354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
Size

163KB
MD5

a0fdc98f2a0237d8901a7b6b3463b23d
SHA1

57fa1d3a6001537599dfa8acfcba21c3bc6d9d8a
SHA256

354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b
SHA512

47ba224b5ddb00599cb1d1ef4a498b99be3375903ccf12d9a212f14cf1e49a6088f18a91033e15ea392e7f5a9cb9130c2c37fae0bed9d4bd4dab1aecfbf47fab
SSDEEP

1536:PtYAtggM+s9Bl0R+wa1HN335mn4lxRinlProNVU4qNVUrk/9QbfBr+7GwKrPAsqE:VrmgM+sR0EM4ljinltOrWKDBr+yJb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cbnbobin.exeGacpdbej.exeHnagjbdf.exeIknnbklc.exeCndbcc32.exeEkholjqg.exeEilpeooq.exeEiaiqn32.exeFlabbihl.exeFhhcgj32.exeFhkpmjln.exeFmjejphb.exeFfbicfoc.exeHkpnhgge.exe354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exeBgknheej.exeDmoipopd.exeEbinic32.exeFilldb32.exeGegfdb32.exeGhfbqn32.exeHknach32.exeEijcpoac.exeHpmgqnfl.exeIaeiieeb.exeCpeofk32.exeCgpgce32.exeGkgkbipp.exeHnojdcfi.exeHlhaqogk.exeDgaqgh32.exeEkklaj32.exeGhmiam32.exeBdooajdc.exeDqelenlc.exeDgfjbgmh.exeHodpgjha.exeHenidd32.exeClaifkkf.exeDgmglh32.exeFnbkddem.exeGaqcoc32.exeCfeddafl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbnbobin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eilpeooq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgknheej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpeofk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbnbobin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgaqgh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdooajdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eijcpoac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Claifkkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgaqgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgknheej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfeddafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfeddafl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Claifkkf.exe

Detects executables built or packed with MPress PE compressor 48 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\Bgknheej.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Bdooajdc.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Cpeofk32.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Cgpgce32.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Cfeddafl.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Comimg32.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Claifkkf.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Cbnbobin.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Cndbcc32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Dgmglh32.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Dqelenlc.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Dgodbh32.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Dgaqgh32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Dmoipopd.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Dfgmhd32.exe	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\Dgfjbgmh.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Eijcpoac.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ekholjqg.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Eilpeooq.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ekklaj32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Eiaiqn32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Eloemi32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ebinic32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Flabbihl.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Fhhcgj32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Fnbkddem.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Fhkpmjln.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Filldb32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Fmjejphb.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ffbicfoc.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Gegfdb32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ghfbqn32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Gkgkbipp.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Gaqcoc32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ghmiam32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Gacpdbej.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ghoegl32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Hknach32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Hkpnhgge.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Hnojdcfi.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Hpmgqnfl.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Hnagjbdf.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Hodpgjha.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Henidd32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Hlhaqogk.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Iaeiieeb.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Iknnbklc.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Iagfoe32.exe	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 48 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\Bgknheej.exe	UPX
\Windows\SysWOW64\Bdooajdc.exe	UPX
\Windows\SysWOW64\Cpeofk32.exe	UPX
\Windows\SysWOW64\Cgpgce32.exe	UPX
\Windows\SysWOW64\Cfeddafl.exe	UPX
\Windows\SysWOW64\Comimg32.exe	UPX
\Windows\SysWOW64\Claifkkf.exe	UPX
\Windows\SysWOW64\Cbnbobin.exe	UPX
\Windows\SysWOW64\Cndbcc32.exe	UPX
C:\Windows\SysWOW64\Dgmglh32.exe	UPX
\Windows\SysWOW64\Dqelenlc.exe	UPX
\Windows\SysWOW64\Dgodbh32.exe	UPX
\Windows\SysWOW64\Dgaqgh32.exe	UPX
C:\Windows\SysWOW64\Dmoipopd.exe	UPX
\Windows\SysWOW64\Dfgmhd32.exe	UPX
\Windows\SysWOW64\Dgfjbgmh.exe	UPX
C:\Windows\SysWOW64\Eijcpoac.exe	UPX
C:\Windows\SysWOW64\Ekholjqg.exe	UPX
C:\Windows\SysWOW64\Eilpeooq.exe	UPX
C:\Windows\SysWOW64\Ekklaj32.exe	UPX
C:\Windows\SysWOW64\Eiaiqn32.exe	UPX
C:\Windows\SysWOW64\Eloemi32.exe	UPX
C:\Windows\SysWOW64\Ebinic32.exe	UPX
C:\Windows\SysWOW64\Flabbihl.exe	UPX
C:\Windows\SysWOW64\Fhhcgj32.exe	UPX
C:\Windows\SysWOW64\Fnbkddem.exe	UPX
C:\Windows\SysWOW64\Fhkpmjln.exe	UPX
C:\Windows\SysWOW64\Filldb32.exe	UPX
C:\Windows\SysWOW64\Fmjejphb.exe	UPX
C:\Windows\SysWOW64\Ffbicfoc.exe	UPX
C:\Windows\SysWOW64\Gegfdb32.exe	UPX
C:\Windows\SysWOW64\Ghfbqn32.exe	UPX
C:\Windows\SysWOW64\Gkgkbipp.exe	UPX
C:\Windows\SysWOW64\Gaqcoc32.exe	UPX
C:\Windows\SysWOW64\Ghmiam32.exe	UPX
C:\Windows\SysWOW64\Gacpdbej.exe	UPX
C:\Windows\SysWOW64\Ghoegl32.exe	UPX
C:\Windows\SysWOW64\Hknach32.exe	UPX
C:\Windows\SysWOW64\Hkpnhgge.exe	UPX
C:\Windows\SysWOW64\Hnojdcfi.exe	UPX
C:\Windows\SysWOW64\Hpmgqnfl.exe	UPX
C:\Windows\SysWOW64\Hnagjbdf.exe	UPX
C:\Windows\SysWOW64\Hodpgjha.exe	UPX
C:\Windows\SysWOW64\Henidd32.exe	UPX
C:\Windows\SysWOW64\Hlhaqogk.exe	UPX
C:\Windows\SysWOW64\Iaeiieeb.exe	UPX
C:\Windows\SysWOW64\Iknnbklc.exe	UPX
C:\Windows\SysWOW64\Iagfoe32.exe	UPX

Executes dropped EXE 48 IoCs

Processes:

Bgknheej.exeBdooajdc.exeCpeofk32.exeCgpgce32.exeCfeddafl.exeComimg32.exeClaifkkf.exeCbnbobin.exeCndbcc32.exeDgmglh32.exeDqelenlc.exeDgodbh32.exeDgaqgh32.exeDmoipopd.exeDfgmhd32.exeDgfjbgmh.exeEijcpoac.exeEkholjqg.exeEilpeooq.exeEkklaj32.exeEiaiqn32.exeEloemi32.exeEbinic32.exeFlabbihl.exeFhhcgj32.exeFnbkddem.exeFhkpmjln.exeFilldb32.exeFmjejphb.exeFfbicfoc.exeGegfdb32.exeGhfbqn32.exeGkgkbipp.exeGaqcoc32.exeGacpdbej.exeGhmiam32.exeGhoegl32.exeHknach32.exeHkpnhgge.exeHnojdcfi.exeHpmgqnfl.exeHnagjbdf.exeHodpgjha.exeHenidd32.exeHlhaqogk.exeIaeiieeb.exeIknnbklc.exeIagfoe32.exe

pid	process
2856	Bgknheej.exe
2684	Bdooajdc.exe
2304	Cpeofk32.exe
2848	Cgpgce32.exe
2712	Cfeddafl.exe
2604	Comimg32.exe
3028	Claifkkf.exe
2884	Cbnbobin.exe
1700	Cndbcc32.exe
1756	Dgmglh32.exe
2020	Dqelenlc.exe
1552	Dgodbh32.exe
1412	Dgaqgh32.exe
1768	Dmoipopd.exe
2960	Dfgmhd32.exe
1928	Dgfjbgmh.exe
1036	Eijcpoac.exe
2360	Ekholjqg.exe
2492	Eilpeooq.exe
1708	Ekklaj32.exe
912	Eiaiqn32.exe
1200	Eloemi32.exe
2976	Ebinic32.exe
1740	Flabbihl.exe
1728	Fhhcgj32.exe
2092	Fnbkddem.exe
2356	Fhkpmjln.exe
2760	Filldb32.exe
2840	Fmjejphb.exe
2832	Ffbicfoc.exe
2536	Gegfdb32.exe
2616	Ghfbqn32.exe
2232	Gkgkbipp.exe
2780	Gaqcoc32.exe
1620	Gacpdbej.exe
1964	Ghmiam32.exe
1572	Ghoegl32.exe
2784	Hknach32.exe
1832	Hkpnhgge.exe
1416	Hnojdcfi.exe
2276	Hpmgqnfl.exe
2920	Hnagjbdf.exe
772	Hodpgjha.exe
1488	Henidd32.exe
632	Hlhaqogk.exe
300	Iaeiieeb.exe
2964	Iknnbklc.exe
1804	Iagfoe32.exe

Loads dropped DLL 64 IoCs

Processes:

354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exeBgknheej.exeBdooajdc.exeCpeofk32.exeCgpgce32.exeCfeddafl.exeComimg32.exeClaifkkf.exeCbnbobin.exeCndbcc32.exeDgmglh32.exeDqelenlc.exeDgodbh32.exeDgaqgh32.exeDmoipopd.exeDfgmhd32.exeDgfjbgmh.exeEijcpoac.exeEkholjqg.exeEilpeooq.exeEkklaj32.exeEiaiqn32.exeEloemi32.exeEbinic32.exeFlabbihl.exeFhhcgj32.exeFnbkddem.exeFhkpmjln.exeFilldb32.exeFmjejphb.exeFfbicfoc.exeGegfdb32.exe

pid	process
2368	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
2368	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
2856	Bgknheej.exe
2856	Bgknheej.exe
2684	Bdooajdc.exe
2684	Bdooajdc.exe
2304	Cpeofk32.exe
2304	Cpeofk32.exe
2848	Cgpgce32.exe
2848	Cgpgce32.exe
2712	Cfeddafl.exe
2712	Cfeddafl.exe
2604	Comimg32.exe
2604	Comimg32.exe
3028	Claifkkf.exe
3028	Claifkkf.exe
2884	Cbnbobin.exe
2884	Cbnbobin.exe
1700	Cndbcc32.exe
1700	Cndbcc32.exe
1756	Dgmglh32.exe
1756	Dgmglh32.exe
2020	Dqelenlc.exe
2020	Dqelenlc.exe
1552	Dgodbh32.exe
1552	Dgodbh32.exe
1412	Dgaqgh32.exe
1412	Dgaqgh32.exe
1768	Dmoipopd.exe
1768	Dmoipopd.exe
2960	Dfgmhd32.exe
2960	Dfgmhd32.exe
1928	Dgfjbgmh.exe
1928	Dgfjbgmh.exe
1036	Eijcpoac.exe
1036	Eijcpoac.exe
2360	Ekholjqg.exe
2360	Ekholjqg.exe
2492	Eilpeooq.exe
2492	Eilpeooq.exe
1708	Ekklaj32.exe
1708	Ekklaj32.exe
912	Eiaiqn32.exe
912	Eiaiqn32.exe
1200	Eloemi32.exe
1200	Eloemi32.exe
2976	Ebinic32.exe
2976	Ebinic32.exe
1740	Flabbihl.exe
1740	Flabbihl.exe
1728	Fhhcgj32.exe
1728	Fhhcgj32.exe
2092	Fnbkddem.exe
2092	Fnbkddem.exe
2356	Fhkpmjln.exe
2356	Fhkpmjln.exe
2760	Filldb32.exe
2760	Filldb32.exe
2840	Fmjejphb.exe
2840	Fmjejphb.exe
2832	Ffbicfoc.exe
2832	Ffbicfoc.exe
2536	Gegfdb32.exe
2536	Gegfdb32.exe

Drops file in System32 directory 64 IoCs

Processes:

Hkpnhgge.exeIknnbklc.exeBgknheej.exeCndbcc32.exeHenidd32.exeDgfjbgmh.exeBdooajdc.exeCfeddafl.exeEbinic32.exeGegfdb32.exeCpeofk32.exeEkklaj32.exeFfbicfoc.exeIaeiieeb.exeDgodbh32.exeEkholjqg.exeFnbkddem.exeComimg32.exeClaifkkf.exeGkgkbipp.exeHlhaqogk.exeDfgmhd32.exeEloemi32.exeDmoipopd.exeFmjejphb.exeHnojdcfi.exeHodpgjha.exeDgmglh32.exeDqelenlc.exeFhhcgj32.exeGhmiam32.exeGhoegl32.exeDgaqgh32.exeGhfbqn32.exeCgpgce32.exeEilpeooq.exeFlabbihl.exeHpmgqnfl.exeGacpdbej.exeHknach32.exeEijcpoac.exeGaqcoc32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Bdooajdc.exe	Bgknheej.exe
File created	C:\Windows\SysWOW64\Mcbndm32.dll	Cndbcc32.exe
File opened for modification	C:\Windows\SysWOW64\Dgmglh32.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Eijcpoac.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Cpeofk32.exe	Bdooajdc.exe
File created	C:\Windows\SysWOW64\Comimg32.exe	Cfeddafl.exe
File created	C:\Windows\SysWOW64\Ajlppdeb.dll	Ebinic32.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpgce32.exe	Cpeofk32.exe
File created	C:\Windows\SysWOW64\Eiaiqn32.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Flabbihl.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Hgmhlp32.dll	Dgodbh32.exe
File created	C:\Windows\SysWOW64\Eilpeooq.exe	Ekholjqg.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Claifkkf.exe	Comimg32.exe
File opened for modification	C:\Windows\SysWOW64\Cbnbobin.exe	Claifkkf.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dfgmhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ebinic32.exe	Eloemi32.exe
File created	C:\Windows\SysWOW64\Dgaqgh32.exe	Dgodbh32.exe
File created	C:\Windows\SysWOW64\Dfgmhd32.exe	Dmoipopd.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Fmjejphb.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Fglhobmg.dll	Dgmglh32.exe
File created	C:\Windows\SysWOW64\Fncann32.dll	Dqelenlc.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	Ekklaj32.exe
File opened for modification	C:\Windows\SysWOW64\Fnbkddem.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Dgmglh32.exe	Cndbcc32.exe
File opened for modification	C:\Windows\SysWOW64\Dfgmhd32.exe	Dmoipopd.exe
File opened for modification	C:\Windows\SysWOW64\Claifkkf.exe	Comimg32.exe
File created	C:\Windows\SysWOW64\Dmoipopd.exe	Dgaqgh32.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Gkgkbipp.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Dmljjm32.dll	Cgpgce32.exe
File created	C:\Windows\SysWOW64\Hkfmal32.dll	Cfeddafl.exe
File opened for modification	C:\Windows\SysWOW64\Eilpeooq.exe	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Dgodbh32.exe	Dqelenlc.exe
File opened for modification	C:\Windows\SysWOW64\Ekklaj32.exe	Eilpeooq.exe
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	Flabbihl.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Cfeddafl.exe	Cgpgce32.exe
File created	C:\Windows\SysWOW64\Cbnbobin.exe	Claifkkf.exe
File created	C:\Windows\SysWOW64\Cgpgce32.exe	Cpeofk32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Eijcpoac.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	Flabbihl.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gaqcoc32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2264 1804 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2264	1804	WerFault.exe	Iagfoe32.exe

Modifies registry class 64 IoCs

Processes:

Dqelenlc.exeGacpdbej.exeHnagjbdf.exeCpeofk32.exeEbinic32.exeFilldb32.exeGhoegl32.exe354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exeCndbcc32.exeDgodbh32.exeFhkpmjln.exeGhfbqn32.exeGaqcoc32.exeIaeiieeb.exeEloemi32.exeBgknheej.exeBdooajdc.exeEijcpoac.exeEkholjqg.exeGhmiam32.exeCfeddafl.exeDgmglh32.exeHodpgjha.exeEilpeooq.exeEkklaj32.exeIknnbklc.exeDgaqgh32.exeHkpnhgge.exeComimg32.exeHenidd32.exeHlhaqogk.exeFfbicfoc.exeDfgmhd32.exeDgfjbgmh.exeFlabbihl.exeEiaiqn32.exeFnbkddem.exeHpmgqnfl.exeCgpgce32.exeHknach32.exeCbnbobin.exeDmoipopd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqelenlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpeofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll"	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgcp32.dll"	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgodbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eloemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgknheej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdooajdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eijcpoac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfeddafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eilpeooq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgaqgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll"	Comimg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll"	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll"	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfgmhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpicol32.dll"	Bdooajdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll"	Cbnbobin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll"	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmoipopd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2368 wrote to memory of 2856	2368	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe	Bgknheej.exe
PID 2368 wrote to memory of 2856	2368	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe	Bgknheej.exe
PID 2368 wrote to memory of 2856	2368	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe	Bgknheej.exe
PID 2368 wrote to memory of 2856	2368	354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe	Bgknheej.exe
PID 2856 wrote to memory of 2684	2856	Bgknheej.exe	Bdooajdc.exe
PID 2856 wrote to memory of 2684	2856	Bgknheej.exe	Bdooajdc.exe
PID 2856 wrote to memory of 2684	2856	Bgknheej.exe	Bdooajdc.exe
PID 2856 wrote to memory of 2684	2856	Bgknheej.exe	Bdooajdc.exe
PID 2684 wrote to memory of 2304	2684	Bdooajdc.exe	Cpeofk32.exe
PID 2684 wrote to memory of 2304	2684	Bdooajdc.exe	Cpeofk32.exe
PID 2684 wrote to memory of 2304	2684	Bdooajdc.exe	Cpeofk32.exe
PID 2684 wrote to memory of 2304	2684	Bdooajdc.exe	Cpeofk32.exe
PID 2304 wrote to memory of 2848	2304	Cpeofk32.exe	Cgpgce32.exe
PID 2304 wrote to memory of 2848	2304	Cpeofk32.exe	Cgpgce32.exe
PID 2304 wrote to memory of 2848	2304	Cpeofk32.exe	Cgpgce32.exe
PID 2304 wrote to memory of 2848	2304	Cpeofk32.exe	Cgpgce32.exe
PID 2848 wrote to memory of 2712	2848	Cgpgce32.exe	Cfeddafl.exe
PID 2848 wrote to memory of 2712	2848	Cgpgce32.exe	Cfeddafl.exe
PID 2848 wrote to memory of 2712	2848	Cgpgce32.exe	Cfeddafl.exe
PID 2848 wrote to memory of 2712	2848	Cgpgce32.exe	Cfeddafl.exe
PID 2712 wrote to memory of 2604	2712	Cfeddafl.exe	Comimg32.exe
PID 2712 wrote to memory of 2604	2712	Cfeddafl.exe	Comimg32.exe
PID 2712 wrote to memory of 2604	2712	Cfeddafl.exe	Comimg32.exe
PID 2712 wrote to memory of 2604	2712	Cfeddafl.exe	Comimg32.exe
PID 2604 wrote to memory of 3028	2604	Comimg32.exe	Claifkkf.exe
PID 2604 wrote to memory of 3028	2604	Comimg32.exe	Claifkkf.exe
PID 2604 wrote to memory of 3028	2604	Comimg32.exe	Claifkkf.exe
PID 2604 wrote to memory of 3028	2604	Comimg32.exe	Claifkkf.exe
PID 3028 wrote to memory of 2884	3028	Claifkkf.exe	Cbnbobin.exe
PID 3028 wrote to memory of 2884	3028	Claifkkf.exe	Cbnbobin.exe
PID 3028 wrote to memory of 2884	3028	Claifkkf.exe	Cbnbobin.exe
PID 3028 wrote to memory of 2884	3028	Claifkkf.exe	Cbnbobin.exe
PID 2884 wrote to memory of 1700	2884	Cbnbobin.exe	Cndbcc32.exe
PID 2884 wrote to memory of 1700	2884	Cbnbobin.exe	Cndbcc32.exe
PID 2884 wrote to memory of 1700	2884	Cbnbobin.exe	Cndbcc32.exe
PID 2884 wrote to memory of 1700	2884	Cbnbobin.exe	Cndbcc32.exe
PID 1700 wrote to memory of 1756	1700	Cndbcc32.exe	Dgmglh32.exe
PID 1700 wrote to memory of 1756	1700	Cndbcc32.exe	Dgmglh32.exe
PID 1700 wrote to memory of 1756	1700	Cndbcc32.exe	Dgmglh32.exe
PID 1700 wrote to memory of 1756	1700	Cndbcc32.exe	Dgmglh32.exe
PID 1756 wrote to memory of 2020	1756	Dgmglh32.exe	Dqelenlc.exe
PID 1756 wrote to memory of 2020	1756	Dgmglh32.exe	Dqelenlc.exe
PID 1756 wrote to memory of 2020	1756	Dgmglh32.exe	Dqelenlc.exe
PID 1756 wrote to memory of 2020	1756	Dgmglh32.exe	Dqelenlc.exe
PID 2020 wrote to memory of 1552	2020	Dqelenlc.exe	Dgodbh32.exe
PID 2020 wrote to memory of 1552	2020	Dqelenlc.exe	Dgodbh32.exe
PID 2020 wrote to memory of 1552	2020	Dqelenlc.exe	Dgodbh32.exe
PID 2020 wrote to memory of 1552	2020	Dqelenlc.exe	Dgodbh32.exe
PID 1552 wrote to memory of 1412	1552	Dgodbh32.exe	Dgaqgh32.exe
PID 1552 wrote to memory of 1412	1552	Dgodbh32.exe	Dgaqgh32.exe
PID 1552 wrote to memory of 1412	1552	Dgodbh32.exe	Dgaqgh32.exe
PID 1552 wrote to memory of 1412	1552	Dgodbh32.exe	Dgaqgh32.exe
PID 1412 wrote to memory of 1768	1412	Dgaqgh32.exe	Dmoipopd.exe
PID 1412 wrote to memory of 1768	1412	Dgaqgh32.exe	Dmoipopd.exe
PID 1412 wrote to memory of 1768	1412	Dgaqgh32.exe	Dmoipopd.exe
PID 1412 wrote to memory of 1768	1412	Dgaqgh32.exe	Dmoipopd.exe
PID 1768 wrote to memory of 2960	1768	Dmoipopd.exe	Dfgmhd32.exe
PID 1768 wrote to memory of 2960	1768	Dmoipopd.exe	Dfgmhd32.exe
PID 1768 wrote to memory of 2960	1768	Dmoipopd.exe	Dfgmhd32.exe
PID 1768 wrote to memory of 2960	1768	Dmoipopd.exe	Dfgmhd32.exe
PID 2960 wrote to memory of 1928	2960	Dfgmhd32.exe	Dgfjbgmh.exe
PID 2960 wrote to memory of 1928	2960	Dfgmhd32.exe	Dgfjbgmh.exe
PID 2960 wrote to memory of 1928	2960	Dfgmhd32.exe	Dgfjbgmh.exe
PID 2960 wrote to memory of 1928	2960	Dfgmhd32.exe	Dgfjbgmh.exe

C:\Users\Admin\AppData\Local\Temp\354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe
"C:\Users\Admin\AppData\Local\Temp\354478fe7f685fc854c7d1cc0cb36ba6b324cd6121b2aefc902f158836bde57b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\Bgknheej.exe
C:\Windows\system32\Bgknheej.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\Bdooajdc.exe
C:\Windows\system32\Bdooajdc.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\Cpeofk32.exe
C:\Windows\system32\Cpeofk32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\Cgpgce32.exe
C:\Windows\system32\Cgpgce32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\Cfeddafl.exe
C:\Windows\system32\Cfeddafl.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\Comimg32.exe
C:\Windows\system32\Comimg32.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\Claifkkf.exe
C:\Windows\system32\Claifkkf.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\Cbnbobin.exe
C:\Windows\system32\Cbnbobin.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\Cndbcc32.exe
C:\Windows\system32\Cndbcc32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\Dgmglh32.exe
C:\Windows\system32\Dgmglh32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\Dqelenlc.exe
C:\Windows\system32\Dqelenlc.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\Dgodbh32.exe
C:\Windows\system32\Dgodbh32.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\Dgaqgh32.exe
C:\Windows\system32\Dgaqgh32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\Dmoipopd.exe
C:\Windows\system32\Dmoipopd.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\Dfgmhd32.exe
C:\Windows\system32\Dfgmhd32.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\Dgfjbgmh.exe
C:\Windows\system32\Dgfjbgmh.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1928

C:\Windows\SysWOW64\Eijcpoac.exe
C:\Windows\system32\Eijcpoac.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1036

C:\Windows\SysWOW64\Ekholjqg.exe
C:\Windows\system32\Ekholjqg.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\Eilpeooq.exe
C:\Windows\system32\Eilpeooq.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2492

C:\Windows\SysWOW64\Ekklaj32.exe
C:\Windows\system32\Ekklaj32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1708

C:\Windows\SysWOW64\Eiaiqn32.exe
C:\Windows\system32\Eiaiqn32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:912

C:\Windows\SysWOW64\Eloemi32.exe
C:\Windows\system32\Eloemi32.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1200

C:\Windows\SysWOW64\Ebinic32.exe
C:\Windows\system32\Ebinic32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2976

C:\Windows\SysWOW64\Flabbihl.exe
C:\Windows\system32\Flabbihl.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\Fhhcgj32.exe
C:\Windows\system32\Fhhcgj32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1728

C:\Windows\SysWOW64\Fnbkddem.exe
C:\Windows\system32\Fnbkddem.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2092

C:\Windows\SysWOW64\Fhkpmjln.exe
C:\Windows\system32\Fhkpmjln.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2356

C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2760

C:\Windows\SysWOW64\Fmjejphb.exe
C:\Windows\system32\Fmjejphb.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2840

C:\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\system32\Ffbicfoc.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\Gegfdb32.exe
C:\Windows\system32\Gegfdb32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2536

C:\Windows\SysWOW64\Ghfbqn32.exe
C:\Windows\system32\Ghfbqn32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2616

C:\Windows\SysWOW64\Gkgkbipp.exe
C:\Windows\system32\Gkgkbipp.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2232

C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2780

C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\system32\Gacpdbej.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620

C:\Windows\SysWOW64\Ghmiam32.exe
C:\Windows\system32\Ghmiam32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1964

C:\Windows\SysWOW64\Ghoegl32.exe
C:\Windows\system32\Ghoegl32.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1572

C:\Windows\SysWOW64\Hknach32.exe
C:\Windows\system32\Hknach32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2784

C:\Windows\SysWOW64\Hkpnhgge.exe
C:\Windows\system32\Hkpnhgge.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1832

C:\Windows\SysWOW64\Hnojdcfi.exe
C:\Windows\system32\Hnojdcfi.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1416

C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2276

C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2920

C:\Windows\SysWOW64\Hodpgjha.exe
C:\Windows\system32\Hodpgjha.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:772

C:\Windows\SysWOW64\Henidd32.exe
C:\Windows\system32\Henidd32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1488

C:\Windows\SysWOW64\Hlhaqogk.exe
C:\Windows\system32\Hlhaqogk.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:632

C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:300

C:\Windows\SysWOW64\Iknnbklc.exe
C:\Windows\system32\Iknnbklc.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
49⤵
- Executes dropped EXE
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 140
50⤵
- Program crash
PID:2264

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dgmglh32.exe
Filesize
163KB

MD5
c5cb8f2cc4fba084047463ce74948c63

SHA1
a4dc0aba2ce73931ce8f3fbd40b84b0835cdafe4

SHA256
797b91684e231752030f32449fb58de708d014d6e4a4262cdd2327c72e98edd4

SHA512
558780648eb3e3fea8d032f916647b25bcd88089eb8afa8d7fb05a45a42dfaf954fda0bdacc3a419d74b15b951fa237ccafc82c18e41282c49ddd11870fd6278

Download Submit
C:\Windows\SysWOW64\Dmoipopd.exe
Filesize
163KB

MD5
44dfc7ca54cc8d4ba73aa733d77f4d7e

SHA1
23d1b2c1da8b72069064f9fbff1773564f51c97d

SHA256
05a94cdec73b375183c4d110a9ada35db831b8ae3e19d30be6c3e40b2ece3eb9

SHA512
6ea563cf5e9015ca146413d18157cabf8e5e25b89b1a2192a1b0e85db506e3fbf2b9a95ea8fc803fde2d73bd058055dcd20adb2688c3fac898d383b388dc491d

Download Submit
C:\Windows\SysWOW64\Ebinic32.exe
Filesize
163KB

MD5
fddbd2466be8993485f233366f138ed8

SHA1
0267e093e5b2bcf81f4a9447394119cb3ff4319f

SHA256
af1b0656fb5f89934ca6e99c1493e716da41ded3a4f1894b680b2f9e581062b0

SHA512
ae65e2b71a4f4552abf7e55c67438a175eadadb7ca83c929415feefb3c6a57a7d57bc8ec866c533c783f8e5d25f3b53c2f0521124854792fa42c48c2acce1c34

Download Submit
C:\Windows\SysWOW64\Eiaiqn32.exe
Filesize
163KB

MD5
a7cc4fbc0e164f7b729bfe11401f909b

SHA1
f7e47ac84054fa39947461f8087ba2c3b1ee1bc6

SHA256
ab6d50951b036b1a82d6527d61fcfe29c5614465db262d7e948c4343d1c276e4

SHA512
9eb8e7fddeadd0c989671ca31625f88483d712e6fec85f1fd01eafecfd9795617472cfce39571685f6eee6886958c74496eb0a2a2bde8af42cf0afb2d2ac5cf4

Download Submit
C:\Windows\SysWOW64\Eijcpoac.exe
Filesize
163KB

MD5
420e1bd5e233193743d0e2438bbf4436

SHA1
599e7bc34be56f160d63cc451ff1149e72f07184

SHA256
dd945bcd1a0c2d0bd989ef8dc9afb401431d23f170274d6f5b9b628c1ed1c722

SHA512
a09a871f588c42f30d297d8d6e5396e88725319daf7180fb50fa3e5662ac5e0e217e1bc67ebde99dae781986027887f7d3758a617e87552369a2fd9020a2e4a1

Download Submit
C:\Windows\SysWOW64\Eilpeooq.exe
Filesize
163KB

MD5
cc148b8b1181ab5043edbc4a28f575fa

SHA1
cd6ef3523300becfcf4535248bc89623bfa9a3aa

SHA256
8f8523f2bf69f2d3701b6bb3d02cb102121365b864a4e05c59329085f88c7c09

SHA512
b68e42aa661e84e4902f0fe4071690fe63153968bd22c16a1375a32d28273ecf6ddcb0378bfe960da77bbc38d9bcab1639ae44ca1b63480917774e75c9aa8d45

Download Submit
C:\Windows\SysWOW64\Ekholjqg.exe
Filesize
163KB

MD5
fed228639bfffe8d7656d154f81c3a00

SHA1
96212ec311e1270ccd3b8348979af0122b27d07f

SHA256
c1a3083d244a3f7e19f05d69d6bd0d2486043afafd5f732c2826c1ae40b1b803

SHA512
fe0681d83f59b2bd27d52d0dc7d9514570d70f61479e807e55c56e5a8c1d223d1b5f855e7ecd86a0b9dd4bc1d88970a8ae3d18493215b243c0dd57b7c2240c4d

Download Submit
C:\Windows\SysWOW64\Ekklaj32.exe
Filesize
163KB

MD5
0a4489304eec3b33b60fa13523660834

SHA1
594a9fd5fb9e82c9ec4983d8560ab00a3d2976b1

SHA256
8e853def07cd530a50c240707713c9549d917b607060c28c4aff6ac58e0386b7

SHA512
ceec4046aaf6418c798f3c33c3339c0ca4d19fccab5a64d9ac08fa71919348b031218a5f1ffba511478a2feaec0bd918c9cd072b6d0c8e7050b45405f50e45ba

Download Submit
C:\Windows\SysWOW64\Eloemi32.exe
Filesize
163KB

MD5
4b56d721471817d624da91a46f7456f3

SHA1
f48d69f6a03a08f9b5ac1e0056c321cd83284da8

SHA256
6ad590fd6e792b3eee8ba0ccfc2331b4b7e7f34c6db7d9e8ad06452b2e82db55

SHA512
ce9c6e7dccc56ced83bb6e9c680f4190f13d90233d697704766056a41cbbf83f627f62c273715ed9ef1eab5510a40ad7acfd98a37bd0642873f88b70a2bdd70f

Download Submit
C:\Windows\SysWOW64\Ffbicfoc.exe
Filesize
163KB

MD5
bb8da2fdddd10d5f8c42ff3aa7957a39

SHA1
495ecb5a71fc7a887c5850ca7c1c5922e8341d4c

SHA256
012d35e295ee85a3e04afdcfcaf8324a699199e87f4a7e2b6c1c992a69f6664c

SHA512
67e205033da9289845fa6384da676e03cc7e325c5ea373fbdcdcc5ba037b8f246e3c121990d222f9a88ee0e3765e24627c822ad0ad635ba511fa9fc6a719091e

Download Submit
C:\Windows\SysWOW64\Fhhcgj32.exe
Filesize
163KB

MD5
a60304c69435828b12f218f84333795d

SHA1
efde633d1ffd8463186acff357dad68d68fb3fe4

SHA256
7c7a83f7ace1ff1ca6f4e7317e556dcb6308bf4df1341cb88c4dcdbfb8851512

SHA512
c4250fc04b2ce8ed82cf384441f8e0f9b94239d55c84fcbc3bdd0baff1758387d794c270944e2808576bb2d63d4cfc15d4a8d76756f3d93c200a13f4f5de1f5d

Download Submit
C:\Windows\SysWOW64\Fhkpmjln.exe
Filesize
163KB

MD5
9559662b9f7bc3fa634a3737e7a51b6d

SHA1
42ab0c6d6a6dfbc0c2a56e2b62940c9f5cb68d1d

SHA256
3e962acac618b22ddefa208b7ef9431386bfdae756db5a354766ec8ee95c0a40

SHA512
185c06e528ebc9f90b0a07b1b3038804a563eea27bf58f0b86170d41593c2eef307c864bd4c71eb6c3fe95c19b95e0cd9b7fc8de9ecf54df9a44bd1cfe48d027

Download Submit
C:\Windows\SysWOW64\Filldb32.exe
Filesize
163KB

MD5
357da7f706a3d21ec095d42c00daa16c

SHA1
30c839e8289105fbb4a27e9991e4fd59a45d6696

SHA256
babf4db0395467ef0546c71a8929bb11ee35ce7261e70b051efc574bf987f2d8

SHA512
1dda16c364f1f9b4d979e112bf6a667dcb02e684ff3cf766169db830e4c0eb3ac012863f14bd9f1e89a7fc7e738bef0ef6c48a8c72fef03640a8de7734a5a287

Download Submit
C:\Windows\SysWOW64\Flabbihl.exe
Filesize
163KB

MD5
f28b80ba389a071e440162a0f43b51d5

SHA1
5e7f6df5631c559855553abb8e0680cf5c6f9867

SHA256
94a9a4d6935d90353e75bcee441d22978c2806f5310aeab57eca9584a88d3c07

SHA512
88faee45a20b205cb7fb40d7afb9f86e69e9d2336e9ff470571eb099694ca2666e7b1c7c9deca413204603e61706470257391f0a9309ee9e0198400f00f41e52

Download Submit
C:\Windows\SysWOW64\Fmjejphb.exe
Filesize
163KB

MD5
06cafdd122b3f657d2a2fd7292428b27

SHA1
c76ace7e3f2a8779877daa707659a34aa1bde90b

SHA256
e6ebe4535c898212d909d2310db83a9280c522a331d8c051d65d689afca06f29

SHA512
b98c25b8d3240beffd93277940ea71efb148e48379c2de7bfdf52237918257bd93c18764c96690775ef5c148d842d694b0d5f589c177601588cd19ecf8a4e000

Download Submit
C:\Windows\SysWOW64\Fnbkddem.exe
Filesize
163KB

MD5
5fcb99c71ddaf4c402203ed743d63af5

SHA1
80b907bad353ce8b253ee0a0f286b5b755b980e6

SHA256
bd17ff56327b4dbdc1d04129fdf504b3262f1adb256e56d3f3dfc298496f7854

SHA512
153ec55b8ca39c3892a1cd9725a2ec2e139d2fa33769bd0747234c6782d22b21b69feb98a7b9716daa1cbea7d7aa2af146e6abcb6487d4ad0b7a2a6b3c9d7879

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe
Filesize
163KB

MD5
b3c1caaa412447089d9c9a4115b0bedb

SHA1
1373df0e8d971a09290ee8db81cd54f3257482e1

SHA256
469307f02c05f344b435fe085dde227f1c5882464685a56b4dc13697eec5ddc4

SHA512
1c9f06bc5539e0f8f3e9a76039546a3b2b5ac5139bd4ab36ea81c2172fba9605a90da042b11eee0c673a9c972390a0006d0c3bbc1deaf7133bc36cc45555a560

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe
Filesize
163KB

MD5
57f469850f71c5262cbc8196b6ccc21e

SHA1
75fca6e19e986f120747f176800858d497792510

SHA256
1266ad7069b1602641e6df1cedf1dffcb83387f9829ef6ff168c1b7ccdeb65c2

SHA512
72faf07ff3e3fa3101215a0cffdd94f851d1c30e8ce734091605e7ad64be70eee69607b9ac9f121d08170995ab1fdc1713ffdae0130324d6eb17896157c3c142

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe
Filesize
163KB

MD5
8254be3025ab3a0eb750a5e40eeb1ab2

SHA1
3f1e128567d1da30722284c8ac30c1cde6d0b8f3

SHA256
9c4b741ac23f3e24a561f71d999b3c1f6da889078ed831052e680639d53467b9

SHA512
9de2fd18dbd422bd77b09c2df238380e15e59d920440de5cc4e39d755b9284315a348d3f1b8912882dd349ffc24973be1916428681b2e0c46cb3249f9048d693

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe
Filesize
163KB

MD5
87b5a50848a11f020be4ccc739d44361

SHA1
c1991e2106fffe09292eb560ad38d7fde2873a14

SHA256
cc3c9178e2c0e37ccbbb2de1b19d7351a062171ebe43934eb695bda2fc2e77a0

SHA512
13382bb142d5ff323a167c2223df60414e0d606480883dad5b3b58cf0a87e5ba680b885aeb5cc3e726424143784af1e68d7d8217fa06078ccd56d14dba064f81

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe
Filesize
163KB

MD5
fa77844b8398b74defeae0fcc2bc3476

SHA1
743f80a0af3bb22a21e2f962a0423321340db8f5

SHA256
b7900c900a2c209d1e58191a2b474e1870584ae18713b104c9f6e8864a8127f1

SHA512
1e5eb43b93fe1c55cd0fb5a8b5c8c1b2a3b54d49bc2ea83daf8f35eb7a5dd91be22cac909eacdbe4bcb48e1e8722dbfea34a8ee346a0f2aefcf883d8550aa754

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe
Filesize
163KB

MD5
5bd6b3064c59e51fd4254cd1c2153346

SHA1
e7c086fa3631be58b8eb059b544295ba24b821d0

SHA256
e2bd0eec88b366b9cf6ee4ae7098de566d930b73d748a35518b139c28324e509

SHA512
278a069567f0a44e1b49ab1cfc94eb9a8d903944977c8941d31cd3b783af3b931cfad737797a5f4d1db08bb5203b529d13d39ca27463e9f95e34cb62b16f5841

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe
Filesize
163KB

MD5
b176c15e61d30e6ee5e3e081d39ed0bd

SHA1
4e2eb9207569a94f2810621a4b4a7fd470f7de0e

SHA256
3cdcfe24da4fc3b476860dd7090ef72eb4fb49b3a9abca1c80cf509f0d9c2eeb

SHA512
fa0377ebb114873a53b75230541e7f0f7b784ac053ad9a95747656e622621c33eab192f5605e6eef90339e861f700e27761370695bf75ac1885e3365bd8aea22

Download Submit
C:\Windows\SysWOW64\Henidd32.exe
Filesize
163KB

MD5
2a1d173f90a2da41800e5b2ffe962285

SHA1
fcd61f4ff21c75545a94200f9fc36034278507ce

SHA256
398386adb7fb96a412d75571c422e74ea30561f4bd357f3eb0c2830bb31d9595

SHA512
82baf2ec28c63792c4539dd7c09691e90901a9a61b2964dab0d511bfe1800c7f4a5817f458ae88530c4503649ec0fb90576ea28f224477daae01e9f4ce2ee3be

Download Submit
C:\Windows\SysWOW64\Hknach32.exe
Filesize
163KB

MD5
770a66469400b1046f6274d5c8f5aac4

SHA1
ac12e2d7d3f65b10cd0ecde895d1ce28b5af2483

SHA256
94605b0143f7de0147476ad6cdce4dc99870ef78a3c6ca8677e24e30243b7b1a

SHA512
4380a536e7fdf198c82752616ceecec0d506255d3af2aa5661f43bb266003bb1286213bfdbe57b5442d46957fc4418e53d1188281bc2b8d8eb73723d35fec508

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe
Filesize
163KB

MD5
2145fe06a710e21f68bcaefb4bc00716

SHA1
f1bd1f3d8c986b0cbea8f5012d23c5167f6db5ef

SHA256
38e8ea497103dcaa0cc6d1cd86cbcc01ae50c17ce76be2a05704404e43a2cb05

SHA512
15bcf9542ce22ac353639f00e332767282ed2bc6350aaa4fab0b98ac9b0c19591289a2263e54d1ae209e8f5695846e3b20775eb9923c2de7169229b512791047

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe
Filesize
163KB

MD5
98402bd5b7a1fad05c2b2e062250bec5

SHA1
409eda56a53c6e3ff459fa0d5299104cf527fc3d

SHA256
f8d80d42446eb769c4adec3b619448bee7b73766003d0ed502376a8234c06ca2

SHA512
d35dca879a118062ceb021ae25587e74319188c900608cfc0b99f8975fff99f7f6ad50c4029ecc5999e9896d4c8198e93108e601a5a307f9444dd2f4eb003d1c

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe
Filesize
163KB

MD5
b0a353adcdee14af406a7d93eccdae6c

SHA1
7e361b41dab2a1429c23bcb49b57d78ae4133a5a

SHA256
67751064abcd858adf01a60e107294eb11591523979b540772d3485e71d25b6a

SHA512
bba585e9bd27eb1197fa39abe5c40649673b8b36c248b7c98731633d494d3400abaf7349f29320d531a200da538a9efd7ac51acefb1324593aacc61c3e8fc79a

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe
Filesize
163KB

MD5
e571bf782377a101ff24180f82db41d7

SHA1
99443e9c3352f5c0268e9192fd51b9d4cef12083

SHA256
79d294ce167dc4b75aa77c01200c911689cdb0148b89f93711d5d4fc5427907a

SHA512
b145ad3b1cd8511ecb67343febe261b60a8c442f2cefe6fa54a3bbf8fdd51c27313899d6ff714b89f212b9701597a667f99bdc3f94573c02dc0e3adbc44305e8

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe
Filesize
163KB

MD5
3ea252874ed47d4b64d081e578c4d068

SHA1
74c7926f179254d30c898639c3d0cca389aea558

SHA256
69587fdb0dd14d5e11f87dc07a09b492102a51481d6c8dabadf29ee82f50003e

SHA512
31e55a985384a0f0035124a2560a57cbe7c13f3eabf060b5e99bc12639159a50257fee1026e2c8ee6b0116c39811bbecdf739e1c7b557c15210233cbd44306e0

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe
Filesize
163KB

MD5
6ddf71d529771053503bf48a15573378

SHA1
e166cfcb38e4c0095d0278f1e1a5b49291d1cfa7

SHA256
a17d4148e913163b30fd2cbc981a3f7e4dc61b641e544db7d632d37dec3ca35f

SHA512
1f85f8009cedf12298182c2253bdf5f7e2df3ea3a41e0a3ec0ed31c921ec042e913eb1e46a0a74f6cc4406390925198f5a0b45bc2fd1656e5ca2f1fa94cb6bb3

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe
Filesize
163KB

MD5
36805466e6667d2ebcc38eae323b2865

SHA1
0a9aef9b22a39497b01621de0d0ff190c4a43830

SHA256
c06421b4fa05f2288c88b90c04c49d3869247104396c8f8626dbcce13135b431

SHA512
69132d7a9563b694dec5ef89cfd14bc8971b3f6042f61c94868a5bfca5f2087547dee22c7c0b474ac69a0ed9c5848c2b4233426703e86fe149aa27409b0a787d

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
163KB

MD5
a6e5c4f2bfc94ff116c150b0e747c9e7

SHA1
8a5887098081335a6d07040fa56f844d979c2602

SHA256
1eb869d1410ed7f31e2213e8d9cacd7f15ad6f4292652497c48d349c28dd207e

SHA512
10beb8a2d809d35684448356308361e5d5ad3582adbf3d4101e3acf7025f6949265fd7da09765b2fa509b5ee3cd8479bee9540f302cb96a3ba95ae79398db6ec

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe
Filesize
163KB

MD5
20a9973b74af1ce5ac63289b731dca7b

SHA1
dcf05955e667ad65dd63e1ac981eef23e771a7a4

SHA256
b02e51db961fada41efdf9d8ef1a48edc758001b5af87c63dd3f0b0a41b3fcd9

SHA512
f0473d4410449d17c0b45469f667be701e62646ab04eac1dd74f39f3bdc448c45b768fe2e134a17c6070894abf5a1b4c4a6b173c1fb42bb8fc998f4e87a7359a

Download Submit
\Windows\SysWOW64\Bdooajdc.exe
Filesize
163KB

MD5
60515a216120c82dc6d3c78d7e8b949d

SHA1
84b9b63a64d37d6a07ec8b0ef3f5d7fd4b7c3555

SHA256
264009fafe5ca4204e0c15de65ba28e71ce8ac02c612682fae3ef0303dac5624

SHA512
6cf838b3070af629f49a1ab0159eebf50ad92217a0606f32cacf9d1a343d58cdcc9ebec010b4a66f370a533abe46634e878bbfcc9a6c4b84c615a06c586f6a3a

Download Submit
\Windows\SysWOW64\Bgknheej.exe
Filesize
163KB

MD5
db04f53c037a334ac98553f8d1b62275

SHA1
512882c6705b64a9aeebe11e1cf89e00223b5bcb

SHA256
fde9800ab97b7e9cbb2d467b7392312ee2a5b015df0584a91e092e3c9f6d72ea

SHA512
966ecf227b88bd42fb5c288b1334e994e40210279928e21d9203290fb329675d10d9223e8efddc5ba14995f7cc3b173b75cf8d75592a22bf661c411f2dec64c4

Download Submit
\Windows\SysWOW64\Cbnbobin.exe
Filesize
163KB

MD5
153c97af2296f2e2c0fd02032452c075

SHA1
cac19a209a8e5fdaa67b169e378d7d56f2d21b43

SHA256
27c9a776f9c53b5c5fd95efbda9c34a4401279c56abde9fbd68a6ff1f188559e

SHA512
7c1771461f552c4f948343646f2638647a7bfd6ef97c5ece7fb4f7896ec3ac4f86ec3f417784a33ad3bf238fd63980b7b74ec295fd8e32ddfbdbd32693631ade

Download Submit
\Windows\SysWOW64\Cfeddafl.exe
Filesize
163KB

MD5
320e2c8107a54de0e241cbe56b805419

SHA1
8d4fb2bb4ea566b84852926ded84239faaa5094a

SHA256
25e938462cc6fe6dd4dab2ed844ef24c9948a4b24ee441d38246696afe71ff93

SHA512
ab1849a72e24a4a952d31e168e76b1c45433cff33f7d15daddce275a05cf601a998541dfa403a3319fafe8f21f974e5b9ab1f072796f75802aac5f62285aaf3e

Download Submit
\Windows\SysWOW64\Cgpgce32.exe
Filesize
163KB

MD5
48aca4fd61365a1fb48e9fabfa5021d6

SHA1
d1ec22d92a4e63a78bc0971a5155e1a1850e69cf

SHA256
6ca7aad15cc57b9d415ff4e7b24710cd857eab8449f7ad87d5ff5832346df2c6

SHA512
613cbe0abb4b81ba9ead873549d5ebff5fc361845cbe6819bade8510cc27c9f047a9f33dbe439f6e810e028b102d2c0b05eb76aca1d28f5935c60f4da2bce05b

Download Submit
\Windows\SysWOW64\Claifkkf.exe
Filesize
163KB

MD5
be833a578526a40e5ae02aa1d041acc9

SHA1
55c862ad04c38f7642a049021dbacbdfb6c680fc

SHA256
295a083d07a598107365f554778fac73cfa3109aee5016a8c811810f2e3d7476

SHA512
f560cee0fa2e03a35896c7863185abc63a9cdbdb01a4a9ecac5a08d9b566c4ccd030c9f0e049a92425c5badc361d487b96e19e891f069cb57cbc047605af6cf3

Download Submit
\Windows\SysWOW64\Cndbcc32.exe
Filesize
163KB

MD5
e661d21d0d4fba5570f4debc036d10e0

SHA1
433ec5fa4b79e9058c098dbfb610c30cdc5c55a0

SHA256
6fa2cabe6d0f9768ad5673933fab215f3442e471f27c4c8444daeb5b07572c5f

SHA512
516723aa48a3a68faf97c07f4e2fe86924b7c4060ec45adceb82406ca84290641f68f8ba17e211888cbf0acdf0a2a101b7da3c9cc28e9bfa52a52817cdaa9496

Download Submit
\Windows\SysWOW64\Comimg32.exe
Filesize
163KB

MD5
7ce688853d908a130686d9c6b2d4347e

SHA1
c143ce8ea6822d2391d5f94fccf7b0058b4f352a

SHA256
62f5dc60a5b14479bda938d341855b4facfc9720515837fbeb2ce2dacd7a57b3

SHA512
6db8117f3551a215c1b741d574c13979e7663d3fda93a85cad67ce1a843d15c95eb91e0848569a2a37e3f02392892a369f7d90623e9b8a439d906952e4e393fe

Download Submit
\Windows\SysWOW64\Cpeofk32.exe
Filesize
163KB

MD5
0f8870e88e0553d80333876428f8b7d7

SHA1
b6cb4181137915234187cb6feb560f7dce323b4d

SHA256
c79713fb5eca89fbb90103127a87bbae7c9b3e866c5c00c3e959aa6d0333024c

SHA512
2d488d9b04901344d09cccc4fde34140c841dc307df60c1b2fe52a49eb321b5359521ebbd036283107aeb22a91a9f55751f4ce44d068be7631bbc222d35d70bc

Download Submit
\Windows\SysWOW64\Dfgmhd32.exe
Filesize
163KB

MD5
a5fa97f1a89c1584e07330475223cca6

SHA1
577d32f0a1aa01272fbce7807cae8c023736c283

SHA256
df9c2739423d4f88b352bccfc04027ad907980efb98481efb976c3cb8a66268c

SHA512
10176655c9a57cc56ef057244c5ffd5cc886344f05336d7c2c37be1b0e25c23030a07765c247d2887365770e7b96527e289f9909252cb8a8a1ef667fd868d84c

Download Submit
\Windows\SysWOW64\Dgaqgh32.exe
Filesize
163KB

MD5
926edb304eff44a967711c777779fa5a

SHA1
8a195a3ffd702e3f59571885daa4c9817e740e1c

SHA256
4d7a83fe89ba7ebb10ef9fc31046e7cc0ded72daad64cea66ffa247668beacf0

SHA512
0d7c67f291372463964387fd870eec1be9802e44df04f3a75045c1967b125f6b7a8bdf50723cac8cf67bdeb70026b34c595c1d88d0d3aa9752150277d2c33714

Download Submit
\Windows\SysWOW64\Dgfjbgmh.exe
Filesize
163KB

MD5
c1ad578a3845e688939093862d8f88be

SHA1
7f3dda17d2571a7bd3f6bfd0043e4f68b6f0e30d

SHA256
edf41fe43b3497ee8ecf24c49cf8ac5d8914a0c3739694b3c60db7375770b9b4

SHA512
b6d21c9431d741ccb1d1d135753352202b5ae865b49a10723ff7ede3862d3a210ce7992f2acd9c05466f5ecb7bdac465c4f22d6727918cf529381f885312b0fc

Download Submit
\Windows\SysWOW64\Dgodbh32.exe
Filesize
163KB

MD5
104b43e8f0e48d7721695911602298ce

SHA1
30fb640be168d26b03fc3ad0f1fc381601df15d6

SHA256
8bd7bcae5657ab56de8bf568b038ca12e79a5bca8fbf1317cab3c555a9ef7dfc

SHA512
551dd8783cc54bc1dfff3f0071979eea8a92ccf922d37898ab1c62dbfce0e819113e31f9b70c643b14b98b7bcfbeaa0c361cd06ca1d77d56713cb765ee56228a

Download Submit
\Windows\SysWOW64\Dqelenlc.exe
Filesize
163KB

MD5
8e81239cfa765926bc87b1daaa49f46a

SHA1
f0acd1d2581c8e3fe30e044dc64e2cdad8c852cd

SHA256
3c8f9239926fabc3e1ce9e50efa33d781ab69b29e48b36320e2b804172a986d1

SHA512
431b517146cdf3f555eaed67555ef5ad3b635113055e54a7e3c605b1c3a34a3a3406fea1e762ae51a276466c8db2188d31cd6a6bf20e11cf93df015efcab30ee

Download Submit
memory/300-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/912-278-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/912-277-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1036-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1036-234-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/1036-235-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/1200-289-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1200-288-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1200-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1412-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-481-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/1416-482-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/1488-517-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1488-522-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1552-165-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/1552-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1572-447-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1572-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-427-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/1700-118-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-267-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1708-268-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1708-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-320-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/1740-315-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/1740-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1740-314-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/1756-131-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-196-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1768-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1832-472-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/1832-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1928-224-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1928-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1928-223-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1964-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-441-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2020-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2092-330-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2092-331-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2092-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-396-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-402-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2232-406-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2276-488-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2276-484-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2304-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-341-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2360-245-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2360-246-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2360-236-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-6-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2368-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-500-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2492-256-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2492-257-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2492-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2536-384-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2536-380-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2604-86-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2604-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-394-0x00000000006C0000-0x0000000000713000-memory.dmp

Filesize
332KB

Download
memory/2616-395-0x00000000006C0000-0x0000000000713000-memory.dmp

Filesize
332KB

Download
memory/2616-385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2684-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-351-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2760-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-352-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2780-417-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2780-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2780-416-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2784-466-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2784-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-465-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2832-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2832-377-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/2832-376-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/2840-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-363-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2840-362-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2848-65-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2848-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-21-0x0000000000340000-0x0000000000393000-memory.dmp

Filesize
332KB

Download
memory/2884-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2920-499-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/2920-498-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/2920-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-211-0x0000000000360000-0x00000000003B3000-memory.dmp

Filesize
332KB

Download
memory/2960-198-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-212-0x0000000000360000-0x00000000003B3000-memory.dmp

Filesize
332KB

Download
memory/2976-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-300-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2976-296-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads