffnphf32.exe	38
PID 768 wrote to memory of 2152	768	Ffnphf32.exe	38
PID 2152 wrote to memory of 636	2152	Filldb32.exe	39
PID 2152 wrote to memory of 636	2152	Filldb32.exe	39
PID 2152 wrote to memory of 636	2152	Filldb32.exe	39
PID 2152 wrote to memory of 636	2152	Filldb32.exe	39
PID 636 wrote to memory of 352	636	Facdeo32.exe	40
PID 636 wrote to memory of 352	636	Facdeo32.exe	40
PID 636 wrote to memory of 352	636	Facdeo32.exe	40
PID 636 wrote to memory of 352	636	Facdeo32.exe	40
PID 352 wrote to memory of 2036	352	Fbdqmghm.exe	41
PID 352 wrote to memory of 2036	352	Fbdqmghm.exe	41
PID 352 wrote to memory of 2036	352	Fbdqmghm.exe	41
PID 352 wrote to memory of 2036	352	Fbdqmghm.exe	41
PID 2036 wrote to memory of 2932	2036	Fmjejphb.exe	42
PID 2036 wrote to memory of 2932	2036	Fmjejphb.exe	42
PID 2036 wrote to memory of 2932	2036	Fmjejphb.exe	42
PID 2036 wrote to memory of 2932	2036	Fmjejphb.exe	42
PID 2932 wrote to memory of 1972	2932	Fphafl32.exe	43
PID 2932 wrote to memory of 1972	2932	Fphafl32.exe	43
PID 2932 wrote to memory of 1972	2932	Fphafl32.exe	43
PID 2932 wrote to memory of 1972	2932	Fphafl32.exe	43

C:\Users\Admin\AppData\Local\Temp\06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe
"C:\Users\Admin\AppData\Local\Temp\06cb8cc93095c0d0ac663c2e3b6db597fa6e2f2661172a2f8bc45eb1c85d6614.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\Epieghdk.exe
  C:\Windows\system32\Epieghdk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Eeempocb.exe
    C:\Windows\system32\Eeempocb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Egdilkbf.exe
      C:\Windows\system32\Egdilkbf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Ebinic32.exe
        
        C:\Windows\system32\Ebinic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Fejgko32.exe
        
        C:\Windows\system32\Fejgko32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ffkcbgek.exe
        
        C:\Windows\system32\Ffkcbgek.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Faagpp32.exe
        
        C:\Windows\system32\Faagpp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Filldb32.exe
        
        C:\Windows\system32\Filldb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\SysWOW64\Fmjejphb.exe
        
        C:\Windows\system32\Fmjejphb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Fphafl32.exe
        
        C:\Windows\system32\Fphafl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        42⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 140
        43⤵
        Program crash
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dlgohm32.dll

Filesize
7KB

MD5
e32d3a7c281751bad06dd91a51401cb8

SHA1
36b81c83c038b9870b27df3cc54c2152e0773bae

SHA256
9249982ca468e3cc6a89cfd24aedf7de90a1e5f00305cc0455ede8cfd0954c57

SHA512
a2eacf3acea661fa6729a03d20b88f940991a18ea29c553d31cf998e5f3e782d6c7d7f6537ef33d3366b78ac51dc9553341613635aac089c32748b48d5be533c

Download Submit
C:\Windows\SysWOW64\Eeempocb.exe

Filesize
99KB

MD5
50b3d045617479720786d2f1a377ab4b

SHA1
7d8f109e27e42b8ee5c37fb0e49ceedfdc757f8c

SHA256
ed86863bd2dd2c6e26174521c2c612133e8f87655df2d1aa3320e1962e7462e5

SHA512
e44e61e656e8a7b72f09cabd444c156eeaab6a2e5778e55789ad328056c422c7375a9e7e0384f633d292e21d61ea0960af0dc2cd0ea415f6d44975263d7b018f

Download Submit
C:\Windows\SysWOW64\Egdilkbf.exe

Filesize
99KB

MD5
6a71575738e823a3116c4a44ef4f88a5

SHA1
dcf703559c3f8a6ae755f83203c05f4202e26906

SHA256
9a86d387a89e59d6cb800944fa32653c1808a2ce8423970cfa0d411539c9acca

SHA512
2da82c34109f5e14231e3febd039866d7daf017a77bc94d9ca541fa32ad9a9f188267016e02e42d983a796410a07c03506810573fb94e8367212a71e668313bb

Download Submit
C:\Windows\SysWOW64\Fehjeo32.exe

Filesize
99KB

MD5
29bd451c571b136175a89fd126fd20fd

SHA1
51c113dcc17f7b75c0f667a961570a70267ca077

SHA256
22fa8264ebd548aac7d04aa2097eecc6e2de5ad88386b5449962ee155b8faff2

SHA512
a3b24cc235cf22e4dc498ea271a3b5e031dd22be319daa426b5cbc8bbdfe0f9d27d97bfd10e9334fa011b67acd48d19a712de9e3bf27af39f835a0800628977e

Download Submit
C:\Windows\SysWOW64\Ffkcbgek.exe

Filesize
99KB

MD5
ad17cf7713d5b949b53e6508d245f94d

SHA1
4c1eaee36da3bad5340fc8581af90cfe0a030f4c

SHA256
29cb831e25f04e04d51ce3389f21328bcfa0ead9f98a91fd15ccafa46e0d6d2b

SHA512
66ec58384f44bb5396055b6104837c172c92e47c861c789c8687c6396ac39a5d16be9afc810fca9c29a5d2eabb694237dd5ffd3a1360ff98b80bc4220bb2b564

Download Submit
C:\Windows\SysWOW64\Fphafl32.exe

Filesize
99KB

MD5
c6ae933be426b7b386375aef621a0138

SHA1
c41c17086035f67235867a51b99028c5374693c8

SHA256
75390d7b5a05ae8961fe39a1ec9b6a55a85ab9ac03864c6961bc0ce5669377f6

SHA512
d0e408272e86a5c2c2ad54c0a57aa26fe1908e6e2c55524ea4f036a58ee554a47834575563a6e7c5a09ffa70cfb75462d8843efe36a43b22ce47311335b48a6b

Download Submit
C:\Windows\SysWOW64\Gbijhg32.exe

Filesize
99KB

MD5
bf48ff05d78be379ea71e48ace3dfbb8

SHA1
a63f55efdbdd64fc48e9c7b2af0ce257cb9eac40

SHA256
97ffe6b3e5e6b467611a6f78cf5ff7ec7fa7f9b90af661e9890aad381424b019

SHA512
4d9a81e5996f4acbfcaa222bbed5478e7a2517273c605c58614d853614f665bc19a8354fc8263422c5981550dd16dd572fb9f14d6458fab093caa84ca2592bef

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
99KB

MD5
d24132d12d8ce1d164cbe4f5ec1a9cb7

SHA1
686e4131c4edc13332c9ca80c2bdafbe8cbaa885

SHA256
fe5a29dbb31b0f2644052051d3f97824205bdb3006255317a92c96f89c4a3dc0

SHA512
91fa6bdda724ec1757f5519597a462cf16d70708b1c8bdba9ddda940dc5a0d3f23d636b55b305ba4a0c6f87c2dbaed455c842db3e2ce3ccd1498be672a6595ad

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
99KB

MD5
6a0671d6c3d3bcd949e3b5913335305b

SHA1
24ea4345200d583383301afccee4854a90985db7

SHA256
ef29bf6f6dad90cff5c76e69831cb411449fa659cd7d4bdf5f7533001a4fbc6a

SHA512
09bc4d5c99e58b129fb39d25377d5c2cb379ba32c974241259c77e9089cd0d87e5d2a4ad6e25e7b6e8d03b0bccf4a06a47c866716fe443da3315aa7d67629921

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
99KB

MD5
13d6ede7782526e18f1b47be2c7f9b83

SHA1
84d180e7f19840f38eacc53a2178d2fd6fa43121

SHA256
1804a3abe1656a61bdccdd595a605e676d490f2263a3ca11a6abd63ea8bf8773

SHA512
197d13e239286970918104da8aa6fd34c1a3ac775dde69ae1699d4cfd441b56410932283e982d82a4c7f43e3ce3a4123881baaf040a4650ef577b3ba57ea4da6

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
99KB

MD5
f9204fae1e45338d9848dd02d493e42b

SHA1
788e90bcc9604ed47b84503f56e2683d52b891cf

SHA256
36ad0e40179b4a1efddb2c127b82cd13696cbd6c5aaf64fc57cd06822db84deb

SHA512
d2d37a1ca7a51bdfd20faf53c74ec643aace342f23ffa236724e01c37a3f9f1cb8dd8ef39219838b8188dc0dd0afd3db504f3c85ce54d356058206dc49cd8439

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
99KB

MD5
083d590646ec5353d53e26a804a33b2e

SHA1
0470dcde2e428830df6edaa4dd318479a75f929e

SHA256
4a98196c26ca69660b339658a5cf0d52004f15ba6e7a0770df7f0fed582ffb88

SHA512
787474dfe2a44f8eaba59d10fe05992071b3cbd196320635b60d39efc058767f1b6f97d099ba69271623ba7619871a677deb19c416f3b4e9ff3276e8131dae24

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe

Filesize
99KB

MD5
f1f6ba7e1c2d4877ae3e67b348a2c118

SHA1
3b8977edc49d29eb14c249ec84ddc8c72d6d11f5

SHA256
97e272aac7e24cba0f63fa5c23cc699f41bd43ce896a81b520b17bdf996d844a

SHA512
4ab48185125644a2f4604efa74caf1cb3132a6a3a5cf3a17e579059eafd9f83e7b8588c7e84f63b743ca9478e1ace068df108b2a9315d5442d844cb908003263

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
99KB

MD5
d2f1b0414a1ec11d7895949d7ad6c765

SHA1
b0ff958c810018bfd81719f229f9d32d129ec703

SHA256
f13fa60ab66d233f428f58f2ead09fc795c05c3ee5297631515482ec298f68f9

SHA512
7af7ef379d0363d72806b5ddf9771ee4b722873de7703b502f716124559cc58e794631ca2248787d46d1aa354cd0619961cf7685498adc9e8c733d93bd32fead

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
99KB

MD5
67fa1e78b1d0418389408b1bfb74cd58

SHA1
03dcc4bce5bf2e24e975cc5d01fa03a5cff7c785

SHA256
974f48b11b4e6c57ae76dbbd7282b9c4067f91f4b4c50650bc55dec003da3dc7

SHA512
f40522aab406dd727a5ae302002f6e0bc7ffd148942e311819bb2098affad2e4be32c27c3e7765169a0d964b1543fbf0456e747616c1ab12a2a5a99b527b6604

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
99KB

MD5
34914dd9285ef1e8afb27d160ef83da5

SHA1
e0150740e51d22002272c21bed00dfb2bd1769b5

SHA256
77f47e507db4a94f4abe1833cb91da177870979e7b29c6a1eff2d1c9195ce887

SHA512
24335e406227bceda7388b45684c402559a80bce1785f153a1d542e353491b68b4c983830e8de8a2fbad33a6f56f2084bf3310887132877ea58ee97af7b90bc4

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
99KB

MD5
22f08ec8089cf6e236e73130314b44b5

SHA1
1937e9567b6cb00eeaf45b36abe11ae4b9e2eb20

SHA256
48b77f6f2b18303450ea40d878aba455760865f6b0566c7e718abe9332204fe9

SHA512
eef7733d005ac86afe50dda3502fd1bb63bd5ebf54c05bcee0901ea9358286e7b18d51676fd2fca935f2dc5a7a71f4e3126390495ce174e27c49460cbf6ef590

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
99KB

MD5
62a7e4fdc1430254a2ae5d8fbd33269f

SHA1
6897f3227fdfc3b049d922e92064776459ad244b

SHA256
8a82c3952ee2af14bb4820764159e4b626c793f5b8fe8d7ca08b901526a5817d

SHA512
7030b448f8d8e053104669a8fab4e93fc7920b8b1b95647e65180d29b4e6daf64d09b7eb65d10b80e5f45124c41f3543a4398fa1c790d536aa6ada5c032e8f46

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
99KB

MD5
6fc9a753dea481140af02ba6583fb401

SHA1
29cae794e048724d465a05796cf6a3669e3391b4

SHA256
2e194a6b6d2fb24793d5435442132e6bd3924bf4c91df328d20c608ecc233a86

SHA512
9fca4a691a45a0a116506f29f7c1215fbbba934a2d5312f7882fbc9d7bff5d7707f11bde27e76a40df5b99664e4c3905a1046b2d4caabe57ef306667bb72a4c2

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
99KB

MD5
bbce09e9fb4fbe33df05acc981657222

SHA1
e47cd3282f80040ff39253277470dd51eff49cb6

SHA256
8fa83845d0f1fab8f86c5e850603e59995becd8ae2b57dc596de3b2a0041dd30

SHA512
42a1c17be103e0a534eec64d25560a018933c5dfa75a910711c750560faa2b81259403a9a0b64042ecd743d90430b493300530b884940487404b1adc225ba0f6

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
99KB

MD5
e4aeca446e48dbf631ca6f22611d5bea

SHA1
6b4db1e105e3cf683a71be8a1ac085d2000a650a

SHA256
5055b19d587c7d57cc0b3da891daa42bd16d6ec3229bb192641d5fd56e2c48a0

SHA512
b225af7e72abea1def403aa0993a33389a9e2a60337efe35f01e3e7e0bf388799a49cb6b055f727e42cf798f32fe5df14ffb3e68de761baf98cd8b7dca323845

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
99KB

MD5
b2093f6f5132f596f5f3263e1092adfd

SHA1
261dec9c801d33ddb5ad6037d13cfee0fa35e802

SHA256
c92b575a70bfe1b0c77edf20c5bbc99d6acdd352b0657b4854576fd17a0f7a02

SHA512
40e36e4ce77e12026576a7b367f5fcc5df7a91978ca97f0c15816f900e1a21a7fab57e3985b26274493e25c5f21830fa3172b0e202243b2849b25570d66ca866

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
99KB

MD5
841770d5f2f7bd38fe4965a17b0e976d

SHA1
ce4f0dc5c148dd523e5dfd53d9c64b8cb7286d70

SHA256
f1e04bbde4b650f62aad2e423b4325f0e5b154bb73d6326e71010aa957821615

SHA512
bddc928ee1b70696e95229d4e091155ac67a5cdf1e9e543f713d82b115d8ae773b5f28d888ef5e928e2cb7e063abd2cf6680b4e44a5ac4117ee956ff3eb6a88c

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
99KB

MD5
52b92f52ae8f807f7eb95e07cadc2b31

SHA1
73e53c56be2f24b8962e104f9d7716e46d135b84

SHA256
3d24ba05665edf7c9b23ed68fa9ecb05c732e2134654628ffcf4b1b585b3543e

SHA512
f2aa27ca7aa569f49ee8cf3745db91ddc80b726164c16c817f6c985dede55cbd4ad28ed10d090b8aa76fd149527968b7bde54745b065d52d98ea14cb100775e4

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
99KB

MD5
02f0b6efb261ec4d79115f304ce5a8c8

SHA1
dadc186f04adad9864bca3eb8b0fbcdda3fa5aee

SHA256
37b55a4b8fdc016f2ae60fb2405d1044a91c24c85b9438b3ffa92c397c2b3337

SHA512
c535a26b450b00ff4e3c1aaaf2c8b2b1fc217fb9f385d6fbef0cdec62bb399c0047c4be335030765b45e9f6e1b89181fc4b8ae6ac385f184b0036ab456a97dd8

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
99KB

MD5
e7a5fa50228425e1b27f4b0cacb67c65

SHA1
45f9c988895afb05cdd1f0f526cd4d8ee704ce93

SHA256
b24c08b41522ec808c697d847e8c61dc201756f2151ae9a0ac1d9e8275e2afe3

SHA512
4a3b77534ab7c98eb367c844a34d04d8a9fdff8702597d243e3bf3be41c0fef939ec71526e3583b7c4a21ed94abf75b2e5f7e5fb70a757d355bc265fdfb3ac9a

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
99KB

MD5
3d6f59a3660ddc2a3faf84326d8208e0

SHA1
cdbdfcbd8595124264cb0ba3773960e9d2d5f2d0

SHA256
ea730b30f4df50e0a49ce6064060989ca85bc9a7d1bb8200c13cb001930f1b50

SHA512
876be1b92f5ab5760861c7fb5287222dfc21d19b606125afa36d40b3dccbc63462eb4373700c57211bab3295a1cb6d03ef0c70d189efd7c7e91419f606e37547

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
99KB

MD5
5d3ec0bd30906eb1c41de561e66559e0

SHA1
8cba8dfeefe02d41e3e8e9cb7abe17a64a7a7afb

SHA256
7e8b95c533f8da2633bfe8955ba3e5dd559365907644fe1c505cd919ad9b7598

SHA512
3ff04ce9ca7c5488a5c3e266076be32f82f3a4f4fdb4a299b1d12f5763aa9a906dc8fc2d8b9b61a9b9b757f6a2502fda3a39f89f8a5e1d0210ec035f15ec9cc0

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
99KB

MD5
df20ddadac112b07453550de299513ad

SHA1
e3dbfede0e17d4c21533f7d4472e9436bf8a118e

SHA256
150bbf0df9828666a81bbd0b3797ce18e1e650109ee5431494f70731b545e4a5

SHA512
d3c61ec6747af7c07d7d734091fbff2856259a800f41aa19d30b8129e0acfcef881e55037c9f8db61a532222baa20d1f05e99461c51353eb1140f1065d926f61

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
99KB

MD5
dd3fd6ab53e5cd4d1bac6d4d1aecff6d

SHA1
070a86a1d8b24e8600ace7461a1e3a03e4700992

SHA256
89939a933f35f54f198dac31334d8119c35b554232672f94793724d9802bec5f

SHA512
50b301d2674e16a27d4309465cf2f419116fd2b7a3f4adb80a931dd59dce098bbd1b535296e1c97d88d3202eac1449c6628d59e1c83fe745327a2e4f1c9f03ad

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
99KB

MD5
0021d794bab88b1a96e8fb5faf90a640

SHA1
bcb8ad479738535f8b6ee5fb5a832001eb457215

SHA256
0a672c8054ca483b7aadb0db066f0ae1d4cc6796940c09fc887cdd2cb91ad24f

SHA512
d57b85bed543ca15d6b47e85d26475ca9f806d76c92fdc11bd527ee4b595c0c30d3025fb39af9d2b0aa4c5fb62fa11111bcbe6819192c1027129237c2d93729c

Download Submit
\Windows\SysWOW64\Ebinic32.exe

Filesize
99KB

MD5
706fe8b093167a3f79ae2540d64a75a6

SHA1
9260a07b022ef1380354047489b1cba5d8e4b00a

SHA256
5918cec78c17c990daaaa37332afb72953869a65ead0074aa0616ca3f5a7c774

SHA512
02c96fa276504cb05d4cbf05958eb7b9933cb5bd0bc3a50f301fd6d003a8bab5d038ed512dd37a4af9a50ef0c578f9de9ff1beeb0a73cecf4a81fad6dfe3843f

Download Submit
\Windows\SysWOW64\Epieghdk.exe

Filesize
99KB

MD5
d6da9563997b37fa63dc769440be91dc

SHA1
42a8a13f4452d234df05c1bcc1674dc42a2db56a

SHA256
12f94344ce450b36c884b0a1d50a541a944d74fc1ffee4fa2efce3542e36ed4c

SHA512
18023410a31cc5911cbcb1d3cb2cc739b6082be213f4c9d887b8d02a3640180aaef39c0e4689d44aa51fbe1b71fe2d83fadb9e12d8a15bd4095e5a81fa363516

Download Submit
\Windows\SysWOW64\Faagpp32.exe

Filesize
99KB

MD5
e19d26247e7d28a301501809441f42c4

SHA1
b835b796b3c9d35976b70ade1800b7988abac5c6

SHA256
966b3a8dc2e540612a772e3781a91f7f0804ad30497dd0e6e0acb4231b770846

SHA512
817b73531aaf02902e64f3ee6893ed5e40123956f0112a4f196cde79801f21b970ea3fc9d493312ca21fbd1d00a1dc158464ca97728b8cc673140815128b01f2

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
99KB

MD5
41af80e2f360eb37c4f7d4d56508f260

SHA1
fb135b88b7cb7ff7cef3ee7cde71faa69b316c4c

SHA256
4644fd37539eef9eedf2afbb5fab10207ec205f4225a4795a9980fa17693eea8

SHA512
b50f3c65d33088948c2d8429050b5ad6727d3aad6b2d4c89f92b661c2d8e13fe91044e72f61815a72b36cc6267d2ca00ce70d2177c62752696ffaa48c2451792

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe

Filesize
99KB

MD5
44fe6efa7782346b92a9bdb017a80e79

SHA1
49c18904ca99761209701af6f9a68df8b83168b3

SHA256
d8bc29c3dd22db1092ac34f5ef058d11a7fae18e33ec6bb6e097a8c6001e35f3

SHA512
be7b709fe7e4142c3525fbef90321ba9b44579076ca853462a121c0d0ca6da8051b6328ce1842712e4b501eef26fad7c33c2a03f653e6df390e46959aa20f5c2

Download Submit
\Windows\SysWOW64\Fejgko32.exe

Filesize
99KB

MD5
3d8ed79f2898b6b79db3a5ce617bebf0

SHA1
4cf170dabb1d9729827c788285a18d57a7b1e1cf

SHA256
ae46ca9bf52e4387bae5bd5dde43f6a945b3a8ba09e02d85f0bc4430269cd07b

SHA512
dc2e210df553b78f94ffd2511bd6310fa81be7a1e7141fb42fca6bf987fb6d5f8bb44d68deb2a767fa57d160112b094a2b310655eeaf7bafa5d77ed93df52c94

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
99KB

MD5
e5559ee06fd52b7f97503e75d6ed9b91

SHA1
69f06233cc1a09e328b2128d108573d217c741c8

SHA256
b0a6b7a1d90f57ddf4913ae9790829ea924567a3d4816b25971a75808bca7bd5

SHA512
c2c498703bc3a90aa700088c70ce22843e0bddedb21039cec2090f0157c7bb99687692ce648e307fa7910c0440c486f071763d9f2dbea17aa2766082735d5e0d

Download Submit
\Windows\SysWOW64\Filldb32.exe

Filesize
99KB

MD5
9975b960e3a7442519aedc05c2e6a84a

SHA1
a8d6fac16695705873d3ae62c1d3455891b948a6

SHA256
1b6a064e03cf97076842a787f214cc28272b69162c69a31dfb1e0facdc929716

SHA512
125ae9558c359156258fdaa4a8efa2ae262076bb3b605c29d7522f2bd4e9033211686e3ad7b23888d8363765f7d9534712f34b9b94be37feb79495fd60790d58

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
99KB

MD5
5734cf5892b42a2e3bf50370b49d419b

SHA1
b7a6b56799436e2235f5e648886ed782b29f6c0a

SHA256
5fc8fae9c6caa03a66de8f25a5c543b6450b824455956b7167515af1667a0c39

SHA512
c5e6a94693d309db9db8ed10dd9153e056545d80c86f5091f6cb5e1fc1dd77b8caaafd1ee5238da26331bbbcb42cd10362ad5bcc851ce1e3185a7b7b42e6787d

Download Submit
\Windows\SysWOW64\Fmjejphb.exe

Filesize
99KB

MD5
77323ba5c4ccfb59c3d5d4d409a2764f

SHA1
eaa192f59ed4972db293080eb71c928fc4fc5406

SHA256
bf9a3b9822c80df7b9592131299827c3baf3d548253b1697bbde6ea532560acc

SHA512
c5fd909f61a19d2ef0fb1848d2e88ecc0e84f8dfe4695608544ebd0264776a608a778f02319b869af1bc4475663268345fbc7a07a95fd2b9fc525260dae0653a

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
99KB

MD5
29b2dd6de48e3c2b563ded973ec73863

SHA1
199ab57454310b801602032b5ce0ddeb7d6f5a9d

SHA256
4399050f8c5b2dfcd35e52fe7c0e125e3543658f8548a10568c6e30a122cd0b7

SHA512
9a2d3f85eda22080ed1aba4d7a8d4ff04f59da3539f914e8872bbad179db6478dce9c8c50302f8f02eb90d548354806d2329755a2d8a0d1c81e5c2e0858e8669

Download Submit
memory/288-416-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/288-417-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/288-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/352-173-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/696-240-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/696-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/820-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/820-274-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/820-276-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/852-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-257-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/852-259-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1176-394-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1176-401-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1176-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1228-265-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1228-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1228-264-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1308-470-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1308-471-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1308-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-337-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1476-349-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1476-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-458-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1516-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-457-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1700-308-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1700-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-460-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/1748-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-120-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1940-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1940-286-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1940-287-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1944-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-222-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1972-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-330-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2132-329-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2132-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-444-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2172-438-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2172-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-319-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2228-318-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2236-237-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2236-236-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2236-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2428-306-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2428-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2428-305-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2532-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-372-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2572-373-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2572-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-486-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-362-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2608-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-361-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2612-49-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2612-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-487-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-384-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/2620-383-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/2620-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-432-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2768-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-436-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2788-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-481-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2824-482-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2824-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2852-26-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2852-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2852-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2852-40-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2932-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-6-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/2988-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-405-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2996-406-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2996-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-351-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads