c8e9d09ad447ee95b879b7a55829d94a1aac2ecc6546942b9e08f7e3e5709088

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Size

400KB
MD5

15282a5c1d8e03a448ebc0b70e702a4c
SHA1

b0ace68b21297d0e28d9be701ec587f9e0de0cb3
SHA256

f6375abc46dcbce112a1e3ba861c41334dba32a4957dc4d7ef8b46da979ffadd
SHA512

1bde2938591cb4eda5e1718b28c69aab9f7b7f978fb583183dafe2a5b630231b13c26f695f510d7a3dd61a53ea843ae8a27bac3967e58b38f5c5a7e306ef2091
SSDEEP

6144:6u/L2rwCO+xqtDyB8LoedCFJ369BJ369vpui6yYPaIGckvNP9T9pui6yYPaIGckv:7uYtyWUedCv2EpV6yYPaNFZpV6yYPo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hgilchkf.exeIhoafpmp.exeIknnbklc.exeHpmgqnfl.exeGgpimica.exeHjhhocjj.exeIcbimi32.exeFiaeoang.exeGpmjak32.exeHckcmjep.exe[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exeGobgcg32.exeHnojdcfi.exeHnagjbdf.exeHhmepp32.exeGdopkn32.exeGacpdbej.exeHlcgeo32.exeHcplhi32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gacpdbej.exe

Executes dropped EXE 19 IoCs

Processes:

Fiaeoang.exeGpmjak32.exeGobgcg32.exeGdopkn32.exeGacpdbej.exeGgpimica.exeHnojdcfi.exeHpmgqnfl.exeHckcmjep.exeHnagjbdf.exeHlcgeo32.exeHgilchkf.exeHjhhocjj.exeHcplhi32.exeHhmepp32.exeIcbimi32.exeIhoafpmp.exeIknnbklc.exeIagfoe32.exe

pid	process
2568	Fiaeoang.exe
2692	Gpmjak32.exe
2744	Gobgcg32.exe
2740	Gdopkn32.exe
2528	Gacpdbej.exe
2916	Ggpimica.exe
1544	Hnojdcfi.exe
2800	Hpmgqnfl.exe
2452	Hckcmjep.exe
1884	Hnagjbdf.exe
2360	Hlcgeo32.exe
1440	Hgilchkf.exe
1684	Hjhhocjj.exe
2264	Hcplhi32.exe
1400	Hhmepp32.exe
1112	Icbimi32.exe
404	Ihoafpmp.exe
1704	Iknnbklc.exe
1476	Iagfoe32.exe

Loads dropped DLL 42 IoCs

Processes:

[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exeFiaeoang.exeGpmjak32.exeGobgcg32.exeGdopkn32.exeGacpdbej.exeGgpimica.exeHnojdcfi.exeHpmgqnfl.exeHckcmjep.exeHnagjbdf.exeHlcgeo32.exeHgilchkf.exeHjhhocjj.exeHcplhi32.exeHhmepp32.exeIcbimi32.exeIhoafpmp.exeIknnbklc.exeWerFault.exe

pid	process
2556	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
2556	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
2568	Fiaeoang.exe
2568	Fiaeoang.exe
2692	Gpmjak32.exe
2692	Gpmjak32.exe
2744	Gobgcg32.exe
2744	Gobgcg32.exe
2740	Gdopkn32.exe
2740	Gdopkn32.exe
2528	Gacpdbej.exe
2528	Gacpdbej.exe
2916	Ggpimica.exe
2916	Ggpimica.exe
1544	Hnojdcfi.exe
1544	Hnojdcfi.exe
2800	Hpmgqnfl.exe
2800	Hpmgqnfl.exe
2452	Hckcmjep.exe
2452	Hckcmjep.exe
1884	Hnagjbdf.exe
1884	Hnagjbdf.exe
2360	Hlcgeo32.exe
2360	Hlcgeo32.exe
1440	Hgilchkf.exe
1440	Hgilchkf.exe
1684	Hjhhocjj.exe
1684	Hjhhocjj.exe
2264	Hcplhi32.exe
2264	Hcplhi32.exe
1400	Hhmepp32.exe
1400	Hhmepp32.exe
1112	Icbimi32.exe
1112	Icbimi32.exe
404	Ihoafpmp.exe
404	Ihoafpmp.exe
1704	Iknnbklc.exe
1704	Iknnbklc.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe

Drops file in System32 directory 57 IoCs

Processes:

Hhmepp32.exeGgpimica.exeHckcmjep.exeHgilchkf.exeGacpdbej.exeGpmjak32.exeHjhhocjj.exeIhoafpmp.exeIknnbklc.exeGobgcg32.exeGdopkn32.exeHnagjbdf.exe[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exeIcbimi32.exeHpmgqnfl.exeHlcgeo32.exeHnojdcfi.exeFiaeoang.exeHcplhi32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Fiaeoang.exe	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gpmjak32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1296 1476 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
1296	1476	WerFault.exe	Iagfoe32.exe

Modifies registry class 60 IoCs

Processes:

Ggpimica.exeHlcgeo32.exeIhoafpmp.exe[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exeGacpdbej.exeHpmgqnfl.exeHnagjbdf.exeHckcmjep.exeHcplhi32.exeIcbimi32.exeIknnbklc.exeGdopkn32.exeFiaeoang.exeHhmepp32.exeHnojdcfi.exeHgilchkf.exeGobgcg32.exeGpmjak32.exeHjhhocjj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2556 wrote to memory of 2568	2556	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe	Fiaeoang.exe
PID 2556 wrote to memory of 2568	2556	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe	Fiaeoang.exe
PID 2556 wrote to memory of 2568	2556	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe	Fiaeoang.exe
PID 2556 wrote to memory of 2568	2556	[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe	Fiaeoang.exe
PID 2568 wrote to memory of 2692	2568	Fiaeoang.exe	Gpmjak32.exe
PID 2568 wrote to memory of 2692	2568	Fiaeoang.exe	Gpmjak32.exe
PID 2568 wrote to memory of 2692	2568	Fiaeoang.exe	Gpmjak32.exe
PID 2568 wrote to memory of 2692	2568	Fiaeoang.exe	Gpmjak32.exe
PID 2692 wrote to memory of 2744	2692	Gpmjak32.exe	Gobgcg32.exe
PID 2692 wrote to memory of 2744	2692	Gpmjak32.exe	Gobgcg32.exe
PID 2692 wrote to memory of 2744	2692	Gpmjak32.exe	Gobgcg32.exe
PID 2692 wrote to memory of 2744	2692	Gpmjak32.exe	Gobgcg32.exe
PID 2744 wrote to memory of 2740	2744	Gobgcg32.exe	Gdopkn32.exe
PID 2744 wrote to memory of 2740	2744	Gobgcg32.exe	Gdopkn32.exe
PID 2744 wrote to memory of 2740	2744	Gobgcg32.exe	Gdopkn32.exe
PID 2744 wrote to memory of 2740	2744	Gobgcg32.exe	Gdopkn32.exe
PID 2740 wrote to memory of 2528	2740	Gdopkn32.exe	Gacpdbej.exe
PID 2740 wrote to memory of 2528	2740	Gdopkn32.exe	Gacpdbej.exe
PID 2740 wrote to memory of 2528	2740	Gdopkn32.exe	Gacpdbej.exe
PID 2740 wrote to memory of 2528	2740	Gdopkn32.exe	Gacpdbej.exe
PID 2528 wrote to memory of 2916	2528	Gacpdbej.exe	Ggpimica.exe
PID 2528 wrote to memory of 2916	2528	Gacpdbej.exe	Ggpimica.exe
PID 2528 wrote to memory of 2916	2528	Gacpdbej.exe	Ggpimica.exe
PID 2528 wrote to memory of 2916	2528	Gacpdbej.exe	Ggpimica.exe
PID 2916 wrote to memory of 1544	2916	Ggpimica.exe	Hnojdcfi.exe
PID 2916 wrote to memory of 1544	2916	Ggpimica.exe	Hnojdcfi.exe
PID 2916 wrote to memory of 1544	2916	Ggpimica.exe	Hnojdcfi.exe
PID 2916 wrote to memory of 1544	2916	Ggpimica.exe	Hnojdcfi.exe
PID 1544 wrote to memory of 2800	1544	Hnojdcfi.exe	Hpmgqnfl.exe
PID 1544 wrote to memory of 2800	1544	Hnojdcfi.exe	Hpmgqnfl.exe
PID 1544 wrote to memory of 2800	1544	Hnojdcfi.exe	Hpmgqnfl.exe
PID 1544 wrote to memory of 2800	1544	Hnojdcfi.exe	Hpmgqnfl.exe
PID 2800 wrote to memory of 2452	2800	Hpmgqnfl.exe	Hckcmjep.exe
PID 2800 wrote to memory of 2452	2800	Hpmgqnfl.exe	Hckcmjep.exe
PID 2800 wrote to memory of 2452	2800	Hpmgqnfl.exe	Hckcmjep.exe
PID 2800 wrote to memory of 2452	2800	Hpmgqnfl.exe	Hckcmjep.exe
PID 2452 wrote to memory of 1884	2452	Hckcmjep.exe	Hnagjbdf.exe
PID 2452 wrote to memory of 1884	2452	Hckcmjep.exe	Hnagjbdf.exe
PID 2452 wrote to memory of 1884	2452	Hckcmjep.exe	Hnagjbdf.exe
PID 2452 wrote to memory of 1884	2452	Hckcmjep.exe	Hnagjbdf.exe
PID 1884 wrote to memory of 2360	1884	Hnagjbdf.exe	Hlcgeo32.exe
PID 1884 wrote to memory of 2360	1884	Hnagjbdf.exe	Hlcgeo32.exe
PID 1884 wrote to memory of 2360	1884	Hnagjbdf.exe	Hlcgeo32.exe
PID 1884 wrote to memory of 2360	1884	Hnagjbdf.exe	Hlcgeo32.exe
PID 2360 wrote to memory of 1440	2360	Hlcgeo32.exe	Hgilchkf.exe
PID 2360 wrote to memory of 1440	2360	Hlcgeo32.exe	Hgilchkf.exe
PID 2360 wrote to memory of 1440	2360	Hlcgeo32.exe	Hgilchkf.exe
PID 2360 wrote to memory of 1440	2360	Hlcgeo32.exe	Hgilchkf.exe
PID 1440 wrote to memory of 1684	1440	Hgilchkf.exe	Hjhhocjj.exe
PID 1440 wrote to memory of 1684	1440	Hgilchkf.exe	Hjhhocjj.exe
PID 1440 wrote to memory of 1684	1440	Hgilchkf.exe	Hjhhocjj.exe
PID 1440 wrote to memory of 1684	1440	Hgilchkf.exe	Hjhhocjj.exe
PID 1684 wrote to memory of 2264	1684	Hjhhocjj.exe	Hcplhi32.exe
PID 1684 wrote to memory of 2264	1684	Hjhhocjj.exe	Hcplhi32.exe
PID 1684 wrote to memory of 2264	1684	Hjhhocjj.exe	Hcplhi32.exe
PID 1684 wrote to memory of 2264	1684	Hjhhocjj.exe	Hcplhi32.exe
PID 2264 wrote to memory of 1400	2264	Hcplhi32.exe	Hhmepp32.exe
PID 2264 wrote to memory of 1400	2264	Hcplhi32.exe	Hhmepp32.exe
PID 2264 wrote to memory of 1400	2264	Hcplhi32.exe	Hhmepp32.exe
PID 2264 wrote to memory of 1400	2264	Hcplhi32.exe	Hhmepp32.exe
PID 1400 wrote to memory of 1112	1400	Hhmepp32.exe	Icbimi32.exe
PID 1400 wrote to memory of 1112	1400	Hhmepp32.exe	Icbimi32.exe
PID 1400 wrote to memory of 1112	1400	Hhmepp32.exe	Icbimi32.exe
PID 1400 wrote to memory of 1112	1400	Hhmepp32.exe	Icbimi32.exe

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]15282a5c1d8e03a448ebc0b70e702a4c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\Fiaeoang.exe
  C:\Windows\system32\Fiaeoang.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\Gpmjak32.exe
    C:\Windows\system32\Gpmjak32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\Gobgcg32.exe
      C:\Windows\system32\Gobgcg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        20⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Elpbcapg.dll

Filesize
7KB

MD5
7e61ea8365f15740a8e493d35306698b

SHA1
e78ef57936a4b65207ecb1edd7982b9e2199992c

SHA256
6c2b3cd376131d828c2fa8d23efe4d549d1d29e1da4223a773688cacd0f33b5d

SHA512
21e5d07c803b21d4a479bc91f2aaff50546c3bc8baa73d5a4483e804c1afd1e1c73e3e9cec3a485716eb632c8b2c1ecb1fa1fc75f09e5f2581d02f7956d655f0

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
400KB

MD5
e9e133dd2ae88be6263f2ab5dd1da4e8

SHA1
0865325632cab78e09ba7c183ce00de0cf55959e

SHA256
af16c11f9d85cc94aba3183a4d779b7834011158a5c5b36c9e1838cbbe3fb494

SHA512
79e2501b3caaa60248b663f5abe1060c06b2bc73825f39d0a1323c7e33a4d159d992af893a58c0f335ba19234c0708252570c26bd8027122ce0f227b43928842

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
400KB

MD5
edc4fc9f71620654f80b33c1939f4cab

SHA1
955d54dcc2f9b9bbd5ccccd3731509343a64f6b0

SHA256
a98a9f4b25da88b75ca061b54f46b9c2eb3d32917a7d29010028fee0c9d2f752

SHA512
4b40d2a42c1cc6ab45cba09cd6c693f5ed4add8c60f1fc54363c0fe69314c681281a8b95af4329bef4113cf9b53820622319d31a9caa28672d17c083013c61c7

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
400KB

MD5
2e7775d327ea4c6b93243d88019fbb1d

SHA1
94771205f2a2647bce3dd5262d427031e7ffd81f

SHA256
aaaef232eeec8e1105109691ea62462e5b63408f79892e4215f3d0b75616c0cb

SHA512
45f6ea78226adf871d8e84600d7c9708ff8d3204d0b9d65e4316990a3c10fd3ae5c245fa21d626ae41693c7200d157343ce25872cf2937a709e441c68d034d6f

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
400KB

MD5
4883bb5228962293c378a0088c5dc17b

SHA1
5602b54b0892b33f9e9dcfc95900b8d1d9f9da7b

SHA256
a6be4c674e24c68f5b399bf75e99c79895fff56ab711af36ef18bdf497f1b921

SHA512
8524f3217cfd6de44b9dfae59616f5ca5e5ebbac00370fb63d2fc6d404f475d8201b2ba9bb0b349db0ba376d7eda4bd9991eaac1f0978d3582033753df86924e

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
400KB

MD5
c68648bc1dd559c5c14c1c35d09126f1

SHA1
ed407ea7dd3089443c87adaefeea6dd1abb0ccaf

SHA256
12722f7e53e0685bb62f464a00139cb0735357e33984ee654e4cd4980e53ebe7

SHA512
62ceda0f979f8a9df69e87b9e2db88ff3130be272363e2c5696ead1386f67e20539177f604f43dde4aa7679ca2c1ef11e52bc5f492e85880e41762acdb07edb2

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
400KB

MD5
af42cb9704707c1005a03a4b9c0f22c0

SHA1
2a6e3014e645eccaf8f9035e5bd76326903ff9dc

SHA256
2236578b47be2d0e6154622fb331eabd9fa12d72b6c52461f39a084c2842267b

SHA512
e8d725a43e2d10b817e538b992c3fb36e50197d4387f56580ddc931bc8bd5e54de4331db1bc817cb365f7f2630eebcb7c22c5f1b8e7a466de9abd7c9cecf85a6

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
400KB

MD5
495cfcaae75361e2fe4f494dbdb03313

SHA1
51158c68bd70dd1649473eef7c9f82ab73110764

SHA256
641601fd6778d7601da56c02467cf513a7e581ec76e563c6d09a6761cc7b71e0

SHA512
caabd2f5d770e40dd9a15017f5feb0ab09e166e63e2730d2ed0274196ed493e7714f21ac6f7de687d208e6ed0112403dafa9ae922ceef8c13557996b45a36a4b

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
400KB

MD5
8653dd9be5ec0e5acac48e21951d8b1d

SHA1
2890ea02e01dba00cd276c71e73c141bcb807c5f

SHA256
29374c662f9f4651165764d52c723b4142d6da5801f00a282de7b32ff3712fea

SHA512
ef881146cea5102638aa3ad3a4c881a7ab7149ca903ac6c4275db79085923ccb63885357fea5a19567a3876ca7b01717017ddeab775e4bad18f782c23cb6cd9d

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
400KB

MD5
8bb0a5b1132dc965a7918180285914b3

SHA1
3a96ba03b8320b33481b54395f87fb3f6ea0c1f8

SHA256
5f5d589888f14f02e05a6579bc9828bab8222632f3d45af45d327d4749212bcd

SHA512
a933bcbfcf5512eff06594fcc217f330e02fe3d4d73a39fdadaaf6660957766fa4392bb6d6614044b6fe2bc0c27057c59e755438ad95eabc05aa1556aaa7fce9

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
400KB

MD5
963400d9c074d99e5482025f65170f51

SHA1
9ace5f5b49d95c32170efa2acdef41e73a4c36f0

SHA256
c00c599a2ae5f4792bcb86c1afd7b42006216312270c9bebb4c1ed7f61039ee4

SHA512
180fd8e7eeda233b4a16e849582d271690902c274d27f67ac3e5c7ab65e18288bc8594c1ca6e740c654ee980005a8760157fe6e20548a312d43960d58786dfd1

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
400KB

MD5
d6d48216ee03411d8e3de0236bd51dfc

SHA1
43ee07d8da5b18362f2d9d0fddf5e18b3d2e20b2

SHA256
95ad1ac927967236cfa8cd114bceafea74e10c574ca4d820484511e74da4496d

SHA512
35e150be4ad074077e99a65f98e1806034ca8289803e6f2750c1f9d4154fda95fc610580474f4a1814fdbc77e592a62031b8cedc285b173ddfc1a9b9ec16b77d

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
400KB

MD5
2fc4b06c0d3225e37fc65598a3e0d8cd

SHA1
ee93d7500fde89099f491593412512da42e48786

SHA256
20133655fe697cdfa643659214569831db897ea33b1affb8287df460310c6a2f

SHA512
878dd54838abd3f2378ab076c48c6f13ac80c0dc0bbc3b7f4ac0dc775536c465df43de19758c529a2bc635c646b47a65fba084314b49f98d4b4822a55f557df4

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
400KB

MD5
ce1f050a6ece1c4081847699cfd970d7

SHA1
93b124435b8b79335bb57b5f01309f04bf47da2d

SHA256
5cb3264f5874afbc1996dc268f5e1a1727c1fbbd62f50a80b8a4a9d99a8880af

SHA512
25b519031d4d8899536929b617b5932a10c0f24cd4e92cb33277aa49fe8c1236c9b2312eae7c3de42e9a7605e4720b96fc128329b6c87012c6601c2d45acc44a

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
400KB

MD5
6e4f8e615384ea6bd0d450fa9a463b3a

SHA1
0c91afee940b3f6fc1bff9b255b3317411a4d3bf

SHA256
38d3b76528a07baefc7887f84dbd09a5ff7917acceca98274cefa5a4159a6341

SHA512
a50e9958bde7b94b2397410c6cf1b05b3e4b20ac87e4ea9b0a19982566446c77d45856878afd850ff84acdecff3f02e72fad7d53d4f26a8cc34156b7208ee5c0

Download Submit
\Windows\SysWOW64\Fiaeoang.exe

Filesize
400KB

MD5
b0d350a19b7d4be9d9697ebf3564f816

SHA1
a4962846ead2d56af256102eab601041bba0822a

SHA256
11fbbabca1374a671a7aa7e318c8183512e14fea449284360525ddf0d1f70ce6

SHA512
363f05eeaa2045f711bb3c28ecfe930c79622c48a15cc8ca49e13d4404a86b7b67bb64b5ea3b4b4ef07fe4911cac720fe6bcc8f3ca7ef712d6bea79de706f7c3

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
400KB

MD5
eddd6d1c2693e845d15076a49c4da6b4

SHA1
b200254b8f054b19dc0c5fdd6149a70357723383

SHA256
01d4b6eb04bf4fd813789bc318003a4fc46f2b39a91de22d5c0e6d7f8752efdf

SHA512
1caeb3f5b1840fa24922e11b465a65cae04c7f1b6857a673daae74bb71e465d8a082a76879af5e1f087c59ce0dda29a482dc0e2a9008e6279dbd4d237e4d9de2

Download Submit
\Windows\SysWOW64\Ggpimica.exe

Filesize
400KB

MD5
3c9f9c58a393f6e5d18ae6693744d4ab

SHA1
e439af51026da804028689023a74394235500f43

SHA256
c9e59e2157b4b10440c34aa7c39c767af8946227695e11ecbde8cff9bec67d67

SHA512
aee209f6c7b8b21af8d4ef1e4605f52ccefaded0f12de15efd00b52124cb808d4c2fdd03f3f1ee0a6ef97df5ab4508fb9022f9dd7f00107ae8d9115b76994522

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
400KB

MD5
252f9121cc7ac71e617451226ded385c

SHA1
84c49340c3827d6a3bbe74de3c675e74f2c782fc

SHA256
2cfbf099fe503940556def941857cbb9db83b2fccd3d5b4199f31302e68fa6f0

SHA512
e01bb54ea4ce1ba4b9732ceb132d46a6d6f026978b7eaa0cd0215bd82d8f25052ec802c134d7732881109d5fc4b187a7f48f6be1f508a608f3a5f56b0de3649c

Download Submit
\Windows\SysWOW64\Hckcmjep.exe

Filesize
400KB

MD5
328bd3444025b810127028f74259c84e

SHA1
b275e0db6622e54444162866a78c1b31aba7992f

SHA256
4f8ff08ac479a452f316b954a825caa5ceeeafabef72b9d35576cfaecc358dc3

SHA512
15e9b1f2cc8fb581fb6865099faf73dd13126c8d808fef8c4fb32971edf36e0d71342f0ae81cdda64e44ccaf27b2cf17c035ecba40b65b5211f2a16ecf90bbf0

Download Submit
memory/404-246-0x00000000004B0000-0x000000000050A000-memory.dmp

Filesize
360KB

Download
memory/404-241-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/404-337-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1112-225-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1112-232-0x0000000000320000-0x000000000037A000-memory.dmp

Filesize
360KB

Download
memory/1112-239-0x0000000000320000-0x000000000037A000-memory.dmp

Filesize
360KB

Download
memory/1112-332-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1400-212-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1400-224-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download
memory/1400-330-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1440-181-0x0000000000370000-0x00000000003CA000-memory.dmp

Filesize
360KB

Download
memory/1440-324-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1440-168-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1476-258-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1544-314-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1544-104-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1684-182-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1684-195-0x00000000002B0000-0x000000000030A000-memory.dmp

Filesize
360KB

Download
memory/1684-326-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1704-256-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/1704-257-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/1704-247-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1704-339-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1884-153-0x00000000002D0000-0x000000000032A000-memory.dmp

Filesize
360KB

Download
memory/1884-320-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1884-141-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2264-328-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2264-211-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download
memory/2264-204-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download
memory/2264-196-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2360-167-0x0000000000370000-0x00000000003CA000-memory.dmp

Filesize
360KB

Download
memory/2360-154-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2360-322-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2452-126-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2452-139-0x0000000000620000-0x000000000067A000-memory.dmp

Filesize
360KB

Download
memory/2452-318-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2528-75-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2528-84-0x00000000002A0000-0x00000000002FA000-memory.dmp

Filesize
360KB

Download
memory/2528-310-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2556-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2556-6-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download
memory/2556-300-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2568-27-0x00000000004D0000-0x000000000052A000-memory.dmp

Filesize
360KB

Download
memory/2568-26-0x00000000004D0000-0x000000000052A000-memory.dmp

Filesize
360KB

Download
memory/2568-302-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2568-13-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2692-35-0x00000000002E0000-0x000000000033A000-memory.dmp

Filesize
360KB

Download
memory/2692-304-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2692-42-0x00000000002E0000-0x000000000033A000-memory.dmp

Filesize
360KB

Download
memory/2692-28-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2740-308-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2740-57-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2740-64-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download
memory/2744-306-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2744-43-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2744-56-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download
memory/2800-124-0x00000000002D0000-0x000000000032A000-memory.dmp

Filesize
360KB

Download
memory/2800-112-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2800-316-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2916-85-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2916-312-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2916-93-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download