ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe
Size

74KB
MD5

4d26779d7a0c34054759979ed9352d3c
SHA1

560ae940d4d284df1196488311d3fa2a55c89032
SHA256

ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486
SHA512

01ea7781b9a27f4ce3ab04bd12247c562e390f0f6ac27307c2d049fc7ffacbe3d131a00103bce6902e33df727b39bf0c8ccb42a35b9ccd991fcf73f78af9b6c9
SSDEEP

1536:tDIJRKV6aHoOpI3QkAp2yeW7vpTljsPsSKSKIXGhj9Ge64e+0fpc4:xSauIljsUuNXoj9hYp5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Geanfelc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koajmepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nodiqp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegkpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnblnlhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccggl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhgonidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekonpckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibeoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidfpki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fofilp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgonidg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejqldci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe

Executes dropped EXE 64 IoCs

pid	Process
4624	Pagbaglh.exe
4488	Qjfmkk32.exe
4104	Qpeahb32.exe
4356	Akblfj32.exe
4432	Adkqoohc.exe
3104	Apaadpng.exe
3504	Bpdnjple.exe
2280	Bacjdbch.exe
3696	Bgpcliao.exe
5008	Boihcf32.exe
644	Cgifbhid.exe
3056	Dnmaea32.exe
2392	Dhgonidg.exe
3632	Dkhgod32.exe
4704	Ekonpckp.exe
2008	Eqncnj32.exe
456	Fofilp32.exe
888	Fkmjaa32.exe
4808	Gegkpf32.exe
1616	Gnblnlhl.exe
4456	Gacepg32.exe
760	Geanfelc.exe
3452	Hhaggp32.exe
1416	Hehdfdek.exe
4612	Hejqldci.exe
716	Iojkeh32.exe
4400	Jhkbdmbg.exe
2500	Kibeoo32.exe
1716	Kcjjhdjb.exe
4732	Koajmepf.exe
5064	Klggli32.exe
4688	Lcclncbh.exe
2632	Lllagh32.exe
4444	Lchfib32.exe
2232	Llcghg32.exe
2404	Mledmg32.exe
5012	Mofmobmo.exe
4684	Mjnnbk32.exe
2832	Mcfbkpab.exe
3200	Njbgmjgl.exe
2908	Nodiqp32.exe
4916	Obgohklm.exe
4392	Oqmhqapg.exe
4856	Pjjfdfbb.exe
4300	Pjlcjf32.exe
2472	Pmmlla32.exe
4664	Abcgjg32.exe
4440	Affikdfn.exe
2052	Babcil32.exe
5144	Ciihjmcj.exe
5184	Cildom32.exe
5228	Dkkaiphj.exe
5268	Dnljkk32.exe
5308	Dkpjdo32.exe
5348	Dkbgjo32.exe
5388	Daollh32.exe
5428	Eaaiahei.exe
5468	Ekimjn32.exe
5512	Ecdbop32.exe
5556	Enjfli32.exe
5596	Ecgodpgb.exe
5640	Eqkondfl.exe
5680	Egegjn32.exe
5720	Fkemfl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fiplni32.dll	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Gkoplk32.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Pmmfoj32.dll	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Fofilp32.exe	Eqncnj32.exe
File opened for modification	C:\Windows\SysWOW64\Iojkeh32.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Abocgb32.dll	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Agolng32.dll	Obgohklm.exe
File created	C:\Windows\SysWOW64\Bfajnjho.dll	Abcgjg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Gcjdam32.exe	Gkoplk32.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Bpdnjple.exe
File opened for modification	C:\Windows\SysWOW64\Gegkpf32.exe	Fkmjaa32.exe
File created	C:\Windows\SysWOW64\Ahkdgl32.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Baampdgc.dll	Fofilp32.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kibeoo32.exe
File created	C:\Windows\SysWOW64\Pabcflhd.dll	Lcclncbh.exe
File opened for modification	C:\Windows\SysWOW64\Llcghg32.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Fofilp32.exe	Eqncnj32.exe
File created	C:\Windows\SysWOW64\Jhkbdmbg.exe	Iojkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Gdknpp32.exe	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Ielfgmnj.exe	Haidfpki.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bacjdbch.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Ckjfdocc.dll	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Affikdfn.exe
File opened for modification	C:\Windows\SysWOW64\Gdiakp32.exe	Gcjdam32.exe
File opened for modification	C:\Windows\SysWOW64\Haidfpki.exe	Hccggl32.exe
File opened for modification	C:\Windows\SysWOW64\Hhaggp32.exe	Geanfelc.exe
File opened for modification	C:\Windows\SysWOW64\Pjlcjf32.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Knnele32.dll	Koajmepf.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Mcfbkpab.exe
File created	C:\Windows\SysWOW64\Hccggl32.exe	Gndbie32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Dhgonidg.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Fkmjaa32.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Abcgjg32.exe	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Hlpihhpj.dll	Geanfelc.exe
File opened for modification	C:\Windows\SysWOW64\Mledmg32.exe	Llcghg32.exe
File opened for modification	C:\Windows\SysWOW64\Abcgjg32.exe	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Ibgmaqfl.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Bacjdbch.exe
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Ipamlopb.dll	Lllagh32.exe
File created	C:\Windows\SysWOW64\Pkbcikkp.dll	Llcghg32.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Pfgbakef.dll	Pjlcjf32.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Egegjn32.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Koajmepf.exe	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Egegjn32.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Eibmbgdm.dll	Gnblnlhl.exe
File created	C:\Windows\SysWOW64\Lfojfj32.dll	Hhaggp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5704	6056	WerFault.exe	188

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdjlcnk.dll"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geanfelc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koajmepf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Affikdfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll"	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebekb32.dll"	Fkmjaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegkpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajnjho.dll"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll"	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmfbkh32.dll"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhaggp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll"	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Janghmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klggli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcfbkpab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4624	4536	ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe	101
PID 4536 wrote to memory of 4624	4536	ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe	101
PID 4536 wrote to memory of 4624	4536	ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe	101
PID 4624 wrote to memory of 4488	4624	Pagbaglh.exe	102
PID 4624 wrote to memory of 4488	4624	Pagbaglh.exe	102
PID 4624 wrote to memory of 4488	4624	Pagbaglh.exe	102
PID 4488 wrote to memory of 4104	4488	Qjfmkk32.exe	103
PID 4488 wrote to memory of 4104	4488	Qjfmkk32.exe	103
PID 4488 wrote to memory of 4104	4488	Qjfmkk32.exe	103
PID 4104 wrote to memory of 4356	4104	Qpeahb32.exe	104
PID 4104 wrote to memory of 4356	4104	Qpeahb32.exe	104
PID 4104 wrote to memory of 4356	4104	Qpeahb32.exe	104
PID 4356 wrote to memory of 4432	4356	Akblfj32.exe	105
PID 4356 wrote to memory of 4432	4356	Akblfj32.exe	105
PID 4356 wrote to memory of 4432	4356	Akblfj32.exe	105
PID 4432 wrote to memory of 3104	4432	Adkqoohc.exe	106
PID 4432 wrote to memory of 3104	4432	Adkqoohc.exe	106
PID 4432 wrote to memory of 3104	4432	Adkqoohc.exe	106
PID 3104 wrote to memory of 3504	3104	Apaadpng.exe	107
PID 3104 wrote to memory of 3504	3104	Apaadpng.exe	107
PID 3104 wrote to memory of 3504	3104	Apaadpng.exe	107
PID 3504 wrote to memory of 2280	3504	Bpdnjple.exe	108
PID 3504 wrote to memory of 2280	3504	Bpdnjple.exe	108
PID 3504 wrote to memory of 2280	3504	Bpdnjple.exe	108
PID 2280 wrote to memory of 3696	2280	Bacjdbch.exe	109
PID 2280 wrote to memory of 3696	2280	Bacjdbch.exe	109
PID 2280 wrote to memory of 3696	2280	Bacjdbch.exe	109
PID 3696 wrote to memory of 5008	3696	Bgpcliao.exe	110
PID 3696 wrote to memory of 5008	3696	Bgpcliao.exe	110
PID 3696 wrote to memory of 5008	3696	Bgpcliao.exe	110
PID 5008 wrote to memory of 644	5008	Boihcf32.exe	111
PID 5008 wrote to memory of 644	5008	Boihcf32.exe	111
PID 5008 wrote to memory of 644	5008	Boihcf32.exe	111
PID 644 wrote to memory of 3056	644	Cgifbhid.exe	112
PID 644 wrote to memory of 3056	644	Cgifbhid.exe	112
PID 644 wrote to memory of 3056	644	Cgifbhid.exe	112
PID 3056 wrote to memory of 2392	3056	Dnmaea32.exe	113
PID 3056 wrote to memory of 2392	3056	Dnmaea32.exe	113
PID 3056 wrote to memory of 2392	3056	Dnmaea32.exe	113
PID 2392 wrote to memory of 3632	2392	Dhgonidg.exe	114
PID 2392 wrote to memory of 3632	2392	Dhgonidg.exe	114
PID 2392 wrote to memory of 3632	2392	Dhgonidg.exe	114
PID 3632 wrote to memory of 4704	3632	Dkhgod32.exe	115
PID 3632 wrote to memory of 4704	3632	Dkhgod32.exe	115
PID 3632 wrote to memory of 4704	3632	Dkhgod32.exe	115
PID 4704 wrote to memory of 2008	4704	Ekonpckp.exe	116
PID 4704 wrote to memory of 2008	4704	Ekonpckp.exe	116
PID 4704 wrote to memory of 2008	4704	Ekonpckp.exe	116
PID 2008 wrote to memory of 456	2008	Eqncnj32.exe	117
PID 2008 wrote to memory of 456	2008	Eqncnj32.exe	117
PID 2008 wrote to memory of 456	2008	Eqncnj32.exe	117
PID 456 wrote to memory of 888	456	Fofilp32.exe	118
PID 456 wrote to memory of 888	456	Fofilp32.exe	118
PID 456 wrote to memory of 888	456	Fofilp32.exe	118
PID 888 wrote to memory of 4808	888	Fkmjaa32.exe	119
PID 888 wrote to memory of 4808	888	Fkmjaa32.exe	119
PID 888 wrote to memory of 4808	888	Fkmjaa32.exe	119
PID 4808 wrote to memory of 1616	4808	Gegkpf32.exe	120
PID 4808 wrote to memory of 1616	4808	Gegkpf32.exe	120
PID 4808 wrote to memory of 1616	4808	Gegkpf32.exe	120
PID 1616 wrote to memory of 4456	1616	Gnblnlhl.exe	121
PID 1616 wrote to memory of 4456	1616	Gnblnlhl.exe	121
PID 1616 wrote to memory of 4456	1616	Gnblnlhl.exe	121
PID 4456 wrote to memory of 760	4456	Gacepg32.exe	122

C:\Users\Admin\AppData\Local\Temp\ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe
"C:\Users\Admin\AppData\Local\Temp\ce1a3d1fb94dbb461d43f3495e9fbd2476eaeeac5e5e42af23061c5e5960d486.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\Pagbaglh.exe
  C:\Windows\system32\Pagbaglh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\Qjfmkk32.exe
    C:\Windows\system32\Qjfmkk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\Qpeahb32.exe
      C:\Windows\system32\Qpeahb32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        38⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        51⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5308
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5388
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        72⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        76⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        80⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        81⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        85⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 412
        86⤵
        Program crash
        
        PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6056 -ip 6056
1⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
74KB

MD5
b8987cdd536165286bc1a96b58bf3784

SHA1
7571165b8b5f95aab46a5fdf7245cf67481b5733

SHA256
9c13c59ddd3ce684cd558e59c09d28012df64fd21e15229c25c1e2fd7360f788

SHA512
2bf8e31203f920ecc9656d9487eba28dddf38a4c59bbb40f9eb9d6c4d4aeddfe284c2cceb1114c21df7913add5f4e40689b9b5cf8ae21997e287686ee4c0be2f

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
74KB

MD5
490ac2b9413240ad5c0a94c23055c5c4

SHA1
59ffb3236ad13c616cd1d08c582a524de36989d9

SHA256
1ab698fe9af3bf0af7e097ac8825e86c20dee6a77445312d185e2e1996342928

SHA512
bb3d65314a1cbe552db35796bef352b2c28a5a5d06ce7a9c5028b9162528775248a671680d4a9322ca70ce4029fe3327fa4074814f670959eb4a7cc9e78d3602

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
74KB

MD5
4a38f41d19b75eb637bff4b19f30b3f2

SHA1
84b5d886e44821134c5d2c4a1aa24d66f4062f1e

SHA256
feac2250c2a498f0e2b61de359f8f3b049ea62b37ac276813bbdbdf09048a240

SHA512
ba9dfff5d12be955f703a01025a1424268292157af0954b8973661a53848cb046502772095856f8566cf91c999be9e0d86a2d63aef5c6fe256b0cbf1372e8cde

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
74KB

MD5
de169a385488a36d0735d6887f0c8741

SHA1
dcc3d06ca706b5866261b7484c3e6d95f9494048

SHA256
17da31d9b6168123c460d6debdd2ce259ae0175a3b2b19d6663762e27c5677d8

SHA512
a84b57302b33f083afc7903a9f3dba226e76f444dd1c90329e17e2cf4ebfb746a28bc7395a9adda15b69a60b02237f97e18030b9b71c135bd8f0a88dfb768650

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
74KB

MD5
cfff724a9ee00a10e986675a44a00c82

SHA1
080539fce680895ad3747c8c369ec43ce8366bc6

SHA256
41d514da18421470d9ec583cf1c8c1061d1336da2baa8c2a005bb5c167be575d

SHA512
5bd9b11d841a59e09f0326adbc4a7942e58ef83bced8a381664b67a6f9a3a38c025e7394e49678e9e8f78f1d005cedae77ac7cc328e54566404327c3db22220f

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
74KB

MD5
319e34cdb93ffd1edca846128147d761

SHA1
36a6c98db465270f2a928f3b14cc7a795f09540a

SHA256
04688ee6c0185d1543128abddcafe94c49bdbeb47d22a4266377642716594dc0

SHA512
936f41ba593f28f18d42a86824c106a8ca50aa42531ae5f5f14cea2bbdfc5345e24e8a6c424a810aaeb7208973f18ebfbc9606ebac37f85f6e378db9607d5bfe

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
74KB

MD5
81fe9a973d012d7dc12ba2d87055733e

SHA1
5bcc6f0003cab67f78e801bd96e58b6a5116f275

SHA256
d7aa2651dbba771a0b2f2d1ae67e2823097d577678502b791968bb154109aac0

SHA512
24acb7c99c6c93b092905b09c84d81bd1ba302097e59aa3bf95b37198a79295189b54b7e352c75b86bcabc892ff88620feab474a621fb1c97666bd08b490fb80

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
74KB

MD5
a56c0498be1f6be5d665b399fb8ba335

SHA1
62ca4c6cfd81aae58b3f72a821ad5c61dab87cdb

SHA256
cd3899ff850e090417ed3bb8b19bef70fd1c823a785f6452789a207bee955a44

SHA512
6b95fc8f3ad3b1e5f5cff2ce9967ccec2310e206e217a55a1346e348b84e1b0b92def03d059f4e84ef4be880617fa1600e0a6b38c99c338bbc20448fb65b67be

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe

Filesize
74KB

MD5
d3c12a34ecacc7f835acb7d60c6b4fcc

SHA1
a2a070e5bc35d2ddb471ddd49034570d6b3ddc47

SHA256
22086fb33488f62b410d3b4a3d2f82ff157615d36416cc9436319ba793ba1c64

SHA512
51e606f730c56136a45d3a2064ef18cee892fab58d3bd36ebb6ab2ab1c1c5431f28ef3f37383be3335612c4c1e72bd89956054c9ca93edbe258fe7b217f84df8

Download Submit
C:\Windows\SysWOW64\Dkhgod32.exe

Filesize
74KB

MD5
6d79ef95c55a22e664491078cdc658c1

SHA1
538eb2b135d609606953249d2940edc74e4b2a4f

SHA256
b13a52cc4b7a21e4c90e39e9059faa64487333a10d8447aa2424a0158e199d78

SHA512
eed4708a8cde81df11c23fe80acb3004fd070d93e7fcb4e15f004fa6407482e6eea817509202a73e0d938f77021081967ff4a39e2e3009707208624a3f90613c

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
74KB

MD5
402cd568a2e69c0da5f5181803463a2d

SHA1
d94834fac843bd22d0971eff315cea784ce2930d

SHA256
a1c2f86eab7d315033a590659b23bb7eba891cb7c781d331caaa9c47fe7c3630

SHA512
8e06867cf87c97ef9cf9a2a7a14581d836d702e05014d3cb0ee659f88477f2ee3ae7d1ddf65f3b46e68756698580b49aa4fc55ed77324e807ddae7a75d27cdc1

Download Submit
C:\Windows\SysWOW64\Ekonpckp.exe

Filesize
74KB

MD5
73b2cd87f81bd5e23de4abc022fb95f1

SHA1
94f53df0de1dd41eb9ca4d73005ab817ecdb27e1

SHA256
71dc172dad28eeb5bf2aa923a5a48820c17a367c055329182b576cd7276167df

SHA512
3f9c054f2b44fbe2744f2d541ea5d87167b3c09de811a3ccadd675460bd58fb14f10233288764500bc903d8fa924ed62682f8f7a59d83517bce1e7d05368eedf

Download Submit
C:\Windows\SysWOW64\Eqncnj32.exe

Filesize
74KB

MD5
92924075a0dffffede4510a0b2db52da

SHA1
8f4c739a0e6670453dedbfd443185fd425189878

SHA256
c2a3759ceb18fcaf692ce5f49b483c9f0b9895c1a88f581951e3f976d7ea5b63

SHA512
44ac46b017119de6bf719ea9f360c899c878cf96e331f0d28cae51884604d74ad0977a1d5f352cfdfadb24f9918f048d8b76cf42f092a732c23851352b2fc8c7

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
74KB

MD5
33c071bd6e1a62068576599f3dd1287d

SHA1
80d6579eb1455d1980731aa060801c324e50d84e

SHA256
45bd2c380616e3f643383680108f5d76ea1a7cc3a76ba8cf34ac38904f5bf08a

SHA512
62202ba64c80025513950d0b81f517268197cedbfc5029a9d0f201ea9a8d39c892fb627d0f37e8e791a234c28536f36f6f0864b1462cef03aa4ac05a128cefb8

Download Submit
C:\Windows\SysWOW64\Fkmjaa32.exe

Filesize
74KB

MD5
f78935d311c5c312ad599e1ba667a7c6

SHA1
7b6ea976c21bf8f186ee0871814d6ef590ead9e7

SHA256
8c31eb2a188136d6ebe86d16b629aea076bda0e500fb544704056cb478349c25

SHA512
51a737e81a9742c7ea59db2b427a8df09eb6bacc609d92a5006a131eed8cc8e6d4a08333c9ee1747904213f02bd0b5612736af4129fa5f934d86cb4906ff3a95

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
74KB

MD5
05eeeb17c907c9154a1f073dc634cb62

SHA1
4b0e21490cf0409da65d7d6f15ef5149d94310b3

SHA256
be41ef39914097762bd8ebfc0ad6e0b3fac544a5af6aaf85ee9a279485107bb4

SHA512
a0ee7d2c3d6a06bca32f00b58a6268806e80ce807b63a149f1d625f931f6d73a499448bb4d0857658519b5e85364d5368e8d15bcdd6e19af5bf8eac74f4542ca

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
74KB

MD5
9896974b537336bca9a43daf04357a07

SHA1
793d5dac4cecce3b1895915675ba58eacbef49c5

SHA256
9687ca5366a2b5b88c83264104ecdf2354ed89beb08c9e57e7b815d3aa8eff9f

SHA512
136ee7dd68a733a86619938bc99c3844e312a61d64e7ebfebd2fa260ba654f8516b538cc63f65217c6725b8f2a9c7e0432b81d159c482a60abef13f73f8d520e

Download Submit
C:\Windows\SysWOW64\Gdknpp32.exe

Filesize
74KB

MD5
a30e9c2a5b2c7736f3a94e6c89f1f9cd

SHA1
8bed2081a78100b3b16cb33b72a54cbf6c44c3f1

SHA256
ac081a2f46c15c0794fbc5436c15b5f1c88ce92ca1da078a438e496c0d7c4d76

SHA512
484884fba62a972bdbe7aefeb236428291fa23b61a0929cc99cbbc06670aa08fdf2f3aced15451419214468ef6fb919d27bb6f8b4d82e00b1c60a2a840cafd33

Download Submit
C:\Windows\SysWOW64\Geanfelc.exe

Filesize
74KB

MD5
65115db6286d2f0ec55d2f856cc8d1a7

SHA1
f6485157e8831805a61dd4749c76b669dff23f5a

SHA256
524446ecfd6fbfd37a9cae1e8dbb3d2dbc4d1fe3d29c140570800c8ae130c761

SHA512
e0e4a4ccddfe92ddd5fd6f3089399990a65234e754a09620e8de1d9eed87b13478affe9f6886380a3c1da3cb4aff988348369395d4c114b3315a663c86345f73

Download Submit
C:\Windows\SysWOW64\Gegkpf32.exe

Filesize
74KB

MD5
2a4e233b07c98173a1d99c6b7ee074c4

SHA1
7e0852f44a214ec18e0b7587b2c37cbfe109f64c

SHA256
8aaab40b28159c3db517758b3776fbab9a64b32218289f1effc5542907ec95d7

SHA512
7b60b2aa3dbdecb5c452515c43feecd71e5091abb1da241e195b33c7f409bc7631b5e5dd9b9be10c7c3228c6cc2d6940fdc4bbffd935fd6dcc910f4e33c20c63

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe

Filesize
74KB

MD5
c06f4b7222a5204bade11f8b9d2a4b05

SHA1
73ee1e0f097c043a0a79fcc3173905d885076de2

SHA256
4c97f577e1a477a66046012c1c107db60ebef947822639b2f07386e75fa9356e

SHA512
0a378f343f59d106eeee411dd9f095b32f411326b9c35917a50b5fccb8944b3ac35a79ef2c476f13b6488b8b041afedb66c6bf38b796b938890acf1825ee0d71

Download Submit
C:\Windows\SysWOW64\Hehdfdek.exe

Filesize
74KB

MD5
bf59e556ca16f83db63f2da09b7fe540

SHA1
beb921ca0bde5ec11be12a2e1401a6704afd24ac

SHA256
ed0293f56f229f2eceebf168d9e5ffc33175924707150e80350e96ce11462d67

SHA512
14fdcd0349311eb2d47da74948ca6b1c8c3c8fa348819f4870b6b0c12f113b8255de309e88d1a6ffea35ba771699576470a85c3c816f24abb58d41778071cfd0

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe

Filesize
74KB

MD5
0347bc02005e7bab9a54b85a5ae1f5a3

SHA1
57e594cae6509d5fe62cfbdc0ffb703921110298

SHA256
e328304d9a7fd7f953b2bad15697e83157d307a3c3c171163018e3c50f4cca9f

SHA512
a650c87913a00e5a65ae3ead8330490ed940393be722c0ea55c35ef805846d09fa3539289256e31b043b1e26ccbfbbfacec8aa115aaba5e050c6e23031684880

Download Submit
C:\Windows\SysWOW64\Hhaggp32.exe

Filesize
74KB

MD5
89e90066625fa763ab73d6ea73d09c7a

SHA1
53c041c07b065d4c1b6cac0a5212b6e3842f5aeb

SHA256
10212fce14bb379baed0497f213842d1492df8839afdad9b7dbb3220795c5647

SHA512
6b27b00366e613910bb78860615ebe5a6b9926de784931d9b28d43c38b99607e527bd396a5930b6865a978cff28fa7aa746c661fa59273d1d60fdcfb45be4fe7

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
74KB

MD5
13017cfd2df5791ed775c08f5e446c31

SHA1
e55d760919af8e633aa9608c7e01924b068c1a7c

SHA256
3676678a13c68383d49ba30b50346377eddef6f002fd52c73fd782a5be3c8c36

SHA512
71f0c194ac17a8f848dd5e43bccffcf53a774b1d9e04ba9985d2eb80eb8e6928fb2aab5a12cf51e0760c7b75808cc331777440d8de8397f292906ef216410d94

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
74KB

MD5
0018193cc69015381eb02b6df3c50e15

SHA1
097dfc514b6df078b535979369e048a30180ba3d

SHA256
83786206d33d2eb04ac9f304a60f6db12660bbbcb3ca51b5caad742ff911b087

SHA512
0838b02fa7a71a453ac737142e06a688aef695e3edda225a2646852d205658b7871c7ed5c76ec12df1d9a46dd036c9fe7af3d2a563b4fdf4a665f02a62c489e9

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
74KB

MD5
eb114c50f6e52bd1a62b194d8f1e6ad7

SHA1
5ab5fea9ab092c6f754838a3eace32bf1b92cff6

SHA256
0ff2de1261d9551a1ff3849be83ed3bd4c39c7c40cde40779845e83103924798

SHA512
a43db4f0befacdf4ae996b7418ec27c675b31363dfa3ed011a58741e9996c05683ae7d6b738bb52834c54954e04e6991954dce78495cfe660e999e5dd9c05124

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
74KB

MD5
00b5e13f513730d7266304b7c88e0e52

SHA1
e30ad34cf3d3532cdda20ea5eeabeb15c117f5c5

SHA256
4ecf4e471f42c65463d41e60ee074a82bf578cd872876367e104be9a504d4a25

SHA512
788bf0e74a4eb23af61d108a99bf7fb1a9bb6d8f99296f6c6f70706d6f40fb7315672a5939f1e340173a67d9bdbe58069835a7e8998b0168bf67e62fb0f93138

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
74KB

MD5
0305ae00838b22caa58467f4a15a2b92

SHA1
090198033bafe5cc2fe22f94fb1e70ccd70ba0f7

SHA256
584cee50d5658bcd517a6d8f590faeaeeb8b390f4b32608073b9077c55f21afb

SHA512
154db1bbfd15297bd537ede6190d8d7878c34be99249ef44bb77bc64d45d62666b0657095319ba28897c1fd344d8bbe8521d22cc53095df8da62b494df5e0756

Download Submit
C:\Windows\SysWOW64\Koajmepf.exe

Filesize
74KB

MD5
b35a2fea63cf78969aa0ac091fa115df

SHA1
41c1445d85fdcf597f419a6be112ccf418d32561

SHA256
48c5f1b83818a6fdf5b5a5ff27b0bbf3ff3eb928ef15632d2cb8e3314950e5de

SHA512
861c895739d2e6f33a187ee1d152ee842f7b843bece842a0c0b768cc8956e2ad70ca49991700a719708a85b1c8781e290804cf5b95c4f233e6b184b011eb7466

Download Submit
C:\Windows\SysWOW64\Lcclncbh.exe

Filesize
74KB

MD5
31328315769af6d9dbb5f90a1054243c

SHA1
df021fdfadcd0304465d37874da20332a1b3dfbe

SHA256
3c49144c1dd291af7478453495b1bd040694450072e9befb1f48404032c8e608

SHA512
c43fb2fca172db4145951471cf1f6655902c6535cefdd4a9038fabf63f19dd46162fafc56cbfda1ee06ee88a10f08017e48820f32177968d5033c251ea04dc3c

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
74KB

MD5
e0fce8bcc9bd2d9282517feaacaea93c

SHA1
45034b5f71505f7db7c79d83443cd1b6dade1112

SHA256
2076095c911cbffea3a3ba42109e05194e3799c775bc5304ccaf079ca7310ca7

SHA512
2a196f122f8d4883d6b49d23c9f31309e02a4994fc7d789820765aa9d2963e6f46a7cee9ccb36d4699b352b354eedc04fd9ce433f742c53eb63521499cc3d05b

Download Submit
C:\Windows\SysWOW64\Lielhgaa.dll

Filesize
7KB

MD5
c014ec43d1bc15ee389bf98c1800c80d

SHA1
9287afecf815bd0b979ed0058357edfa6dfb2a22

SHA256
cd65a6440d1f5bacaf1beea119823554a156f6031e793df4ceeb047190803079

SHA512
fb03fabe834afe06eb47c05525da59bf032f90a77e7670b641f109f5e23dcffbc9ea72294e4d4af5bb1d9012ac385477afa6a0fee534d45cf0f27953cb4e7a08

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
74KB

MD5
135ad4f873cab92d3e123079ac03c6c5

SHA1
4f270906ebde88defd69dbf656e625ac53b5cb83

SHA256
b4d905f8f1cf7a17c03a23b81cc178aeee9733b0edf4ac0d628699cc58af26ef

SHA512
234c4b1cf331f821aa43ce31b558ae147c5e42d2e6aaf0874b210657ec2a3ae336d016a3b1fdafbaa0fa9216278c25fd7663a8a4535353120a397e08fa68677c

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
74KB

MD5
74efbdde4c6824b9a363aff1af5919d0

SHA1
98c67a345785c8fe82c976d66ecedd66ec543050

SHA256
f210579c599eda5e2f5aec07d378193ea900697f12c57123e992053f1d1cfe3c

SHA512
12d8c55ae09ad6a235fcd8b314279d437b075eec2dca72c2dac32bec3496dbc339bb4f051bf9231cfc3cf4ffd834df1f4802246f7001c0274c5c881f14bf8d76

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
74KB

MD5
fc81d2aba8b15f1c7c771726f1b54841

SHA1
a1a1d5ed5044b9b9c179e4fc3dfc320bd0f387d7

SHA256
0c70ad6038a52103bb5076f2649d5431189c4f57358041112dc4645c611cfceb

SHA512
591e0f950cd7ad6b34fa60a5c9f300cd2860ece8de82c862bb19e370beed48bbbe056b0ecf2f627e534bb887a64c9cae70dfa5cae259ba182d7528438d14f527

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
74KB

MD5
cca165ca41d1feec027c75c9335b8e39

SHA1
477b20247de91eb26f2e529984b000106c059b9e

SHA256
e4ae539e1b3db8fee4faaf10dc3ab370daf5a0cba2bb3a0bc93e7949cc4bc242

SHA512
a1b9fd2a1f671aa194dac44cf87f1c4ad08d4bfc3826c00eb7c15454eabd4a24e78ae2b0f00bc64d2761bf361d0984a211cfbf3638b33dab2ca3f9b25826b6a3

Download Submit
memory/456-140-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/644-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/716-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/760-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/888-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1416-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1616-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1716-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2008-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2052-362-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2232-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2280-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2392-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2404-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2472-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2500-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2632-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2832-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2908-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3056-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3104-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3200-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3452-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3504-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3632-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3696-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4104-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4300-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4356-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4392-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4400-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4432-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4440-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4444-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4488-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4536-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4612-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4624-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4664-350-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4684-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4704-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4732-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4808-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4856-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5008-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5012-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5144-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5184-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5228-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5268-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5308-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5348-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5388-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5428-410-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5468-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5512-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5556-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5596-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5640-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5680-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads