deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
Size

94KB
MD5

4eca43b67924b0f0dcb8a7afaaf2e68e
SHA1

c0781c34a9f55745bc6a90e550b879a2ea4b94be
SHA256

deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e
SHA512

290561dc0660ade6d5f1d5e47f84e80a4d3706401b43e9e3942ceac784f205883149f78a36f6b91722f1e8df09898345be669fc82237458aad140c7f0d9312ea
SSDEEP

1536:XruXOkeatshfVZ7ZGNfmnGZDaa+oA/PXwRQDHRfRa9HprmRfRZ:7EbeayBMfmnIDatoVeDH5wkpv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe

Executes dropped EXE 36 IoCs

pid	Process
2136	Fmcoja32.exe
3056	Fcmgfkeg.exe
2688	Fnbkddem.exe
2596	Fpdhklkl.exe
2960	Fmhheqje.exe
2484	Fpfdalii.exe
3040	Fjlhneio.exe
788	Flmefm32.exe
2776	Ffbicfoc.exe
1612	Fiaeoang.exe
1956	Gonnhhln.exe
2168	Gegfdb32.exe
664	Ghfbqn32.exe
268	Gangic32.exe
2236	Gieojq32.exe
2068	Gobgcg32.exe
2248	Gdopkn32.exe
804	Glfhll32.exe
2924	Gmgdddmq.exe
1084	Gacpdbej.exe
1656	Gkkemh32.exe
1880	Gmjaic32.exe
1912	Hknach32.exe
604	Hpkjko32.exe
2836	Hkpnhgge.exe
1240	Hicodd32.exe
2984	Hlakpp32.exe
2580	Hckcmjep.exe
2728	Hobcak32.exe
2664	Hhjhkq32.exe
2464	Hlfdkoin.exe
2920	Hjjddchg.exe
2128	Hlhaqogk.exe
2456	Ieqeidnl.exe
2032	Ioijbj32.exe
2044	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
1484	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
1484	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
2136	Fmcoja32.exe
2136	Fmcoja32.exe
3056	Fcmgfkeg.exe
3056	Fcmgfkeg.exe
2688	Fnbkddem.exe
2688	Fnbkddem.exe
2596	Fpdhklkl.exe
2596	Fpdhklkl.exe
2960	Fmhheqje.exe
2960	Fmhheqje.exe
2484	Fpfdalii.exe
2484	Fpfdalii.exe
3040	Fjlhneio.exe
3040	Fjlhneio.exe
788	Flmefm32.exe
788	Flmefm32.exe
2776	Ffbicfoc.exe
2776	Ffbicfoc.exe
1612	Fiaeoang.exe
1612	Fiaeoang.exe
1956	Gonnhhln.exe
1956	Gonnhhln.exe
2168	Gegfdb32.exe
2168	Gegfdb32.exe
664	Ghfbqn32.exe
664	Ghfbqn32.exe
268	Gangic32.exe
268	Gangic32.exe
2236	Gieojq32.exe
2236	Gieojq32.exe
2068	Gobgcg32.exe
2068	Gobgcg32.exe
2248	Gdopkn32.exe
2248	Gdopkn32.exe
804	Glfhll32.exe
804	Glfhll32.exe
2924	Gmgdddmq.exe
2924	Gmgdddmq.exe
1084	Gacpdbej.exe
1084	Gacpdbej.exe
1656	Gkkemh32.exe
1656	Gkkemh32.exe
1880	Gmjaic32.exe
1880	Gmjaic32.exe
1912	Hknach32.exe
1912	Hknach32.exe
604	Hpkjko32.exe
604	Hpkjko32.exe
2836	Hkpnhgge.exe
2836	Hkpnhgge.exe
1240	Hicodd32.exe
1240	Hicodd32.exe
2984	Hlakpp32.exe
2984	Hlakpp32.exe
2580	Hckcmjep.exe
2580	Hckcmjep.exe
2728	Hobcak32.exe
2728	Hobcak32.exe
2664	Hhjhkq32.exe
2664	Hhjhkq32.exe
2464	Hlfdkoin.exe
2464	Hlfdkoin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
File created	C:\Windows\SysWOW64\Bccnbmal.dll	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Fiaeoang.exe	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Lghegkoc.dll	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fpdhklkl.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjlhneio.exe	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Fpdhklkl.exe	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Fpfdalii.exe	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Fpfdalii.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gmjaic32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1936	2044	WerFault.exe	63

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghfbqn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2136	1484	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe	28
PID 1484 wrote to memory of 2136	1484	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe	28
PID 1484 wrote to memory of 2136	1484	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe	28
PID 1484 wrote to memory of 2136	1484	deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe	28
PID 2136 wrote to memory of 3056	2136	Fmcoja32.exe	29
PID 2136 wrote to memory of 3056	2136	Fmcoja32.exe	29
PID 2136 wrote to memory of 3056	2136	Fmcoja32.exe	29
PID 2136 wrote to memory of 3056	2136	Fmcoja32.exe	29
PID 3056 wrote to memory of 2688	3056	Fcmgfkeg.exe	30
PID 3056 wrote to memory of 2688	3056	Fcmgfkeg.exe	30
PID 3056 wrote to memory of 2688	3056	Fcmgfkeg.exe	30
PID 3056 wrote to memory of 2688	3056	Fcmgfkeg.exe	30
PID 2688 wrote to memory of 2596	2688	Fnbkddem.exe	31
PID 2688 wrote to memory of 2596	2688	Fnbkddem.exe	31
PID 2688 wrote to memory of 2596	2688	Fnbkddem.exe	31
PID 2688 wrote to memory of 2596	2688	Fnbkddem.exe	31
PID 2596 wrote to memory of 2960	2596	Fpdhklkl.exe	32
PID 2596 wrote to memory of 2960	2596	Fpdhklkl.exe	32
PID 2596 wrote to memory of 2960	2596	Fpdhklkl.exe	32
PID 2596 wrote to memory of 2960	2596	Fpdhklkl.exe	32
PID 2960 wrote to memory of 2484	2960	Fmhheqje.exe	33
PID 2960 wrote to memory of 2484	2960	Fmhheqje.exe	33
PID 2960 wrote to memory of 2484	2960	Fmhheqje.exe	33
PID 2960 wrote to memory of 2484	2960	Fmhheqje.exe	33
PID 2484 wrote to memory of 3040	2484	Fpfdalii.exe	34
PID 2484 wrote to memory of 3040	2484	Fpfdalii.exe	34
PID 2484 wrote to memory of 3040	2484	Fpfdalii.exe	34
PID 2484 wrote to memory of 3040	2484	Fpfdalii.exe	34
PID 3040 wrote to memory of 788	3040	Fjlhneio.exe	35
PID 3040 wrote to memory of 788	3040	Fjlhneio.exe	35
PID 3040 wrote to memory of 788	3040	Fjlhneio.exe	35
PID 3040 wrote to memory of 788	3040	Fjlhneio.exe	35
PID 788 wrote to memory of 2776	788	Flmefm32.exe	36
PID 788 wrote to memory of 2776	788	Flmefm32.exe	36
PID 788 wrote to memory of 2776	788	Flmefm32.exe	36
PID 788 wrote to memory of 2776	788	Flmefm32.exe	36
PID 2776 wrote to memory of 1612	2776	Ffbicfoc.exe	37
PID 2776 wrote to memory of 1612	2776	Ffbicfoc.exe	37
PID 2776 wrote to memory of 1612	2776	Ffbicfoc.exe	37
PID 2776 wrote to memory of 1612	2776	Ffbicfoc.exe	37
PID 1612 wrote to memory of 1956	1612	Fiaeoang.exe	38
PID 1612 wrote to memory of 1956	1612	Fiaeoang.exe	38
PID 1612 wrote to memory of 1956	1612	Fiaeoang.exe	38
PID 1612 wrote to memory of 1956	1612	Fiaeoang.exe	38
PID 1956 wrote to memory of 2168	1956	Gonnhhln.exe	39
PID 1956 wrote to memory of 2168	1956	Gonnhhln.exe	39
PID 1956 wrote to memory of 2168	1956	Gonnhhln.exe	39
PID 1956 wrote to memory of 2168	1956	Gonnhhln.exe	39
PID 2168 wrote to memory of 664	2168	Gegfdb32.exe	40
PID 2168 wrote to memory of 664	2168	Gegfdb32.exe	40
PID 2168 wrote to memory of 664	2168	Gegfdb32.exe	40
PID 2168 wrote to memory of 664	2168	Gegfdb32.exe	40
PID 664 wrote to memory of 268	664	Ghfbqn32.exe	41
PID 664 wrote to memory of 268	664	Ghfbqn32.exe	41
PID 664 wrote to memory of 268	664	Ghfbqn32.exe	41
PID 664 wrote to memory of 268	664	Ghfbqn32.exe	41
PID 268 wrote to memory of 2236	268	Gangic32.exe	42
PID 268 wrote to memory of 2236	268	Gangic32.exe	42
PID 268 wrote to memory of 2236	268	Gangic32.exe	42
PID 268 wrote to memory of 2236	268	Gangic32.exe	42
PID 2236 wrote to memory of 2068	2236	Gieojq32.exe	43
PID 2236 wrote to memory of 2068	2236	Gieojq32.exe	43
PID 2236 wrote to memory of 2068	2236	Gieojq32.exe	43
PID 2236 wrote to memory of 2068	2236	Gieojq32.exe	43

C:\Users\Admin\AppData\Local\Temp\deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe
"C:\Users\Admin\AppData\Local\Temp\deeb032f8e6cdc7dee248be52aec3146eb710ad621e3bd0164e771926fef113e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\Fmcoja32.exe
  C:\Windows\system32\Fmcoja32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\Fcmgfkeg.exe
    C:\Windows\system32\Fcmgfkeg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\Fnbkddem.exe
      C:\Windows\system32\Fnbkddem.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Fpdhklkl.exe
        
        C:\Windows\system32\Fpdhklkl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        37⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 140
        38⤵
        Program crash
        
        PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
94KB

MD5
57ac6cf00342f74ea25e687f181c05a4

SHA1
a296fd9f201db04749ddc1b9297cea941d3fba6d

SHA256
7cda8d72cc6532024b3dabbc718a24738173671aac313ce042eeb7a108cd9c91

SHA512
a5d52b3a11b25e8ed714bf9fd8e751ac3f0872f5a33996e3355c013575223cb4ae05268a00bfc31b9fa796a428b09939ee67ae76e3030a8d9adbf0ba499a65b3

Download Submit
C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
94KB

MD5
894c4d3a492e36a852e6d9fdb2c9293b

SHA1
1ca8aa5b13d0be0884d1c9742aae1b6c63c146d0

SHA256
885e910a9e39e01d634b09b1b98c2b3125c4a35e15fbfc251105bc8649c2c66b

SHA512
b212fb2f4eef9cf93e0cb0072201f0bd5f0a32828e5d45d687ceab742dccf802646ca57244e95634d44dd66490ebb48aea41c9656bcc4b4c26e2e952d63005ec

Download Submit
C:\Windows\SysWOW64\Fpdhklkl.exe

Filesize
94KB

MD5
3b6ade4a38c39eec4a57eb8a7560a131

SHA1
aa2c929a3fe58f9c5197528124712fa924601649

SHA256
283545e69eed31fe8db98021c5c8cd87fc3fa0841a7bfc9cfd828f1f33bbd07f

SHA512
4cf66c1ac7c808607aa947637f46b007ec33c5d8e2a405f155bbc31f1925a2751b217e57b6fd94750a54322f474e63efa224ccd97332904ba2b3fb0c57b3bf23

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
94KB

MD5
53b45874f7884c610f0622ee0335dd36

SHA1
cfb49786c684a47287789b62851ebada35fdc114

SHA256
179047f17b8daaef20674d64c4c722445693164b581a5a6acbe9def8ceed5d2c

SHA512
be9ceb6485c4969152fa6a41bf8b3dec117bf922649c02b0d2cf17c02370f8b30d1a97946589abc69c4d5efa0e27a248da9bd683da55f7acd0f8ce36fe44a50b

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
94KB

MD5
557ee190a6889b4885ce461d47265f6f

SHA1
f28399adf2a033cfcfe5b097b694e442245c837f

SHA256
8f70aa94d3506520035aabaf0d0851d9130652644e1b033506e5201159c368b4

SHA512
2b151fefe57d702dc55c4a1533c6641dc7f8964a50499a84bbe64fef24b2c2f71f7ef3e56516a0b1715f8ea8ded02ee2d4da920e8d66bb4be5ee18c330655ae7

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
94KB

MD5
91a0fc0163431a03df2d1a8243d56b73

SHA1
526f593b47334d832c81a85d0573c816782d117d

SHA256
7e23e2562918b7336ed2d89de646ef2b6afd8e168ae6c9dff8169cf46fbfa1d3

SHA512
45b5ae657f801c6905b189c85a935ca5e8d537008f7484a6eacfcf75aa3b543cdc5cfab71540bade040a718c5df42a531710a01e9d0cb9d4c2874e44696b128e

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
94KB

MD5
503a5362b9134a7bd779308e4f97c7d2

SHA1
d69787e4f6ba441c03ab0a1418a429bdaf963be0

SHA256
7aaeb55b5ab5a01fa82722a938f592e4b8e1c4f830d0378368af980c204365c5

SHA512
0103cf4448b804ea05a12fef56d6f0e8931b8b6076bdedc16179a5fee991c7c545454939f97467a87badbed8b6215f8169c5a06d5924e5642f61abdec00c2103

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
94KB

MD5
63860e984ab316746c84d5c5a4582067

SHA1
da690f83d655b7070163fa7af130fbfaaebe0f34

SHA256
ec389b39dde9c2297768e3e4cbfc1b95b372f215c365a23d33215453d1e6376e

SHA512
c8da6f8b3d166691f1a01d2e955b9b84540755c7bd98a580abe94a2becc2da76cd1012e698bad1cc886d3974dc3ce61dbcd9924f80955787f6b60acb34740289

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
94KB

MD5
0c0da74505b3b1a3582876d9570ac3cb

SHA1
5db0c86e8f6ff222f02b46a898c85f6ada649c32

SHA256
4a7fe150826e0fd1bf895bb011f48fe88008fdf70ab2fc7db4c78f8b40bd08f9

SHA512
194d47c83d2c2a5fc57280a5ebaf84e1119fa3830c773264a89276c8b04bfb3ec46901f65d1b4a7c521f129d74432b5da797da6385f5476359032285123c53dd

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
94KB

MD5
1c0c10390358317a29f8e44655fba8b2

SHA1
5e5a54c8d0cc77fbce82c6f8528995991cf728c4

SHA256
67505f45cee94269c7f772950717f680432489b839b6b47ed3b9047df2bf47ec

SHA512
091ec77a57fdaed4f0dc12aff67f8e875fd3e299e6c67f528967972452ebbfeccc77abfa39ed97971f0aa8e0e80f21cfb0fed432f754088455e10cacd803999c

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
94KB

MD5
bf5cb33ccd62f0639cd367131a32c30b

SHA1
c98ec8732a896c373846156785f3295b8fff66a7

SHA256
6dc118835ef2e0c2edd22f67e5af6708ceebb871b1a11ef4bb1708450468d17f

SHA512
83d783e0206f22ff4f16c7e079554fcad6dc3707da8be19ef19922e2dbbb44b44de197c486dd5d42b611d82f54cd1a914e606939dca2c28dbbe6b1698f9ee747

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
94KB

MD5
1a575e98e71efe76a502b61a31ffc769

SHA1
f89997b7ea5d5c5714295e36a1a5b2ac8843ca51

SHA256
48db83dab879cc97701baf566e90e55b58d1a99664770e215070a1dc0bd2edfb

SHA512
eaa10480ab5ce5f5c5f7fe4250fbfb4315a8a0a2109a157cc061ee027e860e2ab799ac9f3360bd7e65618e015e6fdaee4d6ccd7af164bc46a24c81dd65fe846c

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
94KB

MD5
bc08a8fcb733d60e51deef6f7858ab58

SHA1
b73eff09570885da5b292b115acec67ec2c68c49

SHA256
5e283dbf5f615b115c7b7e2cc4793ff2ee5abfa382e5fc5ad75f94e3d4ed0e84

SHA512
8fb94630b4133e4807a733ae11282ef695304b0279cc266822b9616fd9cf898d9081d4b7ee13a94023017f117e1893a66bb96cdab89a6f98f3f9231c03fa2891

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
94KB

MD5
0399b5532fb75f91d264ff7107fc2985

SHA1
5058ef3c7f0905a54604d7c76a8330088a5b741b

SHA256
b9d2f963eafa2f02bbe51365a2bd95374a27cd6c4dafd5551bb7e716f09bddf5

SHA512
5b9bbde44b3dff77457f1dbc8bf6e50b382d0a8036fc6d58553358d2134302ff96ee421be11e1752ee5131b34465269a8287ded9ba661cc21a4ff509db331e18

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
94KB

MD5
e2a4d38918bab3aabe316b4976361c1b

SHA1
4bae178f535b7ff7ae2dd5cced69a86fd62462d4

SHA256
f0b0e37430aef58969b6ff8e02307ffacc344898856baf1d9289d9e2c91e4656

SHA512
1262c19852d2123c772637bc69d3aa7da36d683ae9204056088a487dd4d116d22a41cfe5b50d59bb346769e714d87dcd47a3764bdbe6404221c82e488ce36044

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
94KB

MD5
3883323e67d81c792faf46f6d85d337f

SHA1
90a3ecbf9e47bde206a3ba6627a15418dbb2c651

SHA256
ccc3b9f504522123e9f7cb02f28bf5c0496e44effde2b42574ba5c4964a02092

SHA512
4f8a919796c04875934d3ae60f335f3c4edf8e525dcd397c206ca5bcedad799b4134a79fd5868b9fbb5fc3b82dfca598e1abaa97498459806c81655c96f4bd1a

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
94KB

MD5
a57b4a18a30b376866d82454185ea1cc

SHA1
566e0dc677ff7c03fae2ec7b621dfb0aa10cae4d

SHA256
ddde158e534e9a63e4f31ba58be110af7bee705ae72eccc14e97d35facd6f8a3

SHA512
d7a7f70e09ffdf9e6e59a0aa6a4842afcdbfa34006f119dc83d583a38025ba24a9a7f0fddd34c7cb216290f31a4682b12392b6c363d1a7fc46c8302ba9cce712

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
94KB

MD5
b0ef213891de0719163d7d610e1045d8

SHA1
5506fe7bfad5c9f9b076c10b855f1b83262da7dd

SHA256
ef25e74c75b665eaee5907a9ea011635b1dab9776eb2335a4bca2f559e3eb450

SHA512
51c1485c0a71693f5adb54c38212e0e04f98056c0dee04f7959c3fe075f56399b506d296403224e69863732c11d85ef380597c76876637340c24073c728a6dc3

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
94KB

MD5
d21c6c7c72a475fa0d8d539d4b972658

SHA1
64503d260a251dd50933af5ea827d3f90d795d29

SHA256
54775db0b03382e2b4691e9559097fcf9b129989bd2c270d8d0206a95e8d543a

SHA512
cfd571a8618a7bbf0f782ad41293a1d2d2c4cf8df1cc31454c5c41912a6b1598702b5d49a5fc25b08d71d4c5a49305ad091f29b0ff6af6bc157f7a12b1b7052b

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
94KB

MD5
6bd59d3a58fa9da368f5fc5add2470aa

SHA1
b6564e87d50642a5d835bb17b9ed7c48c29e19e5

SHA256
bcea7d8f40706f3205842732eaf5fdbf89c51229aa98515215a3e21e203e2e7f

SHA512
b5ef1e2fabdbb6f6a0a6327e22e812df96ab1181d00a23c40c00008ba08243b443ff37ffc7e5b5f54cb1a1092245776f60dd8fd06621d37d3e1dac421a7b8bc7

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
94KB

MD5
67a1cb20e1ff03d4b5280500cf077b7c

SHA1
138c3f5d1a44b967f9d9cd07a0f9b21d3b754dba

SHA256
3759f53f61c1bca94c9df7b919686a2526532f46ca9ada84a92fee4806ca53e2

SHA512
cbdf04d2151fc2a2bd87bc8e94f3e79a49e12b3038c8685184cf7c273ceb57419cd5b3e17932a6de053f3f95a24cec0b0cd01b08d9d107cc866970b642a0eb72

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
94KB

MD5
77dc0df38e5611eee0729b8d7a776682

SHA1
25691ce6c343955e12bb0696c5602e4c2ded2868

SHA256
1a6b3c5ec8388be82086da04e19e045341c7c87a52bbac0d5020f729116694c6

SHA512
de9f555a14311a48ab149439e6952f77a23e6c241b39101037c9641f997eb2c1245f3197c4c3c33189f8e66ac0722dfad32f9159293780372aaa762a07724b78

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
94KB

MD5
ba43ffa39d41540594ca36328cda3b3b

SHA1
c5cac5896f7376585011325613779d92ce7f0639

SHA256
769bd5073a463572f534e8a6933c6234a4ead67fd3eddc7a5406fa72c044e150

SHA512
571bf0c60c6769291c9301773ea414c6ec19ffc7a80f59bbc36ff648350de26e6fafbcbef92bdb7f740da06793730e8637713ceba4799eee786931d199310824

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
94KB

MD5
c4c909c490db1bfdc628ca2c1f2ee392

SHA1
757218d4ef83ba9d56af77fa07b65a591044fd5c

SHA256
a4a1f82cb86c8c9bdc69c66bd3ca3bdf5a95b67cab976a89837ee2966d79d921

SHA512
95e1d5c94fb98d2f7eb9baf8940513d48245cf4008bb1eceddf1a89ab399c7987f6b0142aa5abdd982d2421f437f12baeadcb2fad84d4920f5e40189f008b791

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
94KB

MD5
f8aad39129c4999174bb52d41a5e443d

SHA1
d70ecf6e0093a67870231f73fdf3b208f0be5ca5

SHA256
479fb43fc43f5bd12fe9eb42abfa6780207b99902f2e56746bb6356a517eaccd

SHA512
50656e22c979198edef3be051aaaf1e9bbd5f37d8a9b68efe38cf52a1d45b82801360394072ce43faac9d6ad1acffd5b723f5bb91a863f2a37103cc9f77e2b46

Download Submit
C:\Windows\SysWOW64\Jeccgbbh.dll

Filesize
7KB

MD5
f7d85a5f0adfa75305e26d6e1550bb03

SHA1
c3374c7ee036d089dfa8f588ef563e4baf4fc60d

SHA256
5c80e4db76626e2a2cb17d6bce3dd83aa65c9be0d94d358423db1d42e25ea5e2

SHA512
cb632ffc10948741fefe56d8bbd0557007a8336c858066d0dced97c849947e222c576972eba849bc2ffad98056079b76b6c7c13a278d93579a674759e4ac25c6

Download Submit
\Windows\SysWOW64\Ffbicfoc.exe

Filesize
94KB

MD5
34af1b3c5760b54ee674d49833662182

SHA1
ce5ad3ad24e3174d6644c6949493f67780b3e8c5

SHA256
495299cd414d09706906e19a48cddecea8f5e8261a018d9bd9d8f74bde5e315e

SHA512
2940680e617cb25e3650fbae71619964c396266a4fe678f4b29baa1eb4dabb39b248cf1249ba2e5478a4bbcf9622b70c86f00f38547b04dcc7d30b4b5ea3b7b7

Download Submit
\Windows\SysWOW64\Fjlhneio.exe

Filesize
94KB

MD5
7a422044a5341770d45992e26e28032c

SHA1
4a51148e2ffa7d71e5266a9763a003b6f647a37e

SHA256
5831b0dc345ed9a8d9d3bac0ba8d816aa89831e5f2401da98207bd8b15cb34e0

SHA512
c435019849ccff81eea12da587ee8ca3b53a6e8eb16acb80650d47dd8721443bc2fb2ac477580672db8008f2c8ebb4341b7415fc851b70e618288556239d4a81

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
94KB

MD5
89eec8c8029b277b439e0622ffa771bb

SHA1
6612097a01bff0e1aa503f8ca4fb8acdbdf1e754

SHA256
9932ffda5f55c19f2efa51da05ae09e2673ef8b0a4f6b777eeeeef60105a0ce6

SHA512
7b9e5e6b64bc07e9f9e521ee94a1739f063c1fba3fc9dddc5376e58b39fd1bb732870e947025050cc4bffe4a94373f25beea5c88baac887e1c93d841876a6a52

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
94KB

MD5
a4fc0fea1d438227c682f007627a6018

SHA1
ce7333e593a05978902144de60340c79877fbac2

SHA256
3c9e615f9d5d94605b1175547ed64bbccc7cfea69b21d151eb9064c3df364ce5

SHA512
5b51e7a0b25fefe1c59c86388a0d0d2594f3a2fb1559b83bc32dae7ed9cfe2a7fec18120b6106c2ac0c1020bb2f879550ff87dbb27068f18bdf6751cf7ae0682

Download Submit
\Windows\SysWOW64\Fmhheqje.exe

Filesize
94KB

MD5
fd8b3c6082b9c1cbb0488d27d08faaee

SHA1
04ed4ff923c4f166a3bf7f6439e699317d67e82c

SHA256
2f8436c7265736a4dcb59593778ddd5856cfa754eb89ec11b04a673999754edf

SHA512
3765915243ce3067a640501d282bb11377639123c6656dd4b73ba953adffa52692a5f489cea0d6175a8d4e668ec550e918196235d342d8c31ab5906d5b8bc704

Download Submit
\Windows\SysWOW64\Fnbkddem.exe

Filesize
94KB

MD5
2f6405600f1c2eb21f6d3f0905cf5221

SHA1
124f1887ec4fc4da16a738fcec37552fe24c6c28

SHA256
c9c93ef662d35d26bf72b09513443d71435eecb98a1e216dc11ff8556173866f

SHA512
d86c704137339da49474fc59b86b7a5fcbc2023cc549ec74ba7822ce6f5d1b9e41977e2ea464b98c784795ebead8760cb38352326d164e3f24e7bd0b2953b138

Download Submit
\Windows\SysWOW64\Fpfdalii.exe

Filesize
94KB

MD5
84c08b7f6788b168ba72437e08cf0255

SHA1
374eeefbb12091d97c7c5e646842fb3db50814c6

SHA256
a3b0ae075a9dc5cd5cecca87da7a1ab708c4aa4841f5f9e0d6c7081516c03a26

SHA512
720043753ee6bf65f8bf24d5d6c66a99b3fb74c0c0f1d007eb7a12fb99e61a61c30630bde057314427b7090145d7e639b297cc4b01e3fc668c9081a6c77f017e

Download Submit
\Windows\SysWOW64\Gangic32.exe

Filesize
94KB

MD5
af81747c7143da018ae6574b22abbd6a

SHA1
6c35ac5e7d783fc48a845e4e612a0f6a6f05b49f

SHA256
c10b9a858fcd96e2f6574c53d4031bdddc79fcea9c7b6eee7b0c2a22b1f92088

SHA512
e1fb8a46d94603b95fdb0f6049f4dbae2909631a3f68da884336229c7cea96f31ad285471d8348331e030147df24935c7abd7dadb3bf2fb328ead702980539b0

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
94KB

MD5
de3fcecfa5216be578ddfb36fa81ddce

SHA1
7faf311f4aca965730e82bb1ce3a9ab2b5b6d368

SHA256
8a3d056151b9b6adaa207165c16519268ecb7f0632a902341c6cf0169903fe06

SHA512
44b2b0e06687524e2889ef386227c111d0eb7857f7cafb3d1212e87d941d4b892d6935e9e3262211579f516895c4a7977c8fd6b22fd6153b7fdef2ae8adcd3be

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
94KB

MD5
9aa0a465a652b3ca8dc40a63e517b228

SHA1
364a5f84d7dea0e7ed20cda68203ddba145d4a6b

SHA256
07ed1587468a00f3fccf201a5b7e2c38112e6d0da57900e3648cafc0484a3fc1

SHA512
766067cc31f91f67f241ae815c1ee64d7261c29670ac9aafa4f0c2b6de870298fabe705cfc316b856975fbf5aec05d43b896eb7a7453240c22c03fd380c9a281

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
94KB

MD5
6668934077ead46b77c7dd49da34fb24

SHA1
d6f1a83970acf403b8dc6b16a28b99c59793b619

SHA256
a844fa2983bd7e79785d52ba3d58dc23115d8a21b3eb65e94c28e4c81819d60e

SHA512
d195b2ab2a2db44b6bec1643a3514c0a76aac84a177ff9148aaf77b8385ece6b9830984f3cb0dd8354e041ee635d4cea129f21c2550a3fc2adf7f3d6eaa6052d

Download Submit
memory/268-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/268-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/604-306-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/604-307-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/604-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/788-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/788-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/804-250-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/804-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/804-249-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1084-268-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/1084-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-267-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/1240-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-324-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1240-329-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1484-13-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1484-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-6-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1484-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-140-0x0000000001FE0000-0x0000000002021000-memory.dmp

Filesize
260KB

Download
memory/1612-438-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-275-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1656-273-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1656-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-285-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1880-286-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1880-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1912-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1912-293-0x00000000004D0000-0x0000000000511000-memory.dmp

Filesize
260KB

Download
memory/1956-160-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1956-439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-423-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2032-427-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2044-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-405-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2136-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-232-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2456-416-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2456-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-415-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2464-385-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2464-383-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2464-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-92-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2580-350-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2580-351-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2580-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-369-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2664-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-373-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2688-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-366-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2728-365-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2776-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-317-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2836-318-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2920-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-399-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2920-391-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2924-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-252-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2924-253-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2960-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-340-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2984-339-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/3040-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-44-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/3056-45-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/3056-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads