9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 22:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
Size

80KB
MD5

d022a539c23c1ff0c61c7f68a620f0d8
SHA1

2b83d7749d06a70c58fe44971f3d90a062774cff
SHA256

9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec
SHA512

e31e1eb5a45193b448fc7cec75924367fbe36461e27b9d6527c1827480059ef4f840a8e533c5377f696cc7cec3953d760754592cbaefe68327ed96159181958c
SSDEEP

1536:qS4aD2kBHesLUPk2Rs7GuT72LRJ9VqDlzVxyh+CbxMa:qS4aDtf2R8LTYRJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faigdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gikaio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmkcoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjdhbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdniqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giieco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmkcoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpqpjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmpgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpqdkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fllnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlljjjnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpqdkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpcqaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fepiimfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlljjjnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpqpjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giieco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglipi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcfadgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhomd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmpgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpcqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gikaio32.exe

Executes dropped EXE 46 IoCs

pid	Process
1792	Dfdjhndl.exe
2312	Dbkknojp.exe
3032	Dggcffhg.exe
2696	Eqpgol32.exe
2436	Endhhp32.exe
2744	Ecqqpgli.exe
2492	Ejkima32.exe
2356	Eccmffjf.exe
1664	Enhacojl.exe
112	Ejobhppq.exe
524	Eplkpgnh.exe
2664	Effcma32.exe
1264	Fmpkjkma.exe
2748	Fpqdkf32.exe
1512	Fglipi32.exe
1160	Fpcqaf32.exe
2808	Fepiimfg.exe
2328	Fllnlg32.exe
2152	Fmmkcoap.exe
1144	Faigdn32.exe
1068	Gffoldhp.exe
2000	Gmpgio32.exe
2616	Gjdhbc32.exe
2896	Gpqpjj32.exe
2832	Giieco32.exe
1552	Gdniqh32.exe
2824	Gikaio32.exe
1608	Gbcfadgl.exe
1856	Hlljjjnm.exe
2660	Hbhomd32.exe
2628	Kkjcplpa.exe
2936	Mdcpdp32.exe
2588	Mpjqiq32.exe
2484	Nhaikn32.exe
2364	Ngdifkpi.exe
1948	Nibebfpl.exe
1028	Nmnace32.exe
2400	Nplmop32.exe
2476	Ngfflj32.exe
1976	Nmpnhdfc.exe
2864	Ndjfeo32.exe
572	Ngibaj32.exe
2524	Nigome32.exe
1644	Nmbknddp.exe
2124	Niikceid.exe
1852	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
2072	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
1792	Dfdjhndl.exe
1792	Dfdjhndl.exe
2312	Dbkknojp.exe
2312	Dbkknojp.exe
3032	Dggcffhg.exe
3032	Dggcffhg.exe
2696	Eqpgol32.exe
2696	Eqpgol32.exe
2436	Endhhp32.exe
2436	Endhhp32.exe
2744	Ecqqpgli.exe
2744	Ecqqpgli.exe
2492	Ejkima32.exe
2492	Ejkima32.exe
2356	Eccmffjf.exe
2356	Eccmffjf.exe
1664	Enhacojl.exe
1664	Enhacojl.exe
112	Ejobhppq.exe
112	Ejobhppq.exe
524	Eplkpgnh.exe
524	Eplkpgnh.exe
2664	Effcma32.exe
2664	Effcma32.exe
1264	Fmpkjkma.exe
1264	Fmpkjkma.exe
2748	Fpqdkf32.exe
2748	Fpqdkf32.exe
1512	Fglipi32.exe
1512	Fglipi32.exe
1160	Fpcqaf32.exe
1160	Fpcqaf32.exe
2808	Fepiimfg.exe
2808	Fepiimfg.exe
2328	Fllnlg32.exe
2328	Fllnlg32.exe
2152	Fmmkcoap.exe
2152	Fmmkcoap.exe
1144	Faigdn32.exe
1144	Faigdn32.exe
1068	Gffoldhp.exe
1068	Gffoldhp.exe
2000	Gmpgio32.exe
2000	Gmpgio32.exe
2616	Gjdhbc32.exe
2616	Gjdhbc32.exe
2896	Gpqpjj32.exe
2896	Gpqpjj32.exe
2832	Giieco32.exe
2832	Giieco32.exe
1552	Gdniqh32.exe
1552	Gdniqh32.exe
2824	Gikaio32.exe
2824	Gikaio32.exe
1608	Gbcfadgl.exe
1608	Gbcfadgl.exe
1856	Hlljjjnm.exe
1856	Hlljjjnm.exe
2660	Hbhomd32.exe
2660	Hbhomd32.exe
2628	Kkjcplpa.exe
2628	Kkjcplpa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gikaio32.exe	Gdniqh32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Iieipa32.dll	Fllnlg32.exe
File created	C:\Windows\SysWOW64\Aobmncbj.dll	Faigdn32.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	Endhhp32.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Fpcqaf32.exe	Fglipi32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Dggcffhg.exe	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Fglipi32.exe	Fpqdkf32.exe
File created	C:\Windows\SysWOW64\Hbhomd32.exe	Hlljjjnm.exe
File created	C:\Windows\SysWOW64\Pbefefec.dll	Hbhomd32.exe
File created	C:\Windows\SysWOW64\Diceon32.dll	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Fmpkjkma.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Gjdhbc32.exe	Gmpgio32.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Aabagnfc.dll	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Fpcqaf32.exe	Fglipi32.exe
File created	C:\Windows\SysWOW64\Gffoldhp.exe	Faigdn32.exe
File opened for modification	C:\Windows\SysWOW64\Giieco32.exe	Gpqpjj32.exe
File opened for modification	C:\Windows\SysWOW64\Gdniqh32.exe	Giieco32.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Fepiimfg.exe	Fpcqaf32.exe
File created	C:\Windows\SysWOW64\Gpgmpikn.dll	Hlljjjnm.exe
File created	C:\Windows\SysWOW64\Hhijaf32.dll	Dggcffhg.exe
File opened for modification	C:\Windows\SysWOW64\Endhhp32.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Imehcohk.dll	Ejkima32.exe
File created	C:\Windows\SysWOW64\Nhffdaei.dll	Fpcqaf32.exe
File opened for modification	C:\Windows\SysWOW64\Hlljjjnm.exe	Gbcfadgl.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Kmjolo32.dll	Fpqdkf32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eplkpgnh.exe
File opened for modification	C:\Windows\SysWOW64\Fllnlg32.exe	Fepiimfg.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Ebpopmpp.dll	Fmmkcoap.exe
File created	C:\Windows\SysWOW64\Jmianb32.dll	Gpqpjj32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Fepiimfg.exe	Fpcqaf32.exe
File opened for modification	C:\Windows\SysWOW64\Faigdn32.exe	Fmmkcoap.exe
File created	C:\Windows\SysWOW64\Gkdjlion.dll	Gikaio32.exe
File created	C:\Windows\SysWOW64\Hlljjjnm.exe	Gbcfadgl.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Ahoanjcc.dll	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ngfflj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpqdkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iieipa32.dll"	Fllnlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gikaio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhomd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godgob32.dll"	Gbcfadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fglipi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fepiimfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcfadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gffoldhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjlion.dll"	Gikaio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imehcohk.dll"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbefefec.dll"	Hbhomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlljjjnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endhhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglipi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fepiimfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gffoldhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhffdaei.dll"	Fpcqaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpcqaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fllnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobmncbj.dll"	Faigdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fllnlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmpgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1792	2072	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe	28
PID 2072 wrote to memory of 1792	2072	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe	28
PID 2072 wrote to memory of 1792	2072	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe	28
PID 2072 wrote to memory of 1792	2072	9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe	28
PID 1792 wrote to memory of 2312	1792	Dfdjhndl.exe	29
PID 1792 wrote to memory of 2312	1792	Dfdjhndl.exe	29
PID 1792 wrote to memory of 2312	1792	Dfdjhndl.exe	29
PID 1792 wrote to memory of 2312	1792	Dfdjhndl.exe	29
PID 2312 wrote to memory of 3032	2312	Dbkknojp.exe	30
PID 2312 wrote to memory of 3032	2312	Dbkknojp.exe	30
PID 2312 wrote to memory of 3032	2312	Dbkknojp.exe	30
PID 2312 wrote to memory of 3032	2312	Dbkknojp.exe	30
PID 3032 wrote to memory of 2696	3032	Dggcffhg.exe	31
PID 3032 wrote to memory of 2696	3032	Dggcffhg.exe	31
PID 3032 wrote to memory of 2696	3032	Dggcffhg.exe	31
PID 3032 wrote to memory of 2696	3032	Dggcffhg.exe	31
PID 2696 wrote to memory of 2436	2696	Eqpgol32.exe	32
PID 2696 wrote to memory of 2436	2696	Eqpgol32.exe	32
PID 2696 wrote to memory of 2436	2696	Eqpgol32.exe	32
PID 2696 wrote to memory of 2436	2696	Eqpgol32.exe	32
PID 2436 wrote to memory of 2744	2436	Endhhp32.exe	33
PID 2436 wrote to memory of 2744	2436	Endhhp32.exe	33
PID 2436 wrote to memory of 2744	2436	Endhhp32.exe	33
PID 2436 wrote to memory of 2744	2436	Endhhp32.exe	33
PID 2744 wrote to memory of 2492	2744	Ecqqpgli.exe	34
PID 2744 wrote to memory of 2492	2744	Ecqqpgli.exe	34
PID 2744 wrote to memory of 2492	2744	Ecqqpgli.exe	34
PID 2744 wrote to memory of 2492	2744	Ecqqpgli.exe	34
PID 2492 wrote to memory of 2356	2492	Ejkima32.exe	35
PID 2492 wrote to memory of 2356	2492	Ejkima32.exe	35
PID 2492 wrote to memory of 2356	2492	Ejkima32.exe	35
PID 2492 wrote to memory of 2356	2492	Ejkima32.exe	35
PID 2356 wrote to memory of 1664	2356	Eccmffjf.exe	36
PID 2356 wrote to memory of 1664	2356	Eccmffjf.exe	36
PID 2356 wrote to memory of 1664	2356	Eccmffjf.exe	36
PID 2356 wrote to memory of 1664	2356	Eccmffjf.exe	36
PID 1664 wrote to memory of 112	1664	Enhacojl.exe	37
PID 1664 wrote to memory of 112	1664	Enhacojl.exe	37
PID 1664 wrote to memory of 112	1664	Enhacojl.exe	37
PID 1664 wrote to memory of 112	1664	Enhacojl.exe	37
PID 112 wrote to memory of 524	112	Ejobhppq.exe	38
PID 112 wrote to memory of 524	112	Ejobhppq.exe	38
PID 112 wrote to memory of 524	112	Ejobhppq.exe	38
PID 112 wrote to memory of 524	112	Ejobhppq.exe	38
PID 524 wrote to memory of 2664	524	Eplkpgnh.exe	39
PID 524 wrote to memory of 2664	524	Eplkpgnh.exe	39
PID 524 wrote to memory of 2664	524	Eplkpgnh.exe	39
PID 524 wrote to memory of 2664	524	Eplkpgnh.exe	39
PID 2664 wrote to memory of 1264	2664	Effcma32.exe	40
PID 2664 wrote to memory of 1264	2664	Effcma32.exe	40
PID 2664 wrote to memory of 1264	2664	Effcma32.exe	40
PID 2664 wrote to memory of 1264	2664	Effcma32.exe	40
PID 1264 wrote to memory of 2748	1264	Fmpkjkma.exe	41
PID 1264 wrote to memory of 2748	1264	Fmpkjkma.exe	41
PID 1264 wrote to memory of 2748	1264	Fmpkjkma.exe	41
PID 1264 wrote to memory of 2748	1264	Fmpkjkma.exe	41
PID 2748 wrote to memory of 1512	2748	Fpqdkf32.exe	42
PID 2748 wrote to memory of 1512	2748	Fpqdkf32.exe	42
PID 2748 wrote to memory of 1512	2748	Fpqdkf32.exe	42
PID 2748 wrote to memory of 1512	2748	Fpqdkf32.exe	42
PID 1512 wrote to memory of 1160	1512	Fglipi32.exe	43
PID 1512 wrote to memory of 1160	1512	Fglipi32.exe	43
PID 1512 wrote to memory of 1160	1512	Fglipi32.exe	43
PID 1512 wrote to memory of 1160	1512	Fglipi32.exe	43

C:\Users\Admin\AppData\Local\Temp\9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe
"C:\Users\Admin\AppData\Local\Temp\9b419aaeb6ed1e68009c7b12488999890be18c8e437d29614e68937474c783ec.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Dfdjhndl.exe
  C:\Windows\system32\Dfdjhndl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\Dbkknojp.exe
    C:\Windows\system32\Dbkknojp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Dggcffhg.exe
      C:\Windows\system32\Dggcffhg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Eccmffjf.exe
        
        C:\Windows\system32\Eccmffjf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Fmpkjkma.exe
        
        C:\Windows\system32\Fmpkjkma.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Fpqdkf32.exe
        
        C:\Windows\system32\Fpqdkf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Fglipi32.exe
        
        C:\Windows\system32\Fglipi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Fpcqaf32.exe
        
        C:\Windows\system32\Fpcqaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Fepiimfg.exe
        
        C:\Windows\system32\Fepiimfg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Fllnlg32.exe
        
        C:\Windows\system32\Fllnlg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Fmmkcoap.exe
        
        C:\Windows\system32\Fmmkcoap.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Faigdn32.exe
        
        C:\Windows\system32\Faigdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Gffoldhp.exe
        
        C:\Windows\system32\Gffoldhp.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Gmpgio32.exe
        
        C:\Windows\system32\Gmpgio32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Gjdhbc32.exe
        
        C:\Windows\system32\Gjdhbc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2616
        
        C:\Windows\SysWOW64\Gpqpjj32.exe
        
        C:\Windows\system32\Gpqpjj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Giieco32.exe
        
        C:\Windows\system32\Giieco32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Gdniqh32.exe
        
        C:\Windows\system32\Gdniqh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Gikaio32.exe
        
        C:\Windows\system32\Gikaio32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Gbcfadgl.exe
        
        C:\Windows\system32\Gbcfadgl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Hlljjjnm.exe
        
        C:\Windows\system32\Hlljjjnm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Hbhomd32.exe
        
        C:\Windows\system32\Hbhomd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Kkjcplpa.exe
        
        C:\Windows\system32\Kkjcplpa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        47⤵
        Executes dropped EXE
        
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dggcffhg.exe

Filesize
80KB

MD5
a31ca6dab5ccd597a7b6086bc66095b0

SHA1
02e6e0ce0c8cf40e3f76754d647f3a95b0e3a549

SHA256
9f9b311f72237a6063617d42a8a628ff361062673e63fd5b401b3224b646b6a4

SHA512
c42c5d0d35ad428de55572f902d7b117d31681c64bf4d0acda6474506919214de5953b46005ef162a7dbd58bdfbbf3537a2b6174b6e58eee4b8d96beb9c8fbae

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
80KB

MD5
7eff8460edc248b32bd1296eca0aaf81

SHA1
e879b408a4d1225ac7a9f1c7090d965d772e1f84

SHA256
bf37fd40e36a5de02efea2ca1e48cc6c267114fb76b84b2f48c139f1349d4efa

SHA512
a9393051ff54ee6913e948596acd08bc23c94c3e15eb57fafbbe42cbedd3251e2c03d3031db2a3c750e2cfbaaed69901c9d16615e66ef78b8cc13f2b3fa5a62e

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
80KB

MD5
482c9ab8d736185bcb55ac379fbecf87

SHA1
1b8bfbcdacdcab8452ba4bffcfcb3f610897efcb

SHA256
117febf0bde6822c1c34b5d9b88d9fd2469725b136987887c8aeb77404f35e99

SHA512
6c2c88bea69dd21a7fe93418c28b4451da6fd398c108048e3051a23d2c80ae2043fbb5ab31fa8b2313a091c7a60dce091e4aacfac844b48994549e9c30963465

Download Submit
C:\Windows\SysWOW64\Endhhp32.exe

Filesize
80KB

MD5
784d7975d27c8e1612aa1303ef3413e7

SHA1
30ba5a2e319b8e158457dcd6baaccafe16f7735d

SHA256
ab691a8158b149ea09fd02860f8894bc5384709912cbeb7d4b56c00b776eeb50

SHA512
2bb1ff842e27961aa8b613f25ffe095ba55d1fc509e94a2fbf883578f2b0e3eb02b9987722f5a5031546d59b11c130c5bc6bc53be532c89a8009d10e048ae2b0

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
80KB

MD5
5e085c3a4b681afc5101ad42d8a6d38f

SHA1
a7b77bb549360e9cfc24bf495b81242d3aaa717a

SHA256
a342d3efb2f04ad071050edbea4691efbf983663c901047622e46604853d46e0

SHA512
c385a85dceb0275c44d282cf4af70b49986c5c531f084445be7cc83de9b7a14c5fbf78331c09c657724c27a9968534d6ed40d45933ab4b8c4556cf002ca426e4

Download Submit
C:\Windows\SysWOW64\Faigdn32.exe

Filesize
80KB

MD5
497c9f200bca4a97a4c1a58e63d27a38

SHA1
9b8af91d078a0dd80c368044be465234240dbf44

SHA256
2ec29fde7131222da19fafee36a40deef973a2db9d2d977cc3b499b1405e538b

SHA512
20da7d1ef7825974d5c90a873f1e74fa9fa2cc9257091a660cd58061ab8d14ef10bba07d1ab796710bcac9df03b6ad9b049923cd993f00ec5a75fe686a559d73

Download Submit
C:\Windows\SysWOW64\Fepiimfg.exe

Filesize
80KB

MD5
c6167034d1790d0575fe5beced9e7be6

SHA1
0afca5a567201d26929ca5370c68574d6de27a37

SHA256
4ff7b41b36a10bcbad127215f70ab341861d4b339810f24332f75ad4dc608c5d

SHA512
f652adbf6325c26172daf586529133345509aca7768f8d9a48892e323bcb2d837d7e638a759313d7a5397098cdd96f505184c3f34c0fa319dd8778943dac6eac

Download Submit
C:\Windows\SysWOW64\Fglipi32.exe

Filesize
80KB

MD5
5b5a3e7d62b73fd0420998b1f103891e

SHA1
35f7783d606b9c8811921060f353c285ac627114

SHA256
999cdef1723a747be25bb281259d5b2102076828fa0341e0c3653847b0674374

SHA512
8a5525aee0b205c44ddced4cb59b09c5b86ea1a9daabf4e76b98a6b0c510d0c0021242876e84ad4baf017c52351c530546f054beed11eaa78b52b35395911a9e

Download Submit
C:\Windows\SysWOW64\Fllnlg32.exe

Filesize
80KB

MD5
5240c2f45a157666057357525682396d

SHA1
923b2f933c43e02eb5053c86fc7f1bb3e6b424c0

SHA256
c3f092df0e6c2ff82f69ea9399cd43a260741814c4ab940e87d0f09f3d6f0a0c

SHA512
b6e35a5e702165fb73eb04f285381933ef6b66c8bd2da358ec4c28377fdd524e62bc0f0085c3db51cd3503bb410761b726e368d8da9a669a7320473f2bda50c4

Download Submit
C:\Windows\SysWOW64\Fmmkcoap.exe

Filesize
80KB

MD5
117a982d0e06d6bed83812df6500dd7f

SHA1
9c31cd715f7d026c5ec2dcb89ae8691a0f9600d4

SHA256
f5720795e43aed1cc38eaeefc7d95c310c6d9c2c38e28649e9adb790351f9222

SHA512
19776b9b7a45358d5332f5d6039c98d286eebdf486066de077f3861e1d40f899bd7063095d46d9d095cb29aef34cf0986211a2b09d877879794c687fcc223618

Download Submit
C:\Windows\SysWOW64\Fpqdkf32.exe

Filesize
80KB

MD5
2a7fea4b3a1deeb6d1416de93f92d164

SHA1
3d4b13ee7d2367e5a27bd3e21faf14545ee85f2c

SHA256
c9ed2986bb1cf12eb9d75102ace9a055a33d1982e77898166a461936f79db9df

SHA512
7ba1ef367195d404cc2f4bd15d5d365d8c3247ed16fea6cb99902d6525c23fb1627c7236faa091b60860a52209a632d7fbc9f48c79f26610f3b8fc90bf350518

Download Submit
C:\Windows\SysWOW64\Gbcfadgl.exe

Filesize
80KB

MD5
d81d018119c05ed59c9084d4ee2ef271

SHA1
4915ba8677bd9c36b53667aaba5a9c2a8c27e2e2

SHA256
0e22b6b15ec6c711f69d0d70b6514fc4f4752dd22c8761d729eace8439036493

SHA512
ae9f8b43e76eea6540c4f1a70a16d8f621d3fe23fa5d3d8a76cb7707954a049688591ff516a6c09835e000f0254510fa617aac7c2db20f37852fa4d5e960a6e8

Download Submit
C:\Windows\SysWOW64\Gdniqh32.exe

Filesize
80KB

MD5
e06fc5f3ebea722399390347d2dcadf7

SHA1
3beccb64c8dd40da726e11b625a2dd4e97e3ee6e

SHA256
0629b5d53b0a83bfe978f0857b9d2eeee201546fee01278b7613835525ea91a7

SHA512
b155ce91c62c1feae68f3897a74c3bb6357ee141037fc714de8c87e27d494c3cca7c3a5cfb589413ab4c692f99818ccb398e8d1b1fbd5b0f2a876243edc3f67d

Download Submit
C:\Windows\SysWOW64\Gffoldhp.exe

Filesize
80KB

MD5
44df1379f8dbcccbfb161580dfd7bab2

SHA1
a3458a9d35f2396fcd85a109f09395f9fa658651

SHA256
c7d711c906e6ce0aeda9199ca568f8f7c2427ed6f44f681768fdc07fa1dc8a84

SHA512
29c29148295b06306f5dd41e1625a2a3080611509eaa522181897935fa8f498ed3df871639e04e3595621a98cb20c3b1150a702d8908705fc37f3820f4ea4748

Download Submit
C:\Windows\SysWOW64\Giieco32.exe

Filesize
80KB

MD5
3c28e629094c15e53d3e244f9a911a52

SHA1
71b0516a551206e2bd40c77f0592e896abf1b305

SHA256
06cbe2c42fc0a5ee26c284b95e70f06bc034369fcedfb6003164de1935d9babe

SHA512
974f7601eae965940bfad513b13f675e38479c5bbcd92b9e4f6e69cc87d2dc1386839c375483d60d0654c6948506a67ce2df76f7a65fe3bedcc893ecdc828b4c

Download Submit
C:\Windows\SysWOW64\Gikaio32.exe

Filesize
80KB

MD5
018054b273f8918de73ee81f97cbff58

SHA1
818af90aa158d47b95646b6fd8b0047df324e193

SHA256
753e829b0e73b287a5b0cea25dd899891886b792f12dbe0d5a362e3797fe7d35

SHA512
54e8a8e341b6a7d495300701dd4d2bc2233123b97c378a29eab9e412f39202ca95a2dabebcc089b3b39a6f7ec6a3a1af42f38a73e5fb4df6bd6738bbc98a6987

Download Submit
C:\Windows\SysWOW64\Gjdhbc32.exe

Filesize
80KB

MD5
8466e970a921c64567f840c44aa183a6

SHA1
8d096add0411d25eb00ba0c341a583c04baa0eef

SHA256
afc0df060cfa47325eb9674ec66567bb21feb19bacc40ebbb924a697e6caf1f0

SHA512
6522ad2a6ba666071a3d50cabf4bc57da18930b99f2d046eb1c98688305d65d7efc3cbf2738bb5a675b4cfba008cad15c3dabb1a3a5232500dbe09141fb63b55

Download Submit
C:\Windows\SysWOW64\Gmpgio32.exe

Filesize
80KB

MD5
8db2118f79c2c5188ffa87d9e0dc0bfa

SHA1
c86f046174e56bd954e09c4c51a14dbdc11e8593

SHA256
d71177551b26a84c40118c7a6da9f6af35e27a4c41614250f945a0d164f887da

SHA512
1350c2be93fcfe53688c424e08ecc1f1cae20b4cfeafadb32b222f7d433a6594e389f1edf59bbdd40a53168428b39721916d5ad14a905d079883bb446ffd3e3b

Download Submit
C:\Windows\SysWOW64\Gpqpjj32.exe

Filesize
80KB

MD5
d85b15093a52d6c3a2f29e03f282412b

SHA1
9632091a913850dd9d3e2afac75c195996705100

SHA256
872628d0b87c0d29aaa189cda186fba2e830f7b4ce365cd854cadab5ac619f90

SHA512
51c4428f6c289a1c84f78bd2d570d2d40f6f7934bf4ed39c333fb941d8f38cd28da523a1491e2065f1edd56fc9faeb7cd0b76564cc44db1b765dcda3f0954151

Download Submit
C:\Windows\SysWOW64\Hbhomd32.exe

Filesize
80KB

MD5
2864a568dd20a52402cbb7b3ab2a6743

SHA1
7190c2d3bc71166355dd1dfa9db14a73335d53d3

SHA256
784517932a1e0e7831697c6e48a70ca227fd4349451b4f577d966063908dfdaa

SHA512
ec22d6137b98df77bf00224da49a6a9948b8ec32529f9dd898fef0f4f09c16113e52e03d19ccea5d2fa5a856c930e49e82a989205a0d4c79da0fd878d3844789

Download Submit
C:\Windows\SysWOW64\Hlljjjnm.exe

Filesize
80KB

MD5
72501b16ebac9844ba8c0bd934866fb7

SHA1
a09a61066f99add35ea892ab2f1e64d1aa181b5d

SHA256
98efa7ea7c29c555312c2564a8e3482f7b99c504848f577fe51123a8bb1a1f64

SHA512
5a3f7fec9373e0feb7cd221d8ddfd9f78581ded7722a3ebb468fa1e50ad2664506bdd48b748063c5672ae32579adb6114854ccc55dc7004631b86a68c21aadaf

Download Submit
C:\Windows\SysWOW64\Kkjcplpa.exe

Filesize
80KB

MD5
131fb4e9a89b2a57039671efd569b318

SHA1
55b41ae597bcda34ccdeb9bda8aac9e55378df0a

SHA256
a229ea93f48b369e7ce479254cc06724270022309cbbc64693d6d285891e9b24

SHA512
cc278a96a111c898ca37772f2763f9cb742133ef81d79d851ba2baa42c4e3e28c466b37b0daa67edf06d43a3df18f5ce9e3b647b4c7ade91d4a67ade6d66a6c4

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
80KB

MD5
f20f79e509722a18a0f42e534257e3f8

SHA1
469a7b74ab2ea2c7ef9c6e42ee4aa0612cac5a5f

SHA256
6f1b308fc29657fa28430e5a7e2d55f3cade8c1c55af8e2470c91c4cf540bef9

SHA512
eb2fb29ebdb03fb5a6abe6ab1dd63281d5d37ae8d815c746cc4f8883f5968dd41883b1d7f6367c8000a3fb786ad266209b72fcebf0bf4c36abed3f7a2632b1d1

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
80KB

MD5
769cae7792153265e6b6cbedc82caa34

SHA1
395e477c43071bac04936f18f619779da4c65ad7

SHA256
066751a5374b243a5e843e88b8c6490a1754324a97551dd9f2dfc3cc40e6a80d

SHA512
581fc3aae149c9f23df83b7e2770e819e56ce41d88b0a627447dd922b875c2714036362082538866a35ccc26a43824d9aea12a5c0271d682f5cb40920cef9796

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
80KB

MD5
75ee152bf63c6b92a59177895f9f66da

SHA1
aee6d6112a2bdd014305beec6c01512f6b3ebc9e

SHA256
4e57e0154ee98cb8a2b5c34e768ddfe97e7f94f88c659b64bffb1ec4b990727b

SHA512
b05b68aa30f179484a04b95d3c9a754ef652b89d7ac529dbe6c1ce0314da7c83057abdaff2c2b4fd0116868fedc423c79fa17d1b8f31a36842f62fb07dcb6fbd

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
80KB

MD5
1c1171d4a1091b9a38e0456059568564

SHA1
be17b297113b7959fcaff35bbf8af4a01327b9e8

SHA256
97d00505ec9038076313822a1f801f2a7e44a14f66a789fe0151bdf47fe3f531

SHA512
3d26454ab8adb2401e89ff99efac7de0635da3c0e8e35c4a5924a5e312a21e92915a6a1580af9c6e4d9629655982234d6150697fb04135d6ace7f73ab314f08c

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
80KB

MD5
935110096f75f8dfa03c066107468998

SHA1
13ddb755d2a1c9292adb265a356611f34a6560bf

SHA256
4d8547bfd4ee4a4994512dca2c019c1f834f4669188ac5dcae634dcbdc0b3971

SHA512
8e377c8a0adf1fba7aa2d7a012720918c05799fe2e2ad54aba22e877fc65a84f4449129a64e749259d3c655515425431182a62adf4e77915e26de4f2913be338

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
80KB

MD5
7dd0ba355bffc9c31648390de358d535

SHA1
8beb609ede2b0b4d8b24fff275ad28950f3dd24a

SHA256
6ab22660dc0f0ecfadf8af189f35cd9b88535a18bf9d9f1a5c2a22dd7a692e0d

SHA512
0786c9bf68f53ecc4eb610c940cf0d43d1c3e022c58a66c7ef3f41a9d963ce75e95d53a1e321052877559168a87218b9cc618ce937cb98c8768876d23c0bc902

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
80KB

MD5
231de9044897327c449f8ba4818f5d54

SHA1
4e69cc45ea6c61ee7c9910e21369d1e843a8a6e9

SHA256
b9706f47c7bef7451ea688e5228737f6f7f3ea9923d3cab3ad8631ab95262f16

SHA512
d6b7b9c3129782da9d136e42e22a8071d7f3ec12cfd8b17a6db1c52c264c5d2fc3d5390ae8cec44067dd80f65389b5feb7acebcf1eb237e43d60af87561d12f6

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
80KB

MD5
07362b8dca7f9efba62cf4e1952c8935

SHA1
318151db0f35322a21e98d962d3492aed2d9aae3

SHA256
c03bfc5b11bb9f2a45d79a7d4d113109f8f278a2783f4d4dff592c6c1019176b

SHA512
c5ade5830ef449f7f0aefc46016f7f1a739fb168127199452c204aee0cb94636c98f794071ad99bc8e5eb8f4631caba33c4d7d87da3f6fed5a99ee3a0ceb2cb7

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
80KB

MD5
60f2bd242a438aea687f68b8f94971c1

SHA1
88a068fc8390a850223e26b7d58ad55d2114831a

SHA256
603479c0023a1b06b907deb41cbb05445c712cbb588e103c0e7947aa565a2a0e

SHA512
2ca454dc75520765efd831ae110569650a52ab53ce842371b9bef62bcd9bbd0cc4694eae29e1788dc3d52b2ed0536c3ce26e9e4c9eb9f626da50ca2d94d6bb48

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
80KB

MD5
4f4f8d7b669cfad060cc673df3b3e57b

SHA1
ad82cd2680d7e3be785c520c5e2098954138b13d

SHA256
d7811584c7f4e3a9075e7f254e1299078057e3812225fee4a310547e3ad7486b

SHA512
124589596d8135ad616848194aef2a608c22c660539d2429c7c534a64f88e8ae9cc6bef37787fa5fa75fce8fdb58eba93fc0b96a83e31403679caa852db56edc

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
80KB

MD5
a95b57831c8b46123bea7dcace1ecadf

SHA1
1f0631a6bbb66f67d317e30f7c1a25e4a5620053

SHA256
5ea242d820d7b37558c58bbc61444c3c5aea0ddea8eb8323a816f75e0c63aad7

SHA512
b9559ee6af6bc08af1961afef3c28a751398f002a730095f9de5c4576f48ccb60c21bd80002af8f6146165ea20ad44d18f56f373f92ff51e15872f63fb1930ec

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
80KB

MD5
7db1601cca3c701e9ae007bb3e841bb8

SHA1
047a8486de1660629564ee38718a7899424f506b

SHA256
0c5f08303c1ccb27cbdca5be25acde68a5590c9c636e2649ca4eae0335e868df

SHA512
8d42ede89508ac779f68985dd2b2ce8ec127cb07d8356872bec8bb0ce46b157829c461aff52d1c9a3ce5da724750ab6ab98544b63dac328f184619fa7e2603a6

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
80KB

MD5
f685608a202ddf4cb1187b7025b05582

SHA1
1dbb4621bde8d508a63bb89196eebad78b660538

SHA256
669ac0e461209cd180d3be65fcb7d326cc73294c2e6c3ec396020e4dba191e18

SHA512
66cdf64ce24405589c6c2924e41b27e7b0a31cfdb648e1399825f8ff969f74ee797e78ca82dd9a0707bc08350a5b9a0ba40709d5644eefba88336342b4e67464

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
80KB

MD5
2f82f125419d63807fa566294537e601

SHA1
dd51c8aa557ca59d3aed7776f49e2fa81d7be13c

SHA256
a79baab287a8f384a24ce663abcbefec4f7c1cb30e725ba4dfc4fbb55bddc8cb

SHA512
55a57c7a5428b88606ebc6fc420a2c01f58930bd044bcece2a69675f7137d8d7dac9e6bcb86e940bad35a6b27386777e19b12de48cd3b241ae41703a357df129

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
80KB

MD5
6f434ad38777e62191f33d62a899d091

SHA1
0c16beb06d48b56f30639cbc36ea9a3a2b0c2b42

SHA256
e3c6cc42c541d3073637957896e2e31eee3992b4f09ad11249f51cb7b00735e3

SHA512
b23eb2f316efde9a8195b71c159cd84d4403db2e1525ef5a8008f63c652c883a14565cddc537db59cbcf79f39d7364b33f54ec4b2f104e6235bf9655d2816cd3

Download Submit
\Windows\SysWOW64\Dbkknojp.exe

Filesize
80KB

MD5
c5ec1bd6cab1415fd285bfa0adae3e35

SHA1
450564bf7c4b032ab1e0cba4cad224ae9a51c19d

SHA256
1fdcbe653f0241b261169523e1bb53245c60d5af66082198cd0c689ee0cf98af

SHA512
e173ea9ce8bdca67112c83bbe425f31f70b7cae391649e7467a0ddb1fb1c78910d6be6a7b60382b3e113f7346c1b150e1f152ededc25ad2355ca8298883a59e9

Download Submit
\Windows\SysWOW64\Dfdjhndl.exe

Filesize
80KB

MD5
1278e4a0aafd6f16433b91c013d92e10

SHA1
623c9b9953b93160c805d23ce9357c591cac350d

SHA256
3b04ddef23d943fb4a9fcce2f6eb159275880275584ce1876987f6d36460cb14

SHA512
94cb448a87fa98b44cb5c05b111434340c7dbb4adc3938631b71a9fa946b3b126439f9f2770a2a46d2af6a79924f7d6490aedb26d153ec2d504180d1b49255d1

Download Submit
\Windows\SysWOW64\Eccmffjf.exe

Filesize
80KB

MD5
979759d1517e67fbd91c6183386ceadf

SHA1
75d85b5a316d589836435887bf6d96f71ab49047

SHA256
d1153b227993f4f13b6490fa2259ec74704ee0e6f5c66217abc75aba0e0b2f59

SHA512
40c2c2ca1ee9918bade6a1d261cbce8c10c7362f92673ef854027c4fe91940e725dbf4f2225a61ff4f282f029cfdec77997c78091a93cf860b273296b51aa181

Download Submit
\Windows\SysWOW64\Effcma32.exe

Filesize
80KB

MD5
cfff7778ffb1afc370b7487f034df8fe

SHA1
12bef682e5bd9b2aca1b72f64126d4ef9a09daa4

SHA256
9c6debd143693e11edb4e0605d8bebde68e62d1148afb65fdb79d0d93de983ee

SHA512
aa17aae6c3b0d04d8173633e14a3878c90d25a8b57b53b536f3467b407e5504ef8630fa33e66966bd930bfe818a977e4e0df5a82ba170022057b3890d72d0c82

Download Submit
\Windows\SysWOW64\Ejkima32.exe

Filesize
80KB

MD5
8b496f79ea5ae6f5d05f1779db654237

SHA1
263550dd9c05eca8dc4392c9017fe090a0ecfef3

SHA256
8dfd98f7c4c00fbf3a3f00c6efda0832fffeab7b16ba0cb02af2c6024c0fb302

SHA512
15cfe3fc60ae913d5f339fbda1fbac2d81cfdf9275d5db3bce04c3681dbf204bca53bdd0ea79e5828f7ac91af17c822323780f85aad163362d42a57885f1097a

Download Submit
\Windows\SysWOW64\Enhacojl.exe

Filesize
80KB

MD5
c2a9484ddf6c997be6898cc12f988714

SHA1
c737cf7f9dee944601970eb02dd03dace125fffb

SHA256
3b6b066f1a634d17829e550f83b87140d7c01f45f107279d65f0549f123fe034

SHA512
e21f8ef07c04bf7d7d5d4af3763b180dca7ddff39e9a610a3e8867057de0c84457e3faaf8e6c9a75d045a39ef36418527967dc43bb0f2ba648ff9ad3bf5a1eee

Download Submit
\Windows\SysWOW64\Eqpgol32.exe

Filesize
80KB

MD5
db9745739cf1aa24c5eb569f20e078e5

SHA1
2a3262327ff9920b7b3d9a9295e8ff55066dfdab

SHA256
faf979d0360fcef419019fe7eee4ca2b8180599d4450c3951d71b6efde89c09a

SHA512
012d535f9600d056ea6e0f562819fa94702696bd1e2d2122fe317844d8a56fedaaa0078c88071ed813f49118ae1de5331eb3dc6fcff2576d6cbaaeb3c75f82af

Download Submit
\Windows\SysWOW64\Fmpkjkma.exe

Filesize
80KB

MD5
92340112adcdbda2554f0047d4f9f448

SHA1
96168dbcfaa696437246da81dea1fab4c5333178

SHA256
ce941dcac7fee279bd4376b62d44bfd128eb61398ded15c91fd80c1e4e12c31e

SHA512
fe4e5eac5b42dcad4324250462e8d610cd70a43cbcc62b154826e3ba6b1a3c07e1ba910fd57d9f412a66d9000e6bca3d1452f11f437bd6c72a690b43e0575017

Download Submit
\Windows\SysWOW64\Fpcqaf32.exe

Filesize
80KB

MD5
87b9fdbdeaa9092133b5e90086651539

SHA1
c5b1e4fe1a366ae0cfec2d066f9cbfb1cee34181

SHA256
455cc5160b363bdd350f24ddc741c5d78036c6fbda59af282e8aea6e2f87b18e

SHA512
6fae3a9bfcb3209427c0b644f0ac7fececc0ab9798c545d06036aa6d9117281c50ff9e41592526eb4e7adb3097635928e1e2686c6e5cccb360f6be2bf21eee38

Download Submit
memory/112-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/524-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-338-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1068-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-283-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1144-262-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1144-277-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1144-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-326-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1552-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-350-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1608-352-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1608-353-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1608-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-360-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1856-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-364-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2000-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-297-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2000-339-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2072-13-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2072-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2072-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-272-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2152-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-252-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2312-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-239-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2328-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-268-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2356-113-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2356-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-125-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2436-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-346-0x0000000001BA0000-0x0000000001BE0000-memory.dmp

Filesize
256KB

Download
memory/2616-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-345-0x0000000001BA0000-0x0000000001BE0000-memory.dmp

Filesize
256KB

Download
memory/2628-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-374-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2660-370-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2664-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-186-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2664-178-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2696-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-335-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2824-351-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2832-312-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2832-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-349-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2896-347-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2896-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-306-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/3032-53-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/3032-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads