beb831741206b0c476ae9ab7037a8355076ad894ca7190048f88aa4636900619

Analysis

max time kernel
181s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8c9cd78e052d8b8c17621a7a3275d2.exe
Size

112KB
MD5

3e8c9cd78e052d8b8c17621a7a3275d2
SHA1

8ba5b42541efdb13cc4e151553ee002205c41ccd
SHA256

beb831741206b0c476ae9ab7037a8355076ad894ca7190048f88aa4636900619
SHA512

360424a1715203ffd81b91e71f72d953a9df30281a00ddac41beb360ecaa40a69c919b09b17b2efb9609a61792370bcd13a4d9175424288ca261167f75c0301b
SSDEEP

3072:pzzFsQC2AFG/qNRUHrjwrmhaR5sS+vfv:lzSBS/kULsrmharSv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfnmhnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfbhflj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pddmml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpnppap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnjfefo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlafaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glbapoqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Donecfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jknocljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngoddkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjljd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aefcif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojgikg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pddmml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlkbka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idnfal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcihgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlafaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3e8c9cd78e052d8b8c17621a7a3275d2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpcmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpcmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjljd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbdni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcppogqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhqdhnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmggj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcokpln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhqdhnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbekgknb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npabeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npabeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngoddkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Donecfao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfnmhnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3e8c9cd78e052d8b8c17621a7a3275d2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfniikha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdophj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kanffogf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbocng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkqpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfniikha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpbaga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlkbka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeiedhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkqpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmglbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbdni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpbaga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfbhflj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmglbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdgn32.exe

Executes dropped EXE 50 IoCs

pid	Process
2708	Bbalaoda.exe
2168	Bmfqngcg.exe
1516	Bfoegm32.exe
1248	Bimach32.exe
2412	Donecfao.exe
2192	Hfniikha.exe
2668	Lfaqcclf.exe
2092	Djmima32.exe
4904	Glbapoqh.exe
3996	Mpbaga32.exe
4584	Bdfnmhnj.exe
4608	Bidlqhgc.exe
4356	Jddggb32.exe
1728	Jknocljn.exe
2108	Qlkbka32.exe
2768	Qbekgknb.exe
3020	Aefcif32.exe
1872	Bbhqdhnm.exe
3608	Ibojgikg.exe
3532	Ijfbhflj.exe
1404	Idnfal32.exe
3160	Jplmglbf.exe
1844	Jfffcf32.exe
2380	Jmpnppap.exe
3588	Jdjfmjhm.exe
4436	Kanffogf.exe
3456	Kbocng32.exe
768	Kmegkp32.exe
2652	Kdophj32.exe
632	Kgmlde32.exe
3964	Kilhqq32.exe
4396	Hbnjfefo.exe
4220	Npabeq32.exe
4184	Ngkjbkem.exe
2536	Npcokpln.exe
3632	Ngmggj32.exe
2428	Nngoddkg.exe
544	Npfkqpjk.exe
3104	Ngpcmj32.exe
2876	Nnjljd32.exe
4500	Oqakln32.exe
1616	Ogkcihgj.exe
4620	Onekeb32.exe
784	Ocbdni32.exe
4632	Oqfdgn32.exe
392	Pddmml32.exe
3048	Pfeiedhm.exe
2364	Pnlafaio.exe
2036	Qcppogqo.exe
5116	Qfolkcpb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bbalaoda.exe	3e8c9cd78e052d8b8c17621a7a3275d2.exe
File created	C:\Windows\SysWOW64\Djmima32.exe	Lfaqcclf.exe
File opened for modification	C:\Windows\SysWOW64\Mpbaga32.exe	Glbapoqh.exe
File opened for modification	C:\Windows\SysWOW64\Ibojgikg.exe	Bbhqdhnm.exe
File created	C:\Windows\SysWOW64\Kdophj32.exe	Kmegkp32.exe
File created	C:\Windows\SysWOW64\Edijfd32.dll	Qbekgknb.exe
File opened for modification	C:\Windows\SysWOW64\Kilhqq32.exe	Kgmlde32.exe
File created	C:\Windows\SysWOW64\Idcdeb32.dll	3e8c9cd78e052d8b8c17621a7a3275d2.exe
File created	C:\Windows\SysWOW64\Pmboib32.dll	Qlkbka32.exe
File opened for modification	C:\Windows\SysWOW64\Bbhqdhnm.exe	Aefcif32.exe
File created	C:\Windows\SysWOW64\Ibojgikg.exe	Bbhqdhnm.exe
File created	C:\Windows\SysWOW64\Cedidk32.dll	Onekeb32.exe
File created	C:\Windows\SysWOW64\Donecfao.exe	Bimach32.exe
File created	C:\Windows\SysWOW64\Qbekgknb.exe	Qlkbka32.exe
File opened for modification	C:\Windows\SysWOW64\Aefcif32.exe	Qbekgknb.exe
File opened for modification	C:\Windows\SysWOW64\Kanffogf.exe	Jdjfmjhm.exe
File created	C:\Windows\SysWOW64\Npfkqpjk.exe	Nngoddkg.exe
File opened for modification	C:\Windows\SysWOW64\Onekeb32.exe	Ogkcihgj.exe
File created	C:\Windows\SysWOW64\Agdghm32.dll	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Cghdlppn.dll	Jfffcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegkp32.exe	Kbocng32.exe
File created	C:\Windows\SysWOW64\Kilhqq32.exe	Kgmlde32.exe
File created	C:\Windows\SysWOW64\Ngkjbkem.exe	Npabeq32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkqpjk.exe	Nngoddkg.exe
File created	C:\Windows\SysWOW64\Onekeb32.exe	Ogkcihgj.exe
File created	C:\Windows\SysWOW64\Pddmml32.exe	Oqfdgn32.exe
File created	C:\Windows\SysWOW64\Bbhqdhnm.exe	Aefcif32.exe
File created	C:\Windows\SysWOW64\Knpodbbl.dll	Ijfbhflj.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcihgj.exe	Oqakln32.exe
File created	C:\Windows\SysWOW64\Bmfqngcg.exe	Bbalaoda.exe
File created	C:\Windows\SysWOW64\Ijfbhflj.exe	Ibojgikg.exe
File opened for modification	C:\Windows\SysWOW64\Idnfal32.exe	Ijfbhflj.exe
File opened for modification	C:\Windows\SysWOW64\Kbocng32.exe	Kanffogf.exe
File created	C:\Windows\SysWOW64\Kgmlde32.exe	Kdophj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbdni32.exe	Onekeb32.exe
File created	C:\Windows\SysWOW64\Jfffcf32.exe	Jplmglbf.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdgn32.exe	Ocbdni32.exe
File opened for modification	C:\Windows\SysWOW64\Bfoegm32.exe	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Eapccljk.dll	Bimach32.exe
File opened for modification	C:\Windows\SysWOW64\Lfaqcclf.exe	Hfniikha.exe
File created	C:\Windows\SysWOW64\Kgcqil32.dll	Bbhqdhnm.exe
File opened for modification	C:\Windows\SysWOW64\Nngoddkg.exe	Ngmggj32.exe
File created	C:\Windows\SysWOW64\Qdpjqijp.dll	Ngmggj32.exe
File opened for modification	C:\Windows\SysWOW64\Hfniikha.exe	Donecfao.exe
File opened for modification	C:\Windows\SysWOW64\Jknocljn.exe	Jddggb32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfbhflj.exe	Ibojgikg.exe
File created	C:\Windows\SysWOW64\Lckmpaek.dll	Idnfal32.exe
File created	C:\Windows\SysWOW64\Incclnha.dll	Ogkcihgj.exe
File created	C:\Windows\SysWOW64\Dbkfia32.dll	Kdophj32.exe
File created	C:\Windows\SysWOW64\Npcokpln.exe	Ngkjbkem.exe
File created	C:\Windows\SysWOW64\Pahdfp32.dll	Npcokpln.exe
File created	C:\Windows\SysWOW64\Oqakln32.exe	Nnjljd32.exe
File opened for modification	C:\Windows\SysWOW64\Oqakln32.exe	Nnjljd32.exe
File created	C:\Windows\SysWOW64\Bfoegm32.exe	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Lcafjf32.dll	Kbocng32.exe
File created	C:\Windows\SysWOW64\Ifihbhkb.dll	Kgmlde32.exe
File created	C:\Windows\SysWOW64\Jececi32.dll	Ocbdni32.exe
File opened for modification	C:\Windows\SysWOW64\Qfolkcpb.exe	Qcppogqo.exe
File opened for modification	C:\Windows\SysWOW64\Bmfqngcg.exe	Bbalaoda.exe
File created	C:\Windows\SysWOW64\Bimach32.exe	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Mpbaga32.exe	Glbapoqh.exe
File created	C:\Windows\SysWOW64\Jknocljn.exe	Jddggb32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpnppap.exe	Jfffcf32.exe
File created	C:\Windows\SysWOW64\Kmegkp32.exe	Kbocng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1692	5116	WerFault.exe	145

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npabeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdbam32.dll"	Oqakln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algaplmg.dll"	Oqfdgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfeiedhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpnppap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmglbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngoddkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3e8c9cd78e052d8b8c17621a7a3275d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necjpgbn.dll"	Hfniikha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjabbqjp.dll"	Aefcif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgepflm.dll"	Kilhqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqakln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedidk32.dll"	Onekeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeqfhai.dll"	Pfeiedhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3e8c9cd78e052d8b8c17621a7a3275d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Donecfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqfkba32.dll"	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaffkdlc.dll"	Npfkqpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjbbk32.dll"	Npabeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdpjqijp.dll"	Ngmggj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcppogqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcqil32.dll"	Bbhqdhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glbapoqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghdlppn.dll"	Jfffcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdophj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jececi32.dll"	Ocbdni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabgl32.dll"	Bfoegm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfniikha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfaqcclf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edijfd32.dll"	Qbekgknb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Donecfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhqdhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqbmf32.dll"	Jplmglbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kanffogf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcokpln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qlkbka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbekgknb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bidlqhgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npabeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihqimfil.dll"	Nngoddkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgopje32.dll"	Glbapoqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necbhj32.dll"	Jmpnppap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcokpln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcihgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolnjhjb.dll"	Jknocljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmglbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aefcif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfmjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnnnj32.dll"	Hbnjfefo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpcmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2708	4280	3e8c9cd78e052d8b8c17621a7a3275d2.exe	90
PID 4280 wrote to memory of 2708	4280	3e8c9cd78e052d8b8c17621a7a3275d2.exe	90
PID 4280 wrote to memory of 2708	4280	3e8c9cd78e052d8b8c17621a7a3275d2.exe	90
PID 2708 wrote to memory of 2168	2708	Bbalaoda.exe	91
PID 2708 wrote to memory of 2168	2708	Bbalaoda.exe	91
PID 2708 wrote to memory of 2168	2708	Bbalaoda.exe	91
PID 2168 wrote to memory of 1516	2168	Bmfqngcg.exe	92
PID 2168 wrote to memory of 1516	2168	Bmfqngcg.exe	92
PID 2168 wrote to memory of 1516	2168	Bmfqngcg.exe	92
PID 1516 wrote to memory of 1248	1516	Bfoegm32.exe	93
PID 1516 wrote to memory of 1248	1516	Bfoegm32.exe	93
PID 1516 wrote to memory of 1248	1516	Bfoegm32.exe	93
PID 1248 wrote to memory of 2412	1248	Bimach32.exe	95
PID 1248 wrote to memory of 2412	1248	Bimach32.exe	95
PID 1248 wrote to memory of 2412	1248	Bimach32.exe	95
PID 2412 wrote to memory of 2192	2412	Donecfao.exe	96
PID 2412 wrote to memory of 2192	2412	Donecfao.exe	96
PID 2412 wrote to memory of 2192	2412	Donecfao.exe	96
PID 2192 wrote to memory of 2668	2192	Hfniikha.exe	97
PID 2192 wrote to memory of 2668	2192	Hfniikha.exe	97
PID 2192 wrote to memory of 2668	2192	Hfniikha.exe	97
PID 2668 wrote to memory of 2092	2668	Lfaqcclf.exe	98
PID 2668 wrote to memory of 2092	2668	Lfaqcclf.exe	98
PID 2668 wrote to memory of 2092	2668	Lfaqcclf.exe	98
PID 2092 wrote to memory of 4904	2092	Djmima32.exe	99
PID 2092 wrote to memory of 4904	2092	Djmima32.exe	99
PID 2092 wrote to memory of 4904	2092	Djmima32.exe	99
PID 4904 wrote to memory of 3996	4904	Glbapoqh.exe	100
PID 4904 wrote to memory of 3996	4904	Glbapoqh.exe	100
PID 4904 wrote to memory of 3996	4904	Glbapoqh.exe	100
PID 3996 wrote to memory of 4584	3996	Mpbaga32.exe	102
PID 3996 wrote to memory of 4584	3996	Mpbaga32.exe	102
PID 3996 wrote to memory of 4584	3996	Mpbaga32.exe	102
PID 4584 wrote to memory of 4608	4584	Bdfnmhnj.exe	103
PID 4584 wrote to memory of 4608	4584	Bdfnmhnj.exe	103
PID 4584 wrote to memory of 4608	4584	Bdfnmhnj.exe	103
PID 4608 wrote to memory of 4356	4608	Bidlqhgc.exe	104
PID 4608 wrote to memory of 4356	4608	Bidlqhgc.exe	104
PID 4608 wrote to memory of 4356	4608	Bidlqhgc.exe	104
PID 4356 wrote to memory of 1728	4356	Jddggb32.exe	105
PID 4356 wrote to memory of 1728	4356	Jddggb32.exe	105
PID 4356 wrote to memory of 1728	4356	Jddggb32.exe	105
PID 1728 wrote to memory of 2108	1728	Jknocljn.exe	106
PID 1728 wrote to memory of 2108	1728	Jknocljn.exe	106
PID 1728 wrote to memory of 2108	1728	Jknocljn.exe	106
PID 2108 wrote to memory of 2768	2108	Qlkbka32.exe	107
PID 2108 wrote to memory of 2768	2108	Qlkbka32.exe	107
PID 2108 wrote to memory of 2768	2108	Qlkbka32.exe	107
PID 2768 wrote to memory of 3020	2768	Qbekgknb.exe	108
PID 2768 wrote to memory of 3020	2768	Qbekgknb.exe	108
PID 2768 wrote to memory of 3020	2768	Qbekgknb.exe	108
PID 3020 wrote to memory of 1872	3020	Aefcif32.exe	109
PID 3020 wrote to memory of 1872	3020	Aefcif32.exe	109
PID 3020 wrote to memory of 1872	3020	Aefcif32.exe	109
PID 1872 wrote to memory of 3608	1872	Bbhqdhnm.exe	110
PID 1872 wrote to memory of 3608	1872	Bbhqdhnm.exe	110
PID 1872 wrote to memory of 3608	1872	Bbhqdhnm.exe	110
PID 3608 wrote to memory of 3532	3608	Ibojgikg.exe	111
PID 3608 wrote to memory of 3532	3608	Ibojgikg.exe	111
PID 3608 wrote to memory of 3532	3608	Ibojgikg.exe	111
PID 3532 wrote to memory of 1404	3532	Ijfbhflj.exe	112
PID 3532 wrote to memory of 1404	3532	Ijfbhflj.exe	112
PID 3532 wrote to memory of 1404	3532	Ijfbhflj.exe	112
PID 1404 wrote to memory of 3160	1404	Idnfal32.exe	113

C:\Users\Admin\AppData\Local\Temp\3e8c9cd78e052d8b8c17621a7a3275d2.exe
"C:\Users\Admin\AppData\Local\Temp\3e8c9cd78e052d8b8c17621a7a3275d2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\Bbalaoda.exe
  C:\Windows\system32\Bbalaoda.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Bmfqngcg.exe
    C:\Windows\system32\Bmfqngcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\Bfoegm32.exe
      C:\Windows\system32\Bfoegm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Windows\SysWOW64\Donecfao.exe
        
        C:\Windows\system32\Donecfao.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Hfniikha.exe
        
        C:\Windows\system32\Hfniikha.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Lfaqcclf.exe
        
        C:\Windows\system32\Lfaqcclf.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Glbapoqh.exe
        
        C:\Windows\system32\Glbapoqh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Mpbaga32.exe
        
        C:\Windows\system32\Mpbaga32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Bdfnmhnj.exe
        
        C:\Windows\system32\Bdfnmhnj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Bidlqhgc.exe
        
        C:\Windows\system32\Bidlqhgc.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Jddggb32.exe
        
        C:\Windows\system32\Jddggb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Jknocljn.exe
        
        C:\Windows\system32\Jknocljn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Qlkbka32.exe
        
        C:\Windows\system32\Qlkbka32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Qbekgknb.exe
        
        C:\Windows\system32\Qbekgknb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Aefcif32.exe
        
        C:\Windows\system32\Aefcif32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Bbhqdhnm.exe
        
        C:\Windows\system32\Bbhqdhnm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ibojgikg.exe
        
        C:\Windows\system32\Ibojgikg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Ijfbhflj.exe
        
        C:\Windows\system32\Ijfbhflj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Idnfal32.exe
        
        C:\Windows\system32\Idnfal32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Jplmglbf.exe
        
        C:\Windows\system32\Jplmglbf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Jfffcf32.exe
        
        C:\Windows\system32\Jfffcf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Jmpnppap.exe
        
        C:\Windows\system32\Jmpnppap.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Jdjfmjhm.exe
        
        C:\Windows\system32\Jdjfmjhm.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Kanffogf.exe
        
        C:\Windows\system32\Kanffogf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Kbocng32.exe
        
        C:\Windows\system32\Kbocng32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Kmegkp32.exe
        
        C:\Windows\system32\Kmegkp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Kdophj32.exe
        
        C:\Windows\system32\Kdophj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Kgmlde32.exe
        
        C:\Windows\system32\Kgmlde32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Kilhqq32.exe
        
        C:\Windows\system32\Kilhqq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Hbnjfefo.exe
        
        C:\Windows\system32\Hbnjfefo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Npabeq32.exe
        
        C:\Windows\system32\Npabeq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Ngkjbkem.exe
        
        C:\Windows\system32\Ngkjbkem.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Npcokpln.exe
        
        C:\Windows\system32\Npcokpln.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ngmggj32.exe
        
        C:\Windows\system32\Ngmggj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Nngoddkg.exe
        
        C:\Windows\system32\Nngoddkg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Npfkqpjk.exe
        
        C:\Windows\system32\Npfkqpjk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ngpcmj32.exe
        
        C:\Windows\system32\Ngpcmj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Nnjljd32.exe
        
        C:\Windows\system32\Nnjljd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Oqakln32.exe
        
        C:\Windows\system32\Oqakln32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Ogkcihgj.exe
        
        C:\Windows\system32\Ogkcihgj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Onekeb32.exe
        
        C:\Windows\system32\Onekeb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Ocbdni32.exe
        
        C:\Windows\system32\Ocbdni32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Oqfdgn32.exe
        
        C:\Windows\system32\Oqfdgn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Pddmml32.exe
        
        C:\Windows\system32\Pddmml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Pfeiedhm.exe
        
        C:\Windows\system32\Pfeiedhm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Pnlafaio.exe
        
        C:\Windows\system32\Pnlafaio.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Qcppogqo.exe
        
        C:\Windows\system32\Qcppogqo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Qfolkcpb.exe
        
        C:\Windows\system32\Qfolkcpb.exe
        51⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 400
        52⤵
        Program crash
        
        PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5116 -ip 5116
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aefcif32.exe

Filesize
112KB

MD5
1973a944eecd92fa996524b1bcafa478

SHA1
2c07a61333c55272e52f2ed1996d191c52a06ae0

SHA256
bc58aed8e6fc020a1bb44afa4616ab6681534b54f35750ab9b16a264d9ad945f

SHA512
823ae80e67dce6d130966b169cd91eb9332bf0422ea441db6f890f28307fa0a04aa5454e4903165e59c81ef737d3a43a885cee89c1cb3764ea422572f2cde12c

Download Submit
C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
112KB

MD5
0a9be0f92c60de5214da9ba2220a5f9f

SHA1
259c58e9c038db67b73596775838e0fb01dbad2b

SHA256
4aa2dbd3e5426e124a0a7c9ad74a29f31591bea35d0e25b7eee6a2fa66ce0300

SHA512
1309871c8dbe2856a4a698aa4f0b383140122ab4a947456cbc85232a3bd654a80f6cfbb0ada942ee0cc941f0ce69ea9315c085b8ce2fe97f073efdf1b30def50

Download Submit
C:\Windows\SysWOW64\Bbhqdhnm.exe

Filesize
112KB

MD5
a272554b406e046a8f414a92ce970812

SHA1
52629c9c3d47b329bf97d082c464b83a1b9e7b98

SHA256
1b7133f1067edae524039701b957419b86f4e6cd1e3dfeb34ea7bdb7abe64af1

SHA512
b58ae0a7a46a9c5164d8a4fb7f87ddf130664464be1699e43c290706fdd86d3229aa2e21180c807104432d9e4fd57c6d2b194ff040d6f53a555c3e19f2d8198b

Download Submit
C:\Windows\SysWOW64\Bdfnmhnj.exe

Filesize
112KB

MD5
9317ca6c9ff7e6d7a1860c192e5665ab

SHA1
736cc60618c4b7defc839d9f3a43941531f2302b

SHA256
3d31a87c73675779c338b128812b11a25c511efb94bb345362aa31b6a21a3ca6

SHA512
25b0645e2e2386da7052db2b8c787ad5edb31642b0c85030fbb2123c7f645acb51f802335b75eb3272cde7912d47c03b4d2c7eb40e89a1ccfcae2494973941e0

Download Submit
C:\Windows\SysWOW64\Bfoegm32.exe

Filesize
112KB

MD5
3a37f3e27dcfbfdf73ad6638e9fe99f0

SHA1
62abc93d6a03ee1afdabd96e63b9580077f85853

SHA256
f6292bd0f9b416eb17cf255a029cbb6348da98f51a91b63f5af20b9c6301ab09

SHA512
699032103555fa968ceb018a560a264b38ab719e31bd1b80585c0d70d0b797a31f0920371c9901136e8d0c21eaff74019bf6a1fbc4edd85e8744f69a329a54e1

Download Submit
C:\Windows\SysWOW64\Bidlqhgc.exe

Filesize
112KB

MD5
97f8c7d8ee4ce54cd032173ac156ce9d

SHA1
ad58320f475d71c384894d715c55ea2ac8c939a4

SHA256
a4f1f5ceb993795dfb987e7169f0ac44945a8eafe0194a31a7895cec4de8241f

SHA512
fe989668e88a3816d606a0a62a344bac40d6013b84a2665ee60994ba10b3ed926450c27f17633dee9329223821d05fb66e6c0b8f32a05f9ae305985778442c81

Download Submit
C:\Windows\SysWOW64\Bimach32.exe

Filesize
112KB

MD5
752ce39a2492a1c3348be5f8cfe784eb

SHA1
bc70cff35d4dd421bb8286dd8406f39ad457811a

SHA256
5148849f028e87cbca231303ded217f0a8198589a2839b79985049b2838fd6b2

SHA512
3b9acddf5c13e10c692e1b89bb98a638a87490635d8282f3b10c0244e6f87a8f22d75acea2f8f2b33d6f344badb7595fed6f63ff998a25a8464eddaa4f3afea8

Download Submit
C:\Windows\SysWOW64\Bmfqngcg.exe

Filesize
112KB

MD5
8cd6239dd1493aaf89ba52e2ffe9e0bd

SHA1
37fedc1b305522fa9e1e43f4970a7c76a237ea33

SHA256
ab3b1375fe99caf7d2180ca3733f63069cfd01d7fbe74b81687ddfbdcda5278b

SHA512
61ca80051f43642ff507bce082b88a6b3cbd418d7fcab4757849330f2526b0a4178350cad606dc8d590f6dc30e2ebf0992ae5251d0778b953841758038b6e4a5

Download Submit
C:\Windows\SysWOW64\Djmima32.exe

Filesize
112KB

MD5
ac25ea7bb9b2abcaf1260c06df9f7192

SHA1
aad19be095c2c85787bf56d2f6b08038e80e30f0

SHA256
e2a1abaa5e44bd336b068ceb8255fc79037d1b8392563139e0b69ef790111b05

SHA512
5d50ea784c1e90e15a33ca6322a063fbf5af7adc01f7136fc84d4759ce579a3f3bc7f77562c54900fa19ea9d08595701966aecd0c9ce01a1d92092f04a97a8c3

Download Submit
C:\Windows\SysWOW64\Donecfao.exe

Filesize
112KB

MD5
0ab6ec23f1455bb94bd4f10b7366e353

SHA1
20f8c8402ea95e892578ab8f5d1cc73fde754219

SHA256
9738e693af10b0900a334b5f26915c057b90c182e267de59e9bcec5b94950041

SHA512
d5c96b018018655ddb1dd442e70d4bd35175560ea140599b1e1611860076c8200b16c3193b834509477ef38d76fbca91e427b199dd59fae6e8c77119586de7a7

Download Submit
C:\Windows\SysWOW64\Glbapoqh.exe

Filesize
112KB

MD5
774cabdab000e482721e559dccaf2913

SHA1
ecd288940c2ab25a51d2251e58e2d7ec8f5dbf51

SHA256
6a28d16365ce2ce3382c915ac95f477bd838408dd968563c475408a344083021

SHA512
1522caee75802bf9c2fcb95ff473020884b0c04ed2d9c0a9723ec9281705b19a69f67f771c5abb3daa883cf00e3d81b36e8254710e4e3491b7d543bf729f830b

Download Submit
C:\Windows\SysWOW64\Hbnjfefo.exe

Filesize
112KB

MD5
ec718bb677006788d45e7c87decead67

SHA1
00155f97266f09774fe5d265e2ea2799c81fa38a

SHA256
72106954c8567e4bb2795bd8a286bb4be6d4cf06774f7c55622f077a034a271d

SHA512
e1b5341a3e946c170f3841aa49d785ea0731b79589acadd4e3d4daf921157cfcca62e399bac9e48759007bc97fc3743c559df9bd98b5471a518e83f55fb61687

Download Submit
C:\Windows\SysWOW64\Hfniikha.exe

Filesize
112KB

MD5
e98bd02eae569fbe53007136fdcdaade

SHA1
ef5f2e9c32e2e0f0748336197f3349ca170ceff5

SHA256
4c4c03b3e9c253ecb9a1f13e4aefb132ed8aedcff21855496dc0e24b95831587

SHA512
485d8049542cc247650435974fc649ca6faf22353935c26d4bab8f79b0199cb38aca1459e0e951f919f14187f78e35e230a96d04cec56203330cf1d9736f75bf

Download Submit
C:\Windows\SysWOW64\Ibojgikg.exe

Filesize
112KB

MD5
ae057c493e9a4a7c88cd16f8116e4595

SHA1
f44fe2480ea90440bb6828b6fbfc5cf8291e9b89

SHA256
958a16e957b2a2394165552bf4b43608beac3a707ee9f94f7afdd672d8a4886a

SHA512
a0a631b52182a74a72f84db797e887671857e7b1d67a6b41ea4bae0c70450c9c176916134afa0093ff68a5ce083129accd8cbfdc09ab8811f4de8e9e0820410f

Download Submit
C:\Windows\SysWOW64\Idnfal32.exe

Filesize
112KB

MD5
b1ca7ee3c89d24dc16b63832392c28ce

SHA1
0e82a28f2e1b162e0fa8cc230def1d640749e607

SHA256
0817d652a9452b946102519bc4e2db2f162f711e59c6435e78abbce8b26a4391

SHA512
52dc6980ad49392d6e5cd308a93820b2694036bf7a860e55b9407644cc8889244e3ef2be282f702367694f29a80e968a0034bd503a8a7152fb4f16e75b15521e

Download Submit
C:\Windows\SysWOW64\Ijfbhflj.exe

Filesize
112KB

MD5
8bc5f1a782ba31943c3e66981b44bd83

SHA1
a668729e0a95094e0b55d44917d71c520cd85f02

SHA256
6cf1c210ac2e0a5a67a268a3dab8346d1f668514cbe0d8657144ab9e10de4f79

SHA512
92fc6770b3aad1e16839279118b06fb73194757fbc455173768d2897f58dcac3d4bef71b7f677bb80f6d42f04e4a180aece80ea14f8fea6c9933c9f1cdf197ff

Download Submit
C:\Windows\SysWOW64\Jddggb32.exe

Filesize
112KB

MD5
54c1a37af2fd4a93654089f2d62afddc

SHA1
4ecde3b829edb6ae2f17bc38a25f6694310ad2d8

SHA256
24d40f394900176742fd35fd310c82a9d888059558efc49d0e030eced642baec

SHA512
66fc29cdcc331d79e935d0372baaea7f6ecdb8a49adb4d936717a8d6ad85eb49998faae38f2f76b78bef30edcebb72d3b24f05726a9755971bc5750c34fe4509

Download Submit
C:\Windows\SysWOW64\Jdjfmjhm.exe

Filesize
112KB

MD5
1008801774f330ad212ba15ef5f3be8b

SHA1
1bc6a46515bce0858e8fc199ee2c8deafc02ab9b

SHA256
327f9dfe3c877cf28084a6816496d7684099aadd9cd363a0369e05162cea4648

SHA512
3d7123f4f282682e6378691967a1e5025f0b489a741c382f50b0d44fd5e767ce7dbe7ad24f7313215eeeb56c55aac5b640d364b700a357e238e5978bf2fdca0c

Download Submit
C:\Windows\SysWOW64\Jfffcf32.exe

Filesize
112KB

MD5
3ac4618641ab926acd5a0ef765701642

SHA1
5e5e1218cbee3838645f5f3c312cc606705d399d

SHA256
02161d7bcead6d56b54f5bb3e511c6694dafd130f43ad2dfb610966fd43d1a42

SHA512
ce3dd8b0e6974964a4be24e934e2f44bab373c2ea67a141433f3cbd74abf4cf509ed90427d6ba2fd3082fac07053e60f641689b90ae7c6c31679600ff4d1d232

Download Submit
C:\Windows\SysWOW64\Jknocljn.exe

Filesize
112KB

MD5
a34a1eb17a47b54bce648dde9366a3e3

SHA1
df3315cbebe79e37eba5163e40a0b41eee75b170

SHA256
13410525d6b5fbf7cdcc1bb083a3c3585eaa51c594b4821492b595664c5665e4

SHA512
9fe182c96233c05e923e53136e2d913f15c45f821fe666fd6e7f896b33540242a1f6a2bfbaf2245a52f37338ea83006ab44fdafec289e10bb8b5b356e09a9efb

Download Submit
C:\Windows\SysWOW64\Jmpnppap.exe

Filesize
112KB

MD5
124a4bec8cffb4c5deba93747d6153ad

SHA1
fbb81a7bb921824a0c7a01dd1e08cd0bb61b8455

SHA256
72e01f2571ca954585c170af2151c0cadf68026f34b16dcf3ca6690f34727659

SHA512
e31686ad032a3e6e1ff55842e66db1e9802f7478200223b309f4569a4cffab16ff3a453674b88933349f088c54d8139cf7b6d1c54490f3d7124b9767287627c7

Download Submit
C:\Windows\SysWOW64\Jplmglbf.exe

Filesize
112KB

MD5
d9665e57b1f43021ec9e42482852deaa

SHA1
22f09b05a930c568f7d18a685df9bccd9a85419a

SHA256
33ebe56285bb915b3f1c0bec14236d04955ee7424b270b3e77222119a5d164ef

SHA512
2a090fc8b940896f32ebe9038d0b79c3cfefd1bb1c57345947b05c0dc23b5d8ec5117325d035ea17d3e7186e75619461951e9227c28da5a41602fb5cdd14b912

Download Submit
C:\Windows\SysWOW64\Kanffogf.exe

Filesize
112KB

MD5
0c3099e973c62ea07aa85c9a4dc41e7a

SHA1
872ca1449f1948fa83206b17d29d9767a06128fa

SHA256
afc1b5881af46ff5b02276261dd00d5e1a2d149e8d84809b79a447dd061578a0

SHA512
c1af9e9e6dc7a0dfd743fa37f128c0d25f9d0cbf48876537ac7c392a0ab6b510f8b229e7643f6ad469ae62a6a417bf4453b77b1776e167dab11ddd3996e8181c

Download Submit
C:\Windows\SysWOW64\Kbocng32.exe

Filesize
112KB

MD5
0ad58c020cf675ccf8b6afef95816477

SHA1
37cab7993e41f62bac6bdba79a0ec84c59cb19bd

SHA256
c1a3419750d3bcb83659c74d76ebc2a3b7da403476e2fdb05437d3ad80bc47de

SHA512
d6e693ad8b4293132e13be036eb1bb3eda3c8720e3e2b49d470171c49da3c08f579a13a4bb99f459283dc751c420a86451e6cfc2a0ef2177cfba4b799f266d4d

Download Submit
C:\Windows\SysWOW64\Kdophj32.exe

Filesize
112KB

MD5
908bcc25cd57f1a9e0a06af80b152be2

SHA1
0a59800c63e29c12de18c8727c289b26502afd18

SHA256
a690b8e61e61d456a244ae2259ef2a8924416311cc48df2a1fe3fa325cb786cf

SHA512
c9687293856a726bc0825f981ceafaf11059b543e446ec47b9242ca0cdb0cfc09df289214c50f8cef498841aced8377351ee2acee3824a3248e5bf6d98b466bb

Download Submit
C:\Windows\SysWOW64\Kgmlde32.exe

Filesize
112KB

MD5
8dbef999badd5f571c08e459ddf355c7

SHA1
ff1f711282e8c5e0e1c48680af74716f0209ede6

SHA256
21e0f8d3209d192adef2ced8855f7cb03dc1ba90fb5924b45b683afc6ebc0b8c

SHA512
001e8eb9abead0a7e72029e7901ef56261dd0d13ecb9a403b79a86536f125585d413581402ae0375e3bdda1bebb586d78076ec7946826096182a31882b07ad69

Download Submit
C:\Windows\SysWOW64\Kilhqq32.exe

Filesize
112KB

MD5
a84090d9735a532a20dc4fcbf8f5263c

SHA1
4145315aa3a7a925fbc3454976364197cff2056e

SHA256
61444847f07b6780ae8b2c8ee836c04589e3d3e518bb251b79061dc12808812c

SHA512
b916cee0e091cf2e4396c1694755902496f97dfd12fba8f6c06f0694c725b1969e8cf63787644ab35e44b2860c2e143e50438f19ae025ac3a7a206618088236f

Download Submit
C:\Windows\SysWOW64\Kmegkp32.exe

Filesize
112KB

MD5
75baed9ba63f3ecdcf99ecfb55573e07

SHA1
5c42cc0610512cc9b0f0a44ec96f3720ce400539

SHA256
c1916e1e9a9bcc9d5caff8080b98d3a44cf29b71853021f7f9aeacbd3ba1f73b

SHA512
57919bf65c6e13d2ad979199a8a98cb33f33ce2b0e809514ec60f99cf4e6e7c1318bf015f09cb36a27d439c42d527e99d78f6ce2f17359e2b4aeb38f937e1b37

Download Submit
C:\Windows\SysWOW64\Lfaqcclf.exe

Filesize
112KB

MD5
d6bfff781cf9a10aff8c9d228739365e

SHA1
22678c44fe793901da7650c526cd82782dbdfd4b

SHA256
7de4e643bd58f49ad99be7b5ac2350800934ec25b68fb8f7f217d97d63b962b2

SHA512
66af5f574c5788d0799315f7762e152021a502f7abb943c5098b5a2d4324ea04d64eaffaf297c7c2ee9d8d7e04d662b7cc8d4a786b57265ab2ea63ae6f172299

Download Submit
C:\Windows\SysWOW64\Mpbaga32.exe

Filesize
112KB

MD5
3af48e9a1de1e9a77420e401c9f1d208

SHA1
b3205f12195ac443ed7e58d138af4291bfa603b7

SHA256
0618cc9009a63ab5e8dd6ce08ac041fe1c57bfec2a5e8b5730ada7284e2653f3

SHA512
b8bedb4a386459ba41b84fb71fae9d91b71fbd448f9321f415828a1854f2b2809f323bd1d787cd0031fdef8313bf03e4874febcddc73582874220d2123ad6044

Download Submit
C:\Windows\SysWOW64\Ocbdni32.exe

Filesize
112KB

MD5
cb62ffbc7b469b8aa69677c6caa34b9b

SHA1
ea6261ee775116a7795bb033e1e0725bf4304d76

SHA256
cfb2a11a4aee1f8cea4c8de78f08eebfd48bcf0278f3dceb0dcecc563454bdcd

SHA512
f951814a6bfcb386d1f53f3868e8584a825aaf38f02c28b39f31ccc9a2c3a6bac89c2484e877f2a58e207e298ca9f4e765551cc6053345fe70b989d2eb280f68

Download Submit
C:\Windows\SysWOW64\Oqakln32.exe

Filesize
112KB

MD5
9bcdc5ea4b01724625b1bf608a91d47c

SHA1
2a454b512128cca4ac40dd2199e69e8ff929d5f4

SHA256
4c713afd61b52b197d25224229be7815b195d036858b12c1c11c455cc87403d1

SHA512
81d71b9c28d89082042ede729d613564c885c323e0b896ce34bd3bf2d4ac00330da558a6d1622f07710dc46353a1710daef853779158eead8e7409ff27ace1d8

Download Submit
C:\Windows\SysWOW64\Qbekgknb.exe

Filesize
112KB

MD5
9a93488ac42fea20744693ce55c7913d

SHA1
6fa2d57233bd82e588d0f8840fb1595bc503fd73

SHA256
097048ba2d7edc1f143211914c0c6ec06b888ee785c1ba5e74e9a225e6a25810

SHA512
107d50bea870f1a0725b0799f99bb9f6e9656b27cfe0cba79a3969b9e489d7d1bc761adb66762585b1f4bde3be59921c82f6abb17c8ab1a3e9e0e0f8d459e4d7

Download Submit
C:\Windows\SysWOW64\Qlkbka32.exe

Filesize
112KB

MD5
bbc2d149b4b56af002b25bd3a960592a

SHA1
dd6158dfde05e964f642a05b184a25118230e35c

SHA256
a0fd476f375c048f9b8e1e7ae002b23073284b81ad65b8f2fda044abe07f808c

SHA512
0915e366f8166b7f31bd9314eec29a6291c57d1c01fea74ff17f1311f509c02236d24f54a4919dbd6b0cb729cec96aea590f857150e7f109112dffdb5dd9b6af

Download Submit
memory/392-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads