6a25308ed0ac44a76c20b651aab0ee9c73198ec8c2bc93bf313f1ca0522bf828

Analysis

max time kernel
209s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00fedb0adba5d5d0402709552100e25a.exe
Size

145KB
MD5

00fedb0adba5d5d0402709552100e25a
SHA1

1d1a651f9159b65e9e81469cffef62d31bc794c9
SHA256

6a25308ed0ac44a76c20b651aab0ee9c73198ec8c2bc93bf313f1ca0522bf828
SHA512

29288a60cf12751d40decd3c75396ed596b1d45c5df054d2ba9fc355a594fcc28243ecd32630483305753fd9aa3011cc4802a34b56ed6eb899f6477d91f1132e
SSDEEP

1536:FaJb8GYOOjUgh9dsF2Y10IL+Qf0C/8NWNURonkWEF+t2KTn8+hAntZjqwGEgG:FapxOZrIlmUfz8YKRonkWEh+h63

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejgdim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npnjcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgbione.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjnjjlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqhbgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgono32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecphbckp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imcqki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjagmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epjfehbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecphbckp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faeihogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imcqki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhbhke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnocpfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchpibng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchpibng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgldoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggfobofl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhihm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhpkee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkdhcqcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qahpnkfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adihpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijekidpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhpkee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqjolfda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fblldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqmlbfbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjahfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgldoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaecikhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjefao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elagjihh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fblldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjccel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalfgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpdbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Monpnbeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijekidpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfbaka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	00fedb0adba5d5d0402709552100e25a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjefao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jffodc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggfobofl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbione.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjccel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcimmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faeihogj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	00fedb0adba5d5d0402709552100e25a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elagjihh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efnennjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpdbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjahfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcimmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foapkfco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anamiljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pllppnnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qahpnkfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpjfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efgono32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbiooolb.exe

Executes dropped EXE 54 IoCs

pid	Process
3636	Obnnnc32.exe
2448	Ggfobofl.exe
4260	Pphckb32.exe
4388	Jjefao32.exe
4520	Pllppnnm.exe
4628	Gpjfng32.exe
4464	Dagiba32.exe
4200	Epjfehbd.exe
1696	Efgono32.exe
2976	Elagjihh.exe
3948	Ebnocpfp.exe
2072	Ecmlmcmb.exe
4420	Ejgdim32.exe
3792	Eqalfgll.exe
5052	Ecphbckp.exe
3656	Efnennjc.exe
1692	Fhonpi32.exe
2472	Fbgbione.exe
3312	Fjnjjlog.exe
5068	Fqhbgf32.exe
4144	Fbiooolb.exe
564	Ficgkico.exe
1636	Fqjolfda.exe
3684	Fblldn32.exe
1312	Fjccel32.exe
2264	Fqmlbfbo.exe
3664	Kpdbhn32.exe
2448	Gkdhcqcj.exe
3432	Poajdlcq.exe
4904	Mchpibng.exe
404	Mjahfl32.exe
2616	Ekhncp32.exe
1128	Lcimmn32.exe
4448	Npnjcm32.exe
4964	Felkmnci.exe
5048	Foapkfco.exe
4464	Fqblbo32.exe
3492	Fgldoi32.exe
5040	Faeihogj.exe
4416	Mfbaka32.exe
1644	Pjhihm32.exe
4276	Monpnbeh.exe
3108	Ijekidpf.exe
3740	Jffodc32.exe
4896	Imcqki32.exe
4628	Qaecikhd.exe
4152	Qhpkee32.exe
4552	Qjagmnfp.exe
4572	Qahpnkfb.exe
2392	Qhbhke32.exe
4048	Aajldk32.exe
1416	Adihpf32.exe
2964	Anamiljc.exe
4052	Aqfoefco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkanbk32.dll	Fqhbgf32.exe
File created	C:\Windows\SysWOW64\Kpdbhn32.exe	Fqmlbfbo.exe
File opened for modification	C:\Windows\SysWOW64\Gkdhcqcj.exe	Kpdbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Monpnbeh.exe	Pjhihm32.exe
File created	C:\Windows\SysWOW64\Cklmbbeg.dll	Pphckb32.exe
File created	C:\Windows\SysWOW64\Dagiba32.exe	Gpjfng32.exe
File created	C:\Windows\SysWOW64\Ejgdim32.exe	Ecmlmcmb.exe
File created	C:\Windows\SysWOW64\Eqalfgll.exe	Ejgdim32.exe
File created	C:\Windows\SysWOW64\Imcqki32.exe	Jffodc32.exe
File created	C:\Windows\SysWOW64\Qhpkee32.exe	Qaecikhd.exe
File opened for modification	C:\Windows\SysWOW64\Adihpf32.exe	Aajldk32.exe
File created	C:\Windows\SysWOW64\Hfgnle32.dll	Fqmlbfbo.exe
File opened for modification	C:\Windows\SysWOW64\Pjhihm32.exe	Mfbaka32.exe
File created	C:\Windows\SysWOW64\Ekgdpd32.dll	Qahpnkfb.exe
File opened for modification	C:\Windows\SysWOW64\Aqfoefco.exe	Anamiljc.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	00fedb0adba5d5d0402709552100e25a.exe
File created	C:\Windows\SysWOW64\Ecmlmcmb.exe	Ebnocpfp.exe
File created	C:\Windows\SysWOW64\Fbiooolb.exe	Fqhbgf32.exe
File created	C:\Windows\SysWOW64\Fqjolfda.exe	Ficgkico.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbione.exe	Fhonpi32.exe
File opened for modification	C:\Windows\SysWOW64\Npnjcm32.exe	Lcimmn32.exe
File created	C:\Windows\SysWOW64\Faeihogj.exe	Fgldoi32.exe
File opened for modification	C:\Windows\SysWOW64\Imcqki32.exe	Jffodc32.exe
File opened for modification	C:\Windows\SysWOW64\Qhbhke32.exe	Qahpnkfb.exe
File opened for modification	C:\Windows\SysWOW64\Elagjihh.exe	Efgono32.exe
File opened for modification	C:\Windows\SysWOW64\Ebnocpfp.exe	Elagjihh.exe
File created	C:\Windows\SysWOW64\Hjfgdeic.dll	Ecphbckp.exe
File created	C:\Windows\SysWOW64\Ficgkico.exe	Fbiooolb.exe
File created	C:\Windows\SysWOW64\Chagfjcp.dll	Fqblbo32.exe
File created	C:\Windows\SysWOW64\Cfoece32.dll	Elagjihh.exe
File created	C:\Windows\SysWOW64\Ongamagn.dll	Kpdbhn32.exe
File created	C:\Windows\SysWOW64\Olhgka32.dll	Gkdhcqcj.exe
File opened for modification	C:\Windows\SysWOW64\Mchpibng.exe	Poajdlcq.exe
File created	C:\Windows\SysWOW64\Hnkphffo.dll	Jjefao32.exe
File opened for modification	C:\Windows\SysWOW64\Dagiba32.exe	Gpjfng32.exe
File opened for modification	C:\Windows\SysWOW64\Fblldn32.exe	Fqjolfda.exe
File opened for modification	C:\Windows\SysWOW64\Ejgdim32.exe	Ecmlmcmb.exe
File created	C:\Windows\SysWOW64\Fqmlbfbo.exe	Fjccel32.exe
File created	C:\Windows\SysWOW64\Doigjkgl.dll	Mchpibng.exe
File created	C:\Windows\SysWOW64\Qaecikhd.exe	Imcqki32.exe
File created	C:\Windows\SysWOW64\Olmdlhhc.dll	Anamiljc.exe
File created	C:\Windows\SysWOW64\Ggfobofl.exe	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Jjefao32.exe	Pphckb32.exe
File created	C:\Windows\SysWOW64\Gepmno32.dll	Pllppnnm.exe
File opened for modification	C:\Windows\SysWOW64\Eqalfgll.exe	Ejgdim32.exe
File opened for modification	C:\Windows\SysWOW64\Ecphbckp.exe	Eqalfgll.exe
File opened for modification	C:\Windows\SysWOW64\Efnennjc.exe	Ecphbckp.exe
File opened for modification	C:\Windows\SysWOW64\Fqblbo32.exe	Foapkfco.exe
File created	C:\Windows\SysWOW64\Mjhpaj32.dll	Ebnocpfp.exe
File created	C:\Windows\SysWOW64\Lcimmn32.exe	Ekhncp32.exe
File opened for modification	C:\Windows\SysWOW64\Qhpkee32.exe	Qaecikhd.exe
File created	C:\Windows\SysWOW64\Mlikhapb.dll	Qhpkee32.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjjlog.exe	Fbgbione.exe
File created	C:\Windows\SysWOW64\Fqhbgf32.exe	Fjnjjlog.exe
File created	C:\Windows\SysWOW64\Icdegeca.dll	Fjnjjlog.exe
File created	C:\Windows\SysWOW64\Fqblbo32.exe	Foapkfco.exe
File created	C:\Windows\SysWOW64\Kjqaid32.dll	Qhbhke32.exe
File created	C:\Windows\SysWOW64\Npmmhcpj.dll	Aajldk32.exe
File created	C:\Windows\SysWOW64\Pllppnnm.exe	Jjefao32.exe
File opened for modification	C:\Windows\SysWOW64\Ecmlmcmb.exe	Ebnocpfp.exe
File opened for modification	C:\Windows\SysWOW64\Ficgkico.exe	Fbiooolb.exe
File created	C:\Windows\SysWOW64\Bnlfli32.dll	Lcimmn32.exe
File created	C:\Windows\SysWOW64\Fecdmheb.dll	Qaecikhd.exe
File created	C:\Windows\SysWOW64\Ecphbckp.exe	Eqalfgll.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmmhcpj.dll"	Aajldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appnhq32.dll"	Adihpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklmbbeg.dll"	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqalfgll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcnhmeg.dll"	Fbiooolb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Poajdlcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqblbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npnjcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfbaka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gglbnnlc.dll"	Imcqki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpjfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdegeca.dll"	Fjnjjlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbiooolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgembdei.dll"	Fblldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkbopp.dll"	Npnjcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqhbgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdaen32.dll"	Monpnbeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkekagc.dll"	Ijekidpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijekidpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjagmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggfobofl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elagjihh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebnocpfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhjekgq.dll"	Poajdlcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mchpibng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dagiba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhgka32.dll"	Gkdhcqcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qaecikhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aajldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adihpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	00fedb0adba5d5d0402709552100e25a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Felkmnci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Foapkfco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epjfehbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmkdd32.dll"	Ekhncp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcimmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faeihogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jffodc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggfobofl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elagjihh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olejbnna.dll"	Fhonpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjahfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekhncp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjagmnfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fblldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqmlbfbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqblbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imcqki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imcqki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	00fedb0adba5d5d0402709552100e25a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbmmkpn.dll"	Gpjfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongamagn.dll"	Kpdbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkpgnoa.dll"	Mfbaka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anamiljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	00fedb0adba5d5d0402709552100e25a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjobhcc.dll"	Epjfehbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgdeic.dll"	Ecphbckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qaecikhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efgono32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgbione.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihijk32.dll"	Fbgbione.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqjolfda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 3636	2964	00fedb0adba5d5d0402709552100e25a.exe	88
PID 2964 wrote to memory of 3636	2964	00fedb0adba5d5d0402709552100e25a.exe	88
PID 2964 wrote to memory of 3636	2964	00fedb0adba5d5d0402709552100e25a.exe	88
PID 3636 wrote to memory of 2448	3636	Obnnnc32.exe	92
PID 3636 wrote to memory of 2448	3636	Obnnnc32.exe	92
PID 3636 wrote to memory of 2448	3636	Obnnnc32.exe	92
PID 2448 wrote to memory of 4260	2448	Ggfobofl.exe	93
PID 2448 wrote to memory of 4260	2448	Ggfobofl.exe	93
PID 2448 wrote to memory of 4260	2448	Ggfobofl.exe	93
PID 4260 wrote to memory of 4388	4260	Pphckb32.exe	94
PID 4260 wrote to memory of 4388	4260	Pphckb32.exe	94
PID 4260 wrote to memory of 4388	4260	Pphckb32.exe	94
PID 4388 wrote to memory of 4520	4388	Jjefao32.exe	95
PID 4388 wrote to memory of 4520	4388	Jjefao32.exe	95
PID 4388 wrote to memory of 4520	4388	Jjefao32.exe	95
PID 4520 wrote to memory of 4628	4520	Pllppnnm.exe	96
PID 4520 wrote to memory of 4628	4520	Pllppnnm.exe	96
PID 4520 wrote to memory of 4628	4520	Pllppnnm.exe	96
PID 4628 wrote to memory of 4464	4628	Gpjfng32.exe	98
PID 4628 wrote to memory of 4464	4628	Gpjfng32.exe	98
PID 4628 wrote to memory of 4464	4628	Gpjfng32.exe	98
PID 4464 wrote to memory of 4200	4464	Dagiba32.exe	100
PID 4464 wrote to memory of 4200	4464	Dagiba32.exe	100
PID 4464 wrote to memory of 4200	4464	Dagiba32.exe	100
PID 4200 wrote to memory of 1696	4200	Epjfehbd.exe	101
PID 4200 wrote to memory of 1696	4200	Epjfehbd.exe	101
PID 4200 wrote to memory of 1696	4200	Epjfehbd.exe	101
PID 1696 wrote to memory of 2976	1696	Efgono32.exe	102
PID 1696 wrote to memory of 2976	1696	Efgono32.exe	102
PID 1696 wrote to memory of 2976	1696	Efgono32.exe	102
PID 2976 wrote to memory of 3948	2976	Elagjihh.exe	103
PID 2976 wrote to memory of 3948	2976	Elagjihh.exe	103
PID 2976 wrote to memory of 3948	2976	Elagjihh.exe	103
PID 3948 wrote to memory of 2072	3948	Ebnocpfp.exe	117
PID 3948 wrote to memory of 2072	3948	Ebnocpfp.exe	117
PID 3948 wrote to memory of 2072	3948	Ebnocpfp.exe	117
PID 2072 wrote to memory of 4420	2072	Ecmlmcmb.exe	104
PID 2072 wrote to memory of 4420	2072	Ecmlmcmb.exe	104
PID 2072 wrote to memory of 4420	2072	Ecmlmcmb.exe	104
PID 4420 wrote to memory of 3792	4420	Ejgdim32.exe	116
PID 4420 wrote to memory of 3792	4420	Ejgdim32.exe	116
PID 4420 wrote to memory of 3792	4420	Ejgdim32.exe	116
PID 3792 wrote to memory of 5052	3792	Eqalfgll.exe	105
PID 3792 wrote to memory of 5052	3792	Eqalfgll.exe	105
PID 3792 wrote to memory of 5052	3792	Eqalfgll.exe	105
PID 5052 wrote to memory of 3656	5052	Ecphbckp.exe	106
PID 5052 wrote to memory of 3656	5052	Ecphbckp.exe	106
PID 5052 wrote to memory of 3656	5052	Ecphbckp.exe	106
PID 3656 wrote to memory of 1692	3656	Efnennjc.exe	107
PID 3656 wrote to memory of 1692	3656	Efnennjc.exe	107
PID 3656 wrote to memory of 1692	3656	Efnennjc.exe	107
PID 1692 wrote to memory of 2472	1692	Fhonpi32.exe	115
PID 1692 wrote to memory of 2472	1692	Fhonpi32.exe	115
PID 1692 wrote to memory of 2472	1692	Fhonpi32.exe	115
PID 2472 wrote to memory of 3312	2472	Fbgbione.exe	114
PID 2472 wrote to memory of 3312	2472	Fbgbione.exe	114
PID 2472 wrote to memory of 3312	2472	Fbgbione.exe	114
PID 3312 wrote to memory of 5068	3312	Fjnjjlog.exe	108
PID 3312 wrote to memory of 5068	3312	Fjnjjlog.exe	108
PID 3312 wrote to memory of 5068	3312	Fjnjjlog.exe	108
PID 5068 wrote to memory of 4144	5068	Fqhbgf32.exe	113
PID 5068 wrote to memory of 4144	5068	Fqhbgf32.exe	113
PID 5068 wrote to memory of 4144	5068	Fqhbgf32.exe	113
PID 4144 wrote to memory of 564	4144	Fbiooolb.exe	112

C:\Users\Admin\AppData\Local\Temp\00fedb0adba5d5d0402709552100e25a.exe
"C:\Users\Admin\AppData\Local\Temp\00fedb0adba5d5d0402709552100e25a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\Obnnnc32.exe
  C:\Windows\system32\Obnnnc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\Ggfobofl.exe
    C:\Windows\system32\Ggfobofl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\Pphckb32.exe
      C:\Windows\system32\Pphckb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Windows\SysWOW64\Jjefao32.exe
        
        C:\Windows\system32\Jjefao32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\SysWOW64\Pllppnnm.exe
        
        C:\Windows\system32\Pllppnnm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Gpjfng32.exe
        
        C:\Windows\system32\Gpjfng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Dagiba32.exe
        
        C:\Windows\system32\Dagiba32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Epjfehbd.exe
        
        C:\Windows\system32\Epjfehbd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Efgono32.exe
        
        C:\Windows\system32\Efgono32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Elagjihh.exe
        
        C:\Windows\system32\Elagjihh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ebnocpfp.exe
        
        C:\Windows\system32\Ebnocpfp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ecmlmcmb.exe
        
        C:\Windows\system32\Ecmlmcmb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072

C:\Windows\SysWOW64\Ejgdim32.exe
C:\Windows\system32\Ejgdim32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\Eqalfgll.exe
  C:\Windows\system32\Eqalfgll.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3792

C:\Windows\SysWOW64\Ecphbckp.exe
C:\Windows\system32\Ecphbckp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\Efnennjc.exe
  C:\Windows\system32\Efnennjc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\Fhonpi32.exe
    C:\Windows\system32\Fhonpi32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\Fbgbione.exe
      C:\Windows\system32\Fbgbione.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2472

C:\Windows\SysWOW64\Fqhbgf32.exe
C:\Windows\system32\Fqhbgf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\Fbiooolb.exe
  C:\Windows\system32\Fbiooolb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4144

C:\Windows\SysWOW64\Fjccel32.exe
C:\Windows\system32\Fjccel32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1312
- C:\Windows\SysWOW64\Fqmlbfbo.exe
  C:\Windows\system32\Fqmlbfbo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2264
- - C:\Windows\SysWOW64\Kpdbhn32.exe
    C:\Windows\system32\Kpdbhn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:3664
  - - C:\Windows\SysWOW64\Gkdhcqcj.exe
      C:\Windows\system32\Gkdhcqcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:2448
    - - C:\Windows\SysWOW64\Poajdlcq.exe
        
        C:\Windows\system32\Poajdlcq.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
      - C:\Windows\SysWOW64\Mchpibng.exe
        
        C:\Windows\system32\Mchpibng.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Mjahfl32.exe
        
        C:\Windows\system32\Mjahfl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Ekhncp32.exe
        
        C:\Windows\system32\Ekhncp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Lcimmn32.exe
        
        C:\Windows\system32\Lcimmn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Npnjcm32.exe
        
        C:\Windows\system32\Npnjcm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Felkmnci.exe
        
        C:\Windows\system32\Felkmnci.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Foapkfco.exe
        
        C:\Windows\system32\Foapkfco.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Fqblbo32.exe
        
        C:\Windows\system32\Fqblbo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Fgldoi32.exe
        
        C:\Windows\system32\Fgldoi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Faeihogj.exe
        
        C:\Windows\system32\Faeihogj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Mfbaka32.exe
        
        C:\Windows\system32\Mfbaka32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Pjhihm32.exe
        
        C:\Windows\system32\Pjhihm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Monpnbeh.exe
        
        C:\Windows\system32\Monpnbeh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ijekidpf.exe
        
        C:\Windows\system32\Ijekidpf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Jffodc32.exe
        
        C:\Windows\system32\Jffodc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Imcqki32.exe
        
        C:\Windows\system32\Imcqki32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Qaecikhd.exe
        
        C:\Windows\system32\Qaecikhd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Qhpkee32.exe
        
        C:\Windows\system32\Qhpkee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Qjagmnfp.exe
        
        C:\Windows\system32\Qjagmnfp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Qahpnkfb.exe
        
        C:\Windows\system32\Qahpnkfb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Qhbhke32.exe
        
        C:\Windows\system32\Qhbhke32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Aajldk32.exe
        
        C:\Windows\system32\Aajldk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Adihpf32.exe
        
        C:\Windows\system32\Adihpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Anamiljc.exe
        
        C:\Windows\system32\Anamiljc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Aqfoefco.exe
        
        C:\Windows\system32\Aqfoefco.exe
        30⤵
        Executes dropped EXE
        
        PID:4052

C:\Windows\SysWOW64\Fblldn32.exe
C:\Windows\system32\Fblldn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3684

C:\Windows\SysWOW64\Fqjolfda.exe
C:\Windows\system32\Fqjolfda.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1636

C:\Windows\SysWOW64\Ficgkico.exe
C:\Windows\system32\Ficgkico.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:564

C:\Windows\SysWOW64\Fjnjjlog.exe
C:\Windows\system32\Fjnjjlog.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anamiljc.exe

Filesize
145KB

MD5
67be17b675a021b33659ab6b6b75053b

SHA1
9841243a3d3739e5c6115239ace7d541dfcee22f

SHA256
df50cdb38fd53243ed26a4e64bf6be1bc69d175ca6235960b18b0357879b3653

SHA512
15f63269f68f1591aba479c06d18b8e3f88f76d87a3705007703660d14dc74366dc27bc131c5b31ccc0c7b46b489e20d20ae1f0d0ae1867048b70b28875199a0

Download Submit
C:\Windows\SysWOW64\Dagiba32.exe

Filesize
145KB

MD5
03a3157dfb1cd3de1efce6a696c63c3e

SHA1
f4c91ac93f00034f9e9ba8f4a435510ae6bed63d

SHA256
ca462411d3a2a82caadb6036ac1b86a754e47e1d799dbb6837cf4ee180af944a

SHA512
b9946533222516c4f5f783e385eabab83b4a6f6791895881b1691fde95294c30ab732194ff740d8dccf34da94ab969c1196af8428ba9f736dc81faaeca597972

Download Submit
C:\Windows\SysWOW64\Ebnocpfp.exe

Filesize
123KB

MD5
84fc82419618c2301227e3bacdacf9bd

SHA1
52b42a6f84945021da248f089c8fc003fb37024d

SHA256
bfc3fcc69756987723b509a664761288f04d6b8eab3094da8e9a17e58330dbe6

SHA512
492f7dbf9672067395448d12fca06169dea3a0cf3607c66b13b61b00050fc3712847c67ea509e2513bc17d7572c2f1064147966256ef9eee65459b819fda3dc7

Download Submit
C:\Windows\SysWOW64\Ebnocpfp.exe

Filesize
80KB

MD5
b80a135251512ddaf0a255c4f9f4ad5e

SHA1
bd5cbb35769613bdbd4b3ed89673e56ae1f761f1

SHA256
3c5a1ec251457d96bacb5f5fc2c8d53119acd78a6cea183e39aedf7762cc9b8d

SHA512
10111027f1db5e79c4e9513ef19ae137cfa80662fe77e0a48d3839002a250d79ed9c99b68363c5b04637efc2a3288f5ae723acc30ab2a570a563e455bdc62051

Download Submit
C:\Windows\SysWOW64\Ecmlmcmb.exe

Filesize
145KB

MD5
bbfe033acc71bf28802008dfa5cfc2c0

SHA1
7b259bd1aea3ecd5c84a4d90e8f229e7edd0beb9

SHA256
289989cf3c29e10a7b2e34f78db15b0804861de05fa79daa1ab3cdffe734ee19

SHA512
2fc913a41038fc1b660fcfd415234a18e3ce8b451a1c37daabfbbf1127f3a6c1af983702be2fb896e4ae846191fb72bbe97558a9e327338633e9b84bb538e590

Download Submit
C:\Windows\SysWOW64\Ecphbckp.exe

Filesize
145KB

MD5
aa9e7e54152feef41c64ea7419c5c491

SHA1
b9f47ec2a95eb396b76a208e5b5e24d33b6284c5

SHA256
c99db45a5f3d77f89f8b9d3a8acf361986fcf1b261b4cd1bd5d30aca029adbd2

SHA512
b82aab5be386feb14d08f84fe0f7b4e9616e8700c2c14767845ad3843db1ac9fffdf8f8e8672528209c87afa45baec069ac9c2c0a8fabc3b5995a0fdfea28bf0

Download Submit
C:\Windows\SysWOW64\Efgono32.exe

Filesize
145KB

MD5
8bac55ecf5b6acfdb2e855226be072fa

SHA1
a963310764e491e98d92bad37de4ae24cee4f23c

SHA256
4b0467fc94977c486dc530064e09220f916bb952f914da6434d37b701d0c2ad3

SHA512
0e4e9521734f0718d032292a229b5d770cbb67a193172d44efd3962f4a5e3c2e3a655d0c833d4708f4aabb398570ea10930063308acbc82d78b87cca0a43dec3

Download Submit
C:\Windows\SysWOW64\Efgono32.exe

Filesize
128KB

MD5
34a022075740ec9a2ac38129621b348b

SHA1
3b6b27b57d5434a8d6760b69966510abd18c8440

SHA256
13a117bf5621f3372de7ce51b7f396ace2470e29b8d292a97e117a5ebf5e239d

SHA512
44880b1758b3ec07c6f589fdba88295063abd2c16e93329246595857ae9bf342dcd6f92f9adca2bdb75016acdc083375106ed8a1ed4245d1f47353aad9353185

Download Submit
C:\Windows\SysWOW64\Efnennjc.exe

Filesize
145KB

MD5
a5a34dd9f8209bb9308dda3190ee4935

SHA1
3312777e675d4140d7509d088f3827e0463d395a

SHA256
450019db7714eb248ab86e4aedc2c1e7cb5a3e8c08530b85e281f2bd128f4764

SHA512
791b51bfd16852f3c072c58f1c7f8660af4671e09e40f295b7ccaf4359fbd70d79d19db801054a7f1645d2c66c0b85701c880c65a69e3a40df2540af6db5c915

Download Submit
C:\Windows\SysWOW64\Ejgdim32.exe

Filesize
145KB

MD5
d27e340101e4bf9ac65469cf7d5c1579

SHA1
33149f0f4b4ca8e595a36143aebf4b81b119e781

SHA256
d0d9ea0ae82077e784ad4f8837623d3734236d4667e899e6e271727b75efe1a6

SHA512
cb786892d07a383a4b26a111ed4a75f60fa9dc0ba0da412de6f6cde1d65553fbc3942371471f02ddaa2879330889c784debfcebc0fb78a696bc2286e42e1ae0f

Download Submit
C:\Windows\SysWOW64\Ekhncp32.exe

Filesize
145KB

MD5
635a82d905ced16cd80a618612b0c390

SHA1
6c131e5d52cfd1a68b7dd6f42b3314a7f7ea8e21

SHA256
d4bfc8180cb06298dabb351a9c55ef4a36bcdc19c7b3800060d7b1aa183f51ca

SHA512
dffae05e8a1648c2c6a376955635aa5398765b0e3e007c662a053438c801c236379b93b097b3b64fbde845a4beb3134f1fc37aa6f780a7f903527ec772ef5169

Download Submit
C:\Windows\SysWOW64\Elagjihh.exe

Filesize
121KB

MD5
80e11b0b265dda865b52e13e63664147

SHA1
3d6e137cfdfc60880725c0d787c06d53cc4e807a

SHA256
e65e916eda7cf349352aaa769b680a0e63db364f8d9adfd8e80e45c77ad13879

SHA512
ff63ae0c75b5778cc6170d35526cc4f52bc81ef9966db2e09a29f1bdbbdf596fa16993bb9b9d972456834a4cee551ae6a3b7e1d82cde20f64c86f56c235f37a5

Download Submit
C:\Windows\SysWOW64\Elagjihh.exe

Filesize
145KB

MD5
a437efe6c0a6e8b0e58ca1f043b2736b

SHA1
92873781a093ce0d594a066474308136299696ce

SHA256
025f780995eea914cb5808006bc1b90848042eded69ae4ac983c86105c1d9f38

SHA512
546d24fbf58952ceb822f2389ad129ea27a6f03509fce9e4eb8750ab5085d0ebe5238afc44b86afccdde81f7ed5517400033f95ac1017b205ccdc5519276e109

Download Submit
C:\Windows\SysWOW64\Epjfehbd.exe

Filesize
145KB

MD5
c811e72164e113ba859d359541ce335e

SHA1
ce23799be419aa65d107b6d8caa8aad130977dd6

SHA256
5e44df89094206b38272fe8ef76f2efc90df26f3a0b2e9a0d09bf4f1e3eedb70

SHA512
88079474d96dfb7dfcfd7a0e6a8732af074198601447d006667001695ed1cfe1e2611338f53553f93fd5851ded824038149b081cf1eafed04d611d13d61f5277

Download Submit
C:\Windows\SysWOW64\Eqalfgll.exe

Filesize
145KB

MD5
bd0f951b4f72bd60288fa0360d3f08ec

SHA1
e87920a3af57ae896ede53022d17e66d20bff8a0

SHA256
95d48daf919c0add35e7e3f5cef3e6edb02f20d17eb4c47a7d665fc402803078

SHA512
c847fc362e2f5d05c5abe9524c4abd0f1f1de67b2f4e305a2cfa1b57c9825ce52da1553089f06695333441614ac93394b6f3fcc6e70e0c4e81bcb2800af44d83

Download Submit
C:\Windows\SysWOW64\Fbgbione.exe

Filesize
145KB

MD5
0f2711f3d6aa949d9a9f7609b084f3ff

SHA1
5557a3d6ec2ac246c3cf1aff6ff1b11c2fc52473

SHA256
6d1aa9a536265e77b20b777256d0272183f03e0753ffd2b9343b051303444828

SHA512
bf101d7bb28116fb50aeed9d1c424afc603ce9cab03d70d39d5aa4a63f879b84fa96423fb52ee3da3f9197f0aeb50ad595ed1e1f943516fe2169170ea743da94

Download Submit
C:\Windows\SysWOW64\Fbiooolb.exe

Filesize
145KB

MD5
f8071ea5541b02c4059b604e2920ed83

SHA1
9c502fc814bebff91ac1adce76b14db9fa1a4552

SHA256
c4da6edb71ba89810c5f36a78c0fe34cf76b9e60d3304fe54edb0552e9c7be24

SHA512
2332ecae130946d7e644c40ee88958da4da1ac406d36e6426e6772aa57fdfa6b35fe8e8698e8bbcb3b4012b6fa3de1174db302603862673dc6717b51bc054ea6

Download Submit
C:\Windows\SysWOW64\Fblldn32.exe

Filesize
145KB

MD5
ccd7ceb30217591acdf5871b9c397b7d

SHA1
662688f5974ba49fc261de9672191dd70b095e3c

SHA256
f9e251272b49a77e41bd65b15bc4a4f82ab1b7fde54918b681bb7e847e517096

SHA512
ffc470cd703072fec8b0f44459069f5da9b2e23d4882bde43292ce2b8bcee0d4804e909c7609ba56ad0cb6262bff9f53da12b481382c45095c09f711005fd8ba

Download Submit
C:\Windows\SysWOW64\Fhonpi32.exe

Filesize
145KB

MD5
1380f2e8b86bfd6b95b633a2b90cda33

SHA1
08d63690fa7f28641a098344416434ce914126d9

SHA256
d7b8c0b28e9311c68389d6493783f778bb3ce5420bb366b985735e22ae022fd0

SHA512
fc0bab5263ddc120e07a77c8ed37d328803560a9d2e0427e5845e3658745c8ec00e1d66b9748225b1216a1fc3b792b1bfc0c3ee468ae1187d57684ecddf5c7fd

Download Submit
C:\Windows\SysWOW64\Ficgkico.exe

Filesize
145KB

MD5
2160cc39c4f8613cb97ed7ae2dfceb68

SHA1
0c4ea8c95b03ea4ec221b303cfaec2847e820094

SHA256
c627e5388cdc3218148937eb637166d71d133e5e98a4793f9d22e3b987281591

SHA512
1afa10f24e4cbbde5c0783b6b481e159e9282c7490b0b1244ac8b22bad4a3e17c3539ba2d815004ff3fb58688b7682e0438b628d1bc9f62a91fdd89193d42d5f

Download Submit
C:\Windows\SysWOW64\Fjccel32.exe

Filesize
145KB

MD5
d4b881570e3f64d002d63253734cd26f

SHA1
9678593ada58202d8daf84f607e1efcee56db14b

SHA256
0cb7327946895f67c68642ffc07e7a5cf64f4f711a008f5f2eb6e3b5f8c5eff7

SHA512
0edcc2595d5bae0a19e76be9f7013875747715956146fd7dec07713273096c5ec8fbbbba1e87d8e82ce849b9a5d80860a6831bbda7e452d2ffe2e1b87c7bc225

Download Submit
C:\Windows\SysWOW64\Fjnjjlog.exe

Filesize
145KB

MD5
f603a52b1a3c37b0c4a68d8e4c000d0c

SHA1
ac897eb2b0413a6c5e5fcb24b04535ab36884258

SHA256
7fb9debf3c7dee86e8f41c2f11aef9e599922b0fbdc53eee9bb5d4df6e4904d4

SHA512
988ef86d89d90849302dd93c1966eb6dab49831c3a667d0a3194819e41fb8002176db4f7e88e61cb2a49ec3b763740c6965b792dfdf43cbdb408b89f76e00d7a

Download Submit
C:\Windows\SysWOW64\Fqhbgf32.exe

Filesize
145KB

MD5
8cba471e80b7e2089a38f34e775ab2c2

SHA1
f02202c181f429e428d89606205b4ed2c9755982

SHA256
1a65145e8e4ca8c7f406aea1e217c5b44ead47f632aeacb5dcb3553cb3df68d7

SHA512
b75d589490694ad54570aa3c9710eb7af162c1c28e54c568341cab055327254d0eb6b5ee026730306f1dc658e511ff853f3b5bca5bf22eb96c2dcffb63db402f

Download Submit
C:\Windows\SysWOW64\Fqjolfda.exe

Filesize
145KB

MD5
d91cb4641a028df759346860403dda4e

SHA1
a2c8d121b83febdd453f650cd303272fa4482d84

SHA256
91ce6f05b3887e0f4036dd83c151ace89aad81711867bbda828325c0dbbd5bf8

SHA512
359cfbc97319569631b0ac86cba6fd9e88991ef79a33b8edf9e7147f39da44f5351aae5f733332ca768861f6ac8c1a20d1c90f84c150e3f5c6f8d51d92187204

Download Submit
C:\Windows\SysWOW64\Fqmlbfbo.exe

Filesize
145KB

MD5
548687f922f3d0ad1630af0656fd86ba

SHA1
2d92c4815eade2cb9d8ddaf214b124ac96d5ffd0

SHA256
eaa34a6c836369dffe1e57ab4f9fc03ea93d00d2e26aa1b27376cc40601ec38d

SHA512
2c9bad4731b747195c453a6a3c1dba5c6c08236c0157c24ce190fe58c8e463ae6457b6eaa8f6027d64bf8affe6a0073bd66817d2dabc0d1a46c7688a6eeea67b

Download Submit
C:\Windows\SysWOW64\Ggfobofl.exe

Filesize
145KB

MD5
0d909d30d011e03322cdec7adb28fd7a

SHA1
4bcce13c6949585380a57bd1dde128ae3d766f5d

SHA256
244effadeb2dce1313e19563f919e6ad036a3f3c5eaef918ecbb55af5d980c00

SHA512
4d15ac1b8537b595bb321ebb6acabf65f22fc138f7fc1a113049f6c309f61e0460ed522b5a8714b032b88d55253c1766c53bd232f8ce982051818f2fe2bdcb6a

Download Submit
C:\Windows\SysWOW64\Gkdhcqcj.exe

Filesize
145KB

MD5
ef66c2c9233109044446e33187b73de2

SHA1
226ebdb4a55d588f83fd5dc0997028733fc792be

SHA256
8b47c9a2d0d13c2ff7b9fab63b87e394728fc71c32a24732f33cfa8256e81ab9

SHA512
6062d54925ed3b357da9da9cd52ba3e118630f4770d14ed7ad294a11d73b2ee5b0825c52fb2cba24fc2d62b0a84e8ec3cf29e441c37a2d208bcff367fa4d70d7

Download Submit
C:\Windows\SysWOW64\Gpjfng32.exe

Filesize
145KB

MD5
37493871a8a7c68c7bf3e1da5570581b

SHA1
63e4280123e34f760e7592126aa99392cecb6d0b

SHA256
b16d28da14bdbdb28d9e000239a9aac94e089923c3f2d5ffc68ffe302153d3d5

SHA512
18ff923dd07c5ca68992265e6459f720e178f90cc8f3739dcd0d7e9976600fa35e3d09f982193f8824e5249f94c931fc9f1efd9fffbcaf056cf9cbd41899c84f

Download Submit
C:\Windows\SysWOW64\Hnkphffo.dll

Filesize
7KB

MD5
44bf66b559a626f452704a8abcf1a152

SHA1
8a4d4a689ef22840002ac19e462f459e0c2b36f7

SHA256
b63d6ee65a4c13ef935e8d6a4bcb3a114f11343754c6d90913f1e558da615a0a

SHA512
9f38db7e97d384cd1c75c0a38e5bf91d6a2bfab5e96b863238d3d82218161c9b308f3d60fa57dc1eec3dd6de0cef76406948c9b26c9bf33179db5b8e576e0be9

Download Submit
C:\Windows\SysWOW64\Ijekidpf.exe

Filesize
64KB

MD5
d22ceb83cc093d2c348c017914434df7

SHA1
e7c506b3d28f440c046293d9888fd2f3638588a2

SHA256
d4b39bd6e297c722785d20458720d25429ea6658676c0147c0c1a53639b7c191

SHA512
828ca7b827ee7ab6fd538ad544b1d930213d7673f650765f95ee4d8cb88632ccc2fd32016eed944f9bf9499ec88bc976201cd4a5b5a46d6b4077f19ce772a831

Download Submit
C:\Windows\SysWOW64\Jjefao32.exe

Filesize
145KB

MD5
9685ae4f29a28515b95ae943335415e2

SHA1
60e06c2bf17747431d5cd29612c766799aa655a6

SHA256
cead9ff5c3716a0ac9627917dcaec55cfd9be6ea81b13b72b5c1eabdfea7f179

SHA512
aa258b5afcf9696ac4bbbd5436ab74c2f3b8d35f8f548f26e837e88ad48b9e8ed7529592cf5a151c73509a604b3ab98093f833c9f1d171c433460798a3a41f0c

Download Submit
C:\Windows\SysWOW64\Kpdbhn32.exe

Filesize
145KB

MD5
a0c1414f09fe75be8da98f6d167fa5fa

SHA1
a8b477e1e6b0a8a68ec7b07f4895d4a33fb7f0cb

SHA256
df0a73f8b56668cdda66df7000959bc3ede319e93db3044967e2aeb2101def7c

SHA512
e9de4cb8a24cd578fcdb9a333f8d2de96e0c3e99d41a91a2be9b37a9257af47c602d472fa5186fefb07cfe9960c934d0b8ce71d34ac8fac15f5c6ae6a52e11d9

Download Submit
C:\Windows\SysWOW64\Mchpibng.exe

Filesize
145KB

MD5
624133db0bc1d45c6b524a6b0885d7f1

SHA1
1788c0331bf470073e941bb1b95910c517775107

SHA256
6217fb21aa1bd6e6c3f7038349f0715f41e082042eb3b7bbd0c4ce6822561f22

SHA512
971268074f750063051446811278607058befff2a71816d5f5fe2fcd2da776183c8c3398aac97ea5206216d71e05aaf16d20fbc16ee3115452601349c8887950

Download Submit
C:\Windows\SysWOW64\Mjahfl32.exe

Filesize
145KB

MD5
fbed297468982f8a66d96f79b6aec659

SHA1
e7632d1623cdd7016aea5cfcd16845078eee880c

SHA256
83d240670075874cdedecb6abc3d164f86d9e05c154863ed26bbbe93e375e21b

SHA512
cf6abe9e818943f8b223dbce8a06f43faebcf1500201cec7cb7eedfdc923b08359e3879f0940c7fd314e7c8830a5965a799af63f2925d3d350f0d1c28a46d68d

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
145KB

MD5
04df0eee86e828c63368cb30f9e03a00

SHA1
8002a502133c260c97a9d97041637837a0df00e1

SHA256
9de0c43d5eba3c0f97aafe659a2795bfec533fa5930f9588d6544d70f3e24c17

SHA512
87981f3873b8cc25cd3f949d583cadd3add4c3dac682ba8c1357b2f423546de7127b67b54e725a1b48f0610f0080f7c0f0038e735b86bf1cfeab5c10cee48930

Download Submit
C:\Windows\SysWOW64\Pllppnnm.exe

Filesize
145KB

MD5
4dd07c1229bfdddda718e2a710546e54

SHA1
230dae1084c5e09508e266af9b03865fc2fef4f7

SHA256
54b4c4d3f24403e2942e1b0b721cc25750bcfe2d2dbe427a3240d526fa4cb85d

SHA512
4f9def0865127f6853fca57ec1d29a7b3cd41985848aefc3f92188d69bf59028fd017ba64082bbb5e447802e1e9733231371d9e50c744b4036ba3c6ee1857423

Download Submit
C:\Windows\SysWOW64\Poajdlcq.exe

Filesize
145KB

MD5
d900564a23f66c81edbebc1e6fead626

SHA1
b49fb78254b8de177bff50d9d803ccd9db5d0b9f

SHA256
0b6e86512c0440c908eac205e9d0795a451852266ea034c0a8bdce7de3109159

SHA512
3fdb70d2d81ba6c0bd768b61200c3e0b028bdd46f43b55d2796a3d967191b3d45ea96181c61d9a96bc120c2ab1694422d850b90e4836494b45bf6d5d28128bda

Download Submit
C:\Windows\SysWOW64\Pphckb32.exe

Filesize
145KB

MD5
3a20469d2d4335a0b1f7da5ae6a37be4

SHA1
9f8d24fc4b8d36897ebe97e49347b40faa012f58

SHA256
1c2b110fe3159e3f6448ff0a65450f71c7ec0ec47bd1da45bda24687c3b955d7

SHA512
ea8e1e96c26fabdf82ace99afa190e23e13284ec382f24a1e437eeb67c8ae2bf4e27c54027fd475a96d5af6386a78965356804a692b088727441d1e8e2f269b4

Download Submit
memory/404-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads