829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 23:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
Size

125KB
MD5

ace1eab1138de9b6b9867ad0e2484d79
SHA1

e20426ecab379d55eba0b60139a6e2fb01b8f26f
SHA256

829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af
SHA512

bcae9fa420dc746fd9c2fbf78f2e8befb361a6ad4c363a707d9cf795fc9449dab0a3971e649413294ea8f954fad5249e71a254b06f472f33fdf9ae4f72015adf
SSDEEP

3072:y/apJIKohvPBXquRFCKN1Sic21WdTCn93OGey/ZhJakrPF:BIPhh3FvbctTCndOGeKTaG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Filldb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gobgcg32.exe

Executes dropped EXE 33 IoCs

pid	Process
2144	Fcmgfkeg.exe
2644	Fmekoalh.exe
2696	Filldb32.exe
2428	Fdapak32.exe
2400	Fioija32.exe
2884	Fddmgjpo.exe
1856	Feeiob32.exe
2720	Gpknlk32.exe
2196	Gbijhg32.exe
1432	Ghfbqn32.exe
1004	Gopkmhjk.exe
600	Ghhofmql.exe
2156	Gobgcg32.exe
1992	Gdopkn32.exe
1908	Gmgdddmq.exe
2244	Gdamqndn.exe
1740	Gkkemh32.exe
1800	Gaemjbcg.exe
2128	Hgbebiao.exe
2960	Hpkjko32.exe
1572	Hgdbhi32.exe
1808	Hnojdcfi.exe
912	Hggomh32.exe
3064	Hiekid32.exe
1812	Hobcak32.exe
1480	Hgilchkf.exe
2272	Hellne32.exe
2612	Hcplhi32.exe
2436	Hhmepp32.exe
2588	Icbimi32.exe
2876	Iaeiieeb.exe
1540	Ioijbj32.exe
2656	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2700	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
2700	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
2144	Fcmgfkeg.exe
2144	Fcmgfkeg.exe
2644	Fmekoalh.exe
2644	Fmekoalh.exe
2696	Filldb32.exe
2696	Filldb32.exe
2428	Fdapak32.exe
2428	Fdapak32.exe
2400	Fioija32.exe
2400	Fioija32.exe
2884	Fddmgjpo.exe
2884	Fddmgjpo.exe
1856	Feeiob32.exe
1856	Feeiob32.exe
2720	Gpknlk32.exe
2720	Gpknlk32.exe
2196	Gbijhg32.exe
2196	Gbijhg32.exe
1432	Ghfbqn32.exe
1432	Ghfbqn32.exe
1004	Gopkmhjk.exe
1004	Gopkmhjk.exe
600	Ghhofmql.exe
600	Ghhofmql.exe
2156	Gobgcg32.exe
2156	Gobgcg32.exe
1992	Gdopkn32.exe
1992	Gdopkn32.exe
1908	Gmgdddmq.exe
1908	Gmgdddmq.exe
2244	Gdamqndn.exe
2244	Gdamqndn.exe
1740	Gkkemh32.exe
1740	Gkkemh32.exe
1800	Gaemjbcg.exe
1800	Gaemjbcg.exe
2128	Hgbebiao.exe
2128	Hgbebiao.exe
2960	Hpkjko32.exe
2960	Hpkjko32.exe
1572	Hgdbhi32.exe
1572	Hgdbhi32.exe
1808	Hnojdcfi.exe
1808	Hnojdcfi.exe
912	Hggomh32.exe
912	Hggomh32.exe
3064	Hiekid32.exe
3064	Hiekid32.exe
1812	Hobcak32.exe
1812	Hobcak32.exe
1480	Hgilchkf.exe
1480	Hgilchkf.exe
2272	Hellne32.exe
2272	Hellne32.exe
2612	Hcplhi32.exe
2612	Hcplhi32.exe
2436	Hhmepp32.exe
2436	Hhmepp32.exe
2588	Icbimi32.exe
2588	Icbimi32.exe
2876	Iaeiieeb.exe
2876	Iaeiieeb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gbijhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Filldb32.exe	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Dhggeddb.dll	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Fmekoalh.exe	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Fddmgjpo.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fddmgjpo.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
File created	C:\Windows\SysWOW64\Gbijhg32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Filldb32.exe	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Fdapak32.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Nopodm32.dll	Filldb32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hgilchkf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2188	2656	WerFault.exe	60

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2144	2700	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe	28
PID 2700 wrote to memory of 2144	2700	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe	28
PID 2700 wrote to memory of 2144	2700	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe	28
PID 2700 wrote to memory of 2144	2700	829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe	28
PID 2144 wrote to memory of 2644	2144	Fcmgfkeg.exe	29
PID 2144 wrote to memory of 2644	2144	Fcmgfkeg.exe	29
PID 2144 wrote to memory of 2644	2144	Fcmgfkeg.exe	29
PID 2144 wrote to memory of 2644	2144	Fcmgfkeg.exe	29
PID 2644 wrote to memory of 2696	2644	Fmekoalh.exe	30
PID 2644 wrote to memory of 2696	2644	Fmekoalh.exe	30
PID 2644 wrote to memory of 2696	2644	Fmekoalh.exe	30
PID 2644 wrote to memory of 2696	2644	Fmekoalh.exe	30
PID 2696 wrote to memory of 2428	2696	Filldb32.exe	31
PID 2696 wrote to memory of 2428	2696	Filldb32.exe	31
PID 2696 wrote to memory of 2428	2696	Filldb32.exe	31
PID 2696 wrote to memory of 2428	2696	Filldb32.exe	31
PID 2428 wrote to memory of 2400	2428	Fdapak32.exe	32
PID 2428 wrote to memory of 2400	2428	Fdapak32.exe	32
PID 2428 wrote to memory of 2400	2428	Fdapak32.exe	32
PID 2428 wrote to memory of 2400	2428	Fdapak32.exe	32
PID 2400 wrote to memory of 2884	2400	Fioija32.exe	33
PID 2400 wrote to memory of 2884	2400	Fioija32.exe	33
PID 2400 wrote to memory of 2884	2400	Fioija32.exe	33
PID 2400 wrote to memory of 2884	2400	Fioija32.exe	33
PID 2884 wrote to memory of 1856	2884	Fddmgjpo.exe	34
PID 2884 wrote to memory of 1856	2884	Fddmgjpo.exe	34
PID 2884 wrote to memory of 1856	2884	Fddmgjpo.exe	34
PID 2884 wrote to memory of 1856	2884	Fddmgjpo.exe	34
PID 1856 wrote to memory of 2720	1856	Feeiob32.exe	35
PID 1856 wrote to memory of 2720	1856	Feeiob32.exe	35
PID 1856 wrote to memory of 2720	1856	Feeiob32.exe	35
PID 1856 wrote to memory of 2720	1856	Feeiob32.exe	35
PID 2720 wrote to memory of 2196	2720	Gpknlk32.exe	36
PID 2720 wrote to memory of 2196	2720	Gpknlk32.exe	36
PID 2720 wrote to memory of 2196	2720	Gpknlk32.exe	36
PID 2720 wrote to memory of 2196	2720	Gpknlk32.exe	36
PID 2196 wrote to memory of 1432	2196	Gbijhg32.exe	37
PID 2196 wrote to memory of 1432	2196	Gbijhg32.exe	37
PID 2196 wrote to memory of 1432	2196	Gbijhg32.exe	37
PID 2196 wrote to memory of 1432	2196	Gbijhg32.exe	37
PID 1432 wrote to memory of 1004	1432	Ghfbqn32.exe	38
PID 1432 wrote to memory of 1004	1432	Ghfbqn32.exe	38
PID 1432 wrote to memory of 1004	1432	Ghfbqn32.exe	38
PID 1432 wrote to memory of 1004	1432	Ghfbqn32.exe	38
PID 1004 wrote to memory of 600	1004	Gopkmhjk.exe	39
PID 1004 wrote to memory of 600	1004	Gopkmhjk.exe	39
PID 1004 wrote to memory of 600	1004	Gopkmhjk.exe	39
PID 1004 wrote to memory of 600	1004	Gopkmhjk.exe	39
PID 600 wrote to memory of 2156	600	Ghhofmql.exe	40
PID 600 wrote to memory of 2156	600	Ghhofmql.exe	40
PID 600 wrote to memory of 2156	600	Ghhofmql.exe	40
PID 600 wrote to memory of 2156	600	Ghhofmql.exe	40
PID 2156 wrote to memory of 1992	2156	Gobgcg32.exe	41
PID 2156 wrote to memory of 1992	2156	Gobgcg32.exe	41
PID 2156 wrote to memory of 1992	2156	Gobgcg32.exe	41
PID 2156 wrote to memory of 1992	2156	Gobgcg32.exe	41
PID 1992 wrote to memory of 1908	1992	Gdopkn32.exe	42
PID 1992 wrote to memory of 1908	1992	Gdopkn32.exe	42
PID 1992 wrote to memory of 1908	1992	Gdopkn32.exe	42
PID 1992 wrote to memory of 1908	1992	Gdopkn32.exe	42
PID 1908 wrote to memory of 2244	1908	Gmgdddmq.exe	43
PID 1908 wrote to memory of 2244	1908	Gmgdddmq.exe	43
PID 1908 wrote to memory of 2244	1908	Gmgdddmq.exe	43
PID 1908 wrote to memory of 2244	1908	Gmgdddmq.exe	43

C:\Users\Admin\AppData\Local\Temp\829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe
"C:\Users\Admin\AppData\Local\Temp\829ecde3940303410402dcbc0acac8869d1a56b616347521a49c3cd0885705af.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\Fcmgfkeg.exe
  C:\Windows\system32\Fcmgfkeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\Fmekoalh.exe
    C:\Windows\system32\Fmekoalh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\Filldb32.exe
      C:\Windows\system32\Filldb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        34⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 140
        35⤵
        Program crash
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
125KB

MD5
ab15f6886d5f7e8452f645f489ded4f9

SHA1
a2f31559ad98202fba4351ef2b746b3645c220cf

SHA256
b4637109ccf5b9283c9fd63db2dcbe5c1deb3df55e0a83eadee8cd32f6f2a81c

SHA512
b0d9437f4126a13028323f8363df1663999815067b75acdb7e4222818d7947c3565c1b217ff102eb01ab0de50a8a0b352b5f14ffd072fd3e0935b1a2ac589d11

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
125KB

MD5
4b57f5c96f32cc6c2dd15715e83925ed

SHA1
7ba9ec484b9798478156f203e0757e92673631f6

SHA256
865f278b3d5f32f3d1eee4284b1e599c2ff54e608a88fe71da3cb3b051891b38

SHA512
c5b1bc88d78ce603f65868dc8bc7338a17135dd7301f4c475b3d48d394be69f392ffcf887411d3a60d4b19e20c50781bd6fde012cc3dc8ecce002ba4f23209c9

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
125KB

MD5
de5cae35d16745fcd35ec7871db913a1

SHA1
7aeaaf28011cdbdb47ba483ac226c9a337159da7

SHA256
eb5c1da23c327e790adbd8ead338692fab40e3c06cf187572cfd5d7058f6589d

SHA512
610011513a2c37585cae89f7dee940f68d875d8edca774145be2287b764539e1b13117466fdd260ba5e4bb8ccf67291f1cd56daae94ede5c6e68c6561eec853c

Download Submit
C:\Windows\SysWOW64\Ghqknigk.dll

Filesize
7KB

MD5
a59eddb1bed7e4d9360cd387b0cf8e11

SHA1
010b3380a33802850b816c1feb658bbf59c17cd5

SHA256
c19ee14c17b8e1bd01098181099e81df17aa5350a9b71f3e1a2f610b589daae6

SHA512
cfe6dc23d026d470a3683292f30e42f64c38f4137487d1986941f9eafb17c8a65a62fae505237d1f2a190ab32b9f906f4ee371adf2d7f2a1e1f2abb18771cdb0

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
125KB

MD5
f4207db1aa7b93fac2a68ed477560689

SHA1
fec172b973cbaba490776fe8bdc4579e4e56d86b

SHA256
114f5f1fa037afeeb4b7b2181aa66a4ec3c40a6c7502e748b39681882382bca7

SHA512
3b4a937784fcf579dcc818ba6f0d3fdc396c07861c77086d88a707832ef8e64e272e7d4dfb4f4bdd5524c895b51426fbb98f6a1fab86e0f8b9ea32291e41865c

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
125KB

MD5
994315ef8920ca717918b6955eb0da89

SHA1
4d1d504883743b7f150d082c126be7c6e6b7756f

SHA256
4dc3b3db4f8ec355e376c0a10f16ac0e142501d4df5b4e56af6113425a167947

SHA512
35c2638560eb845804505a059acd30c0cb8470b4aad435da5a4cefc5521b25a7be580be698f74d897ee6b5bb413f4112cc8dbe3683a6acf1c90405b5f739e859

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
125KB

MD5
aeff2e2a9175f453e41f6c58e8756edc

SHA1
2046485d6f3ba03f912cb90228c1975b5dd63c5d

SHA256
897fa81cc3a6e9e46a5081f347b6ead273bdd6ccbe6e84deeaca5587e3f099f9

SHA512
3a6ede9c5c4dccf61b1e01a3ed9dcaed9b091c2dbc22c6131685357f92318ca77b473452dc5405b892b3dd77e85af1d70c6ae31d43a3fed043e45d5c0569adb8

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
125KB

MD5
49149543ff5a0b1634fb76e744c34e84

SHA1
cc0b22e1f4e8cddc21a5b28c8a25c55b0dd7fd77

SHA256
e07a603be8c8cd4c1fce4902b6e98eccf5f735995379f39a7d640ec1f79ac190

SHA512
68a9dde805ec1e3dd0a56bc2e06db53d49d5a7016f3ebebcb33d0136a20c4fc341d97fdc0765cb81e077e38d08311c6617e22ad3d41773a7bf0b0ec21f0b4c88

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
125KB

MD5
3c25a3e95c907e37e4c2160e57f6c264

SHA1
d8593a6e6434ee1026f15906d70c61ff6777241d

SHA256
d8364c7cc6f6196e81b9a2c0c8a01a72b9d1469aa4ed37d3490b88b19d8d3953

SHA512
59b994e74dd46ec33cf96643a440bc5bdc05fcd10ecd8cceadd8b37a892f97584618cadf7edc7f1a15844c33bbecde6b6030b01f90e9ee47aa34743624ec8f23

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
125KB

MD5
56c7abbdb14e94501d71e839d29c8674

SHA1
b59647ecc452d867f9fddded87e0923aca0c8852

SHA256
46879d04e5ee3a27db9b4a8f4784922b1e654360611e326fa317993d15e9daf4

SHA512
cf8badced5f0e5d57a12e8ce15ce36cc5b7a8bee28a0e8dce6252af203bd8ad250822284182c5eceae6b272cd90c2e1eec3b278aad75ec07c1fa7ef1e6fa9358

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
125KB

MD5
cb76221c47d3255ee155baaf4b2f948a

SHA1
77706727901c29a9c9016c2439c0c5245046680c

SHA256
2e62ee9a21202c0c9c124e79a069b4efb96579e8d38b89bdbd353254325bdb28

SHA512
e7c75ddeca6806d50365c5c1d9313f4ca9fa1acc34eda537d846278f4015f94c61e81f6c129b5cca4d667fdfb261008a986d473c860f6e924b7bcf7eeadf6463

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
125KB

MD5
f033c8c613cd4965733ec7ff13e1d4f8

SHA1
add78116b380ccf3af2863d9266017e66ffd135f

SHA256
ca584acc8e47c0da1f2c0d9b0f9df55359b4ad7d8b95ea6eaefbbee1c5be957c

SHA512
9bd6a6b65bfc47962fe0ec72a6ac432d62812b7937c5ea8c640176c3055eb0338c2e8f686435ddada4263b1e92d0754f2143009c808687628dc5ef2e9f142c30

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
125KB

MD5
d9c0629c0809e403c7ca5595939c97c6

SHA1
64a9c7fd3958c97bdf076408c9aa60e0db71d0d8

SHA256
a3d2174c544299e99bc39533d10d0074dff3c252ba7748c6de2aed7e9b528f4d

SHA512
22e6064c66c765b35e4e98ec165815c688ff431c673883a0548555eccbf6195a8eaf918a7fcefb9df0cac55b0d6a7f93ccaca7fcf655f3fedcfd1553e4b3103a

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
125KB

MD5
9537177271ddf711f00f87fd9e4e7c74

SHA1
0eb6c2d1f8cfea937b7a4a4776d88ab4e199b0a0

SHA256
7d06032838b762799ecfd8b4dbc6e5c662a88b26537832e0317e3ff2e0393b38

SHA512
6343d650b61a01cab4c703561bed8c6c01c0ee57051b36018d1da31511bc89f6c60ec74a4781faedf5c039e9a416ee0cd77028cb529e39affcfdc3f91c2b7f04

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
125KB

MD5
e2017155e9bb58533d0c5d826e70c9be

SHA1
1acb83fc4422447cf30a00e3b101dde32f49827b

SHA256
5d841d30e0c466253ab823b18a847be9411b5e9d123e94ef122c1cc446cd1322

SHA512
c3500ec92311e97569f6867297c43d3339802e97207980c6023c4ae6c2a5171a21a586395319bcd45755afdcd1c4d2d740466ea1a60889630c239ce08d090ef6

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
125KB

MD5
fc024d03e7607961aa3884e1a9166c42

SHA1
d547f1a1f2c50ccc08cc4ad373cdd9ed82da2c6b

SHA256
5fd21e7a3816e332324564821cb74807d8960e721d16e40f2d62e26cba9d612f

SHA512
6aaf33f1a11251fa7ca40723ec7e70d0f864068311b2c7c8a641f2457f5e6a17c6b5503c9a0f57635fada990307a099c857d56b92ad68d6b6362025895ba13cc

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
125KB

MD5
f65ec26a0f7c86cbddb39d82d7f6c85d

SHA1
a61968dd7be949727d1d1c9865d8bcc42980c303

SHA256
c3395cabcd89f3314f776d60f595f355f92e752829d3d66334c59f943bd92cf2

SHA512
193edff722e8edadac53529d0ca4d03be1aa370ec1820ada9bc5097eaaacd9c558add331a07bc0b16774a662927f438b88840653425a9843504335952e705e28

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
125KB

MD5
b6f20495de5916a56028b08e6ee134cb

SHA1
729d19fb3dbd0c16275fd4b145fc4ce5517aab71

SHA256
fdc9eb04dc2f0b895624f3091270f4e4788eb21b1c53d7d239a218b66bf4b92d

SHA512
ff6e86686335febc113d523893d959d754bb9aedb5d233c86a84513ba687e58c35965c620c1ca7fa19059517466424741f1077adc9bada63e06edb132dc91a48

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
125KB

MD5
2f8897907b0d5ec8630cd5ab603dd1c9

SHA1
41c5d41de270aa6bbd9ed047694dea9b5d689441

SHA256
72be473818b383763bf6e76dbc33c98632edc2a964112c530355f969b006520a

SHA512
90511eabaab1184eee9ad2f511aa01bb1ad35106eb928c8ec4a73c2be42be14fd5a8bebd3b9698b6b4a630ed5077247734bb6015d0059e6813e1ffd93e27521e

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
125KB

MD5
9b9a1cc1a002219c0f49b739fe35f993

SHA1
caaea0e08773ad862426d99a5077fe5005222e20

SHA256
bdf7c884ccb4afaa9cc4a17440a84129cd3aae8a2bfddf6ff1a1189a6b3aa430

SHA512
20d5476bbd8f7327954c4816256d148cfc8e8be37b2fa79767bed85350bc07fe3ccbeaf7fc941e255723ac5c7dccde5ad94c8cae66c7209ba5d0c9a5e02b54a7

Download Submit
\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
125KB

MD5
5718f4872b3dd4482dee340076ae2821

SHA1
3ca7ca951dd29a36d221792f5e1926e804e42fd8

SHA256
895ed5066d6da693735127205b22762f41e71859b535c75f53146129b10b256a

SHA512
ffa243b73d7f5ee37ea4636be6917595cb0470d4f7fbb588a75485f3dfce7a0fc093d84f0cbbe4ae5aef4f65c35107fc32cda373e1078978658ff5b4d574a60a

Download Submit
\Windows\SysWOW64\Fdapak32.exe

Filesize
125KB

MD5
653cb2b006bdfe59ba921e4de5725bcb

SHA1
65deaede8ca23a18d95db6c476b61a3033e4986b

SHA256
3dd2159924a612442f68ddca16b3b376adf0895c31dcb8e9a01937ab0309696c

SHA512
219ccb6ed43ceb139e10305b52a90e86e9d30ff70b444dee4326d5ae0befca42fb99c7d6c608d56ba1620707db7bc5d924bdc05aef1fd0e5fc634acab86ca3b0

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
125KB

MD5
bb767b6e683dc87ef6423b18d7c08a58

SHA1
8c08ddb2954405863d657aa4c591e4f0ae42b9d1

SHA256
c29058be14be05119069a0c7357b5c790de40aebfb6e9644c3f268ce95d01e64

SHA512
94fafa679630585344bc34fcd2f1b5190b8d2a7308aa3885e5eab3c18c085c74644e36c4f51dbe866a477acc470e21b838bcf075ead1325db5d7d7e76b9f6741

Download Submit
\Windows\SysWOW64\Filldb32.exe

Filesize
125KB

MD5
ebc6d5a05f1a2cc8a35e35d77597f9e4

SHA1
c896b86833dd17f64de40c158245897a054e4bc8

SHA256
3e22f6e99bff0fc322c43be3d2823492c1d823513fd6186d890a3dc9f46b124b

SHA512
a2b5abfaa64514f621a24a397d4d0eb0879787f7393413b28882f8f2a52bd8d2a9d67d6d21927a1ae637fb0aa7137ee5a48baeca23919f860f8bc54c1bf6a186

Download Submit
\Windows\SysWOW64\Fioija32.exe

Filesize
125KB

MD5
82bbc52e9fd5b6908244ff8af92bbadb

SHA1
afd1a7a288156b1d40cda4f4cff649be0af05f87

SHA256
4edd5912348db5d7f823c2ee7d18c2686894c8e8538f922f509c3980c3954bd8

SHA512
d19e089be8e4d04cdb4c43c0ee5dddbc24c13e1496cb27f837860318e33958039ad8d96c4ec045f3f9f45359965fde56235d83881e7ec7df1db59f28b22f6c6d

Download Submit
\Windows\SysWOW64\Fmekoalh.exe

Filesize
125KB

MD5
f75ead96182ec5792f3ca32e62b8722d

SHA1
077b7f7db82bebfabaa10332c9dc73488211662d

SHA256
33f80eefcd6e5440bf02d09422f6d2abde938293cf2820369e97ea0259809455

SHA512
9e1dfb8e611bf1452862dca0b872fd3fba467e17bebbbee10fb38983a80ccb56d68aab3b66d45a9d58f640c17771996ac6f98dfb88f3a0ec7bcd9b46c3639acb

Download Submit
\Windows\SysWOW64\Gbijhg32.exe

Filesize
125KB

MD5
efaf1f749ca4d72f0a297c8188453043

SHA1
66bcd6a752387c90673afbc6e5a1c697744efc0c

SHA256
34deeab5295ac39b83a482fcb2c6b3b4ae83c31e1cd604f1c91ee911d5a57552

SHA512
8f6c2deb50b5e8b79a50d06f7b4be3928d3bdf99dc89f3abc41a71b465f9087ee369a72043892f50bf227cd28a15fb9c6ce524ac5f69cc6dd9c3a0456cef75a2

Download Submit
\Windows\SysWOW64\Gdamqndn.exe

Filesize
125KB

MD5
d3b57d9068005c7d494505669c2df676

SHA1
3a16a5eb4334049ac5ed1be2ba24aae99c14e514

SHA256
d3b65372b0caa511b5b8ebdec475bc4251216d77344ed9b63606710925e888f7

SHA512
046d61af4aedef4c45f143cd85814c882ca5b2ef6f3b1eaffedaa4e84abce6b8dfeec424d527af552dd98ff7db05ee2c60a24a3436aa2f9323d28dbbee17f190

Download Submit
\Windows\SysWOW64\Ghfbqn32.exe

Filesize
125KB

MD5
c0cd24f6d8b29850c8b08504c66a9195

SHA1
a971947b9a46fc4d1de20c67f555d6e90c1e0587

SHA256
7d4a19f467ef0a75389c5e853c1d9113e6195692b2594be3a26e969aa8f04906

SHA512
c40d7ae0fcd98bf26633f28624b042efb3688151357beed069c1f9e422ac443b773757845c2c341eabac358d968cd7e060ada17e159f7363706e5d534a0b71a8

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
125KB

MD5
1646775ac48f32c96da2855ba148185f

SHA1
283d2d7f255d40e53550c18cd3a37faac449444a

SHA256
344c381c169f18ab465f6cf65c647d22e91492e0045272d2729ef65bf79c209d

SHA512
977bba41320e86a54fec0f34d5cb46daaad041b65479b1ecbe5075c380285c426d797ce5f928dace3b1354913d705141a3d2965f816ac4fcf7bab6a3205b042f

Download Submit
\Windows\SysWOW64\Gmgdddmq.exe

Filesize
125KB

MD5
a84f88eef1a7b62b6c4ba260055bb8e4

SHA1
e54c1bbfabf658a817901a53ef2d444e771d6db0

SHA256
d37b0d0347335eedbd792174b3cc1299726e1097d452205d0740e225823b831d

SHA512
2f409f4d53ba6f4c53b9ca902d171a39b86a7f0c41ecf4bb0b2a9979d6db49fab285cd2bb8230d31dfc6e7a0e7a7a8e8dbebd35c8c18caf60c7b79b9a2895030

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
125KB

MD5
3f00ab716046b8b076e68f36ce1f8fcc

SHA1
7d26c787a73060f549cbda404b9c6666f6f5ac12

SHA256
5bf86d059cc0ca24398991b443574e3096cc8638507e4c98047f92b4a7f8c273

SHA512
7d8d12f5d9455b33fc7e1067f3344dd394fcc8ced7bb94812cc07401943b780fb05d4bfaa8cb7a3597649364f816936798cdcabed579a61e71666f6db7da8def

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
125KB

MD5
f48e30bb678f42736435d144d6741c0c

SHA1
1c7625056786c13d793532ca31ae3581cb4a53fe

SHA256
8397aaa55cda20e3326032ee0f78935463f55d34caf1ea8f49f759700fbafad0

SHA512
2f52c65ab41d01ab25288f97012ee865a417b8cea3c4fb15a35d9cae8cc525b6045d86983396ac656b42c6620284dd31b75ab300b152d3fc0c4084b406ebc755

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
125KB

MD5
c1b2a80d0243ff1e5496d5df9da941c9

SHA1
eabb3009a75e81252634afa66ede9d691432b443

SHA256
bcbe4c2cf5be71b12be56e3de802a6530784c2f762fe0c81e09a1790eb25bff6

SHA512
e213ac39b10cdabf5ff2d9229dee4d8f28a633bf6bbe4cb5d1a69b7fd969d06abe0952b1c7856d4b33a0ce662ca6c5be654257ca4ad2c26f7c7d4f9281832ac4

Download Submit
memory/600-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/600-411-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/912-290-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/912-298-0x0000000000320000-0x0000000000367000-memory.dmp

Filesize
284KB

Download
memory/912-299-0x0000000000320000-0x0000000000367000-memory.dmp

Filesize
284KB

Download
memory/912-421-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1004-410-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1432-146-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1432-409-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1432-134-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1480-332-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1480-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1480-331-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1540-397-0x0000000000270000-0x00000000002B7000-memory.dmp

Filesize
284KB

Download
memory/1540-398-0x0000000000270000-0x00000000002B7000-memory.dmp

Filesize
284KB

Download
memory/1540-392-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1572-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1572-278-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/1572-419-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1572-277-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/1740-227-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1740-415-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1740-233-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1740-234-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1800-416-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1800-235-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1800-244-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1800-245-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1808-288-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1808-420-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1808-279-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1812-311-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1812-320-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1812-423-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1812-321-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1856-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1856-406-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1908-413-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1908-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1992-186-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1992-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1992-198-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2128-255-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2128-256-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2128-417-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2128-246-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2144-401-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2144-25-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2144-13-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2156-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2196-408-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2244-414-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2244-217-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2244-223-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2272-342-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2272-333-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2272-343-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2400-77-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2400-74-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2428-62-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2428-404-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2428-54-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2436-366-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2436-365-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2436-363-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2588-375-0x0000000000260000-0x00000000002A7000-memory.dmp

Filesize
284KB

Download
memory/2588-376-0x0000000000260000-0x00000000002A7000-memory.dmp

Filesize
284KB

Download
memory/2588-364-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2612-359-0x0000000000310000-0x0000000000357000-memory.dmp

Filesize
284KB

Download
memory/2612-355-0x0000000000310000-0x0000000000357000-memory.dmp

Filesize
284KB

Download
memory/2612-344-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2644-27-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2644-35-0x0000000001FA0000-0x0000000001FE7000-memory.dmp

Filesize
284KB

Download
memory/2644-402-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2656-399-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2696-42-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2696-403-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2700-6-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2700-400-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2700-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2720-120-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2720-407-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2720-109-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-387-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/2876-386-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/2884-89-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2884-405-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2960-418-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2960-266-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2960-267-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2960-257-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3064-309-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/3064-300-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3064-422-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3064-310-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads