cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
Size

161KB
MD5

b7a5e00381115128926001f3448dcd5a
SHA1

5f189f409830a4b67abe0d9272d835dfd6976b59
SHA256

cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d
SHA512

63dcdac9907f9af2a8c87aee9c7e7126abd866bed7f32b11ae4290b353b275f014bfc6369a378963626c417b8ed5651808fed7ae6fc588702c125dabd29a419d
SSDEEP

3072:JItfRXzDakNCbq/yMkiVwtCJXeex7rrIRZK8K8/kvV:JItf1akNCbWkiVwtmeetrIyRV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnpnndgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eloemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfgmhd32.exe

Executes dropped EXE 40 IoCs

pid	Process
1992	Dngoibmo.exe
2100	Dkkpbgli.exe
2740	Dkmmhf32.exe
2588	Dmoipopd.exe
2608	Dfgmhd32.exe
2532	Dqlafm32.exe
2348	Emcbkn32.exe
2660	Ebpkce32.exe
2020	Ekholjqg.exe
1936	Efncicpm.exe
1060	Enihne32.exe
284	Eiomkn32.exe
1516	Eiaiqn32.exe
2068	Eloemi32.exe
2248	Fnpnndgp.exe
1768	Faokjpfd.exe
1132	Fjilieka.exe
668	Facdeo32.exe
1940	Fphafl32.exe
1912	Fbgmbg32.exe
604	Gonnhhln.exe
2824	Gfefiemq.exe
3016	Ghfbqn32.exe
1688	Gangic32.exe
2132	Gaqcoc32.exe
620	Gdopkn32.exe
2580	Gmgdddmq.exe
2680	Ggpimica.exe
3008	Gmjaic32.exe
2384	Hknach32.exe
2524	Hdhbam32.exe
1632	Hobcak32.exe
760	Hjhhocjj.exe
2808	Hpapln32.exe
2032	Hhmepp32.exe
2156	Hogmmjfo.exe
1552	Iaeiieeb.exe
1600	Ihoafpmp.exe
2236	Ioijbj32.exe
2784	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2056	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
2056	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
1992	Dngoibmo.exe
1992	Dngoibmo.exe
2100	Dkkpbgli.exe
2100	Dkkpbgli.exe
2740	Dkmmhf32.exe
2740	Dkmmhf32.exe
2588	Dmoipopd.exe
2588	Dmoipopd.exe
2608	Dfgmhd32.exe
2608	Dfgmhd32.exe
2532	Dqlafm32.exe
2532	Dqlafm32.exe
2348	Emcbkn32.exe
2348	Emcbkn32.exe
2660	Ebpkce32.exe
2660	Ebpkce32.exe
2020	Ekholjqg.exe
2020	Ekholjqg.exe
1936	Efncicpm.exe
1936	Efncicpm.exe
1060	Enihne32.exe
1060	Enihne32.exe
284	Eiomkn32.exe
284	Eiomkn32.exe
1516	Eiaiqn32.exe
1516	Eiaiqn32.exe
2068	Eloemi32.exe
2068	Eloemi32.exe
2248	Fnpnndgp.exe
2248	Fnpnndgp.exe
1768	Faokjpfd.exe
1768	Faokjpfd.exe
1132	Fjilieka.exe
1132	Fjilieka.exe
668	Facdeo32.exe
668	Facdeo32.exe
1940	Fphafl32.exe
1940	Fphafl32.exe
1912	Fbgmbg32.exe
1912	Fbgmbg32.exe
604	Gonnhhln.exe
604	Gonnhhln.exe
2824	Gfefiemq.exe
2824	Gfefiemq.exe
3016	Ghfbqn32.exe
3016	Ghfbqn32.exe
1688	Gangic32.exe
1688	Gangic32.exe
2132	Gaqcoc32.exe
2132	Gaqcoc32.exe
620	Gdopkn32.exe
620	Gdopkn32.exe
2580	Gmgdddmq.exe
2580	Gmgdddmq.exe
2680	Ggpimica.exe
2680	Ggpimica.exe
3008	Gmjaic32.exe
3008	Gmjaic32.exe
2384	Hknach32.exe
2384	Hknach32.exe
2524	Hdhbam32.exe
2524	Hdhbam32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpbjlbfp.dll	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ebpkce32.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Eiomkn32.exe	Enihne32.exe
File opened for modification	C:\Windows\SysWOW64\Ebpkce32.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Fnpnndgp.exe	Eloemi32.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Faokjpfd.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Dkkpbgli.exe	Dngoibmo.exe
File created	C:\Windows\SysWOW64\Mghjoa32.dll	Dngoibmo.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Dfgmhd32.exe	Dmoipopd.exe
File opened for modification	C:\Windows\SysWOW64\Dqlafm32.exe	Dfgmhd32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Efncicpm.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Facdeo32.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Gangic32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Mmqgncdn.dll	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fphafl32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Ebpkce32.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Fnpnndgp.exe	Eloemi32.exe
File created	C:\Windows\SysWOW64\Fphafl32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Jbelkc32.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Eloemi32.exe	Eiaiqn32.exe
File opened for modification	C:\Windows\SysWOW64\Faokjpfd.exe	Fnpnndgp.exe
File created	C:\Windows\SysWOW64\Lanfmb32.dll	Enihne32.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	Eiomkn32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Dngoibmo.exe	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
File created	C:\Windows\SysWOW64\Naeqjnho.dll	Dkmmhf32.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Faokjpfd.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fjilieka.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Ekholjqg.exe	Ebpkce32.exe
File created	C:\Windows\SysWOW64\Cqmnhocj.dll	Fnpnndgp.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Bibckiab.dll	Eiomkn32.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Gfedefbi.dll	Dmoipopd.exe
File opened for modification	C:\Windows\SysWOW64\Efncicpm.exe	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Lkojpojq.dll	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gaqcoc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
600	2784	WerFault.exe	67

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll"	Eloemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Faokjpfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll"	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eiomkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebpkce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll"	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll"	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll"	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll"	Faokjpfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll"	Fnpnndgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1992	2056	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe	28
PID 2056 wrote to memory of 1992	2056	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe	28
PID 2056 wrote to memory of 1992	2056	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe	28
PID 2056 wrote to memory of 1992	2056	cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe	28
PID 1992 wrote to memory of 2100	1992	Dngoibmo.exe	29
PID 1992 wrote to memory of 2100	1992	Dngoibmo.exe	29
PID 1992 wrote to memory of 2100	1992	Dngoibmo.exe	29
PID 1992 wrote to memory of 2100	1992	Dngoibmo.exe	29
PID 2100 wrote to memory of 2740	2100	Dkkpbgli.exe	30
PID 2100 wrote to memory of 2740	2100	Dkkpbgli.exe	30
PID 2100 wrote to memory of 2740	2100	Dkkpbgli.exe	30
PID 2100 wrote to memory of 2740	2100	Dkkpbgli.exe	30
PID 2740 wrote to memory of 2588	2740	Dkmmhf32.exe	31
PID 2740 wrote to memory of 2588	2740	Dkmmhf32.exe	31
PID 2740 wrote to memory of 2588	2740	Dkmmhf32.exe	31
PID 2740 wrote to memory of 2588	2740	Dkmmhf32.exe	31
PID 2588 wrote to memory of 2608	2588	Dmoipopd.exe	32
PID 2588 wrote to memory of 2608	2588	Dmoipopd.exe	32
PID 2588 wrote to memory of 2608	2588	Dmoipopd.exe	32
PID 2588 wrote to memory of 2608	2588	Dmoipopd.exe	32
PID 2608 wrote to memory of 2532	2608	Dfgmhd32.exe	33
PID 2608 wrote to memory of 2532	2608	Dfgmhd32.exe	33
PID 2608 wrote to memory of 2532	2608	Dfgmhd32.exe	33
PID 2608 wrote to memory of 2532	2608	Dfgmhd32.exe	33
PID 2532 wrote to memory of 2348	2532	Dqlafm32.exe	34
PID 2532 wrote to memory of 2348	2532	Dqlafm32.exe	34
PID 2532 wrote to memory of 2348	2532	Dqlafm32.exe	34
PID 2532 wrote to memory of 2348	2532	Dqlafm32.exe	34
PID 2348 wrote to memory of 2660	2348	Emcbkn32.exe	35
PID 2348 wrote to memory of 2660	2348	Emcbkn32.exe	35
PID 2348 wrote to memory of 2660	2348	Emcbkn32.exe	35
PID 2348 wrote to memory of 2660	2348	Emcbkn32.exe	35
PID 2660 wrote to memory of 2020	2660	Ebpkce32.exe	36
PID 2660 wrote to memory of 2020	2660	Ebpkce32.exe	36
PID 2660 wrote to memory of 2020	2660	Ebpkce32.exe	36
PID 2660 wrote to memory of 2020	2660	Ebpkce32.exe	36
PID 2020 wrote to memory of 1936	2020	Ekholjqg.exe	37
PID 2020 wrote to memory of 1936	2020	Ekholjqg.exe	37
PID 2020 wrote to memory of 1936	2020	Ekholjqg.exe	37
PID 2020 wrote to memory of 1936	2020	Ekholjqg.exe	37
PID 1936 wrote to memory of 1060	1936	Efncicpm.exe	38
PID 1936 wrote to memory of 1060	1936	Efncicpm.exe	38
PID 1936 wrote to memory of 1060	1936	Efncicpm.exe	38
PID 1936 wrote to memory of 1060	1936	Efncicpm.exe	38
PID 1060 wrote to memory of 284	1060	Enihne32.exe	39
PID 1060 wrote to memory of 284	1060	Enihne32.exe	39
PID 1060 wrote to memory of 284	1060	Enihne32.exe	39
PID 1060 wrote to memory of 284	1060	Enihne32.exe	39
PID 284 wrote to memory of 1516	284	Eiomkn32.exe	40
PID 284 wrote to memory of 1516	284	Eiomkn32.exe	40
PID 284 wrote to memory of 1516	284	Eiomkn32.exe	40
PID 284 wrote to memory of 1516	284	Eiomkn32.exe	40
PID 1516 wrote to memory of 2068	1516	Eiaiqn32.exe	41
PID 1516 wrote to memory of 2068	1516	Eiaiqn32.exe	41
PID 1516 wrote to memory of 2068	1516	Eiaiqn32.exe	41
PID 1516 wrote to memory of 2068	1516	Eiaiqn32.exe	41
PID 2068 wrote to memory of 2248	2068	Eloemi32.exe	42
PID 2068 wrote to memory of 2248	2068	Eloemi32.exe	42
PID 2068 wrote to memory of 2248	2068	Eloemi32.exe	42
PID 2068 wrote to memory of 2248	2068	Eloemi32.exe	42
PID 2248 wrote to memory of 1768	2248	Fnpnndgp.exe	43
PID 2248 wrote to memory of 1768	2248	Fnpnndgp.exe	43
PID 2248 wrote to memory of 1768	2248	Fnpnndgp.exe	43
PID 2248 wrote to memory of 1768	2248	Fnpnndgp.exe	43

C:\Users\Admin\AppData\Local\Temp\cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe
"C:\Users\Admin\AppData\Local\Temp\cb0b8164f22ccf12bbe07cfcfb7939e2ddc4974fc07fe1d6347ac9c2784bed1d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\Dngoibmo.exe
  C:\Windows\system32\Dngoibmo.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\Dkkpbgli.exe
    C:\Windows\system32\Dkkpbgli.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\Dkmmhf32.exe
      C:\Windows\system32\Dkmmhf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Dmoipopd.exe
        
        C:\Windows\system32\Dmoipopd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\SysWOW64\Dfgmhd32.exe
        
        C:\Windows\system32\Dfgmhd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Dqlafm32.exe
        
        C:\Windows\system32\Dqlafm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Emcbkn32.exe
        
        C:\Windows\system32\Emcbkn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ebpkce32.exe
        
        C:\Windows\system32\Ebpkce32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Efncicpm.exe
        
        C:\Windows\system32\Efncicpm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Eiomkn32.exe
        
        C:\Windows\system32\Eiomkn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\SysWOW64\Eiaiqn32.exe
        
        C:\Windows\system32\Eiaiqn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Eloemi32.exe
        
        C:\Windows\system32\Eloemi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Fnpnndgp.exe
        
        C:\Windows\system32\Fnpnndgp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Faokjpfd.exe
        
        C:\Windows\system32\Faokjpfd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Fjilieka.exe
        
        C:\Windows\system32\Fjilieka.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Fphafl32.exe
        
        C:\Windows\system32\Fphafl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        41⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 140
        42⤵
        Program crash
        
        PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebpkce32.exe

Filesize
161KB

MD5
bf5de36109be26c5730efb34891b9580

SHA1
2c3ac5ba98ad5021ff24a320578582bd05bd1857

SHA256
8d35e34e09af48cd9f29c0421b70da9b31b487b754614c01846a2ca43de133bc

SHA512
0b5077e3ca2111ed24b9ade8e527c73be492bb4a603269632a6c77410e4018403298abf0bc7e398352be07b52816c250cbd2f2982109a6e20535c165006d4502

Download Submit
C:\Windows\SysWOW64\Eloemi32.exe

Filesize
161KB

MD5
87e39b49032869f8f0cbb38abac7eefe

SHA1
c1ccace895c1ec449521e495f205d121e6e03d28

SHA256
3ec23e430a083afe7c27743ef11d085c5d94cd850e53a8f2ebb07215afd467d2

SHA512
fe0c642083ccfb95b0385da61d778c1085980396d622a6d4f65a38d8b579176ec0c01926788ca4b9f2b26a1ce22fda67d4ec935585ad074f32b73a68ce0c7eb0

Download Submit
C:\Windows\SysWOW64\Facdeo32.exe

Filesize
161KB

MD5
91b2fed16a5d24562932cae635bc705f

SHA1
3f097fd0b1b71453b0376ad036822852436934d4

SHA256
8e77104b09fbdef16fa48f4a41a84c85c99ed6a2153201fd5fed8b6b38db63e0

SHA512
9dbe3bd06bb40886988d5605412bdb1fae00009e895268b447f9fa48532a832f0bd2995104bfc8d40d032d4c145f23adeb8a1bab33a698c7a0a35ee3de370dac

Download Submit
C:\Windows\SysWOW64\Faokjpfd.exe

Filesize
161KB

MD5
f8aef180a745a64010e3b68703cdcbe2

SHA1
0f0be10781b670f942c05f21c844495eb282ebef

SHA256
91acf3209162becf5038718e12f67efaaca7c7dd8a7a0143f28506205763a145

SHA512
1bb282fe36247b1a8aef46ebeef792e2d232574191ccc84f8495537d87f8c9142529777078c90002f38affd8433bb706c5744ff681c8efd6b4be71a790b21c86

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
161KB

MD5
585b4bbe2a2c26641b033ff2234a3ab0

SHA1
b944f12bf25da04a581513d78c4c5b2db857e2e8

SHA256
cbc3b449e098462e1c8d53edb4c69627c14a395b85fec673b2325eec99bea2ea

SHA512
e708ec0c4ddc9ba8a32467c90dd1f6375a11fd26f6ef366ec9f217f9b30a9ac9355f4f87295d527b8456060e1fba04548bee2ed04e6af20a93ff4afd2688fc6a

Download Submit
C:\Windows\SysWOW64\Fjilieka.exe

Filesize
161KB

MD5
f33a4181404bb9ebd68d4c8e57a5db77

SHA1
a03aa61a4f9eb64a4f9e6a9476e7261243125654

SHA256
87826625b2d96d1c007135202d8167abfa2aa6a4ee2234ea189ade8864725644

SHA512
11b943ba61b0da2a7169f0a57ad814588cef35fc5c894e274e618fd1ace2f0db6b95640a086d77c71e8c529f7f946fe71bb65aaaedf1c7394104015b5ba5a15b

Download Submit
C:\Windows\SysWOW64\Fphafl32.exe

Filesize
161KB

MD5
843653fd9100e3d79137e742b4ca2bbf

SHA1
e26d3e680daa10832102f6d54fef5762da04debf

SHA256
5030bd85335c13f06c4482750de1a47616bdc5dd6ed53093b407ae7b9131dab1

SHA512
d3a15f7344bee201059c4afb876ac376810a18238b6565010d761d82647879495cad12d01c7de33abab44cea2e13389e00730c6c76b12a42f9b3e4229bbccbe7

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
161KB

MD5
caae07d4c35e74f7a23f538bc190127c

SHA1
6d5c4b781359bf0522012712965558500731abd0

SHA256
a8716c9dbc5a47cb569dd332c706d7809ec6aff98c2b7c10e13a3292710d069f

SHA512
2efab166184e3584b02bbec8d94c81b9304e6dae94b3b5b38633ac94ec4042238e73e9fbbde39ce595993b4eb867c6de017b62168d8cb584c9c3af7b56da3fc4

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
161KB

MD5
0a5f45ff9c007dfa12225daa3fd83460

SHA1
25ff4aa3d89d37b1ea4801e1f629187a49cd049f

SHA256
591b9d343ac1d34690a45a45405addce88cb3f006f1e6c751b021807d3221b21

SHA512
9c8de89fa79f0a03ad4fdd0e7cf654bbf8a959f6c02c9e442d3398428bf45cfc2f82a3a04aede4fe0647b48e63e9ee3c7eb4abc6968371d126b615d96824b9ab

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
161KB

MD5
d50a95c3dcab7375ece6ecd0303e5507

SHA1
c20816ac412a5f87edba2dc4053282a40adef0de

SHA256
56579f7c9beee0c2985907cf7cdab3f57b30aa0407ac56f9597bb7ac6cf60228

SHA512
4beab3e9ea68b39eafa8b1a50de9c5b523b5eb3ef0aa1d5b815bc8d264a3d57566b588bde0ec4b04d5bcbfd043bb9f945e594a02f3fe8bd3e6bbcbbfa92b533a

Download Submit
C:\Windows\SysWOW64\Gfedefbi.dll

Filesize
7KB

MD5
bfd5f7fe3f5b2fc6e61672d5903a74ec

SHA1
6dedaa5d2511af1278781b96df46a232b9d13735

SHA256
022c1c29372d0fdfb0eab47c8ad24d80208820fbe4c9cade24bd61cffa591b6e

SHA512
8eba505fadb919c2ac94a2382de77086ee9e077e3175576913c7b5813007f52f5f0373ddc1e44bb7a7443d60b7f131263af88eeb728ae610e8ca0a99e2129ba2

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
161KB

MD5
46428b9c2b0a854bf311514dfd992d1b

SHA1
023dc9a8104c5f9888f8d4b5fff08171c9ff511e

SHA256
7c2f43b387628bfb6cf25a4a94af8aff5d731a77c4935dc03edeb10c23707cf6

SHA512
d3d4c2058c0b9297d346ad52c85bcac558fc331f37357aedb9e3670c1bb88409c294291155fd589cd4d1a9ff52555e0806c21b29bc8c3b24bb96a0fc91f56913

Download Submit
C:\Windows\SysWOW64\Ggpimica.exe

Filesize
161KB

MD5
6bcf3ba6974aedbf1d08a9334814c006

SHA1
9fab2d13a4fab2a3682894473f2c095ae87177af

SHA256
b26eb73f710b5b100fcd961224fc36aa6868e000b5fe9682bc00fe9d9bd9e599

SHA512
a7d7ac9c29fa1ecf92471d3da140e8496bed64d66971e4c65fac44f3d75b2c9b879112a20373dc543f8c6ae0badd9ab6922a355801f1c818d8bd7945928b64ab

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
161KB

MD5
968cbeafc3f1cff74307bc8676ada7fd

SHA1
58c03972ab9d1038fec631a0683f4d6f39f1325f

SHA256
e7b42625a58ee79b609e29fe26388e904a1873301d0e38b8d426efc716690319

SHA512
6b253ebe68e2a92428fb872bb8d2099a5e5f733500f237c6873acede950f9e989c46f90a9658f8f1cc57bc70c9867b82da7bbab6f6da79c61524456617ad5bb4

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
161KB

MD5
37a6ec8dd5fe4584ae05123a33429a2e

SHA1
748045ac74b5da1b8aaeac6a557487efe5738db5

SHA256
a6024073dbe85c9dc16662df8f1b040322948f2dda8dadcf5e4ca9ccc9999f4a

SHA512
858d595240e135c64576c8c37646e800738a4af3d9aa716aa0152d8cbf9b08ebe7806661115f7c0cec139111c3dee2dd8d34f97e5ede7088b1351a2723a3cd5e

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
161KB

MD5
30546034b095af19514b495c4601cbb1

SHA1
e4b30aabac75367efa3297077ccbac47b7054e9e

SHA256
cd8ebb113c62c6708fd6fc28ebab934471b20b73001132ee56f48e9ae163ab8a

SHA512
273238caac652ec8188806c8bbca3cc9daeeda9579ee1bd5ac256aad8779d11d1042bc266abd955ea370180be6e6f468d81bf2954927cd5b295ea8445845e8a6

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
161KB

MD5
7634975a876b439e7eb27ff93890d0d6

SHA1
1e763b6c67077f50353b0eb06c26e4353c495285

SHA256
ba0b067ed59d814a826bc18d40d197cfb50ce45a8b68a77af87f0e3e222a56b8

SHA512
c6f50fdf04f7bda1a45307f59abf6009f5ab2fb8af4235a2ed1e65f1f09625cc091676d29df814ea538ac19cb7d84bb02c33f4b5cf699ebf8227a6837ad86f8a

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
161KB

MD5
3f829fc0eb6b6301dbd674db415e17c6

SHA1
47674ec6b06d3041d5a4866ef7e3fcd437df9141

SHA256
0cc6776b9ffacfafd6cf76e8da327fc6599fb1e4d4909d72806193210955db97

SHA512
fd1d7381ea4b89bde8ef904bb00e70b22eb11bd22fe7c805c8c62b1e3e674c9c6a237b2d61a461816f83f9a8e18b4d7a07596dc88687c5d0bb20c3326708ded5

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
161KB

MD5
a0cc6f46385dd404918ba19274a72027

SHA1
56f4d09701286e78889c7753fbbc6381b047664c

SHA256
5a282dddc55a048719fd88277a28ebac3f3e9023b14eb57678260c984111631e

SHA512
a68a0630d3cd0ef9eb61642fe1a2478d60fe224719356b5ad4a3e26b208835424714466c7d730ce7d0f72f8cbc1981f8d0ac9ebbc8f1f096bac59443278278f2

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
161KB

MD5
36a78e1d23d63ddcf96fad425e6c45fb

SHA1
9292068fb516cebee1010abbe8bae40538f30c60

SHA256
6c7902f0a80b70ac577087c1930bc8b61e834e9365fa818ea6374e8bcdf63ad5

SHA512
d5373526626a79a4c61d552b4f2dccd46811909a4317867b1228bf3c97e33262e843b67c0f4cc4eeda3b73ba61b291fa6dccb173d01d096d31e258af1e4c14ae

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
161KB

MD5
8af655dfbd83248a15355f005f0a0d5f

SHA1
d66d738787246f56677c0c64dc4d167f28b4b404

SHA256
404c9e69b0c69693c4f3102ddb4304255d6501005e3bb6f3d5cef7a91898d4f6

SHA512
f6a45d0d3c08c93d28365ec04e7e4a733cb3cc9664b29f2b4447e5f0610472df60ceb1763929d811c9ee96e7fc2c7db6f95437d448c923906229364dea060425

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
161KB

MD5
33bb4b945f785e54ad68ec79319084ac

SHA1
15a3541cb5df4a8d9152dc1f1418f5ec931d91ba

SHA256
cf0522adfb582dd5961ec87043f88a4fbf1083265d7845b8513cb2a50843263c

SHA512
0ed986af3c3ea5dfc77ccaf5c25356d90c6e12dcdf0442a21a6c28a337007507de48c6ff7263d21336f73622dc0df9504ed14a071abc2ab772a90c7f83abe5d9

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
161KB

MD5
cb69a27447b65e5e9724a23b672b760f

SHA1
9d5503b023cdcbf5553a32c8a44fbe497bce2b20

SHA256
73e102d87355c1c2527da26a0da00d1cdb4ce133b2ee6b3d826984973c2656d1

SHA512
a356ce64bfeed01b07020e9d29fbf55d541e3b56c3b9737190916655dae0f051aeab6c61a1fe7be78df542e07b70ad86bb91b16bd64f9fc093dccc340d465fb1

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
161KB

MD5
2706f1e6a3072b5b82f577dfa937b154

SHA1
814f8275f672f358857578ced35eccb1dcc41867

SHA256
6177e8cdfb98dc7ba5e282b845d3ff8b4e5c7cce04308f011ef0749d3cc6136e

SHA512
59e9a995512b1792695dbf8cfd66e41d673860adbbc4e75f7b3dc6c5f752f5499a1eda53b051d6b726ae7bbda8cb2f22a00989b0c4cd914a0b6d71fe58327470

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
161KB

MD5
4b46e422ba124c72ad18d34f1a50ac5d

SHA1
6f9f0de98838f254b62078f205d0acfce826ae58

SHA256
a3d37f11d839b507214023cfccdbc48cff0f562f63b0b378ef90525935d16ef8

SHA512
eb7c1f43321d0d934ab2635ce2da391745c856bc1a301447c3821fa747765c991b705b806c61bd8bddc797ce85815ec1f6ce99578e34b64abfbd48b73b8edf98

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
161KB

MD5
d1db6be53d1769d70f370884f93e6871

SHA1
1031b74db1ef2406921c511e749eca44aaa9be98

SHA256
a1ecc6c7b54d90f42880a8a07b97f511d7fb90ac1f914a59eccf7323bae4c872

SHA512
54eb7e1bf7767178cb78370f74978e1baf976009a37b2c25d791901d6e23e7f378ad8e036210f3737a55b913f9be438d2fcbba605909918d0f77ed8b37c91d53

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
161KB

MD5
d1a4865c19e1b763f567799dd06d6d22

SHA1
841bc07f7872f2b521ad55c4c4d69c43783a55df

SHA256
3b9f7701e02476b1e613b6c96fc109bcdb8dd38808e5bedd060ea5de1bb3ccdf

SHA512
b79a58d496005a3aebe3663ccd02d0a9ba09a4f45f38e174f4656343d2beb14d5f6732c2af3662a50ba9d5173f61b1c4f74fd2c3d860fed92a465607a0a2ef61

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
161KB

MD5
5a6cd8c76c0b09bb206d8a7e3d6cc179

SHA1
448e764b15b2db8d4ab21a9c8819150816c0a95f

SHA256
573d2d825876e7ea5ff6d4c3632ef30e030ceb5eb4f0782fdbf4ea86b6a308f0

SHA512
8087aa810695868373dce07e9d259a7f2b95b535d36e6d243301cd3bc03c2d64d0565b6e6068d7c393c822914fa28dbdc7cbba0a7b8e16c4ba6ab12157bd63b1

Download Submit
\Windows\SysWOW64\Dfgmhd32.exe

Filesize
161KB

MD5
a3c12a092703b7403b9bf88d8fd8796d

SHA1
1cf68b5ed617199c607355c94bcda9f6adfa8ec6

SHA256
815599fc6ff7466d547c6bb65bb7f382c305d33e2f52bfa147ffdacfabe1b357

SHA512
fcef9d6492f3cc138e68c8480f0f4ad2fa7a563e5ce6c08a8087af1685510620cde50a8230ecb78143de9e890f30db84fbf822c8374f9976790e12eed2565f4d

Download Submit
\Windows\SysWOW64\Dkkpbgli.exe

Filesize
161KB

MD5
96d12a546d3081778cfbf78da42a3ed7

SHA1
55dc819a9545141f7961ff63e3e4f1f080f2acb8

SHA256
1196c55e0db0744f9cfb6ff2e62a98cd84648a0a2e671df016c68d5a1cade537

SHA512
9aff1fcc6db2c748b6c88583e2f864e9aaac83690fb05aba5a31270540756fcc72f804607b20b34979fac1d8c1e9aa3fde5197163002100518853c9877e13c67

Download Submit
\Windows\SysWOW64\Dkmmhf32.exe

Filesize
161KB

MD5
c753efc5d7e0d0ed3a25d4e5e86859d7

SHA1
303b1c046072a8141bb5973a5130b91dacbe4270

SHA256
48c7dd907575dc89b2f513e0de087db55f91c6daf2e00cf68483c6e8bbb93cb8

SHA512
f3bb6adc59e31fd00cbd131f172415125d121593aa7d5a50d9ee8d67dd9d8acf52aaa2392ba2fdf6a9fb529e588b224931acde15ffc627192f397b52f3e1bfa9

Download Submit
\Windows\SysWOW64\Dmoipopd.exe

Filesize
161KB

MD5
6f6fe298d96e6540dc9e733d08d97c06

SHA1
329f4824019a9061c69be7532d3848e4de6d3da1

SHA256
041127fea162671db2d0323f5ae299757ccda36384936e7491ea33e8b4e82ae2

SHA512
9f78c6a567b60b4c17cde6ca9d48d6b3eeb0e014e27b1f87b733d01a4b1f95a0d8701367cc82f8b5af93c7081df17947421ec89bc065d5b9fc5a6daf397afd6a

Download Submit
\Windows\SysWOW64\Dngoibmo.exe

Filesize
161KB

MD5
71ae2b1e8a2e9a1d52497632cd56ad5e

SHA1
696caade68d23ba445beaaeceb6817781e834d94

SHA256
c064bb1653e79a80220c0e7949ce526d23af9a7b7cdd4a10e579accc10969812

SHA512
86cefb90f2de2cdba86ec6c04a12eda773ef58048d81375e4544eee804ba21a6509d2eb42c00438586be2d51eed4fb1b516346a9e8ab294ee9c591e4d6b5f9be

Download Submit
\Windows\SysWOW64\Dqlafm32.exe

Filesize
161KB

MD5
62251b71e7d60f7393dbb393499c0d90

SHA1
f54d7c5bed7e754db1e7272cc6ebe51d12581bd4

SHA256
69f7265104eedb9c17989e6754db935f54b688070f0100417c8ada1952a0456d

SHA512
9999e90c1ca35a6157be579319b1042e115687043ec0aec7066f8e5fa24f29676bcae234d39e89bffb0f5b8c0314eeef9f7fc5c274a9fa89301b06b2925d882a

Download Submit
\Windows\SysWOW64\Efncicpm.exe

Filesize
161KB

MD5
224113d0811f7bf2433c365bca7b489a

SHA1
215db56aab57167fc6af00b8f916f82211b03d9a

SHA256
62a5716bf9736ebbc056456c114b4d307106a2df315f360d45b91cc8b7527ef7

SHA512
15482c325aeffb9a806c87698130e420ce19cf6c84ba2098d402f8601eb67be28765f4603456ed597d1fe9c04757d111702fb0e2466e3d9bca5c8094ccfa185c

Download Submit
\Windows\SysWOW64\Eiaiqn32.exe

Filesize
161KB

MD5
7a42f1fb92f9c6b96af5b7ab3469f9e5

SHA1
35d7dde1f1c536abd302b1de30971d3d1bc6ef20

SHA256
4c0fcc836b1e622c789fac164aa04c33c6730ce3de6ddf08075a2dcbaa35d73f

SHA512
88955afa630c2391ad4e8d19e39bdb309086022ec9805310f042717848500084790f6814907d542c6c5539d667e31d16cd79c6e6764934f51fd8571bb4ac6c12

Download Submit
\Windows\SysWOW64\Eiomkn32.exe

Filesize
161KB

MD5
6e054c34b2c5b278434fdc7881293f20

SHA1
c38613a5e868c8bcf3a895438344268b7c3a49fe

SHA256
2429bac9241a5a55b7f3fe34431bcd6f62a0b90b11caf15cf723f5baba6338c9

SHA512
9d4cdfc4bddf9cd44e0fb7576a06a7fed5d2a2846a874195fdf2d0ee4921d9f1348083d3600e666f3525f97cbd14cc739e9ff0718c701f09e3340ea7b150f962

Download Submit
\Windows\SysWOW64\Ekholjqg.exe

Filesize
161KB

MD5
72cb9460280541356d563c8b44dfd60a

SHA1
6b428ea330fae09b278944cca24693b0861494ff

SHA256
b4f1c2bf6373303560b060a504ffff49237f0325ef1ec5d66ebe71a161b12b56

SHA512
03f80049f3debe89b7af62dc00b9aa02d6d6411ede75bfc1ef9f318adb9cf10afb27b0cb9ca7b3d8dac995600d40cc8479bbc1f49b583f3321a95875d04e6dda

Download Submit
\Windows\SysWOW64\Emcbkn32.exe

Filesize
161KB

MD5
094e9ba24f1e558b1c5d999bcc3cdbc4

SHA1
1fd52e40cb484b62958ea703b4e5352f75a601af

SHA256
1d3ee34582ac59788a1fbdd33b712ac8aa0af57cffa0cbbdd0e0cd29059ae014

SHA512
a0d1536f04bd83487ffa7253aa91989857c881bc66b02e9e4f6ef103f34502c13ee37e78167f185fc0db5849fa72c8998f92f61b4884672bc74773ade01264a4

Download Submit
\Windows\SysWOW64\Enihne32.exe

Filesize
161KB

MD5
6bf9d25c82659d0a148f7522722dc3c7

SHA1
67e111fd4b261de751a4a2e7094120fbab8e1b80

SHA256
0a5734d7edf55139ee7e6847e03c9eb0c551065249062ae74dae254794f3f086

SHA512
b5d8acae8312b9aaf947d4902b98f02012708a48e05590ee6892018024589c7dbbfa94c718486864a4ffb6a0a1036728e8e4b3be7d2ea7ca9d7b351b153c625f

Download Submit
\Windows\SysWOW64\Fnpnndgp.exe

Filesize
161KB

MD5
828f4e24af35017141a6fa53d635e7ac

SHA1
89b5405733902a28b793d1b8d16045b9842f58cd

SHA256
7ff09b4781dfe922b14762952c9cb378efdb023242c83c212290522f8fc75892

SHA512
9c9b4674ed43363da8786cea02238f4669223d7b32f96774f6c2fcc298f74eefd2d24866df7ba248cdf15fc0f8b7761e757d670e268d6099eb600a1540bc35d2

Download Submit
memory/284-188-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/284-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/284-189-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/284-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/604-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/604-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/604-294-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/604-372-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/620-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-408-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/620-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-350-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/668-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-338-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/668-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-262-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/668-337-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/760-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1060-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1060-271-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/1060-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-421-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/1688-385-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-361-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1912-284-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1912-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-251-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1936-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1940-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1940-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-26-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1992-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-27-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2020-245-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2020-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-6-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2056-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-218-0x0000000000360000-0x000000000039F000-memory.dmp

Filesize
252KB

Download
memory/2068-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-36-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2100-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-226-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2248-304-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2348-113-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2348-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2384-402-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2384-397-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2384-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-92-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2532-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-99-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2532-83-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2580-360-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2580-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-68-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2588-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-228-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2660-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-422-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2680-374-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2680-375-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2680-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-128-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2740-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-42-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2824-305-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2824-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2824-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2824-376-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3008-389-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/3008-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-316-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/3016-384-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/3016-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads