2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
Size

145KB
MD5

fd1a51ad487781f4b79a3489f656b900
SHA1

b7ea16fec3e73aaaeaae60c763c0127a59200718
SHA256

2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56
SHA512

ba2e03e7bdbeb334801817d806202a5fad9119aa2c7e9757e7672a0121f7a92de892060a07649e0fe111263bd54bb7b57174fdbad4123aedd104325e2c4cf07d
SSDEEP

1536:NdxQ1k9D54kEetRR13FWFqEy3J30WPrIPrWFFZy6BEVsNo2Ae5JYFnVEyQmEydP:NNF5DEetTWFqD3pFBEV52Ae5aFnVB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe

Executes dropped EXE 31 IoCs

pid	Process
1232	Fjdbnf32.exe
2580	Fjgoce32.exe
2540	Fpdhklkl.exe
2548	Facdeo32.exe
2604	Fdapak32.exe
2480	Fioija32.exe
2900	Fddmgjpo.exe
1544	Fiaeoang.exe
2532	Globlmmj.exe
2156	Gfefiemq.exe
372	Gopkmhjk.exe
784	Gieojq32.exe
976	Gkgkbipp.exe
1724	Gdopkn32.exe
1564	Goddhg32.exe
3064	Gmgdddmq.exe
2020	Gaemjbcg.exe
1796	Hknach32.exe
900	Hmlnoc32.exe
1172	Hkpnhgge.exe
2840	Hicodd32.exe
1284	Hlakpp32.exe
1900	Hejoiedd.exe
3000	Hcnpbi32.exe
1180	Hgilchkf.exe
1516	Hcplhi32.exe
2676	Henidd32.exe
2556	Icbimi32.exe
2620	Ieqeidnl.exe
2464	Ioijbj32.exe
2432	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2400	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
2400	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
1232	Fjdbnf32.exe
1232	Fjdbnf32.exe
2580	Fjgoce32.exe
2580	Fjgoce32.exe
2540	Fpdhklkl.exe
2540	Fpdhklkl.exe
2548	Facdeo32.exe
2548	Facdeo32.exe
2604	Fdapak32.exe
2604	Fdapak32.exe
2480	Fioija32.exe
2480	Fioija32.exe
2900	Fddmgjpo.exe
2900	Fddmgjpo.exe
1544	Fiaeoang.exe
1544	Fiaeoang.exe
2532	Globlmmj.exe
2532	Globlmmj.exe
2156	Gfefiemq.exe
2156	Gfefiemq.exe
372	Gopkmhjk.exe
372	Gopkmhjk.exe
784	Gieojq32.exe
784	Gieojq32.exe
976	Gkgkbipp.exe
976	Gkgkbipp.exe
1724	Gdopkn32.exe
1724	Gdopkn32.exe
1564	Goddhg32.exe
1564	Goddhg32.exe
3064	Gmgdddmq.exe
3064	Gmgdddmq.exe
2020	Gaemjbcg.exe
2020	Gaemjbcg.exe
1796	Hknach32.exe
1796	Hknach32.exe
900	Hmlnoc32.exe
900	Hmlnoc32.exe
1172	Hkpnhgge.exe
1172	Hkpnhgge.exe
2840	Hicodd32.exe
2840	Hicodd32.exe
1284	Hlakpp32.exe
1284	Hlakpp32.exe
1900	Hejoiedd.exe
1900	Hejoiedd.exe
3000	Hcnpbi32.exe
3000	Hcnpbi32.exe
1180	Hgilchkf.exe
1180	Hgilchkf.exe
1516	Hcplhi32.exe
1516	Hcplhi32.exe
2676	Henidd32.exe
2676	Henidd32.exe
2556	Icbimi32.exe
2556	Icbimi32.exe
2620	Ieqeidnl.exe
2620	Ieqeidnl.exe
2464	Ioijbj32.exe
2464	Ioijbj32.exe
2260	WerFault.exe
2260	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gkgkbipp.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Fiaeoang.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fpdhklkl.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Fpdhklkl.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Fjdbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Hpqpdnop.dll	Fiaeoang.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Fjgoce32.exe	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Goddhg32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Fjdbnf32.exe	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Bccnbmal.dll	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Dchfknpg.dll	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Qlidlf32.dll	Fioija32.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Fddmgjpo.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gkgkbipp.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Fdapak32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gmgdddmq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2260	2432	WerFault.exe	58

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hgilchkf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1232	2400	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe	28
PID 2400 wrote to memory of 1232	2400	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe	28
PID 2400 wrote to memory of 1232	2400	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe	28
PID 2400 wrote to memory of 1232	2400	2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe	28
PID 1232 wrote to memory of 2580	1232	Fjdbnf32.exe	29
PID 1232 wrote to memory of 2580	1232	Fjdbnf32.exe	29
PID 1232 wrote to memory of 2580	1232	Fjdbnf32.exe	29
PID 1232 wrote to memory of 2580	1232	Fjdbnf32.exe	29
PID 2580 wrote to memory of 2540	2580	Fjgoce32.exe	30
PID 2580 wrote to memory of 2540	2580	Fjgoce32.exe	30
PID 2580 wrote to memory of 2540	2580	Fjgoce32.exe	30
PID 2580 wrote to memory of 2540	2580	Fjgoce32.exe	30
PID 2540 wrote to memory of 2548	2540	Fpdhklkl.exe	31
PID 2540 wrote to memory of 2548	2540	Fpdhklkl.exe	31
PID 2540 wrote to memory of 2548	2540	Fpdhklkl.exe	31
PID 2540 wrote to memory of 2548	2540	Fpdhklkl.exe	31
PID 2548 wrote to memory of 2604	2548	Facdeo32.exe	32
PID 2548 wrote to memory of 2604	2548	Facdeo32.exe	32
PID 2548 wrote to memory of 2604	2548	Facdeo32.exe	32
PID 2548 wrote to memory of 2604	2548	Facdeo32.exe	32
PID 2604 wrote to memory of 2480	2604	Fdapak32.exe	33
PID 2604 wrote to memory of 2480	2604	Fdapak32.exe	33
PID 2604 wrote to memory of 2480	2604	Fdapak32.exe	33
PID 2604 wrote to memory of 2480	2604	Fdapak32.exe	33
PID 2480 wrote to memory of 2900	2480	Fioija32.exe	34
PID 2480 wrote to memory of 2900	2480	Fioija32.exe	34
PID 2480 wrote to memory of 2900	2480	Fioija32.exe	34
PID 2480 wrote to memory of 2900	2480	Fioija32.exe	34
PID 2900 wrote to memory of 1544	2900	Fddmgjpo.exe	35
PID 2900 wrote to memory of 1544	2900	Fddmgjpo.exe	35
PID 2900 wrote to memory of 1544	2900	Fddmgjpo.exe	35
PID 2900 wrote to memory of 1544	2900	Fddmgjpo.exe	35
PID 1544 wrote to memory of 2532	1544	Fiaeoang.exe	36
PID 1544 wrote to memory of 2532	1544	Fiaeoang.exe	36
PID 1544 wrote to memory of 2532	1544	Fiaeoang.exe	36
PID 1544 wrote to memory of 2532	1544	Fiaeoang.exe	36
PID 2532 wrote to memory of 2156	2532	Globlmmj.exe	37
PID 2532 wrote to memory of 2156	2532	Globlmmj.exe	37
PID 2532 wrote to memory of 2156	2532	Globlmmj.exe	37
PID 2532 wrote to memory of 2156	2532	Globlmmj.exe	37
PID 2156 wrote to memory of 372	2156	Gfefiemq.exe	38
PID 2156 wrote to memory of 372	2156	Gfefiemq.exe	38
PID 2156 wrote to memory of 372	2156	Gfefiemq.exe	38
PID 2156 wrote to memory of 372	2156	Gfefiemq.exe	38
PID 372 wrote to memory of 784	372	Gopkmhjk.exe	39
PID 372 wrote to memory of 784	372	Gopkmhjk.exe	39
PID 372 wrote to memory of 784	372	Gopkmhjk.exe	39
PID 372 wrote to memory of 784	372	Gopkmhjk.exe	39
PID 784 wrote to memory of 976	784	Gieojq32.exe	40
PID 784 wrote to memory of 976	784	Gieojq32.exe	40
PID 784 wrote to memory of 976	784	Gieojq32.exe	40
PID 784 wrote to memory of 976	784	Gieojq32.exe	40
PID 976 wrote to memory of 1724	976	Gkgkbipp.exe	41
PID 976 wrote to memory of 1724	976	Gkgkbipp.exe	41
PID 976 wrote to memory of 1724	976	Gkgkbipp.exe	41
PID 976 wrote to memory of 1724	976	Gkgkbipp.exe	41
PID 1724 wrote to memory of 1564	1724	Gdopkn32.exe	42
PID 1724 wrote to memory of 1564	1724	Gdopkn32.exe	42
PID 1724 wrote to memory of 1564	1724	Gdopkn32.exe	42
PID 1724 wrote to memory of 1564	1724	Gdopkn32.exe	42
PID 1564 wrote to memory of 3064	1564	Goddhg32.exe	43
PID 1564 wrote to memory of 3064	1564	Goddhg32.exe	43
PID 1564 wrote to memory of 3064	1564	Goddhg32.exe	43
PID 1564 wrote to memory of 3064	1564	Goddhg32.exe	43

C:\Users\Admin\AppData\Local\Temp\2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe
"C:\Users\Admin\AppData\Local\Temp\2af86c02c23882f4d0bee81bc4d746cdf059dbf1fa820ca8661dafd6ad764a56.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\Fjdbnf32.exe
  C:\Windows\system32\Fjdbnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\Fjgoce32.exe
    C:\Windows\system32\Fjgoce32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\Fpdhklkl.exe
      C:\Windows\system32\Fpdhklkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        32⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 140
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fpdhklkl.exe

Filesize
145KB

MD5
bcea81cefe4f080df8a6d6067de95d3e

SHA1
10c81d6484cf065585b8cee702572d1fcab37d63

SHA256
e34004c4e78b66f11ba3bb4e62351c5aabcf969cccb9b1194afc52cc04d4b2fa

SHA512
d15f0fc3b698dcd0cdf9085aba72365c278b34f208e0884957d30fce0ce4406427ba92a0b4c443b020fcd08b1694ff772811c9146b96515937cb509f279d37c6

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
145KB

MD5
6c7cba101fe6379d735d99cc20568d48

SHA1
00735989d288655d82dda3d3425edd742f44818e

SHA256
8aaddd75c2217322912a70b226fe3629edb8507113030d2fc7157a4c9510b4a8

SHA512
d85b73e02614eb8869725e72fb4b95538747b78dfa7ce83977eaa65b4e3e06ad487000bf967fb1f3df75af6f31056a2d123fbf6a3b1fc0ca60a86ed74c06e382

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe

Filesize
145KB

MD5
2458ccf844d87e2409a0f03af0811106

SHA1
0b16bf2bba4cf0aa6e273b7ab329ca8605760abe

SHA256
53980b294b3a83ebedf61aa1683ffe8c6b0ba47cbcbed38e86980b14db0a2f7c

SHA512
af575b280887174914a8d32d70d37fdc6bb0e01073dda449763e4d61cbf1804864805df5a2d9209e6c405e1f01dc0486fc5b6a6c01da6a90b8fa0e64e474a15e

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
145KB

MD5
ee1021b02692c95a3581c5f195c6e7c4

SHA1
e5c53f5c66b87da5c43c7c36ac0e559bb424daac

SHA256
4615e652964ac14eb818825045f1369ed1ef11d0362116a1595dd829cc235057

SHA512
7f0df05833252918db29acfe4fbac50334cc6ad1467c672aacd7307b2ad0a46f1cd59c4ca8c29c68eb63479e3473d693e8012d2aaaff2dca737f973b5710ccc7

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
145KB

MD5
9aff6d6a35c5f4ac38f5c65607b5cb75

SHA1
bb894e735de57de5005b52806d0fd636819bd4d0

SHA256
47a7c46d3ec25cc43ff20442d2580ae3651528d8dc334bba84434b83124074a9

SHA512
440e9d9960ba2e602d626ac960eda66b25dddb2a92b209dec3d27522639f2424cd023c977eb0e6d3413bc9dfc3edceeaea98e154ba70a94f22aa6ebea8d75356

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
145KB

MD5
b31e2025967d5d2b7a976d6ebdc3c5f0

SHA1
8e28474baa09ca87bdb5e84faae029cfeb2d56c1

SHA256
4b9df32cb559590e7c70c2d400770c326432a45e58f9b5d96fb2b1aa7f8ddeba

SHA512
780418134cd39b407be6cc7b4546100f825c9cd53ad94331ecc03fd35a1234f9f20f5feae060a5d3bd90c0847933ac8f81aca25808292c6bd850fbd6eae9a680

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
145KB

MD5
b7d4f68e28907d046207814f629ea28d

SHA1
d18f9aa01c209f4c0484470b1175070470773b7b

SHA256
b8f0bcc6dd22cb85aeaf1e8286dc07e0ca79e8846976d815e02aba108e14bbef

SHA512
bc7e4c21235bccd49d81e5ca456eec4ce500d89cdb4f0a446a95c957869a0827d6f33c41bfb91fe235a31afc50eef30fd995ffb5bc7e2f7e0b9f95db68786305

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
145KB

MD5
17cd2c442a26ffdffbfb982c5f1056d5

SHA1
add5e932a5425d078b2d1ccbd81cbf0d3c28a9f7

SHA256
696af2585ef29ee47a08434d4f0049b4502ad7ba69ec808c6448c3e6ef5bcf03

SHA512
541748d22c8c57fb147679c3f63254f242f52703fc3b33bd89f5fe2805407994b4f5ceb9cdc0733dae71db1ac3bc0fbced3c01a1465685dc0b3daf3e04ca902e

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
145KB

MD5
4c2d534f2a43daeaa36e754cb901630e

SHA1
6ebed5778d270035c9e85c30fe317e5aa731c84b

SHA256
4160aabe69e817e443211d7318c3fb4be4c92dce6c401b56287430330f4addb4

SHA512
3dd1fd4b4608b2742510db13cce38fed24ec8c991d6b894808f34a19775591f5711a0c560a1459c5a32116afb8c7bf2a638b7d6761a43f1acf6ae860a74d0922

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
145KB

MD5
50bb0f3f1bceb51d5abc80a75db8571d

SHA1
168ea1084efcc158b8d2659e9ab3bcd0db0759ed

SHA256
75c7792a7ac7b43148621508efb8d1516279edebcc87a2e8057a3a48945c29e1

SHA512
fb4522a88025aefcdf5a128d1cf3c6cfc8361e99ad107c5354f845a670a58b1ab8201a232b1f5839abc7033c39b2feb4d71eda54a6496e33c549b1a5d9a054f8

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
145KB

MD5
4135964d27ed7a6a0ee75e0d747aa0a9

SHA1
ffd2c5e88ee057436afff504425549ea7e24d19c

SHA256
9db44159750a69a097aa6caecc5ed44faa20c0ce56f2124f9e6bdecdd559150e

SHA512
5ec720f60c73e3995b8620d7e6770a0f02664b8eefe2955e86ef401920bac2c7dcf4f730edd9156c98546afe0938b180533cd990203c73ba906b9392f277f434

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
145KB

MD5
083d6272d5f844da2c210fe30e830ba3

SHA1
10e22cb2d6a8d2187119b90c5cad84ba7ef6a84b

SHA256
3c3a8bcc12387ea6f06188fa80f9937539fe1e849f3cf010ac630dab94397925

SHA512
c531e32e0f97a558bc4841bcb312488e699b9888ea83187df580b439baaa6820e9054cdc117e717b853d39ece34b7a028277b4222e9e98ae6c0ecc0b78113d2f

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
145KB

MD5
bae8505819966e12c00796c13d73eb15

SHA1
95e6c450cd58ff9a3f911308827c344a6a49c3aa

SHA256
c1d40232b7289e22354c342c122e8743a27cd16706e7ee1f66ba8a2a668084d1

SHA512
c99fca27ce2b26732865a55fd707c186b0ab159dc8a4ce3aef90cf901c2f8f10421295bbfd41d9d2150622e2613dc76afdbfb5422677526bf3a3b162f700a3ad

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
145KB

MD5
4a1ccb78b3f72f8a38c3141c867f30cf

SHA1
ce4eeef31edcac25d3f8acd45ba1b7fe4b307003

SHA256
62aad5154dcbc547a963c2f3d2a20dd3803f6cac03dbf1dc7df7710351f1f256

SHA512
da76867a5a01c9b7602def56a970698d62160e8e3daacfb2cbf1f2e6024ee7095872b8d73d0c29af6fa6f8fe25e4332c42d866b3331f13a0f0e8b8a84589f735

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
145KB

MD5
bc3556041446b8fc14fa318abe9c2fa8

SHA1
1066a105d8e27ba3c8b4bb6767769cf204cfe093

SHA256
e623a11d3b7ad5eef6140ba24ca90eec81631cff31cec0cced76ae8a1778dd93

SHA512
4c3f83a7f662923a1631bde44dd0ec37ea9ec53e73ff00155e1592f3dfc1c10bfd8ac1203dde0b6175dac5c4a07df4fee62980987528670d296e5dd5d44767a3

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
145KB

MD5
0c8f08301dfb35cfebbe894cc5f95d26

SHA1
26f26dc586fec70ce58ad71339f370b92e50049e

SHA256
1d14bc642a0c335d678476548eaeaccc524169e2d5fcc9acc8a9c56d141e71a4

SHA512
db7e1f3aaa02ed6e82241d22a88df4f3b964925e38d093fbe3fd6f9cb226e0878f8d871f80bbe57604335967553fc6f21cac4afc15761aa4b17caaec4f91d93c

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
145KB

MD5
aa60360850998d49f083d66fbece4c84

SHA1
9a9e4b1e1a9afb173420fced55141038ca3dde55

SHA256
b00564ccc6105a8c0d2954725892e5603b37ee2f57321faabee13aa7dcfb3a14

SHA512
56e8022155fa38de3cfad44abaa81d693d8ed0cd02c44f41bbaf3203379f94184356938f6cb605dcbcea23fcb382abb6d540b23c1e2cb3e88b51b23a387c1a90

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
145KB

MD5
70a13ddaa1786b14fafa00cddd26472b

SHA1
4302974a96c1119ff68d48d2b87718a57f9b4b0f

SHA256
8572de2bf142d91eaee2fc97760f785c2be3cad2ef822b49028b1e64200739b9

SHA512
db96a88c698175f66ba4686f5b4a47527e049bb4a46dd03ce6e7dc8a2d752df2a20d2bada2e797f3f1b53fa8be7b2072a82d1a0c10aa9588f3c6926937205395

Download Submit
\Windows\SysWOW64\Fdapak32.exe

Filesize
145KB

MD5
8c89b4df58fd9c179c3c0900cb6f9f95

SHA1
a412b402b63d84a3a0829d2a824c8eeb00dd5e14

SHA256
18645b81760269b231f94340e97957d3488a52bbfac8cc9a52d9e21f9a87dddc

SHA512
c0a19a2571468f247fe9f95d70c7d75a832d9a0e0a6777d4c175728960047eeb1b037433a1fbd1905d9a6f27f3c5ef9ee66d4ba8310c1e0d9ddd1dc19afdde3c

Download Submit
\Windows\SysWOW64\Fddmgjpo.exe

Filesize
145KB

MD5
e651e45c1bcd53a148af850c39062b5b

SHA1
75e322b34bcc596397c03a4924f2872843901ed0

SHA256
e0e3accabffe5e72f5beb71c5deaf6d8fd79845449ec2eb03078492c37141c24

SHA512
6c6401efcb5c86b41b1e8b6a4ddcc4d941f46d464639fc64d6d7c27d4246dd55f01f1cc7328f6bc4b8a4105bcd2c02b221bb547df04816d0b3f5ed7d273e570f

Download Submit
\Windows\SysWOW64\Fiaeoang.exe

Filesize
145KB

MD5
33c530752e6b04ec21a50e24bfc50350

SHA1
08c089bddf511d4f036f5fec27e56ab19fc53239

SHA256
cfbb02dae6839b114e777ce584beeb1b3d122505bd8685e7070fdf1716c5e62f

SHA512
99ce58b0d2cc3c774815e76b03997d53d24bf515f569fd9afcf34f50d8059b734ea67c4bfe0de61aaec1fb1a343fa2ac113e56752cfee6c6667e05e46f3d9e61

Download Submit
\Windows\SysWOW64\Fioija32.exe

Filesize
145KB

MD5
f29ccfc4931e6491b07701c1fc50b355

SHA1
d9fd4d0d9335e5b3ebc130afd63f1718ea92f12e

SHA256
6444d4ca1b2a72abe2ed5be17517d79c98edfe626b613ceed8b7a95204fd05af

SHA512
77e112f8863fc8e0d9b477f3020444caf61b20abde8ef67a03de0c7309f7119c3d9ee0b06b7cea27422ced86ac36fe36f5f70b7f593344d3676cfc03beaf9465

Download Submit
\Windows\SysWOW64\Fjdbnf32.exe

Filesize
145KB

MD5
5752eeb0b78bf44cba513c0cece93101

SHA1
43b2787cb43fa309cc4c24401d63c6491f536626

SHA256
19674bc62bd58726c123321fd9843fa971623ae594bc81ebab20da3064d780d1

SHA512
caea9c4e7fafa3948dcee9db3e6e42d3838adbf0bb4a0c8f59ccabfd6d5f9a8a02551913f3f020cc22bc8ec4dc75aee059af72f797b0eb655b96c214c16ef878

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
145KB

MD5
4473d1d7e8ccf455ca6e8cc39ffccc7b

SHA1
973ff23cbc44b1937ba8e933642116d51dfa92f0

SHA256
8b8c33645eedbdb90b4708e7f3b348534e1bd979613d75bdbc350e5e948fecc9

SHA512
98636984a370f61099676a80506f40ba7052a112d83e882e8e86c38821e0a478687aae8df2c94a078557ce89f9d79c8685426a0e5f2826dd172ab8ea7f50f29e

Download Submit
\Windows\SysWOW64\Gdopkn32.exe

Filesize
145KB

MD5
a53452224a350c9d313c84a386f2e7e2

SHA1
f2363abf6237c7143eeab0e210ff8bdbc0b6a4da

SHA256
160d169220f6b5311958785ec373961472f829039e8f3851c9adcc7fd1a7f33d

SHA512
de5b5f4e2028e84d61703899165008987309f225730539ca7357884df68f1442af496bffa12820ffb28e509eedb188edd0489879cd354fb5f7e12f08d30d1d79

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
145KB

MD5
3f15b133b1ed4b8aa6838f42ef9bd5ce

SHA1
468d87b0598a3d4e6a569d270bb035e1a4cce3d6

SHA256
b6d02efe35ddb6963a66d971bfd35731c3f078e756f395d0e0b424110a24d807

SHA512
4ccf653b6afb9877e366e6e8023fe457732786b67092b27749ab1f8f58c07fe56a94850bb1d12b329fa392eb1040bd642e1e2f5ef75fb557a1ae3654d9d71fa3

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
145KB

MD5
fbda0b01e0f65a71ca8841d04b3d2b66

SHA1
b89ca8e86dec94a5430f24e5971fb398bab64509

SHA256
ce10e97d752b8b8bba4701ab3e94fb9c873f7a463439ffd5b142608aac1edbdc

SHA512
40104a3ccf16d896da6dd0507c3823f568529e808783f5a7687e49c6777308c3acb767a25bc9d09ea278ff3aa278a9c141bcaea248192b9b8ff9001a5569f242

Download Submit
\Windows\SysWOW64\Globlmmj.exe

Filesize
145KB

MD5
74ff70147a60735e2a79a001516f05d6

SHA1
8b8e6ae14b47d9af19a2869dfe352b5626a2eaf2

SHA256
9679acd7ed8a4a9552b4cc248a8ba81123044ef4b5faf8d1dc76824eb8902a8d

SHA512
dd655d8426f680562729fb1c5b563a82578cc0ea952b3e5f9abb2194c085828f794a4fbcb054955365c16ca127e0ab531cae38541b6f77174df03c8bb7df10c1

Download Submit
\Windows\SysWOW64\Gmgdddmq.exe

Filesize
145KB

MD5
c188e66d0e25b9af02c6649ab7906aed

SHA1
4a8b5e30148be94cf1d54dc43a49fe56b61c0433

SHA256
301a1b6e383e9d862cc8a1d3761339b187047cfd740f98cc81df93e0e3b8ab84

SHA512
c732ef718533ae2be734f4a60da7eab860571b76e93aa12c8ca57e468cc543e08025b8731828b5f828ccc08f2aa9998b609f3f7daacce82c208a607492711591

Download Submit
\Windows\SysWOW64\Goddhg32.exe

Filesize
145KB

MD5
b84fd4f8e294872644a7b02b95dc9a4b

SHA1
25410d931fa9aff694130f8a9896a83507d7d050

SHA256
9c8a377055b9acd7e0ada246c78c12d903e95c6a64de46481abafa53fa7488b9

SHA512
d6a7e83a309810efc8e719d5b661bcc8124379fbc247478b69b63bc86409aebd05f20f31d9c8f6e8474a7709be3750b3d84b812cf2ac40e91e037ad3ea5a69e8

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
145KB

MD5
c768cc943221b60e50aa68c3bea637e9

SHA1
8a066f2e51eaa31995523b99cc5522137df86125

SHA256
6fe0cc611a83f5d45ff7df0cc59dd10ae967f4a88cd649a5a5f4aacbed8f5287

SHA512
ea93e40c3fc7c97e3a9bb341b5aaf1fbd7bedea9063870e961f335f90fda1e45ca1637446f030b5dd66525807fd55507a9fe1d0c7865f99cf5601a1051dd8f07

Download Submit
memory/372-466-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/372-151-0x00000000005E0000-0x000000000062E000-memory.dmp

Filesize
312KB

Download
memory/372-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/784-163-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/784-468-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/900-255-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/900-246-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/900-482-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/900-260-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/976-183-0x0000000001F40000-0x0000000001F8E000-memory.dmp

Filesize
312KB

Download
memory/976-171-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/976-470-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1172-267-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/1172-484-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1172-262-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1172-266-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/1180-325-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/1180-494-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1180-312-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1232-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1232-21-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/1232-446-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1284-289-0x0000000001F40000-0x0000000001F8E000-memory.dmp

Filesize
312KB

Download
memory/1284-285-0x0000000001F40000-0x0000000001F8E000-memory.dmp

Filesize
312KB

Download
memory/1284-278-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1284-488-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1516-332-0x00000000003B0000-0x00000000003FE000-memory.dmp

Filesize
312KB

Download
memory/1516-326-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1516-496-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1516-331-0x00000000003B0000-0x00000000003FE000-memory.dmp

Filesize
312KB

Download
memory/1544-106-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1544-460-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1564-198-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1564-474-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1564-210-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/1564-209-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/1724-472-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1796-480-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1796-239-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1796-244-0x0000000000300000-0x000000000034E000-memory.dmp

Filesize
312KB

Download
memory/1796-245-0x0000000000300000-0x000000000034E000-memory.dmp

Filesize
312KB

Download
memory/1900-290-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1900-299-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/1900-300-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/1900-490-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2020-478-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2020-233-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2020-238-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2020-224-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2156-464-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2400-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2400-6-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/2400-444-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2432-376-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2464-374-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/2464-375-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/2464-373-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2464-506-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2480-456-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2532-462-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2532-128-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/2532-118-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2540-40-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2540-450-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2548-53-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2548-452-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2556-352-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2556-500-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2556-353-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2580-38-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/2580-448-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2604-75-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/2604-454-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2604-66-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2620-502-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2620-368-0x0000000000290000-0x00000000002DE000-memory.dmp

Filesize
312KB

Download
memory/2620-372-0x0000000000290000-0x00000000002DE000-memory.dmp

Filesize
312KB

Download
memory/2620-354-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2676-347-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/2676-346-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/2676-333-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2676-498-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2840-284-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/2840-268-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2840-277-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/2840-486-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2900-92-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2900-458-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3000-311-0x0000000001F70000-0x0000000001FBE000-memory.dmp

Filesize
312KB

Download
memory/3000-492-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3000-304-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3000-310-0x0000000001F70000-0x0000000001FBE000-memory.dmp

Filesize
312KB

Download
memory/3064-476-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3064-212-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3064-223-0x0000000000280000-0x00000000002CE000-memory.dmp

Filesize
312KB

Download
memory/3064-222-0x0000000000280000-0x00000000002CE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads