46ef16125545b35d2358f59aab6e605604254305e5751273433967197f96fc64

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c35d32ba7765476298d434f72ad26bdd.exe
Size

187KB
MD5

c35d32ba7765476298d434f72ad26bdd
SHA1

55da5988088d0cf2ea5d8f39d4d8d881a625c2ac
SHA256

46ef16125545b35d2358f59aab6e605604254305e5751273433967197f96fc64
SHA512

1681eeb41bc701b49a5e718e45abad5654ab724a4b494b37808207b5078330855cb0582527a1806ab3e2bbbd007153399240273b901023a23260bac844852b77
SSDEEP

3072:dndqCb5LYYekEe+a4Y4LRvVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueH:dvLY5ku3Y4FvV+tbFOLM77OLLt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkmefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c35d32ba7765476298d434f72ad26bdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	TrustedInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbpab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	TrustedInstaller.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikame32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe

Executes dropped EXE 64 IoCs

pid	Process
3440	Hcbpab32.exe
1868	Hioiji32.exe
5112	Hkmefd32.exe
2520	Hfcicmqp.exe
3296	Icgjmapi.exe
2448	Icifbang.exe
3656	Iifokh32.exe
1328	Ippggbck.exe
2544	TrustedInstaller.exe
3864	Ilidbbgl.exe
1576	Jpgmha32.exe
2868	Jmmjgejj.exe
1472	Jcioiood.exe
1608	Jmbdbd32.exe
3868	Jcllonma.exe
4004	Kiidgeki.exe
3880	Klgqcqkl.exe
3292	Kdnidn32.exe
4560	Kikame32.exe
2756	Kfoafi32.exe
876	Kmijbcpl.exe
3112	Kfankifm.exe
2844	Kedoge32.exe
4620	backgroundTaskHost.exe
4416	Kbhoqj32.exe
908	Kefkme32.exe
3764	Klqcioba.exe
4404	BackgroundTransferHost.exe
3508	Leihbeib.exe
752	Lpnlpnih.exe
4088	Lekehdgp.exe
2356	Llemdo32.exe
1936	Ldleel32.exe
2480	Liimncmf.exe
4784	Lbabgh32.exe
2532	Lljfpnjg.exe
1496	Lgokmgjm.exe
1912	Mdckfk32.exe
2396	Mipcob32.exe
1964	Mpjlklok.exe
4216	Mibpda32.exe
2540	Mplhql32.exe
1068	Ngbpidjh.exe
3312	Nnlhfn32.exe
4776	BackgroundTransferHost.exe
1344	Njciko32.exe
2664	Ndhmhh32.exe
1712	svchost.exe
3748	Nnqbanmo.exe
5144	Oponmilc.exe
5184	Ogifjcdp.exe
5224	Opakbi32.exe
5264	Ogkcpbam.exe
5304	Odocigqg.exe
5344	Ojllan32.exe
5384	Ofcmfodb.exe
5424	Olmeci32.exe
5468	Ocgmpccl.exe
5508	Pnlaml32.exe
5552	Pdfjifjo.exe
5592	Pjcbbmif.exe
5632	Pdifoehl.exe
5680	Pggbkagp.exe
5720	Pncgmkmj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njciko32.exe	BackgroundTransferHost.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	svchost.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	BackgroundTransferHost.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	BackgroundTransferHost.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Hcbpab32.exe	c35d32ba7765476298d434f72ad26bdd.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jpgmha32.exe	Ilidbbgl.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lljfpnjg.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jcllonma.exe	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	backgroundTaskHost.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Iifokh32.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ilidbbgl.exe	TrustedInstaller.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Liimncmf.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Hfcicmqp.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lbabgh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5496	1616	WerFault.exe	108

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Hioiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkmefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	TrustedInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjnop32.dll"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c35d32ba7765476298d434f72ad26bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iccbgbmg.dll"	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abckpb32.dll"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdphnlp.dll"	c35d32ba7765476298d434f72ad26bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icifbang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ippggbck.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 3440	3604	c35d32ba7765476298d434f72ad26bdd.exe	22
PID 3604 wrote to memory of 3440	3604	c35d32ba7765476298d434f72ad26bdd.exe	22
PID 3604 wrote to memory of 3440	3604	c35d32ba7765476298d434f72ad26bdd.exe	22
PID 3440 wrote to memory of 1868	3440	Hcbpab32.exe	23
PID 3440 wrote to memory of 1868	3440	Hcbpab32.exe	23
PID 3440 wrote to memory of 1868	3440	Hcbpab32.exe	23
PID 1868 wrote to memory of 5112	1868	Hioiji32.exe	129
PID 1868 wrote to memory of 5112	1868	Hioiji32.exe	129
PID 1868 wrote to memory of 5112	1868	Hioiji32.exe	129
PID 5112 wrote to memory of 2520	5112	Hkmefd32.exe	128
PID 5112 wrote to memory of 2520	5112	Hkmefd32.exe	128
PID 5112 wrote to memory of 2520	5112	Hkmefd32.exe	128
PID 2520 wrote to memory of 3296	2520	Hfcicmqp.exe	127
PID 2520 wrote to memory of 3296	2520	Hfcicmqp.exe	127
PID 2520 wrote to memory of 3296	2520	Hfcicmqp.exe	127
PID 3296 wrote to memory of 2448	3296	Icgjmapi.exe	26
PID 3296 wrote to memory of 2448	3296	Icgjmapi.exe	26
PID 3296 wrote to memory of 2448	3296	Icgjmapi.exe	26
PID 2448 wrote to memory of 3656	2448	Icifbang.exe	125
PID 2448 wrote to memory of 3656	2448	Icifbang.exe	125
PID 2448 wrote to memory of 3656	2448	Icifbang.exe	125
PID 3656 wrote to memory of 1328	3656	Iifokh32.exe	27
PID 3656 wrote to memory of 1328	3656	Iifokh32.exe	27
PID 3656 wrote to memory of 1328	3656	Iifokh32.exe	27
PID 1328 wrote to memory of 2544	1328	Ippggbck.exe	200
PID 1328 wrote to memory of 2544	1328	Ippggbck.exe	200
PID 1328 wrote to memory of 2544	1328	Ippggbck.exe	200
PID 2544 wrote to memory of 3864	2544	TrustedInstaller.exe	29
PID 2544 wrote to memory of 3864	2544	TrustedInstaller.exe	29
PID 2544 wrote to memory of 3864	2544	TrustedInstaller.exe	29
PID 3864 wrote to memory of 1576	3864	Ilidbbgl.exe	30
PID 3864 wrote to memory of 1576	3864	Ilidbbgl.exe	30
PID 3864 wrote to memory of 1576	3864	Ilidbbgl.exe	30
PID 1576 wrote to memory of 2868	1576	Jpgmha32.exe	124
PID 1576 wrote to memory of 2868	1576	Jpgmha32.exe	124
PID 1576 wrote to memory of 2868	1576	Jpgmha32.exe	124
PID 2868 wrote to memory of 1472	2868	Jmmjgejj.exe	31
PID 2868 wrote to memory of 1472	2868	Jmmjgejj.exe	31
PID 2868 wrote to memory of 1472	2868	Jmmjgejj.exe	31
PID 1472 wrote to memory of 1608	1472	Jcioiood.exe	32
PID 1472 wrote to memory of 1608	1472	Jcioiood.exe	32
PID 1472 wrote to memory of 1608	1472	Jcioiood.exe	32
PID 1608 wrote to memory of 3868	1608	Jmbdbd32.exe	123
PID 1608 wrote to memory of 3868	1608	Jmbdbd32.exe	123
PID 1608 wrote to memory of 3868	1608	Jmbdbd32.exe	123
PID 3868 wrote to memory of 4004	3868	Jcllonma.exe	122
PID 3868 wrote to memory of 4004	3868	Jcllonma.exe	122
PID 3868 wrote to memory of 4004	3868	Jcllonma.exe	122
PID 4004 wrote to memory of 3880	4004	Kiidgeki.exe	33
PID 4004 wrote to memory of 3880	4004	Kiidgeki.exe	33
PID 4004 wrote to memory of 3880	4004	Kiidgeki.exe	33
PID 3880 wrote to memory of 3292	3880	Klgqcqkl.exe	121
PID 3880 wrote to memory of 3292	3880	Klgqcqkl.exe	121
PID 3880 wrote to memory of 3292	3880	Klgqcqkl.exe	121
PID 3292 wrote to memory of 4560	3292	Kdnidn32.exe	120
PID 3292 wrote to memory of 4560	3292	Kdnidn32.exe	120
PID 3292 wrote to memory of 4560	3292	Kdnidn32.exe	120
PID 4560 wrote to memory of 2756	4560	Kikame32.exe	34
PID 4560 wrote to memory of 2756	4560	Kikame32.exe	34
PID 4560 wrote to memory of 2756	4560	Kikame32.exe	34
PID 2756 wrote to memory of 876	2756	Kfoafi32.exe	119
PID 2756 wrote to memory of 876	2756	Kfoafi32.exe	119
PID 2756 wrote to memory of 876	2756	Kfoafi32.exe	119
PID 876 wrote to memory of 3112	876	Kmijbcpl.exe	35

C:\Users\Admin\AppData\Local\Temp\c35d32ba7765476298d434f72ad26bdd.exe
"C:\Users\Admin\AppData\Local\Temp\c35d32ba7765476298d434f72ad26bdd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\SysWOW64\Hcbpab32.exe
  C:\Windows\system32\Hcbpab32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\Hioiji32.exe
    C:\Windows\system32\Hioiji32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\Hkmefd32.exe
      C:\Windows\system32\Hkmefd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5112

C:\Windows\SysWOW64\Icifbang.exe
C:\Windows\system32\Icifbang.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\Iifokh32.exe
  C:\Windows\system32\Iifokh32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3656

C:\Windows\SysWOW64\Ippggbck.exe
C:\Windows\system32\Ippggbck.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\Ipbdmaah.exe
  C:\Windows\system32\Ipbdmaah.exe
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\Ilidbbgl.exe
    C:\Windows\system32\Ilidbbgl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\SysWOW64\Jpgmha32.exe
      C:\Windows\system32\Jpgmha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868

C:\Windows\SysWOW64\Jcioiood.exe
C:\Windows\system32\Jcioiood.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\Jmbdbd32.exe
  C:\Windows\system32\Jmbdbd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\Jcllonma.exe
    C:\Windows\system32\Jcllonma.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3868

C:\Windows\SysWOW64\Klgqcqkl.exe
C:\Windows\system32\Klgqcqkl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\Kdnidn32.exe
  C:\Windows\system32\Kdnidn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3292

C:\Windows\SysWOW64\Kfoafi32.exe
C:\Windows\system32\Kfoafi32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\Kmijbcpl.exe
  C:\Windows\system32\Kmijbcpl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:876

C:\Windows\SysWOW64\Kfankifm.exe
C:\Windows\system32\Kfankifm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3112
- C:\Windows\SysWOW64\Kedoge32.exe
  C:\Windows\system32\Kedoge32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2844

C:\Windows\SysWOW64\Kbhoqj32.exe
C:\Windows\system32\Kbhoqj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4416
- C:\Windows\SysWOW64\Kefkme32.exe
  C:\Windows\system32\Kefkme32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:908

C:\Windows\SysWOW64\Klqcioba.exe
C:\Windows\system32\Klqcioba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3764
- C:\Windows\SysWOW64\Lbjlfi32.exe
  C:\Windows\system32\Lbjlfi32.exe
  2⤵
  PID:4404

C:\Windows\SysWOW64\Ldleel32.exe
C:\Windows\system32\Ldleel32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1936
- C:\Windows\SysWOW64\Liimncmf.exe
  C:\Windows\system32\Liimncmf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2480
- - C:\Windows\SysWOW64\Lbabgh32.exe
    C:\Windows\system32\Lbabgh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4784
  - - C:\Windows\SysWOW64\Lljfpnjg.exe
      C:\Windows\system32\Lljfpnjg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:2532
    - - C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
      - C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        10⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312

C:\Windows\SysWOW64\Llemdo32.exe
C:\Windows\system32\Llemdo32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356

C:\Windows\SysWOW64\Lekehdgp.exe
C:\Windows\system32\Lekehdgp.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4088

C:\Windows\SysWOW64\Njciko32.exe
C:\Windows\system32\Njciko32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344
- C:\Windows\SysWOW64\Ndhmhh32.exe
  C:\Windows\system32\Ndhmhh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2664
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    PID:1712

C:\Windows\SysWOW64\Ogifjcdp.exe
C:\Windows\system32\Ogifjcdp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5184
- C:\Windows\SysWOW64\Opakbi32.exe
  C:\Windows\system32\Opakbi32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5224
- - C:\Windows\SysWOW64\Ogkcpbam.exe
    C:\Windows\system32\Ogkcpbam.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:5264
  - - C:\Windows\SysWOW64\Odocigqg.exe
      C:\Windows\system32\Odocigqg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:5304
    - - C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5344
      - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5384

C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
1⤵
- Executes dropped EXE
PID:5424
- C:\Windows\SysWOW64\Ocgmpccl.exe
  C:\Windows\system32\Ocgmpccl.exe
  2⤵
  - Executes dropped EXE
  PID:5468
- - C:\Windows\SysWOW64\Pnlaml32.exe
    C:\Windows\system32\Pnlaml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:5508
  - - C:\Windows\SysWOW64\Pdfjifjo.exe
      C:\Windows\system32\Pdfjifjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:5552
    - - C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5592
      - C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        10⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        11⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        12⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        13⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        19⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        22⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        26⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        28⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        29⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        30⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2040

C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5144

C:\Windows\SysWOW64\Nnqbanmo.exe
C:\Windows\system32\Nnqbanmo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3748

C:\Windows\SysWOW64\Ncianepl.exe
C:\Windows\system32\Ncianepl.exe
1⤵
PID:4776

C:\Windows\SysWOW64\Lpnlpnih.exe
C:\Windows\system32\Lpnlpnih.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:752

C:\Windows\SysWOW64\Leihbeib.exe
C:\Windows\system32\Leihbeib.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3508

C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
1⤵
- Modifies registry class
PID:5492
- C:\Windows\SysWOW64\Dmcibama.exe
  C:\Windows\system32\Dmcibama.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:5664
- - C:\Windows\SysWOW64\Ddmaok32.exe
    C:\Windows\system32\Ddmaok32.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:3816
  - - C:\Windows\SysWOW64\Daqbip32.exe
      C:\Windows\system32\Daqbip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:1528
    - - C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2964

C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
1⤵
- Drops file in System32 directory
PID:5832
- C:\Windows\SysWOW64\Dmgbnq32.exe
  C:\Windows\system32\Dmgbnq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:5952
- - C:\Windows\SysWOW64\Deokon32.exe
    C:\Windows\system32\Deokon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:6124
  - - C:\Windows\SysWOW64\Dhmgki32.exe
      C:\Windows\system32\Dhmgki32.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:5296

C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5460
- C:\Windows\SysWOW64\Daekdooc.exe
  C:\Windows\system32\Daekdooc.exe
  2⤵
  PID:5820
- - C:\Windows\SysWOW64\Dgbdlf32.exe
    C:\Windows\system32\Dgbdlf32.exe
    3⤵
    PID:3340

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
1⤵
PID:1616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 408
  2⤵
  - Program crash
  PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1616 -ip 1616
1⤵
PID:6056

C:\Windows\SysWOW64\Kmkfhc32.exe
C:\Windows\system32\Kmkfhc32.exe
1⤵
PID:4620

C:\Windows\SysWOW64\Kikame32.exe
C:\Windows\system32\Kikame32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\Kiidgeki.exe
C:\Windows\system32\Kiidgeki.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\Icgjmapi.exe
C:\Windows\system32\Icgjmapi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\Hfcicmqp.exe
C:\Windows\system32\Hfcicmqp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1712

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4620

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
187KB

MD5
1bc28b6b70966eac1ad8cd2dee9a4d32

SHA1
23ba2a7d44b9cd32c5405749126b5fbd919e6e01

SHA256
ff69872a08e3991d741bb829c2aa3bade7753ddc92492c795ca2393227d73647

SHA512
93bb9cd5171d3e4e8ff7b98f8b4aac3f25e92f2a7bbd9137830a36ee1c58c7f00f97235f2c3847290d059d6488c75e16574fd86e76018b10527fb120d9ae5458

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
187KB

MD5
e8d98802009d4e82647cbb908c7e5c0a

SHA1
f2d38a21f3d12763aaeb1de9e298be7c25ece986

SHA256
c40f6a5e854d2fb0b3599dba2aa3ec718a62b27ae54d744b18b0e70d7b45ee44

SHA512
03720a54effc921cb86976de149be2eaeb45031227c8c9f75530845269615150053d5ff538a56b7c688c92f6635539c1f64d2100ef1ead087f315bad57ba62df

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
50KB

MD5
9a21d6c9c8eac3fe85f0513e76133a4d

SHA1
b1f7bab10dd1518125df8c2bf878b90a98a45ee7

SHA256
4359dcb5c89d1df34b8a0100602045c8de86fe81b1cd823da0d7676379e46be7

SHA512
a5daf6001bd3ffa4663a2fd0abe0197c87831c458c09deaed172807428e474b7bae42ea8cfa01d31caef1c6ecdc0dc661d60e284aabf1c0c135814a2dd42f613

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
92KB

MD5
86d2c8f7c0b945d7629f380938f11844

SHA1
95407df7543b84b976e1f94994e3049476428390

SHA256
5ebbcdb4fe1c2a1581f6ea617ae42730a24ccfdbb7d05c6ca9cfbd5fb003f79a

SHA512
284685d4100e27ec62746f55b4aa0aeee7f486a8ce2c2a9e91b24dc10ac386666aa7a95f60259a5283652df034e0cc117e336cf30cf4a934ee60f0056da27011

Download Submit
memory/752-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-723-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-719-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-716-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-715-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-722-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-724-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-717-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5184-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5224-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5264-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5304-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5384-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5424-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5468-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5508-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5592-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5632-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5680-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads