eb68ca5b2cc0301e318db482a21e39a0a47044d0e59a2fdf32c74543fb177f62

Analysis

max time kernel
136s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b96d04f518f6de20d520db2138c468f4.exe
Size

96KB
MD5

b96d04f518f6de20d520db2138c468f4
SHA1

b0d24485cf0a0160f56e9274e85c0b2ab4dbc3a9
SHA256

eb68ca5b2cc0301e318db482a21e39a0a47044d0e59a2fdf32c74543fb177f62
SHA512

433445611986ecf35c34bc42cb22b7054b0cec0c9ab088ada5759e5107fbe3760cf64e9b7cd5b0d82fc7462b927fa94c7f794cfb9e6e94feca91cd895a6bf0e9
SSDEEP

1536:bZ/CbarMVqmqXeE6PsdYDHD2Y1OBVnOKZGUJsduV9jojTIvjrH:bxCbaraftvPsdYP2mQVnOKQUad69jc0X

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b96d04f518f6de20d520db2138c468f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b96d04f518f6de20d520db2138c468f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apeknk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe

Executes dropped EXE 23 IoCs

pid	Process
3436	Gpolbo32.exe
4012	Iolhkh32.exe
4236	Jhnojl32.exe
1292	Mapppn32.exe
208	Ookoaokf.exe
4640	Oifppdpd.exe
4992	Omdieb32.exe
3296	Pfojdh32.exe
644	Ppikbm32.exe
864	Pbjddh32.exe
2172	Apeknk32.exe
2408	Abjmkf32.exe
2288	Bfkbfd32.exe
4868	Bfolacnc.exe
4976	Bkmeha32.exe
448	Cbkfbcpb.exe
1792	Cmbgdl32.exe
4628	Dkpjdo32.exe
840	Dpalgenf.exe
1240	Famhmfkl.exe
1392	Fcpakn32.exe
1400	Fgqgfl32.exe
4120	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Famhmfkl.exe
File opened for modification	C:\Windows\SysWOW64\Gpolbo32.exe	b96d04f518f6de20d520db2138c468f4.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Mapppn32.exe
File created	C:\Windows\SysWOW64\Gejqna32.dll	Ookoaokf.exe
File opened for modification	C:\Windows\SysWOW64\Abjmkf32.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Kbpkkeen.dll	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Khokadah.dll	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Ookoaokf.exe	Mapppn32.exe
File created	C:\Windows\SysWOW64\Kjmgil32.dll	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkbfd32.exe	Abjmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Iolhkh32.exe	Gpolbo32.exe
File created	C:\Windows\SysWOW64\Mapppn32.exe	Jhnojl32.exe
File opened for modification	C:\Windows\SysWOW64\Mapppn32.exe	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Ookoaokf.exe
File opened for modification	C:\Windows\SysWOW64\Pfojdh32.exe	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Pbjddh32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Iolhkh32.exe	Gpolbo32.exe
File opened for modification	C:\Windows\SysWOW64\Oifppdpd.exe	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Dkpjdo32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Ppikbm32.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Dpalgenf.exe	Dkpjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Dkpjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Omdieb32.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Gflonn32.dll	Oifppdpd.exe
File opened for modification	C:\Windows\SysWOW64\Bkmeha32.exe	Bfolacnc.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Fmbdpnaj.dll	b96d04f518f6de20d520db2138c468f4.exe
File created	C:\Windows\SysWOW64\Laiimcij.dll	Jhnojl32.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Mapppn32.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Abjmkf32.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Bkmeha32.exe	Bfolacnc.exe
File opened for modification	C:\Windows\SysWOW64\Jhnojl32.exe	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Pfojdh32.exe	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Apeknk32.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Apeknk32.exe
File created	C:\Windows\SysWOW64\Abocgb32.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Gpolbo32.exe	b96d04f518f6de20d520db2138c468f4.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Omdieb32.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Apeknk32.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pbjddh32.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Abjmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpjdo32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Qgiiak32.dll	Gpolbo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	4120	WerFault.exe	109

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khihgadg.dll"	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laiimcij.dll"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b96d04f518f6de20d520db2138c468f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apeknk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b96d04f518f6de20d520db2138c468f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpldbefn.dll"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll"	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apeknk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b96d04f518f6de20d520db2138c468f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgiiak32.dll"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejeak32.dll"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b96d04f518f6de20d520db2138c468f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmqkimh.dll"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll"	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3436	5096	b96d04f518f6de20d520db2138c468f4.exe	87
PID 5096 wrote to memory of 3436	5096	b96d04f518f6de20d520db2138c468f4.exe	87
PID 5096 wrote to memory of 3436	5096	b96d04f518f6de20d520db2138c468f4.exe	87
PID 3436 wrote to memory of 4012	3436	Gpolbo32.exe	88
PID 3436 wrote to memory of 4012	3436	Gpolbo32.exe	88
PID 3436 wrote to memory of 4012	3436	Gpolbo32.exe	88
PID 4012 wrote to memory of 4236	4012	Iolhkh32.exe	89
PID 4012 wrote to memory of 4236	4012	Iolhkh32.exe	89
PID 4012 wrote to memory of 4236	4012	Iolhkh32.exe	89
PID 4236 wrote to memory of 1292	4236	Jhnojl32.exe	90
PID 4236 wrote to memory of 1292	4236	Jhnojl32.exe	90
PID 4236 wrote to memory of 1292	4236	Jhnojl32.exe	90
PID 1292 wrote to memory of 208	1292	Mapppn32.exe	91
PID 1292 wrote to memory of 208	1292	Mapppn32.exe	91
PID 1292 wrote to memory of 208	1292	Mapppn32.exe	91
PID 208 wrote to memory of 4640	208	Ookoaokf.exe	92
PID 208 wrote to memory of 4640	208	Ookoaokf.exe	92
PID 208 wrote to memory of 4640	208	Ookoaokf.exe	92
PID 4640 wrote to memory of 4992	4640	Oifppdpd.exe	93
PID 4640 wrote to memory of 4992	4640	Oifppdpd.exe	93
PID 4640 wrote to memory of 4992	4640	Oifppdpd.exe	93
PID 4992 wrote to memory of 3296	4992	Omdieb32.exe	94
PID 4992 wrote to memory of 3296	4992	Omdieb32.exe	94
PID 4992 wrote to memory of 3296	4992	Omdieb32.exe	94
PID 3296 wrote to memory of 644	3296	Pfojdh32.exe	95
PID 3296 wrote to memory of 644	3296	Pfojdh32.exe	95
PID 3296 wrote to memory of 644	3296	Pfojdh32.exe	95
PID 644 wrote to memory of 864	644	Ppikbm32.exe	96
PID 644 wrote to memory of 864	644	Ppikbm32.exe	96
PID 644 wrote to memory of 864	644	Ppikbm32.exe	96
PID 864 wrote to memory of 2172	864	Pbjddh32.exe	97
PID 864 wrote to memory of 2172	864	Pbjddh32.exe	97
PID 864 wrote to memory of 2172	864	Pbjddh32.exe	97
PID 2172 wrote to memory of 2408	2172	Apeknk32.exe	98
PID 2172 wrote to memory of 2408	2172	Apeknk32.exe	98
PID 2172 wrote to memory of 2408	2172	Apeknk32.exe	98
PID 2408 wrote to memory of 2288	2408	Abjmkf32.exe	99
PID 2408 wrote to memory of 2288	2408	Abjmkf32.exe	99
PID 2408 wrote to memory of 2288	2408	Abjmkf32.exe	99
PID 2288 wrote to memory of 4868	2288	Bfkbfd32.exe	100
PID 2288 wrote to memory of 4868	2288	Bfkbfd32.exe	100
PID 2288 wrote to memory of 4868	2288	Bfkbfd32.exe	100
PID 4868 wrote to memory of 4976	4868	Bfolacnc.exe	101
PID 4868 wrote to memory of 4976	4868	Bfolacnc.exe	101
PID 4868 wrote to memory of 4976	4868	Bfolacnc.exe	101
PID 4976 wrote to memory of 448	4976	Bkmeha32.exe	102
PID 4976 wrote to memory of 448	4976	Bkmeha32.exe	102
PID 4976 wrote to memory of 448	4976	Bkmeha32.exe	102
PID 448 wrote to memory of 1792	448	Cbkfbcpb.exe	103
PID 448 wrote to memory of 1792	448	Cbkfbcpb.exe	103
PID 448 wrote to memory of 1792	448	Cbkfbcpb.exe	103
PID 1792 wrote to memory of 4628	1792	Cmbgdl32.exe	104
PID 1792 wrote to memory of 4628	1792	Cmbgdl32.exe	104
PID 1792 wrote to memory of 4628	1792	Cmbgdl32.exe	104
PID 4628 wrote to memory of 840	4628	Dkpjdo32.exe	105
PID 4628 wrote to memory of 840	4628	Dkpjdo32.exe	105
PID 4628 wrote to memory of 840	4628	Dkpjdo32.exe	105
PID 840 wrote to memory of 1240	840	Dpalgenf.exe	106
PID 840 wrote to memory of 1240	840	Dpalgenf.exe	106
PID 840 wrote to memory of 1240	840	Dpalgenf.exe	106
PID 1240 wrote to memory of 1392	1240	Famhmfkl.exe	107
PID 1240 wrote to memory of 1392	1240	Famhmfkl.exe	107
PID 1240 wrote to memory of 1392	1240	Famhmfkl.exe	107
PID 1392 wrote to memory of 1400	1392	Fcpakn32.exe	108

C:\Users\Admin\AppData\Local\Temp\b96d04f518f6de20d520db2138c468f4.exe
"C:\Users\Admin\AppData\Local\Temp\b96d04f518f6de20d520db2138c468f4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\Gpolbo32.exe
  C:\Windows\system32\Gpolbo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\Iolhkh32.exe
    C:\Windows\system32\Iolhkh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\SysWOW64\Jhnojl32.exe
      C:\Windows\system32\Jhnojl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        24⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 412
        25⤵
        Program crash
        
        PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4120 -ip 4120
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
96KB

MD5
d4df670c6f078b98d56c892917411980

SHA1
3579fc6c5500cead754ded8f72493d1ae4521c85

SHA256
2e88338c40a1b4aa91cd28ff5425ebfcb2b07e6a2b5f9e5aced144ec55b8e6f2

SHA512
099111fb9a37504adc2722666ed7b760e47a8bc184c5e4cd8c89c319b11126d109b7c2ea0b149326a995449b1bb21e9d32e04287b188da3c4a7eff75d513e1d9

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
96KB

MD5
d4df670c6f078b98d56c892917411980

SHA1
3579fc6c5500cead754ded8f72493d1ae4521c85

SHA256
2e88338c40a1b4aa91cd28ff5425ebfcb2b07e6a2b5f9e5aced144ec55b8e6f2

SHA512
099111fb9a37504adc2722666ed7b760e47a8bc184c5e4cd8c89c319b11126d109b7c2ea0b149326a995449b1bb21e9d32e04287b188da3c4a7eff75d513e1d9

Download Submit
C:\Windows\SysWOW64\Apeknk32.exe

Filesize
96KB

MD5
03418160d1a2cabe824eb6a7628407bd

SHA1
d57425e915669b3e887fb3a0652baac3dae5cb76

SHA256
ae2024965a454794632170a7616b87d3b6399387f6bc9832cc7c02942d97a816

SHA512
71d1bb1aa157c05206652587b1bdf89f384fe415a1ba3c926c806490d4162a8680a466ffd6d3ef81dabf9563ce540dec200f1ad005ba5480544a466b0d1f6b23

Download Submit
C:\Windows\SysWOW64\Apeknk32.exe

Filesize
96KB

MD5
03418160d1a2cabe824eb6a7628407bd

SHA1
d57425e915669b3e887fb3a0652baac3dae5cb76

SHA256
ae2024965a454794632170a7616b87d3b6399387f6bc9832cc7c02942d97a816

SHA512
71d1bb1aa157c05206652587b1bdf89f384fe415a1ba3c926c806490d4162a8680a466ffd6d3ef81dabf9563ce540dec200f1ad005ba5480544a466b0d1f6b23

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
96KB

MD5
fbe4e06ad9e86ce37b867e2be69944da

SHA1
afee82d7257dcdd4cefa79a136dd337c09698e17

SHA256
93889fcff1f760a5d79857b3b278592686e41b3127e5420f9f91f660afd729dc

SHA512
b791b1b23d900bd24d3f6480fff04dd8e98b6a16dc6654a3ef6288552d8cf8a672ca115c811fce1a82fcf2a99ff1c530dcd8b01cc95df1b4a2ac8b7a6e4c1eb6

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
96KB

MD5
fbe4e06ad9e86ce37b867e2be69944da

SHA1
afee82d7257dcdd4cefa79a136dd337c09698e17

SHA256
93889fcff1f760a5d79857b3b278592686e41b3127e5420f9f91f660afd729dc

SHA512
b791b1b23d900bd24d3f6480fff04dd8e98b6a16dc6654a3ef6288552d8cf8a672ca115c811fce1a82fcf2a99ff1c530dcd8b01cc95df1b4a2ac8b7a6e4c1eb6

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
96KB

MD5
42245858faf605f9b347f8b998d6b621

SHA1
8d6043c2ebc6cd7f67e5c13e1f6870d22b5fee53

SHA256
cc650d444a95c9538566b9eba1f5dc8c510999a59f79da26e6ead2aac3e102e7

SHA512
30e94b383cf8931fcf43671fe6c609f57832a7562a7e063a22f8853f9fa360e95515caa484a99cdecaf3aca67470f81fbd54bcaa8c8d13d82f5e54db0300dd87

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
96KB

MD5
42245858faf605f9b347f8b998d6b621

SHA1
8d6043c2ebc6cd7f67e5c13e1f6870d22b5fee53

SHA256
cc650d444a95c9538566b9eba1f5dc8c510999a59f79da26e6ead2aac3e102e7

SHA512
30e94b383cf8931fcf43671fe6c609f57832a7562a7e063a22f8853f9fa360e95515caa484a99cdecaf3aca67470f81fbd54bcaa8c8d13d82f5e54db0300dd87

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
96KB

MD5
da25d3716fddc5eba44c2309fcc8769d

SHA1
c42ca24e6157672b1951ee87f8c3bcd0a4bc80e3

SHA256
78d7b25584a7d21fcf751f870cc01f2621de1e9458abe6de8d723b094e7fb443

SHA512
0a25ceb964ad84dd033c1c5d6c3a356c89de77c2cbc15d610677a848303bcdbee7aee385058e844acc0756327a38881668b2511d86b32b23817f85af8c003a03

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
96KB

MD5
da25d3716fddc5eba44c2309fcc8769d

SHA1
c42ca24e6157672b1951ee87f8c3bcd0a4bc80e3

SHA256
78d7b25584a7d21fcf751f870cc01f2621de1e9458abe6de8d723b094e7fb443

SHA512
0a25ceb964ad84dd033c1c5d6c3a356c89de77c2cbc15d610677a848303bcdbee7aee385058e844acc0756327a38881668b2511d86b32b23817f85af8c003a03

Download Submit
C:\Windows\SysWOW64\Bpldbefn.dll

Filesize
7KB

MD5
3e6ce6d93fd8d5eb2e78e684f72a1347

SHA1
f287c89d6bebfb49fddbf05ef2c0d48b5359325d

SHA256
42f6fb6049cc44b69e72f9157fb795a6f3498b3ce40bb3fc196f267a925d08b4

SHA512
8381a8893cab80021f2396ad653b5a899c6e4ff589560b5980ca606c39888f8cdce765db85eb7f3b2d3c91161f8672507844e692d7238428cde83c4aea2ab691

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
96KB

MD5
761320937b6e8d4a7fc06e5c8fd51b12

SHA1
11083e225d88b89571f568c04e1f5abbff2fc0ef

SHA256
dd69c7ceccaca725cd2e740b8464cd8a5d3051248b3a1f49a19ad745e4be0fad

SHA512
7c687c1644ac0ca2467dc180b8ba7a0c2e9936744347af0088477a574ae8ce2fab5847748b2261674276b6b89397f9ba96e93611d641781391023363ec8063db

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
96KB

MD5
761320937b6e8d4a7fc06e5c8fd51b12

SHA1
11083e225d88b89571f568c04e1f5abbff2fc0ef

SHA256
dd69c7ceccaca725cd2e740b8464cd8a5d3051248b3a1f49a19ad745e4be0fad

SHA512
7c687c1644ac0ca2467dc180b8ba7a0c2e9936744347af0088477a574ae8ce2fab5847748b2261674276b6b89397f9ba96e93611d641781391023363ec8063db

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
96KB

MD5
2acb63586deadc4280487c0574ca33c6

SHA1
c60dd0d45ebdc9b97b165069def8ec1203aae6c3

SHA256
f5ac5bae5d0ce710aa3c24d806a443d829dc40056903623d581ee798843b8e7e

SHA512
cb17f27af4d756b83fdd9d06f5c84dca3e2d8062dcec4409947996b331618de5b8cc6446d500c41b62335a50a9f3f1b5f7e0be8ffb468eaa0ae97fc060f33884

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
96KB

MD5
2acb63586deadc4280487c0574ca33c6

SHA1
c60dd0d45ebdc9b97b165069def8ec1203aae6c3

SHA256
f5ac5bae5d0ce710aa3c24d806a443d829dc40056903623d581ee798843b8e7e

SHA512
cb17f27af4d756b83fdd9d06f5c84dca3e2d8062dcec4409947996b331618de5b8cc6446d500c41b62335a50a9f3f1b5f7e0be8ffb468eaa0ae97fc060f33884

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
96KB

MD5
f9427432a30281c3bfb0e6fd0eca3774

SHA1
131bf798c0550ab34b329c113801efb790cb78d5

SHA256
afd44d373ffb02fa9c4ed0cb929baa71044f6927cd92166dd479e7e8c59c646d

SHA512
b58a4a774e56a04aee7ff63236ba86f00c770c0c7c687ee8948c7badd5f3b8ccdea3a0f78388b96262cdc9cb49c3df72f242001ab62d85f4a2b117f9463c1279

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
96KB

MD5
f9427432a30281c3bfb0e6fd0eca3774

SHA1
131bf798c0550ab34b329c113801efb790cb78d5

SHA256
afd44d373ffb02fa9c4ed0cb929baa71044f6927cd92166dd479e7e8c59c646d

SHA512
b58a4a774e56a04aee7ff63236ba86f00c770c0c7c687ee8948c7badd5f3b8ccdea3a0f78388b96262cdc9cb49c3df72f242001ab62d85f4a2b117f9463c1279

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
96KB

MD5
7132dafbb691d95b8eff84ee7334c515

SHA1
d6e74b7e253202828e3d28d035a8e641a6b4fe18

SHA256
ddd177f5f7f2f25dfc212eb74f2e6721ac22fbebd873ab89677ea39c7bb16a5d

SHA512
937b97474935fcc8c9fe9ddbac92ab8a91285ab1cf261d93664fc7ef007ada33c08fba9f1cc7bf22ce94dbd073ee5197db56950fbaadcd15720d4100241a37ee

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
96KB

MD5
7132dafbb691d95b8eff84ee7334c515

SHA1
d6e74b7e253202828e3d28d035a8e641a6b4fe18

SHA256
ddd177f5f7f2f25dfc212eb74f2e6721ac22fbebd873ab89677ea39c7bb16a5d

SHA512
937b97474935fcc8c9fe9ddbac92ab8a91285ab1cf261d93664fc7ef007ada33c08fba9f1cc7bf22ce94dbd073ee5197db56950fbaadcd15720d4100241a37ee

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
96KB

MD5
13d6f32cee94883adbd04676a238e374

SHA1
2c90a86690778bf5ac2a9b1a8a38fbe9f1a6c5b8

SHA256
cf135b6a1c2f0f13da728df705e30ed707ee82b042d254a9b382c1bed508ef05

SHA512
35af215618967f1264fd33ec09514a7753cdbd6e33ff56bcf63469d88e6a938f20ce9b6f2ac6421f064b4113b750ab6d2ac612bbe2cc627876064d4c69ac07fe

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
96KB

MD5
13d6f32cee94883adbd04676a238e374

SHA1
2c90a86690778bf5ac2a9b1a8a38fbe9f1a6c5b8

SHA256
cf135b6a1c2f0f13da728df705e30ed707ee82b042d254a9b382c1bed508ef05

SHA512
35af215618967f1264fd33ec09514a7753cdbd6e33ff56bcf63469d88e6a938f20ce9b6f2ac6421f064b4113b750ab6d2ac612bbe2cc627876064d4c69ac07fe

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
96KB

MD5
308e370b7995043239e5dbf9a6776679

SHA1
290dea48c6de53d3e813028ab879e14370f51703

SHA256
ea39a9bf95071bee5e8a319e2ea3932388afe9bf527298eba4ba21474fc44081

SHA512
04c8b5ef9b7b92f9ed606bebfef9e9c82aa34eb768de9d5f3376dc64413f7db301f36bf3d243a79bb295d5c39d9e55680199c7ea9702721009d8dcb5634290a0

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
96KB

MD5
308e370b7995043239e5dbf9a6776679

SHA1
290dea48c6de53d3e813028ab879e14370f51703

SHA256
ea39a9bf95071bee5e8a319e2ea3932388afe9bf527298eba4ba21474fc44081

SHA512
04c8b5ef9b7b92f9ed606bebfef9e9c82aa34eb768de9d5f3376dc64413f7db301f36bf3d243a79bb295d5c39d9e55680199c7ea9702721009d8dcb5634290a0

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
96KB

MD5
1edb14485f00f440811936a741e40ce1

SHA1
284a777ef3d7a169f9e50825048af95268cdaa60

SHA256
a130e03e3dd2cbc2b52362dc39d5bbca494956eb82a2d85766842fe56148170d

SHA512
c0f5449d9da6b50d645adb632c0bd7dfed3f82a05955f7bb922f3da7995e126cfb13ef8d9dd40e5dc8623dd6c780becec48c34900f4d9a2cb682ebbe4268ee7f

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
96KB

MD5
1edb14485f00f440811936a741e40ce1

SHA1
284a777ef3d7a169f9e50825048af95268cdaa60

SHA256
a130e03e3dd2cbc2b52362dc39d5bbca494956eb82a2d85766842fe56148170d

SHA512
c0f5449d9da6b50d645adb632c0bd7dfed3f82a05955f7bb922f3da7995e126cfb13ef8d9dd40e5dc8623dd6c780becec48c34900f4d9a2cb682ebbe4268ee7f

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
96KB

MD5
1edb14485f00f440811936a741e40ce1

SHA1
284a777ef3d7a169f9e50825048af95268cdaa60

SHA256
a130e03e3dd2cbc2b52362dc39d5bbca494956eb82a2d85766842fe56148170d

SHA512
c0f5449d9da6b50d645adb632c0bd7dfed3f82a05955f7bb922f3da7995e126cfb13ef8d9dd40e5dc8623dd6c780becec48c34900f4d9a2cb682ebbe4268ee7f

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
96KB

MD5
dc01c25b7d378ac940e8da205d2af3a5

SHA1
f6f37dd98c3d055cc548f2422a70fbaa9edea379

SHA256
215cb62173cb470c530cc68ceb5606d6f8f5d0c15c813380fc3c184cb463eb88

SHA512
0e2b28792eff4cd9023116433025dfee14144d01e760b7c356c55959928a20d1c0813bbabaa941307d55c65bb521bc926f6893016985f9078cbef4816de1e4e9

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
96KB

MD5
dc01c25b7d378ac940e8da205d2af3a5

SHA1
f6f37dd98c3d055cc548f2422a70fbaa9edea379

SHA256
215cb62173cb470c530cc68ceb5606d6f8f5d0c15c813380fc3c184cb463eb88

SHA512
0e2b28792eff4cd9023116433025dfee14144d01e760b7c356c55959928a20d1c0813bbabaa941307d55c65bb521bc926f6893016985f9078cbef4816de1e4e9

Download Submit
C:\Windows\SysWOW64\Gpolbo32.exe

Filesize
96KB

MD5
efd69ae0d5ce9c9d0e5c6443e894ca83

SHA1
34aa13dd7548610cc858baf02a18bae81eb80f3c

SHA256
1b97ad72c4b09023f864a3ffdf893128f877f73e0e46eaf0b5ea17389bf07b3f

SHA512
e58d2fa87edba2e5798d0ec51f3e31eefdc67f158ca3ca0a4b72f56260037b8b780c9ffde49415cd784c953387965943cc47e90684a1d8bc262c31d2aa3bd21a

Download Submit
C:\Windows\SysWOW64\Gpolbo32.exe

Filesize
96KB

MD5
efd69ae0d5ce9c9d0e5c6443e894ca83

SHA1
34aa13dd7548610cc858baf02a18bae81eb80f3c

SHA256
1b97ad72c4b09023f864a3ffdf893128f877f73e0e46eaf0b5ea17389bf07b3f

SHA512
e58d2fa87edba2e5798d0ec51f3e31eefdc67f158ca3ca0a4b72f56260037b8b780c9ffde49415cd784c953387965943cc47e90684a1d8bc262c31d2aa3bd21a

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
96KB

MD5
534bccf5290ea8d22519778795d00125

SHA1
ba33fe8c81944b73bf26cb0b397985b372f2c2a8

SHA256
76444c909d4baf9dcc737c01bfa11953467d572c558fcd06979bb467b3ee3bdd

SHA512
11e01dca4d7d9d1c223e1bf702731aa9c6202f5791d20c447534924431bcec4979361b76a1aa39e5d84f909b24e7c104b993cfa104728bb62b5a81d2c09224ef

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
96KB

MD5
534bccf5290ea8d22519778795d00125

SHA1
ba33fe8c81944b73bf26cb0b397985b372f2c2a8

SHA256
76444c909d4baf9dcc737c01bfa11953467d572c558fcd06979bb467b3ee3bdd

SHA512
11e01dca4d7d9d1c223e1bf702731aa9c6202f5791d20c447534924431bcec4979361b76a1aa39e5d84f909b24e7c104b993cfa104728bb62b5a81d2c09224ef

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
96KB

MD5
964f9bc76b9ab8bd3e4acffd9028822e

SHA1
45c8089b4c2fd7b57f0da8d58f954f9d0c4f05ea

SHA256
b1941c648e89734b72aea3fe4a0ed12d683c71d17dea794990556515f8a986e5

SHA512
fe4de1cb22dc9182a4cfe8d6ee6fb8fea18c8529a0dd9d85d540b85de7b34cfb57f44427a34a0cbfb3e50b724e9a51f0afec2f7d88cbfc462cc750cf8a51a804

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
96KB

MD5
964f9bc76b9ab8bd3e4acffd9028822e

SHA1
45c8089b4c2fd7b57f0da8d58f954f9d0c4f05ea

SHA256
b1941c648e89734b72aea3fe4a0ed12d683c71d17dea794990556515f8a986e5

SHA512
fe4de1cb22dc9182a4cfe8d6ee6fb8fea18c8529a0dd9d85d540b85de7b34cfb57f44427a34a0cbfb3e50b724e9a51f0afec2f7d88cbfc462cc750cf8a51a804

Download Submit
C:\Windows\SysWOW64\Mapppn32.exe

Filesize
96KB

MD5
964f9bc76b9ab8bd3e4acffd9028822e

SHA1
45c8089b4c2fd7b57f0da8d58f954f9d0c4f05ea

SHA256
b1941c648e89734b72aea3fe4a0ed12d683c71d17dea794990556515f8a986e5

SHA512
fe4de1cb22dc9182a4cfe8d6ee6fb8fea18c8529a0dd9d85d540b85de7b34cfb57f44427a34a0cbfb3e50b724e9a51f0afec2f7d88cbfc462cc750cf8a51a804

Download Submit
C:\Windows\SysWOW64\Mapppn32.exe

Filesize
96KB

MD5
9639b952a281b424dd3c7ede4e5b2acd

SHA1
40ceb6e32e82aff76cb5423f409cfe9aca393df1

SHA256
7d5a1b7c19686533147a88ebdc1894f6b30fe5209623174a16ab67c4f9f06ee4

SHA512
401bc9783a3bd054cb2967182beecc37bcb942a6fb1e6bd02b5e1f4ec87e048dd5a70259d856d869666e0a7b4883f4dac17cf3a46127530669681663b2c568a4

Download Submit
C:\Windows\SysWOW64\Mapppn32.exe

Filesize
96KB

MD5
9639b952a281b424dd3c7ede4e5b2acd

SHA1
40ceb6e32e82aff76cb5423f409cfe9aca393df1

SHA256
7d5a1b7c19686533147a88ebdc1894f6b30fe5209623174a16ab67c4f9f06ee4

SHA512
401bc9783a3bd054cb2967182beecc37bcb942a6fb1e6bd02b5e1f4ec87e048dd5a70259d856d869666e0a7b4883f4dac17cf3a46127530669681663b2c568a4

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
96KB

MD5
d5c03c63dad9e2bd1afba7ea708f663a

SHA1
fbf477f4d03d365595d91e7283744c02490d1e66

SHA256
01ac7680b9b911241dee729fa1b20e99fa3a100ec515841f3465758aa816bb00

SHA512
bb4fa84c81649988b0e280d8ab59d8a13db7bf0f3c030947856a5f3427ca20af77045e625accd52b619fd12b7f50914095176b572616b16dd3e10252e2315811

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
96KB

MD5
d5c03c63dad9e2bd1afba7ea708f663a

SHA1
fbf477f4d03d365595d91e7283744c02490d1e66

SHA256
01ac7680b9b911241dee729fa1b20e99fa3a100ec515841f3465758aa816bb00

SHA512
bb4fa84c81649988b0e280d8ab59d8a13db7bf0f3c030947856a5f3427ca20af77045e625accd52b619fd12b7f50914095176b572616b16dd3e10252e2315811

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
96KB

MD5
c03facc7f34c4a17ff3375f24c2e7b4e

SHA1
5d6aa23edc9b3511d497a08dd593355aa6079184

SHA256
eda5d6497cf96dde4f40588682c043782da68e79d20b29d70e8e8748a231adab

SHA512
2c8d7acb1daeb1ce1c06e7906fdd63407c6343b6fd28d385940f010f4a1e76881450b5c7efbfb9cd6b710cd39ecc16ca20e4b759b64ad72630aa321ef8d166b4

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
96KB

MD5
c03facc7f34c4a17ff3375f24c2e7b4e

SHA1
5d6aa23edc9b3511d497a08dd593355aa6079184

SHA256
eda5d6497cf96dde4f40588682c043782da68e79d20b29d70e8e8748a231adab

SHA512
2c8d7acb1daeb1ce1c06e7906fdd63407c6343b6fd28d385940f010f4a1e76881450b5c7efbfb9cd6b710cd39ecc16ca20e4b759b64ad72630aa321ef8d166b4

Download Submit
C:\Windows\SysWOW64\Ookoaokf.exe

Filesize
96KB

MD5
df857b43822fa1628a55bfd4d8438e54

SHA1
9ff8c02916a656cb4486b5e187956e033571e189

SHA256
1e083698f7f14b6d5b37d4a2446aced9f57b6aad14179a53e3a398c57e3ebc95

SHA512
ca06f1c0e61018bc03e73bd22d2072c89080dccf286d8334b1fd612cfb76be360fd0a57d105bf85030451da71807ea26d8185c10fa8c3fa8a31cec4b72a2284d

Download Submit
C:\Windows\SysWOW64\Ookoaokf.exe

Filesize
96KB

MD5
df857b43822fa1628a55bfd4d8438e54

SHA1
9ff8c02916a656cb4486b5e187956e033571e189

SHA256
1e083698f7f14b6d5b37d4a2446aced9f57b6aad14179a53e3a398c57e3ebc95

SHA512
ca06f1c0e61018bc03e73bd22d2072c89080dccf286d8334b1fd612cfb76be360fd0a57d105bf85030451da71807ea26d8185c10fa8c3fa8a31cec4b72a2284d

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
96KB

MD5
40fb8520de0073d0c74d29e45f2a99c7

SHA1
29768606bd8499ef00bcd8ab0126462e40503a71

SHA256
cf248647d60dafddf6142e7c30b47769061b2b95d122432d928c9af8fe6ca650

SHA512
2a60d3be00abae63fd199520f9a048ab14f58efd842f5815efd2d536cb1f6410ab4b08f3e51b02ccaec6244f65b59dd3d91ddb8e48a8bec5dcab7a5656ef0581

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
96KB

MD5
ebceb5e517dc177eddc8ad0e8e7d0467

SHA1
4b3f157b634c31899ced85a051af7b11b6a85056

SHA256
7d45e977f5589f78ce58862af634cd758ddb19bab35153a7242a145f856e9739

SHA512
a2954f300ff0e8dda491070b261b5f417b6ef84086415b9a83dfedddaef27e6362fd4f959f799e4bb6004c4ee8ab29d079e63a81d218c2ffbf5a46bb011f5d80

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
96KB

MD5
ebceb5e517dc177eddc8ad0e8e7d0467

SHA1
4b3f157b634c31899ced85a051af7b11b6a85056

SHA256
7d45e977f5589f78ce58862af634cd758ddb19bab35153a7242a145f856e9739

SHA512
a2954f300ff0e8dda491070b261b5f417b6ef84086415b9a83dfedddaef27e6362fd4f959f799e4bb6004c4ee8ab29d079e63a81d218c2ffbf5a46bb011f5d80

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
96KB

MD5
1879f55055139f7ba523b7861ce4b235

SHA1
df775c260f177b50c48a7f97ce7fbdd2e0394f69

SHA256
463c5777d70cf4fd6d58cebc1497f2aa8876c93afe98d8ab72a3c478bb1121b3

SHA512
c0881640b3b95a0676cfe564ac6830673d7a0af4c0a3a1c79424df9dacd9efc3803e932d9f2bb6a6818c52d62eb2adc2db703f7b642940ee9a0c74cbe4399e68

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
96KB

MD5
1879f55055139f7ba523b7861ce4b235

SHA1
df775c260f177b50c48a7f97ce7fbdd2e0394f69

SHA256
463c5777d70cf4fd6d58cebc1497f2aa8876c93afe98d8ab72a3c478bb1121b3

SHA512
c0881640b3b95a0676cfe564ac6830673d7a0af4c0a3a1c79424df9dacd9efc3803e932d9f2bb6a6818c52d62eb2adc2db703f7b642940ee9a0c74cbe4399e68

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
96KB

MD5
40fb8520de0073d0c74d29e45f2a99c7

SHA1
29768606bd8499ef00bcd8ab0126462e40503a71

SHA256
cf248647d60dafddf6142e7c30b47769061b2b95d122432d928c9af8fe6ca650

SHA512
2a60d3be00abae63fd199520f9a048ab14f58efd842f5815efd2d536cb1f6410ab4b08f3e51b02ccaec6244f65b59dd3d91ddb8e48a8bec5dcab7a5656ef0581

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
96KB

MD5
40fb8520de0073d0c74d29e45f2a99c7

SHA1
29768606bd8499ef00bcd8ab0126462e40503a71

SHA256
cf248647d60dafddf6142e7c30b47769061b2b95d122432d928c9af8fe6ca650

SHA512
2a60d3be00abae63fd199520f9a048ab14f58efd842f5815efd2d536cb1f6410ab4b08f3e51b02ccaec6244f65b59dd3d91ddb8e48a8bec5dcab7a5656ef0581

Download Submit
memory/208-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/208-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/840-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/840-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1240-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1240-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1292-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1292-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1392-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1392-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1400-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1400-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3296-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3296-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3436-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3436-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4012-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4012-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4236-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4236-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4628-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4628-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4976-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4976-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads