400e3c4d223454f7ea4aac0d40b45bcdb10bad6acfa942ec18d57968a64b2adb

Analysis

max time kernel
111s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Size

556KB
MD5

96c7a26cff8f4527e3fe1eca2b5da68a
SHA1

692110c6ee4d5b5dc3eae4b3e6d62f579217e77d
SHA256

400e3c4d223454f7ea4aac0d40b45bcdb10bad6acfa942ec18d57968a64b2adb
SHA512

ce1ec979a9d6944c8ef9ffa0df29212b5366e07c663850e0d47f133b16ea8b49294cb6544aacd91c0bab4bd46ee0c4c8d3f39cd7aedcb5d858c22aba81f52af5
SSDEEP

12288:jkf0Df7aOlxzr3cOK3TajRfXFMKNxr9Z7tEGVqT4Df:j4If7aOlxzLyTajRfXFMKNxr9Z7tEGVJ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mimbfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhafcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohdlpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cqghcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgafqla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbgafqla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbnmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghbkdald.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hepoddcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfabok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghbkdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilcjgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpinac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpmfpid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhafcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdgehobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijigfaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omjnhiiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnenchoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdgehobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpmfpid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfabok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnienqbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hommhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hepoddcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mimbfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omjnhiiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahkkhnpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijigfaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfcmhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohdlpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hifaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpinac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpbaga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjeaog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkkhnpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiobbgcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcjgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjcccm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfcmhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hommhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cqghcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnienqbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiobbgcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjcccm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpbaga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnenchoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjeaog32.exe

Executes dropped EXE 27 IoCs

pid	Process
2056	Lfcmhc32.exe
1648	Nhafcd32.exe
832	Omjnhiiq.exe
2180	Ohdlpa32.exe
4616	Pnenchoc.exe
1540	Pphckb32.exe
4564	Qjeaog32.exe
1576	Ahkkhnpg.exe
4196	Bdgehobe.exe
2392	Cqghcn32.exe
1328	Dnienqbi.exe
5076	Eiobbgcl.exe
3724	Fbnmkk32.exe
3736	Ghbkdald.exe
4964	Hifaic32.exe
3604	Hepoddcc.exe
2568	Hommhi32.exe
1792	Ilcjgm32.exe
1196	Ijigfaol.exe
868	Jjpmfpid.exe
3008	Kbgafqla.exe
1256	Kjcccm32.exe
3440	Lpinac32.exe
956	Mpbaga32.exe
680	Mimbfg32.exe
1876	Nfabok32.exe
3252	Nleaha32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nhafcd32.exe	Lfcmhc32.exe
File created	C:\Windows\SysWOW64\Ahkkhnpg.exe	Qjeaog32.exe
File opened for modification	C:\Windows\SysWOW64\Ahkkhnpg.exe	Qjeaog32.exe
File created	C:\Windows\SysWOW64\Dnienqbi.exe	Cqghcn32.exe
File created	C:\Windows\SysWOW64\Eoeoqoni.dll	Kbgafqla.exe
File opened for modification	C:\Windows\SysWOW64\Lfcmhc32.exe	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
File created	C:\Windows\SysWOW64\Jhjoiniq.dll	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Bdgehobe.exe	Ahkkhnpg.exe
File created	C:\Windows\SysWOW64\Cqghcn32.exe	Bdgehobe.exe
File created	C:\Windows\SysWOW64\Fbnmkk32.exe	Eiobbgcl.exe
File created	C:\Windows\SysWOW64\Kbgafqla.exe	Jjpmfpid.exe
File created	C:\Windows\SysWOW64\Jhcdgo32.dll	Mpbaga32.exe
File created	C:\Windows\SysWOW64\Mihjhq32.dll	Dnienqbi.exe
File created	C:\Windows\SysWOW64\Lkehlmll.dll	Ilcjgm32.exe
File created	C:\Windows\SysWOW64\Ljdjpm32.dll	Nhafcd32.exe
File opened for modification	C:\Windows\SysWOW64\Pnenchoc.exe	Ohdlpa32.exe
File created	C:\Windows\SysWOW64\Hceook32.dll	Cqghcn32.exe
File created	C:\Windows\SysWOW64\Eiobbgcl.exe	Dnienqbi.exe
File opened for modification	C:\Windows\SysWOW64\Mpbaga32.exe	Lpinac32.exe
File created	C:\Windows\SysWOW64\Gehhom32.dll	Lfcmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Omjnhiiq.exe	Nhafcd32.exe
File created	C:\Windows\SysWOW64\Pnenchoc.exe	Ohdlpa32.exe
File opened for modification	C:\Windows\SysWOW64\Ilcjgm32.exe	Hommhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ijigfaol.exe	Ilcjgm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpinac32.exe	Kjcccm32.exe
File created	C:\Windows\SysWOW64\Lfcmhc32.exe	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
File created	C:\Windows\SysWOW64\Omjnhiiq.exe	Nhafcd32.exe
File opened for modification	C:\Windows\SysWOW64\Pphckb32.exe	Pnenchoc.exe
File created	C:\Windows\SysWOW64\Ghbkdald.exe	Fbnmkk32.exe
File created	C:\Windows\SysWOW64\Hifaic32.exe	Ghbkdald.exe
File created	C:\Windows\SysWOW64\Hommhi32.exe	Hepoddcc.exe
File created	C:\Windows\SysWOW64\Ijigfaol.exe	Ilcjgm32.exe
File created	C:\Windows\SysWOW64\Kmoiki32.dll	Ijigfaol.exe
File opened for modification	C:\Windows\SysWOW64\Mimbfg32.exe	Mpbaga32.exe
File created	C:\Windows\SysWOW64\Nfabok32.exe	Mimbfg32.exe
File created	C:\Windows\SysWOW64\Pphckb32.exe	Pnenchoc.exe
File opened for modification	C:\Windows\SysWOW64\Ghbkdald.exe	Fbnmkk32.exe
File created	C:\Windows\SysWOW64\Mgopje32.dll	Lpinac32.exe
File opened for modification	C:\Windows\SysWOW64\Nfabok32.exe	Mimbfg32.exe
File created	C:\Windows\SysWOW64\Ohdlpa32.exe	Omjnhiiq.exe
File opened for modification	C:\Windows\SysWOW64\Ohdlpa32.exe	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Qjeaog32.exe	Pphckb32.exe
File created	C:\Windows\SysWOW64\Eaohkjak.dll	Qjeaog32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgehobe.exe	Ahkkhnpg.exe
File created	C:\Windows\SysWOW64\Ggehilne.dll	Fbnmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Hepoddcc.exe	Hifaic32.exe
File created	C:\Windows\SysWOW64\Hoecdo32.dll	Hepoddcc.exe
File created	C:\Windows\SysWOW64\Jjpmfpid.exe	Ijigfaol.exe
File opened for modification	C:\Windows\SysWOW64\Jjpmfpid.exe	Ijigfaol.exe
File opened for modification	C:\Windows\SysWOW64\Qjeaog32.exe	Pphckb32.exe
File opened for modification	C:\Windows\SysWOW64\Cqghcn32.exe	Bdgehobe.exe
File created	C:\Windows\SysWOW64\Eghdmn32.dll	Kjcccm32.exe
File created	C:\Windows\SysWOW64\Mpbaga32.exe	Lpinac32.exe
File created	C:\Windows\SysWOW64\Hepoddcc.exe	Hifaic32.exe
File opened for modification	C:\Windows\SysWOW64\Kjcccm32.exe	Kbgafqla.exe
File opened for modification	C:\Windows\SysWOW64\Nleaha32.exe	Nfabok32.exe
File created	C:\Windows\SysWOW64\Dafhdj32.dll	Ohdlpa32.exe
File created	C:\Windows\SysWOW64\Jabajbcd.dll	Ahkkhnpg.exe
File opened for modification	C:\Windows\SysWOW64\Fbnmkk32.exe	Eiobbgcl.exe
File created	C:\Windows\SysWOW64\Nleaha32.exe	Nfabok32.exe
File created	C:\Windows\SysWOW64\Nhafcd32.exe	Lfcmhc32.exe
File created	C:\Windows\SysWOW64\Fkgeam32.dll	Pnenchoc.exe
File opened for modification	C:\Windows\SysWOW64\Hifaic32.exe	Ghbkdald.exe
File opened for modification	C:\Windows\SysWOW64\Kbgafqla.exe	Jjpmfpid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5072	3252	WerFault.exe	112

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabajbcd.dll"	Ahkkhnpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eiobbgcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hepoddcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpbaga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mimbfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkefjhnn.dll"	Eiobbgcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggehilne.dll"	Fbnmkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hifaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilcjgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmoiki32.dll"	Ijigfaol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfcmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafhdj32.dll"	Ohdlpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cqghcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbgafqla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfabok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhafcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjoiniq.dll"	Omjnhiiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbnmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpbaga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnenchoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahkkhnpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnienqbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghbkdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkehlmll.dll"	Ilcjgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpmfpid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfcmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cqghcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhafcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbnmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmepf32.dll"	Hommhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hommhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoeoqoni.dll"	Kbgafqla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjcccm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohdlpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeodp32.dll"	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehhom32.dll"	Lfcmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdjpm32.dll"	Nhafcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omjnhiiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgeam32.dll"	Pnenchoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdgehobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejanihcl.dll"	Bdgehobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hommhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpinac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pphckb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjeaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoecdo32.dll"	Hepoddcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijigfaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgopje32.dll"	Lpinac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnienqbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghbkdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnonap32.dll"	Ghbkdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hepoddcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjeaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hceook32.dll"	Cqghcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihjhq32.dll"	Dnienqbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eiobbgcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonqoi32.dll"	Hifaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hifaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijigfaol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2056	3228	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe	84
PID 3228 wrote to memory of 2056	3228	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe	84
PID 3228 wrote to memory of 2056	3228	96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe	84
PID 2056 wrote to memory of 1648	2056	Lfcmhc32.exe	85
PID 2056 wrote to memory of 1648	2056	Lfcmhc32.exe	85
PID 2056 wrote to memory of 1648	2056	Lfcmhc32.exe	85
PID 1648 wrote to memory of 832	1648	Nhafcd32.exe	86
PID 1648 wrote to memory of 832	1648	Nhafcd32.exe	86
PID 1648 wrote to memory of 832	1648	Nhafcd32.exe	86
PID 832 wrote to memory of 2180	832	Omjnhiiq.exe	87
PID 832 wrote to memory of 2180	832	Omjnhiiq.exe	87
PID 832 wrote to memory of 2180	832	Omjnhiiq.exe	87
PID 2180 wrote to memory of 4616	2180	Ohdlpa32.exe	88
PID 2180 wrote to memory of 4616	2180	Ohdlpa32.exe	88
PID 2180 wrote to memory of 4616	2180	Ohdlpa32.exe	88
PID 4616 wrote to memory of 1540	4616	Pnenchoc.exe	89
PID 4616 wrote to memory of 1540	4616	Pnenchoc.exe	89
PID 4616 wrote to memory of 1540	4616	Pnenchoc.exe	89
PID 1540 wrote to memory of 4564	1540	Pphckb32.exe	90
PID 1540 wrote to memory of 4564	1540	Pphckb32.exe	90
PID 1540 wrote to memory of 4564	1540	Pphckb32.exe	90
PID 4564 wrote to memory of 1576	4564	Qjeaog32.exe	91
PID 4564 wrote to memory of 1576	4564	Qjeaog32.exe	91
PID 4564 wrote to memory of 1576	4564	Qjeaog32.exe	91
PID 1576 wrote to memory of 4196	1576	Ahkkhnpg.exe	92
PID 1576 wrote to memory of 4196	1576	Ahkkhnpg.exe	92
PID 1576 wrote to memory of 4196	1576	Ahkkhnpg.exe	92
PID 4196 wrote to memory of 2392	4196	Bdgehobe.exe	93
PID 4196 wrote to memory of 2392	4196	Bdgehobe.exe	93
PID 4196 wrote to memory of 2392	4196	Bdgehobe.exe	93
PID 2392 wrote to memory of 1328	2392	Cqghcn32.exe	94
PID 2392 wrote to memory of 1328	2392	Cqghcn32.exe	94
PID 2392 wrote to memory of 1328	2392	Cqghcn32.exe	94
PID 1328 wrote to memory of 5076	1328	Dnienqbi.exe	95
PID 1328 wrote to memory of 5076	1328	Dnienqbi.exe	95
PID 1328 wrote to memory of 5076	1328	Dnienqbi.exe	95
PID 5076 wrote to memory of 3724	5076	Eiobbgcl.exe	96
PID 5076 wrote to memory of 3724	5076	Eiobbgcl.exe	96
PID 5076 wrote to memory of 3724	5076	Eiobbgcl.exe	96
PID 3724 wrote to memory of 3736	3724	Fbnmkk32.exe	97
PID 3724 wrote to memory of 3736	3724	Fbnmkk32.exe	97
PID 3724 wrote to memory of 3736	3724	Fbnmkk32.exe	97
PID 3736 wrote to memory of 4964	3736	Ghbkdald.exe	99
PID 3736 wrote to memory of 4964	3736	Ghbkdald.exe	99
PID 3736 wrote to memory of 4964	3736	Ghbkdald.exe	99
PID 4964 wrote to memory of 3604	4964	Hifaic32.exe	100
PID 4964 wrote to memory of 3604	4964	Hifaic32.exe	100
PID 4964 wrote to memory of 3604	4964	Hifaic32.exe	100
PID 3604 wrote to memory of 2568	3604	Hepoddcc.exe	101
PID 3604 wrote to memory of 2568	3604	Hepoddcc.exe	101
PID 3604 wrote to memory of 2568	3604	Hepoddcc.exe	101
PID 2568 wrote to memory of 1792	2568	Hommhi32.exe	103
PID 2568 wrote to memory of 1792	2568	Hommhi32.exe	103
PID 2568 wrote to memory of 1792	2568	Hommhi32.exe	103
PID 1792 wrote to memory of 1196	1792	Ilcjgm32.exe	104
PID 1792 wrote to memory of 1196	1792	Ilcjgm32.exe	104
PID 1792 wrote to memory of 1196	1792	Ilcjgm32.exe	104
PID 1196 wrote to memory of 868	1196	Ijigfaol.exe	105
PID 1196 wrote to memory of 868	1196	Ijigfaol.exe	105
PID 1196 wrote to memory of 868	1196	Ijigfaol.exe	105
PID 868 wrote to memory of 3008	868	Jjpmfpid.exe	106
PID 868 wrote to memory of 3008	868	Jjpmfpid.exe	106
PID 868 wrote to memory of 3008	868	Jjpmfpid.exe	106
PID 3008 wrote to memory of 1256	3008	Kbgafqla.exe	107

C:\Users\Admin\AppData\Local\Temp\96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\96c7a26cff8f4527e3fe1eca2b5da68a_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\Lfcmhc32.exe
  C:\Windows\system32\Lfcmhc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\Nhafcd32.exe
    C:\Windows\system32\Nhafcd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\Omjnhiiq.exe
      C:\Windows\system32\Omjnhiiq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Pphckb32.exe
        
        C:\Windows\system32\Pphckb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Qjeaog32.exe
        
        C:\Windows\system32\Qjeaog32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Bdgehobe.exe
        
        C:\Windows\system32\Bdgehobe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Dnienqbi.exe
        
        C:\Windows\system32\Dnienqbi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Eiobbgcl.exe
        
        C:\Windows\system32\Eiobbgcl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Fbnmkk32.exe
        
        C:\Windows\system32\Fbnmkk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ghbkdald.exe
        
        C:\Windows\system32\Ghbkdald.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Hifaic32.exe
        
        C:\Windows\system32\Hifaic32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Hepoddcc.exe
        
        C:\Windows\system32\Hepoddcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Hommhi32.exe
        
        C:\Windows\system32\Hommhi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ilcjgm32.exe
        
        C:\Windows\system32\Ilcjgm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ijigfaol.exe
        
        C:\Windows\system32\Ijigfaol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Jjpmfpid.exe
        
        C:\Windows\system32\Jjpmfpid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Kbgafqla.exe
        
        C:\Windows\system32\Kbgafqla.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Kjcccm32.exe
        
        C:\Windows\system32\Kjcccm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Lpinac32.exe
        
        C:\Windows\system32\Lpinac32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Mpbaga32.exe
        
        C:\Windows\system32\Mpbaga32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Mimbfg32.exe
        
        C:\Windows\system32\Mimbfg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Nfabok32.exe
        
        C:\Windows\system32\Nfabok32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Nleaha32.exe
        
        C:\Windows\system32\Nleaha32.exe
        28⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 412
        29⤵
        Program crash
        
        PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3252 -ip 3252
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahkkhnpg.exe

Filesize
556KB

MD5
da95e097eb7f503e477f32525b63b674

SHA1
127e7fe4ecbc25139e301e7be2cf6a1698da593a

SHA256
4837dc19ec4d2dab2155637b27f33d548b181b8841e31f820aebebc2fad2194e

SHA512
495a02929ca7c53878bd8fab41fe48dd9b289ae6ba9d45099c27147ca8ae0b7d4f546f5907c1cb932b7159f8b7ec9e3b3b2f40c81e78d8f2439d614c76a43841

Download Submit
C:\Windows\SysWOW64\Ahkkhnpg.exe

Filesize
556KB

MD5
da95e097eb7f503e477f32525b63b674

SHA1
127e7fe4ecbc25139e301e7be2cf6a1698da593a

SHA256
4837dc19ec4d2dab2155637b27f33d548b181b8841e31f820aebebc2fad2194e

SHA512
495a02929ca7c53878bd8fab41fe48dd9b289ae6ba9d45099c27147ca8ae0b7d4f546f5907c1cb932b7159f8b7ec9e3b3b2f40c81e78d8f2439d614c76a43841

Download Submit
C:\Windows\SysWOW64\Bdgehobe.exe

Filesize
556KB

MD5
b9b5fc2892dd5f7c9a0ee8c4a12cae5f

SHA1
77d756a718b0fd18fbf4d86477ba4628c2377265

SHA256
a0094edac278915efb957b2e1c0c0857ae43da3146442728eed4fcb95fc374f0

SHA512
dc604e3cf807a39dd8c08e0cf065d4662bd7ef37b30eb6e1acb478d40b54acc22699e4f520047ed53134bd7c6174546b0d6c0025a9fa81ce0bf23ada285ec4ae

Download Submit
C:\Windows\SysWOW64\Bdgehobe.exe

Filesize
556KB

MD5
b9b5fc2892dd5f7c9a0ee8c4a12cae5f

SHA1
77d756a718b0fd18fbf4d86477ba4628c2377265

SHA256
a0094edac278915efb957b2e1c0c0857ae43da3146442728eed4fcb95fc374f0

SHA512
dc604e3cf807a39dd8c08e0cf065d4662bd7ef37b30eb6e1acb478d40b54acc22699e4f520047ed53134bd7c6174546b0d6c0025a9fa81ce0bf23ada285ec4ae

Download Submit
C:\Windows\SysWOW64\Cqghcn32.exe

Filesize
556KB

MD5
1718b0a62e0e65f1c47ad5e34c2ba4b9

SHA1
d09afdae3163a0d3c8c92b1724688e83cc7bea12

SHA256
9a64409554340e1b36c0d546666308ca9c4e65640899b0bd487aa69f8b06a953

SHA512
7ecd45546ae1b906078ffd09b65920d3b67ba5b858e4421658ac68ed58acf0b42487b234c8a1a1ed66bc753b94afa6a1f9e0bb0122f570f7bf2fb78d624731db

Download Submit
C:\Windows\SysWOW64\Cqghcn32.exe

Filesize
556KB

MD5
1718b0a62e0e65f1c47ad5e34c2ba4b9

SHA1
d09afdae3163a0d3c8c92b1724688e83cc7bea12

SHA256
9a64409554340e1b36c0d546666308ca9c4e65640899b0bd487aa69f8b06a953

SHA512
7ecd45546ae1b906078ffd09b65920d3b67ba5b858e4421658ac68ed58acf0b42487b234c8a1a1ed66bc753b94afa6a1f9e0bb0122f570f7bf2fb78d624731db

Download Submit
C:\Windows\SysWOW64\Dafhdj32.dll

Filesize
7KB

MD5
962d9590b70b9f768ce57bce8354ee0a

SHA1
720e6e1c46a8fb348efb208bbb3ffe85ccdeac08

SHA256
c2a9d5a8667024557c6f44aba28115cda5772a9ffe24eeb24c8512ef95c9d9b6

SHA512
2064e4921cc472de2cd0b1e99429418f2bbbab2e41c19dc72004fdee857085df50b5f4ee7e2795e6091b5c3ebecf175fba977c26fab205e75f87e3ea1c1c1fdb

Download Submit
C:\Windows\SysWOW64\Dnienqbi.exe

Filesize
556KB

MD5
1718b0a62e0e65f1c47ad5e34c2ba4b9

SHA1
d09afdae3163a0d3c8c92b1724688e83cc7bea12

SHA256
9a64409554340e1b36c0d546666308ca9c4e65640899b0bd487aa69f8b06a953

SHA512
7ecd45546ae1b906078ffd09b65920d3b67ba5b858e4421658ac68ed58acf0b42487b234c8a1a1ed66bc753b94afa6a1f9e0bb0122f570f7bf2fb78d624731db

Download Submit
C:\Windows\SysWOW64\Dnienqbi.exe

Filesize
556KB

MD5
890b72d450717c2f4c1205eb9aca0032

SHA1
6b62c5de33bb7c4f0d629c1bab9510e4102990e1

SHA256
7ce9a4999601a1813e58d4955b98072d4018aeb39b87c61a62cb59fd119f65ee

SHA512
ff010c72aa49106052e0d80c1fa5570ed825a991562745a63a2db7521cc10042f81f9e94e0fe5729a8292870fc9aff2528c99a302911e2262dea7deed313482b

Download Submit
C:\Windows\SysWOW64\Dnienqbi.exe

Filesize
556KB

MD5
890b72d450717c2f4c1205eb9aca0032

SHA1
6b62c5de33bb7c4f0d629c1bab9510e4102990e1

SHA256
7ce9a4999601a1813e58d4955b98072d4018aeb39b87c61a62cb59fd119f65ee

SHA512
ff010c72aa49106052e0d80c1fa5570ed825a991562745a63a2db7521cc10042f81f9e94e0fe5729a8292870fc9aff2528c99a302911e2262dea7deed313482b

Download Submit
C:\Windows\SysWOW64\Eiobbgcl.exe

Filesize
556KB

MD5
e0bc0fafaa997a578233a4820aa8633a

SHA1
16525a27f77284e7e97e59781f81d4128c295841

SHA256
9bf00da7f51bdb1fcda481ed9770ba9dc7903944bb5a3aef6b0614cdffb69e57

SHA512
78bc613a5d81fce4d79db7b38fc94a2795395ea0161f672ed54db8206eb7b0c0df1eb96ab38cf8dd65b2c7bc35b0b39258cd322fd04b4667a460f173d1f00e92

Download Submit
C:\Windows\SysWOW64\Eiobbgcl.exe

Filesize
556KB

MD5
e0bc0fafaa997a578233a4820aa8633a

SHA1
16525a27f77284e7e97e59781f81d4128c295841

SHA256
9bf00da7f51bdb1fcda481ed9770ba9dc7903944bb5a3aef6b0614cdffb69e57

SHA512
78bc613a5d81fce4d79db7b38fc94a2795395ea0161f672ed54db8206eb7b0c0df1eb96ab38cf8dd65b2c7bc35b0b39258cd322fd04b4667a460f173d1f00e92

Download Submit
C:\Windows\SysWOW64\Fbnmkk32.exe

Filesize
556KB

MD5
ee171074b817ccfc64cd25cf98830440

SHA1
3a02dd126a282844128608aa9947ed4e12f61a03

SHA256
215745b3fe641309fbc1b096d923f006b122866ecf4cad0756e5dc46ad0945b9

SHA512
603f8bba899da1837b2c08f7b535a5008ea55cbc5b83d8a656e668ca6a6d5873c2df2744409562fb02e9c2c0bdfab414638e3b13e472686db10fcd214b5a4247

Download Submit
C:\Windows\SysWOW64\Fbnmkk32.exe

Filesize
556KB

MD5
ee171074b817ccfc64cd25cf98830440

SHA1
3a02dd126a282844128608aa9947ed4e12f61a03

SHA256
215745b3fe641309fbc1b096d923f006b122866ecf4cad0756e5dc46ad0945b9

SHA512
603f8bba899da1837b2c08f7b535a5008ea55cbc5b83d8a656e668ca6a6d5873c2df2744409562fb02e9c2c0bdfab414638e3b13e472686db10fcd214b5a4247

Download Submit
C:\Windows\SysWOW64\Fbnmkk32.exe

Filesize
556KB

MD5
e0bc0fafaa997a578233a4820aa8633a

SHA1
16525a27f77284e7e97e59781f81d4128c295841

SHA256
9bf00da7f51bdb1fcda481ed9770ba9dc7903944bb5a3aef6b0614cdffb69e57

SHA512
78bc613a5d81fce4d79db7b38fc94a2795395ea0161f672ed54db8206eb7b0c0df1eb96ab38cf8dd65b2c7bc35b0b39258cd322fd04b4667a460f173d1f00e92

Download Submit
C:\Windows\SysWOW64\Ghbkdald.exe

Filesize
556KB

MD5
53ba7feb522a32afc8ade99761a032bb

SHA1
8d9ba0f9866141e0ffaff009bdd9aeec9d3fea63

SHA256
3392761e0e367c450bb675aa06ff6da63cfe7632009fe9a8f565fb65c19cef7e

SHA512
dc8636516d020d26ef9e35b3653bb5999c130a68fd562f244b32d9cde1fe89ea6a1abf3d483cb8f0771f3ce3f4ae010b0a95c7f1d510d0b824ddc24b402fb7bf

Download Submit
C:\Windows\SysWOW64\Ghbkdald.exe

Filesize
556KB

MD5
53ba7feb522a32afc8ade99761a032bb

SHA1
8d9ba0f9866141e0ffaff009bdd9aeec9d3fea63

SHA256
3392761e0e367c450bb675aa06ff6da63cfe7632009fe9a8f565fb65c19cef7e

SHA512
dc8636516d020d26ef9e35b3653bb5999c130a68fd562f244b32d9cde1fe89ea6a1abf3d483cb8f0771f3ce3f4ae010b0a95c7f1d510d0b824ddc24b402fb7bf

Download Submit
C:\Windows\SysWOW64\Hepoddcc.exe

Filesize
556KB

MD5
e2d6d6a4959a6e07f34cfe96f582be5b

SHA1
ae68533fe2cb9b42b002d73fc07744ae001d67bb

SHA256
a552787a696dcefc8af3cb9c887a275d05c30b0213d8982cc05f414e16d5fb67

SHA512
dd796e1999e9163272ef7fec71d18c510aac21cd8a24e425428a5a4c9f080946a713965583a6c9704ab4b156d95aaed24c6dddc55e5ed7d4893a82eaa6f7681e

Download Submit
C:\Windows\SysWOW64\Hepoddcc.exe

Filesize
556KB

MD5
e2d6d6a4959a6e07f34cfe96f582be5b

SHA1
ae68533fe2cb9b42b002d73fc07744ae001d67bb

SHA256
a552787a696dcefc8af3cb9c887a275d05c30b0213d8982cc05f414e16d5fb67

SHA512
dd796e1999e9163272ef7fec71d18c510aac21cd8a24e425428a5a4c9f080946a713965583a6c9704ab4b156d95aaed24c6dddc55e5ed7d4893a82eaa6f7681e

Download Submit
C:\Windows\SysWOW64\Hifaic32.exe

Filesize
556KB

MD5
04674b4a7fb4dc5f5917ad9e6dff8adc

SHA1
8f17466498b596cad635571cd0007a2337ccc79f

SHA256
deaf6e4f7b13886004364ea716e12d0406c6aa9ff0eea3c119b2053ab63f6176

SHA512
8c990e1829acdaf673475d45ee5466d0f985a5bd6fbd3f3b17213af5e5f1257f8d8d9120cc467cfe4c36312f5662eb6b21271bdb8e5fcd177a9d925b4aaaed96

Download Submit
C:\Windows\SysWOW64\Hifaic32.exe

Filesize
556KB

MD5
04674b4a7fb4dc5f5917ad9e6dff8adc

SHA1
8f17466498b596cad635571cd0007a2337ccc79f

SHA256
deaf6e4f7b13886004364ea716e12d0406c6aa9ff0eea3c119b2053ab63f6176

SHA512
8c990e1829acdaf673475d45ee5466d0f985a5bd6fbd3f3b17213af5e5f1257f8d8d9120cc467cfe4c36312f5662eb6b21271bdb8e5fcd177a9d925b4aaaed96

Download Submit
C:\Windows\SysWOW64\Hommhi32.exe

Filesize
556KB

MD5
6a030fda7a0fd6026676f532fd1e024f

SHA1
93a715c70251ff3443c283fd736384acd299ffc2

SHA256
203b4e91af37b70fe486bed656bd4e8301d535ccaa3d7b9333740e343d28e3fa

SHA512
af5e73fec163507cc378737652f4409f9c42df8a51ed543f7117ee68c622aad153b7cd52e7054c826f3ec31c51de9db54bc0fe4ef412cc446719c12c2c35db86

Download Submit
C:\Windows\SysWOW64\Hommhi32.exe

Filesize
556KB

MD5
6a030fda7a0fd6026676f532fd1e024f

SHA1
93a715c70251ff3443c283fd736384acd299ffc2

SHA256
203b4e91af37b70fe486bed656bd4e8301d535ccaa3d7b9333740e343d28e3fa

SHA512
af5e73fec163507cc378737652f4409f9c42df8a51ed543f7117ee68c622aad153b7cd52e7054c826f3ec31c51de9db54bc0fe4ef412cc446719c12c2c35db86

Download Submit
C:\Windows\SysWOW64\Ijigfaol.exe

Filesize
556KB

MD5
49d7f459ae0fe073d45df8063ae2c75e

SHA1
fc1c310c45f83aab9cc87f25d4f736508af9e2e5

SHA256
be48ee08d6dd5d5d07bd67a154d8d6a9d40c14f97de3174b0664ce814ecd6bf7

SHA512
fc871b8810066bda714ff30c4161ef2d5129af80361dccd94c6f4aa83f92628924053027757c862447a333c73ff438bf96bce0c299ebebc3c881844f63443630

Download Submit
C:\Windows\SysWOW64\Ijigfaol.exe

Filesize
556KB

MD5
49d7f459ae0fe073d45df8063ae2c75e

SHA1
fc1c310c45f83aab9cc87f25d4f736508af9e2e5

SHA256
be48ee08d6dd5d5d07bd67a154d8d6a9d40c14f97de3174b0664ce814ecd6bf7

SHA512
fc871b8810066bda714ff30c4161ef2d5129af80361dccd94c6f4aa83f92628924053027757c862447a333c73ff438bf96bce0c299ebebc3c881844f63443630

Download Submit
C:\Windows\SysWOW64\Ilcjgm32.exe

Filesize
556KB

MD5
cbc59b5421ea748f863a4af92c8fe915

SHA1
6d61f1c55e4c7b6dfd44ffc40ce99d2faeb8f1e5

SHA256
6d28325f4fbc1ca93e39229d67c59759f65e1932c5af31a23e15ac30a5a0d675

SHA512
034062a9e9e93bbc014104d94d2c1ae3e3303199fdb289e889d1b42ec32fd8860b3444dca6173601d1125862eb79f8501d553ba8d848b113b4f4dab9664fb0b8

Download Submit
C:\Windows\SysWOW64\Ilcjgm32.exe

Filesize
556KB

MD5
cbc59b5421ea748f863a4af92c8fe915

SHA1
6d61f1c55e4c7b6dfd44ffc40ce99d2faeb8f1e5

SHA256
6d28325f4fbc1ca93e39229d67c59759f65e1932c5af31a23e15ac30a5a0d675

SHA512
034062a9e9e93bbc014104d94d2c1ae3e3303199fdb289e889d1b42ec32fd8860b3444dca6173601d1125862eb79f8501d553ba8d848b113b4f4dab9664fb0b8

Download Submit
C:\Windows\SysWOW64\Jjpmfpid.exe

Filesize
556KB

MD5
fefe12aa8ff6cfcc6bd715f6f5972f12

SHA1
77418099f890b0583da182a7c65c9fc4f9c91687

SHA256
38fb8ea73af781d1bc05d043e80660448ee21c10be4f0b9d1758c5085295fb13

SHA512
426d0da7e81bce6d05b178ac2263f51a8dafd5bdeb9a02dc7cca6f82d154b08336ac540c192993400e37a9521612e59b4705ca21f10ccdf80ce43a8592ff4123

Download Submit
C:\Windows\SysWOW64\Jjpmfpid.exe

Filesize
556KB

MD5
fefe12aa8ff6cfcc6bd715f6f5972f12

SHA1
77418099f890b0583da182a7c65c9fc4f9c91687

SHA256
38fb8ea73af781d1bc05d043e80660448ee21c10be4f0b9d1758c5085295fb13

SHA512
426d0da7e81bce6d05b178ac2263f51a8dafd5bdeb9a02dc7cca6f82d154b08336ac540c192993400e37a9521612e59b4705ca21f10ccdf80ce43a8592ff4123

Download Submit
C:\Windows\SysWOW64\Kbgafqla.exe

Filesize
556KB

MD5
fefe12aa8ff6cfcc6bd715f6f5972f12

SHA1
77418099f890b0583da182a7c65c9fc4f9c91687

SHA256
38fb8ea73af781d1bc05d043e80660448ee21c10be4f0b9d1758c5085295fb13

SHA512
426d0da7e81bce6d05b178ac2263f51a8dafd5bdeb9a02dc7cca6f82d154b08336ac540c192993400e37a9521612e59b4705ca21f10ccdf80ce43a8592ff4123

Download Submit
C:\Windows\SysWOW64\Kbgafqla.exe

Filesize
556KB

MD5
c27f2bad19a7f823ada6ac6abdbece52

SHA1
51be50a9236e819d6c6fe67adb32c8a220f4b4b6

SHA256
d0fcb1d2e6687e598cd80bf27db3f2b94fbb417e2997b6b393cd0627f3bb6b0c

SHA512
a1f7e7015cdf4ac1c9f031115ef644b34859b17c61f964aa8d38b739609c80cc3b6cbfccbfea627dac74cdb7482110e8cab22c529be302c56af63ee4c7ab942d

Download Submit
C:\Windows\SysWOW64\Kbgafqla.exe

Filesize
556KB

MD5
c27f2bad19a7f823ada6ac6abdbece52

SHA1
51be50a9236e819d6c6fe67adb32c8a220f4b4b6

SHA256
d0fcb1d2e6687e598cd80bf27db3f2b94fbb417e2997b6b393cd0627f3bb6b0c

SHA512
a1f7e7015cdf4ac1c9f031115ef644b34859b17c61f964aa8d38b739609c80cc3b6cbfccbfea627dac74cdb7482110e8cab22c529be302c56af63ee4c7ab942d

Download Submit
C:\Windows\SysWOW64\Kjcccm32.exe

Filesize
556KB

MD5
bb28de5fcd8c674f8dd6969a6def7073

SHA1
c3c29097354e5eea5e7e192999519b6a35704347

SHA256
9f01237b99e8ff21f58dbc932eab56b7ddd3efd5aca4087cb661439225832c43

SHA512
d129ccb572b99168d1644a90f763b46b18b8bb890f6ef0b02c5115d301bd265c5e5894fb7ae55de64ec17eafbf4792270fac14a22319975fa5be9d488d682d89

Download Submit
C:\Windows\SysWOW64\Kjcccm32.exe

Filesize
556KB

MD5
bb28de5fcd8c674f8dd6969a6def7073

SHA1
c3c29097354e5eea5e7e192999519b6a35704347

SHA256
9f01237b99e8ff21f58dbc932eab56b7ddd3efd5aca4087cb661439225832c43

SHA512
d129ccb572b99168d1644a90f763b46b18b8bb890f6ef0b02c5115d301bd265c5e5894fb7ae55de64ec17eafbf4792270fac14a22319975fa5be9d488d682d89

Download Submit
C:\Windows\SysWOW64\Lfcmhc32.exe

Filesize
556KB

MD5
1a2d63742ebdbe1536c1110cc94a5f1a

SHA1
49ea597265954df7792f638023c564aa5fe1550f

SHA256
4516755b5500fc675afc745a3d63abc43b83e5fe716811a0c7bcb84f56e00629

SHA512
dc57a19ca098edaae6f24478a3b67f73f02564cd5db8baec21d9b8d676ab80f05b961b2b5a2817e23fc0039c08dfd2944494944abf99d54208fe89c4a370402d

Download Submit
C:\Windows\SysWOW64\Lfcmhc32.exe

Filesize
556KB

MD5
1a2d63742ebdbe1536c1110cc94a5f1a

SHA1
49ea597265954df7792f638023c564aa5fe1550f

SHA256
4516755b5500fc675afc745a3d63abc43b83e5fe716811a0c7bcb84f56e00629

SHA512
dc57a19ca098edaae6f24478a3b67f73f02564cd5db8baec21d9b8d676ab80f05b961b2b5a2817e23fc0039c08dfd2944494944abf99d54208fe89c4a370402d

Download Submit
C:\Windows\SysWOW64\Lpinac32.exe

Filesize
556KB

MD5
a8a5329949cc5f5bb4f71fb55ae647fb

SHA1
0f5699a726d52698a41b1ff972a4b0b8886c01b9

SHA256
515d38d0ed19c6bcaa1fa1c7754e8cf3b3642706ed4fe73f6b8ce268cadb3df7

SHA512
b3bc3e1371463b9e6de4b559a6c24a94e121f4d5978fcb05a7332a78c24c66aa8a2c5a5f1ac3d6c21c0371242d4f0efc82f4dea1cabd76b4bdbbad3474cb4cf7

Download Submit
C:\Windows\SysWOW64\Lpinac32.exe

Filesize
556KB

MD5
a8a5329949cc5f5bb4f71fb55ae647fb

SHA1
0f5699a726d52698a41b1ff972a4b0b8886c01b9

SHA256
515d38d0ed19c6bcaa1fa1c7754e8cf3b3642706ed4fe73f6b8ce268cadb3df7

SHA512
b3bc3e1371463b9e6de4b559a6c24a94e121f4d5978fcb05a7332a78c24c66aa8a2c5a5f1ac3d6c21c0371242d4f0efc82f4dea1cabd76b4bdbbad3474cb4cf7

Download Submit
C:\Windows\SysWOW64\Mimbfg32.exe

Filesize
556KB

MD5
2cb64cbe209734cf1a545708349cf514

SHA1
cec386ffa92ba3c8f49464f7080abf69e9f21f39

SHA256
17d02631ec701870386b731e9a258561bf273bc25c387253c6d238dc6167bf7a

SHA512
dd7df8114b8c0d6705c924ff3f4c6cce7fba10668c0588195ec0dc89c02c73e39bc701cb8d06e4bb32404307aa57ba5dc2905b9bc80e1b8f9ad8e106edd41f09

Download Submit
C:\Windows\SysWOW64\Mimbfg32.exe

Filesize
556KB

MD5
2cb64cbe209734cf1a545708349cf514

SHA1
cec386ffa92ba3c8f49464f7080abf69e9f21f39

SHA256
17d02631ec701870386b731e9a258561bf273bc25c387253c6d238dc6167bf7a

SHA512
dd7df8114b8c0d6705c924ff3f4c6cce7fba10668c0588195ec0dc89c02c73e39bc701cb8d06e4bb32404307aa57ba5dc2905b9bc80e1b8f9ad8e106edd41f09

Download Submit
C:\Windows\SysWOW64\Mpbaga32.exe

Filesize
556KB

MD5
50927b97b1f978e1d1e431ab28493a7d

SHA1
a36171d924c75163c6cf20ed53316019ea3acc4b

SHA256
898aa5ad962494b872e3acf4f3b7f2f9c9b6dd189f3eea2ee43d33e7f0bb0a11

SHA512
482b2d3c302b19f25b9c4b813947554d4df1d34f9063bac1d98733d79ad07368730a47ce35db047ee8b85637c8c0f38c42b974a9921d6348c61cb19bb318df20

Download Submit
C:\Windows\SysWOW64\Mpbaga32.exe

Filesize
556KB

MD5
50927b97b1f978e1d1e431ab28493a7d

SHA1
a36171d924c75163c6cf20ed53316019ea3acc4b

SHA256
898aa5ad962494b872e3acf4f3b7f2f9c9b6dd189f3eea2ee43d33e7f0bb0a11

SHA512
482b2d3c302b19f25b9c4b813947554d4df1d34f9063bac1d98733d79ad07368730a47ce35db047ee8b85637c8c0f38c42b974a9921d6348c61cb19bb318df20

Download Submit
C:\Windows\SysWOW64\Nfabok32.exe

Filesize
556KB

MD5
57fc7f35f4f4aad969be01a4125f76d0

SHA1
e2907c508228726def288f1dc0a48b1b1b178ab7

SHA256
879442e3e9d3195ac4bf5cddcbf11b1fc386c24076eb55d51e01a8d908905570

SHA512
31f66d89bbe2402a31c474c87923456fa0315405aaca5a8fdea7a6b2716b2b4a2312ecae52889b38c8815505dc42af9754b980a782e998f2d04577347b4d240e

Download Submit
C:\Windows\SysWOW64\Nfabok32.exe

Filesize
556KB

MD5
57fc7f35f4f4aad969be01a4125f76d0

SHA1
e2907c508228726def288f1dc0a48b1b1b178ab7

SHA256
879442e3e9d3195ac4bf5cddcbf11b1fc386c24076eb55d51e01a8d908905570

SHA512
31f66d89bbe2402a31c474c87923456fa0315405aaca5a8fdea7a6b2716b2b4a2312ecae52889b38c8815505dc42af9754b980a782e998f2d04577347b4d240e

Download Submit
C:\Windows\SysWOW64\Nhafcd32.exe

Filesize
556KB

MD5
b36e79abbb551a5e038874d6e12c4848

SHA1
c5a5ae92478403f8e8fe4f6b8a6b9d15593ec8d8

SHA256
7ac514b6c8df119839f6a8475935533fa79b8e97b3482e8b2ae0709fe08f9ff1

SHA512
8469425df2f7836b4266e5d4be075569d83772882ce5a335cfc02f6ff0877ea51d9285a999034a58dfb415dbe5990616b3a505c23474bb95f77da984bcf18389

Download Submit
C:\Windows\SysWOW64\Nhafcd32.exe

Filesize
556KB

MD5
b36e79abbb551a5e038874d6e12c4848

SHA1
c5a5ae92478403f8e8fe4f6b8a6b9d15593ec8d8

SHA256
7ac514b6c8df119839f6a8475935533fa79b8e97b3482e8b2ae0709fe08f9ff1

SHA512
8469425df2f7836b4266e5d4be075569d83772882ce5a335cfc02f6ff0877ea51d9285a999034a58dfb415dbe5990616b3a505c23474bb95f77da984bcf18389

Download Submit
C:\Windows\SysWOW64\Nleaha32.exe

Filesize
556KB

MD5
281a3d2d9bc1b3b4220ef20d80d1d3dd

SHA1
d2eaf505348f4c8b76da7c227a85b56fe281879b

SHA256
094a62b1cf538ac72850ccfc09a4f841cba9815b96245a353633578c1838ffd9

SHA512
63c638d57b5512ebba4a0f080b0c4720572313984d0e34065ae2db02845c47b109c11424679012ba19056fa7c2eb0216f93b215ff934218f042bc27c6e2a2b79

Download Submit
C:\Windows\SysWOW64\Nleaha32.exe

Filesize
556KB

MD5
281a3d2d9bc1b3b4220ef20d80d1d3dd

SHA1
d2eaf505348f4c8b76da7c227a85b56fe281879b

SHA256
094a62b1cf538ac72850ccfc09a4f841cba9815b96245a353633578c1838ffd9

SHA512
63c638d57b5512ebba4a0f080b0c4720572313984d0e34065ae2db02845c47b109c11424679012ba19056fa7c2eb0216f93b215ff934218f042bc27c6e2a2b79

Download Submit
C:\Windows\SysWOW64\Ohdlpa32.exe

Filesize
556KB

MD5
5835cbb5c72fb5153936e49ca732373e

SHA1
73cccd2b9649b45775d5597f97b6a341a2e89fcf

SHA256
19c2bc681375973a930c9b5646dafd0d46c2ccd4be2900d16032f6d6f0cc6727

SHA512
89ca2f8fc7c9e12375169c5f5631a479b02e24d3d64fd89ccd6442b339cd304ae58ab437239280d4f77059adad71a68848620b175b01632916bc5bd9bfe57981

Download Submit
C:\Windows\SysWOW64\Ohdlpa32.exe

Filesize
556KB

MD5
5835cbb5c72fb5153936e49ca732373e

SHA1
73cccd2b9649b45775d5597f97b6a341a2e89fcf

SHA256
19c2bc681375973a930c9b5646dafd0d46c2ccd4be2900d16032f6d6f0cc6727

SHA512
89ca2f8fc7c9e12375169c5f5631a479b02e24d3d64fd89ccd6442b339cd304ae58ab437239280d4f77059adad71a68848620b175b01632916bc5bd9bfe57981

Download Submit
C:\Windows\SysWOW64\Omjnhiiq.exe

Filesize
556KB

MD5
35fb402607e18764cdecd6eb4be0c7d7

SHA1
08ab82f670e531f0d4bda9e970313bb836403169

SHA256
7c3e376f2c74e3d329814be0054675da6ff4171de8ed4f4bda2497f5d6d3633e

SHA512
c140836b839dcdde8e178ebc673c62b1c3a5f071ab1173dec0abd91d98afc0c2bae3b4e61abc42ca3609d46177edb94511377716c58607f2ab3e4dbf259034c3

Download Submit
C:\Windows\SysWOW64\Omjnhiiq.exe

Filesize
556KB

MD5
35fb402607e18764cdecd6eb4be0c7d7

SHA1
08ab82f670e531f0d4bda9e970313bb836403169

SHA256
7c3e376f2c74e3d329814be0054675da6ff4171de8ed4f4bda2497f5d6d3633e

SHA512
c140836b839dcdde8e178ebc673c62b1c3a5f071ab1173dec0abd91d98afc0c2bae3b4e61abc42ca3609d46177edb94511377716c58607f2ab3e4dbf259034c3

Download Submit
C:\Windows\SysWOW64\Pnenchoc.exe

Filesize
556KB

MD5
c860bab9b432efd3fcc2f16bf49d54d8

SHA1
296117ec2237b921fd4a313e05fc66142ce67268

SHA256
50b541936bb231028befe1328b0a825e094e1f2e9082df29e6d0f0185cec16ca

SHA512
16a86b7cfe3bcea10b1a6f829073c3f60ada126a60485ea1569d0d3d7a7ae6492232f0197988f03c51a34117c37f89381608885719ed8136ffde7b53840c4204

Download Submit
C:\Windows\SysWOW64\Pnenchoc.exe

Filesize
556KB

MD5
c860bab9b432efd3fcc2f16bf49d54d8

SHA1
296117ec2237b921fd4a313e05fc66142ce67268

SHA256
50b541936bb231028befe1328b0a825e094e1f2e9082df29e6d0f0185cec16ca

SHA512
16a86b7cfe3bcea10b1a6f829073c3f60ada126a60485ea1569d0d3d7a7ae6492232f0197988f03c51a34117c37f89381608885719ed8136ffde7b53840c4204

Download Submit
C:\Windows\SysWOW64\Pphckb32.exe

Filesize
556KB

MD5
36f8c2a8273102a23b3001411c9a8e0d

SHA1
e73f6f352f183681e45dbf5202f498e7cc68a5ca

SHA256
d9a1da263e4d5c8a6dcf2e5bb68e801551dbd92c00cc57a6859b4ffd643000c0

SHA512
14c5442ca61c0521fb8eb9e9014a013945199f5863cc6977f5f62e86f4000146390546152fbf0efedf9d4a256b09894c4580e708d110ad826423148f98cac3f4

Download Submit
C:\Windows\SysWOW64\Pphckb32.exe

Filesize
556KB

MD5
36f8c2a8273102a23b3001411c9a8e0d

SHA1
e73f6f352f183681e45dbf5202f498e7cc68a5ca

SHA256
d9a1da263e4d5c8a6dcf2e5bb68e801551dbd92c00cc57a6859b4ffd643000c0

SHA512
14c5442ca61c0521fb8eb9e9014a013945199f5863cc6977f5f62e86f4000146390546152fbf0efedf9d4a256b09894c4580e708d110ad826423148f98cac3f4

Download Submit
C:\Windows\SysWOW64\Qjeaog32.exe

Filesize
556KB

MD5
8c36a2a4525bb36d79498c6fd3d0d984

SHA1
6981d37e17c1b5b4a0763a5b988eefd000fe498d

SHA256
3169c18d0b48aec19b073db0dbec363a29a154a0054bbe7c028f4004cc1fcc50

SHA512
497639744c13c6f644ca55eef4929d36e15798a8472946b4f500c0b9d10d6a508ec55bf7c853dd9c0278511f77f80ee96aaaf984687352b638b48fe4ddc2656d

Download Submit
C:\Windows\SysWOW64\Qjeaog32.exe

Filesize
556KB

MD5
8c36a2a4525bb36d79498c6fd3d0d984

SHA1
6981d37e17c1b5b4a0763a5b988eefd000fe498d

SHA256
3169c18d0b48aec19b073db0dbec363a29a154a0054bbe7c028f4004cc1fcc50

SHA512
497639744c13c6f644ca55eef4929d36e15798a8472946b4f500c0b9d10d6a508ec55bf7c853dd9c0278511f77f80ee96aaaf984687352b638b48fe4ddc2656d

Download Submit
memory/680-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/680-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/832-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/832-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/956-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/956-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1196-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1196-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1256-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1256-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1328-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1328-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1540-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1540-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1576-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1576-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1792-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1792-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5076-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5076-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads