4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe
Size

168KB
MD5

08180a32b890ab5e4a412876992581ba
SHA1

e36cab0543c36382a17e91b6407fe89dc3f6d5dd
SHA256

4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9
SHA512

0810b7a5b43f5a0a939d7f88b1dda2302ee3d65addcd1b110306ba5e24cb9dd69b574bb0b932b34ac3dc6d3779c4f78edde37981ec35fd3fbd2d38eb7ec7489f
SSDEEP

3072:QFJIrW4eVqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXn32HaJt:VW4eg4fQkjxqvak+PH/RARMHGb3fJt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmoijje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digehphc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiokinbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chlflabp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Illfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adikdfna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmkigh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbpjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbcke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiokinbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knenkbio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Digehphc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmkigh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eejeiocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Felbnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Illfdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adikdfna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaobnio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blielbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegpifod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hemdlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifcgion.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe

Executes dropped EXE 64 IoCs

pid	Process
2832	Adikdfna.exe
2200	Blielbfi.exe
4812	Bnmoijje.exe
2788	Bkaobnio.exe
2208	Bheplb32.exe
2628	Cleegp32.exe
524	Chlflabp.exe
4836	Cbdjeg32.exe
4620	Cfbcke32.exe
2012	Dmohno32.exe
3548	Dheibpje.exe
5076	Digehphc.exe
4256	Dijbno32.exe
1516	Eiokinbk.exe
4404	Efblbbqd.exe
456	Eejeiocj.exe
4904	Felbnn32.exe
764	Feoodn32.exe
3212	Ffnknafg.exe
2008	Flmqlg32.exe
2272	Fpkibf32.exe
4316	Glbjggof.exe
1840	Gncchb32.exe
3800	Gpbpbecj.exe
3976	Hmkigh32.exe
2340	Hbhboolf.exe
852	Hlbcnd32.exe
3948	Hifcgion.exe
4308	Hemdlj32.exe
1480	Illfdc32.exe
4928	Jghpbk32.exe
4508	Jleijb32.exe
1216	Jmeede32.exe
964	Jngbjd32.exe
488	Jllokajf.exe
1328	Kegpifod.exe
1796	Kgflcifg.exe
4120	Kncaec32.exe
4272	Knenkbio.exe
1960	Kngkqbgl.exe
4572	Loighj32.exe
3376	Lfbped32.exe
3916	Llmhaold.exe
4936	Lcgpni32.exe
5128	Lnldla32.exe
5172	Lomqcjie.exe
5212	Lggejg32.exe
5256	Lcnfohmi.exe
5304	Mcbpjg32.exe
5356	Mnmmboed.exe
5396	Npgmpf32.exe
5436	Ngqagcag.exe
5500	Ogcnmc32.exe
5552	Oanokhdb.exe
5600	Onapdl32.exe
5652	Ojhpimhp.exe
5696	Pjmjdm32.exe
5752	Pfdjinjo.exe
5792	Paiogf32.exe
5836	Pffgom32.exe
5880	Ppahmb32.exe
5924	Qobhkjdi.exe
5968	Qfmmplad.exe
6012	Amjbbfgo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Llmhaold.exe	Lfbped32.exe
File opened for modification	C:\Windows\SysWOW64\Lomqcjie.exe	Lnldla32.exe
File created	C:\Windows\SysWOW64\Mkfoeejd.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Akcaoeoo.dll	Eiokinbk.exe
File created	C:\Windows\SysWOW64\Hlbcnd32.exe	Hbhboolf.exe
File opened for modification	C:\Windows\SysWOW64\Flmqlg32.exe	Ffnknafg.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Llmhaold.exe	Lfbped32.exe
File created	C:\Windows\SysWOW64\Oonnoglh.dll	Lnldla32.exe
File created	C:\Windows\SysWOW64\Kbjodaqj.dll	Flmqlg32.exe
File created	C:\Windows\SysWOW64\Hifcgion.exe	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Lcnfohmi.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Npgmpf32.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Knenkbio.exe	Kncaec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnldla32.exe	Lcgpni32.exe
File opened for modification	C:\Windows\SysWOW64\Glbjggof.exe	Fpkibf32.exe
File opened for modification	C:\Windows\SysWOW64\Hlbcnd32.exe	Hbhboolf.exe
File opened for modification	C:\Windows\SysWOW64\Kngkqbgl.exe	Knenkbio.exe
File created	C:\Windows\SysWOW64\Hmkqgckn.dll	Lfbped32.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Cgifbhid.exe
File opened for modification	C:\Windows\SysWOW64\Adikdfna.exe	4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe
File created	C:\Windows\SysWOW64\Cmpmfmao.dll	4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe
File created	C:\Windows\SysWOW64\Fpkibf32.exe	Flmqlg32.exe
File created	C:\Windows\SysWOW64\Kffonkgk.dll	Kegpifod.exe
File opened for modification	C:\Windows\SysWOW64\Dmohno32.exe	Cfbcke32.exe
File created	C:\Windows\SysWOW64\Dheibpje.exe	Dmohno32.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	Ogcnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcnfohmi.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Pfdjinjo.exe
File opened for modification	C:\Windows\SysWOW64\Ppahmb32.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bpdnjple.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Dijbno32.exe	Digehphc.exe
File opened for modification	C:\Windows\SysWOW64\Jleijb32.exe	Jghpbk32.exe
File created	C:\Windows\SysWOW64\Mcbpjg32.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	Ogcnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Illfdc32.exe	Hemdlj32.exe
File created	C:\Windows\SysWOW64\Lggejg32.exe	Lomqcjie.exe
File opened for modification	C:\Windows\SysWOW64\Amjbbfgo.exe	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Fimgpahk.dll	Cfbcke32.exe
File opened for modification	C:\Windows\SysWOW64\Dheibpje.exe	Dmohno32.exe
File created	C:\Windows\SysWOW64\Cleegp32.exe	Bheplb32.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Jleijb32.exe	Jghpbk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbpjg32.exe	Lcnfohmi.exe
File opened for modification	C:\Windows\SysWOW64\Npgmpf32.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Npgmpf32.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Bpdnjple.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Blielbfi.exe	Adikdfna.exe
File created	C:\Windows\SysWOW64\Ofpnmakg.dll	Efblbbqd.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Hfjjlc32.dll	Felbnn32.exe
File created	C:\Windows\SysWOW64\Mnpofk32.dll	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Ekbmje32.dll	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Jghpbk32.exe	Illfdc32.exe
File created	C:\Windows\SysWOW64\Kbmimp32.dll	Lomqcjie.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5528	5332	WerFault.exe	183

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll"	Eejeiocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hemdlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll"	Jghpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpecj32.dll"	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkaobnio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lomqcjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blielbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll"	Cfbcke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll"	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll"	Bkaobnio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll"	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkchlonc.dll"	Chlflabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfmcmai.dll"	Cbdjeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllokajf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkaobnio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll"	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhkmbmp.dll"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glbjggof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmkigh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adikdfna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bheplb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll"	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmimp32.dll"	Lomqcjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdjeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dheibpje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2832	3904	4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe	96
PID 3904 wrote to memory of 2832	3904	4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe	96
PID 3904 wrote to memory of 2832	3904	4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe	96
PID 2832 wrote to memory of 2200	2832	Adikdfna.exe	97
PID 2832 wrote to memory of 2200	2832	Adikdfna.exe	97
PID 2832 wrote to memory of 2200	2832	Adikdfna.exe	97
PID 2200 wrote to memory of 4812	2200	Blielbfi.exe	98
PID 2200 wrote to memory of 4812	2200	Blielbfi.exe	98
PID 2200 wrote to memory of 4812	2200	Blielbfi.exe	98
PID 4812 wrote to memory of 2788	4812	Bnmoijje.exe	100
PID 4812 wrote to memory of 2788	4812	Bnmoijje.exe	100
PID 4812 wrote to memory of 2788	4812	Bnmoijje.exe	100
PID 2788 wrote to memory of 2208	2788	Bkaobnio.exe	101
PID 2788 wrote to memory of 2208	2788	Bkaobnio.exe	101
PID 2788 wrote to memory of 2208	2788	Bkaobnio.exe	101
PID 2208 wrote to memory of 2628	2208	Bheplb32.exe	102
PID 2208 wrote to memory of 2628	2208	Bheplb32.exe	102
PID 2208 wrote to memory of 2628	2208	Bheplb32.exe	102
PID 2628 wrote to memory of 524	2628	Cleegp32.exe	103
PID 2628 wrote to memory of 524	2628	Cleegp32.exe	103
PID 2628 wrote to memory of 524	2628	Cleegp32.exe	103
PID 524 wrote to memory of 4836	524	Chlflabp.exe	104
PID 524 wrote to memory of 4836	524	Chlflabp.exe	104
PID 524 wrote to memory of 4836	524	Chlflabp.exe	104
PID 4836 wrote to memory of 4620	4836	Cbdjeg32.exe	105
PID 4836 wrote to memory of 4620	4836	Cbdjeg32.exe	105
PID 4836 wrote to memory of 4620	4836	Cbdjeg32.exe	105
PID 4620 wrote to memory of 2012	4620	Cfbcke32.exe	106
PID 4620 wrote to memory of 2012	4620	Cfbcke32.exe	106
PID 4620 wrote to memory of 2012	4620	Cfbcke32.exe	106
PID 2012 wrote to memory of 3548	2012	Dmohno32.exe	107
PID 2012 wrote to memory of 3548	2012	Dmohno32.exe	107
PID 2012 wrote to memory of 3548	2012	Dmohno32.exe	107
PID 3548 wrote to memory of 5076	3548	Dheibpje.exe	108
PID 3548 wrote to memory of 5076	3548	Dheibpje.exe	108
PID 3548 wrote to memory of 5076	3548	Dheibpje.exe	108
PID 5076 wrote to memory of 4256	5076	Digehphc.exe	109
PID 5076 wrote to memory of 4256	5076	Digehphc.exe	109
PID 5076 wrote to memory of 4256	5076	Digehphc.exe	109
PID 4256 wrote to memory of 1516	4256	Dijbno32.exe	110
PID 4256 wrote to memory of 1516	4256	Dijbno32.exe	110
PID 4256 wrote to memory of 1516	4256	Dijbno32.exe	110
PID 1516 wrote to memory of 4404	1516	Eiokinbk.exe	111
PID 1516 wrote to memory of 4404	1516	Eiokinbk.exe	111
PID 1516 wrote to memory of 4404	1516	Eiokinbk.exe	111
PID 4404 wrote to memory of 456	4404	Efblbbqd.exe	112
PID 4404 wrote to memory of 456	4404	Efblbbqd.exe	112
PID 4404 wrote to memory of 456	4404	Efblbbqd.exe	112
PID 456 wrote to memory of 4904	456	Eejeiocj.exe	113
PID 456 wrote to memory of 4904	456	Eejeiocj.exe	113
PID 456 wrote to memory of 4904	456	Eejeiocj.exe	113
PID 4904 wrote to memory of 764	4904	Felbnn32.exe	114
PID 4904 wrote to memory of 764	4904	Felbnn32.exe	114
PID 4904 wrote to memory of 764	4904	Felbnn32.exe	114
PID 764 wrote to memory of 3212	764	Feoodn32.exe	115
PID 764 wrote to memory of 3212	764	Feoodn32.exe	115
PID 764 wrote to memory of 3212	764	Feoodn32.exe	115
PID 3212 wrote to memory of 2008	3212	Ffnknafg.exe	116
PID 3212 wrote to memory of 2008	3212	Ffnknafg.exe	116
PID 3212 wrote to memory of 2008	3212	Ffnknafg.exe	116
PID 2008 wrote to memory of 2272	2008	Flmqlg32.exe	117
PID 2008 wrote to memory of 2272	2008	Flmqlg32.exe	117
PID 2008 wrote to memory of 2272	2008	Flmqlg32.exe	117
PID 2272 wrote to memory of 4316	2272	Fpkibf32.exe	118

C:\Users\Admin\AppData\Local\Temp\4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe
"C:\Users\Admin\AppData\Local\Temp\4a3f289c6adb0168729ab33539b132e6d429c9bae79f9eea0aadfad6dde71ac9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\Adikdfna.exe
  C:\Windows\system32\Adikdfna.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Blielbfi.exe
    C:\Windows\system32\Blielbfi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\Bnmoijje.exe
      C:\Windows\system32\Bnmoijje.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        33⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:488
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5304
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        55⤵
        Executes dropped EXE
        
        PID:5552
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        60⤵
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        66⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        75⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        76⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        82⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        85⤵
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        86⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 400
        87⤵
        Program crash
        
        PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5332 -ip 5332
1⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adikdfna.exe

Filesize
168KB

MD5
fb00c113806612ffb95ffcdfde107605

SHA1
c21c6e6443c4b1356eabff2cb8c066552860e7d0

SHA256
4709bbf1d3c7ed73c23b3285b469c709079a644d0baef250c78b4b8afd2bc1fa

SHA512
37ee3dc07c7643df602da1b6c9e13ac080ccc100df2527c3d20ec945c72b197e8423e2cb67cd6dc8a709f0a33b5a7f961d13d67c3e193289140fff4180967f80

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
168KB

MD5
5766d0fc7f6ed544f2d2632b51b4a33f

SHA1
a71acf97fe2acabffd22fe07817c2bff95ddefe2

SHA256
d670b3206e98f00b88a6368cf01a62061b6f69a09b2f5e79ff8c96b0eb6d07ba

SHA512
255a5f909fdd34737e3ccc6fa4806a9c9f1a83c2f6e5e8d7e6a2c272c8be33e8e9deafc7f491ce20f41530867c7cbf88ae5e2ec3b71610ba324d9c4d9a0442fc

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
168KB

MD5
bfbfcb7ee240906c7fb7c3f18173c174

SHA1
d9d6b1da8d8c682bf4dc7e6a20b2da1d1e28292e

SHA256
e0f2f9d2806c155b132c9bd87bc9c0234da11dd16c1551fb316199792408477c

SHA512
a57c282bb6242bf5eb1ff0044a14b0b68f7519342a0d4aaf2da17bef496ed86c6c7422cf2f0ab957a5211e338a6012bdf4c7e9ef0e9ab6bb7fe3f38c64eb510b

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
168KB

MD5
55505e7e494c9ab1aaa2413ea4b2936f

SHA1
f64d661c128a60070821027d0c8fd18038a9244d

SHA256
8b61bffc88e1e48ec037568af3ba4c3f4c032438f6e7e5886d5bbd73b21c17af

SHA512
6adb3db9859e6dacc8575d3c0eb16ec7023d2b1c957389f9e128132a3786874598f46fbc3fda6950a429b0fce947a9140be39324ae8bb9f5e567371b5632b8d7

Download Submit
C:\Windows\SysWOW64\Blielbfi.exe

Filesize
168KB

MD5
af0ee3c318f03f523ec69b6a958d89ef

SHA1
ebaed39a1524e0d88b2bfe45150e48deb330780f

SHA256
8d0701b66a6b71b4e6db8d4a866cbd2f3c43245c382084a953f14887e7bee9bd

SHA512
dd63d452a8cf45e7b05d0073670b54d20cb8dd3bbd09d607c9e88fccd99ec50bc1c23ffbe11ee8acd95eb9a64bfb950eec5f69006799caa4cf1912c15b0d13fa

Download Submit
C:\Windows\SysWOW64\Bnmoijje.exe

Filesize
168KB

MD5
922ae76ae4c5a8c41db3db7c0718660c

SHA1
80215485285dfa1526370bf10431a8d8ef585a30

SHA256
4bb81f4ba17d93521b5232786b6d548ab8913fac5ea75a0543ef6dfe73ec14e2

SHA512
9a6bbba8808e4e430e59597bba559af44ed38e4165ce90c7ab3970834e066f492291be7c1f2fb09279ea60e9536ff959b7e368ed748f08284f879df17de49fd0

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
168KB

MD5
62ff76504b8aa367fb2ee092e4eeb56b

SHA1
85fbecc5faced46054de381b4112accf9aeb9a4a

SHA256
2d24e8742261fe161e9a97ac70192ff13ade4489b6b1dcb46b7d44940c06ade4

SHA512
021f57674d7380cbb159e563a55d6607d2ce8b56c774833e68c7abee56b228ceb722615ab9b751910d708adc43d34a408e632c3cee76361f0efcb520f86f7350

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
168KB

MD5
d0fbbe12651a3a626f1c123010133edd

SHA1
6359efed42cf7b22d6e16934a5a7b0b0d37ded72

SHA256
ce94b033f31a2e16c785a12fe8d5c7b15bff13ee2dda2f26c061cd7a63932d07

SHA512
1b9d2569dc6031770e0a6c5dcc7cfc4fe5e057b32d741df42840d8252311f1778e8e3f8220393ba119ce6ba89d399e4e3b0a3dd6e138fcb8b19ec42f2376099c

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
168KB

MD5
14986e84cdc03a7d66784bef39acccfe

SHA1
4e8f5ae09fbf4e12e89f906c6724f10a1cd23a06

SHA256
7ee9173687c1f8375cd4b95929a072c51dad78109d1022aa12bd34040bdd6a34

SHA512
4fead6b16bb38472aac61cbe43d88c4a7b1cc4f73f9f0f02f752fbb0ac0af0731e75ce1980c6877866ca48856a66b2040a067b61c41400f480a35b3c8fcb59c6

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
168KB

MD5
20cd4fad4ee85cd66de2d108689f647c

SHA1
e0a13484cd626f6034a4a1dde3aab85d69849994

SHA256
8a3bd1eed573989e427550aa50aca50360a74b61f31dc892dd292d156a203889

SHA512
420ff68b5ae46fec65d653d6a556b633da412e5fc8ca705737b2b130d37aebf2d972dd996078077908f9fb23cbc113d01bb9f80005a4a53b4c9a44afbf856e46

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
168KB

MD5
d8249380d37c186ae7d63f8e4b557f37

SHA1
629f029a697961e6326050526317e95862181cd9

SHA256
0a793bddf4702c18c6eadd77d305ad537ca1f108e97629a85faedd7fa9f4e8cf

SHA512
476deca4bf8e7730795e1b487b0597b06d5c41c65254d4709b4fa0cdcd75e2259b7544e3b480b782b5f90d5552e7334594d42bf067ac296d51e2b0e9fa938969

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
168KB

MD5
34fc1dba86de57784c29f29b21e32c8b

SHA1
20e6720d59e02286b46b3db8e2dfed89ae62f5b6

SHA256
3a3b16ff068644be17cbb66bfcf5e1b897834ff76bb4a812e03c2230b804624d

SHA512
ed9e000174fc731331c2d38b7a30f2233868dca905193c85d6569244b55605e27b403af5635a49706905159250d786799d01c3fe2aa27092b18cca7432bf36b9

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
168KB

MD5
24b6d215702629dd3d5f3692a143bbae

SHA1
4e54d4c25e5939b308cb89440d5edde0da50ab9e

SHA256
afa8d3dab2e34a1696fe339393e08eb092c4919a0a8858cb2ecea1bd96b59e84

SHA512
2a64fb646f77a7855ddcfc58ac200a7a058b729e2146e57398ab9619796e99f1ee7468e289a99645555fd8fa02a5fe3c6b53c71577d961ec36f9e98bccad2a66

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
168KB

MD5
f7f1e4aeb147e2a21fa491208d01fd15

SHA1
ad377ea11d4fa6c17ecbb1479beafdfdb802a79c

SHA256
dc4ec91f7c3f95944bb703546ca36588c97aeaf6136101be55038aa113463fa1

SHA512
c7b3f920bebc29ec37f0d4e28ef1123570db5c3eea93eb0c30229ac7cf03aa582345162a1c7c9324df2a0ec221edff83f24a9c7957392da3610bf522fe105c70

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
168KB

MD5
4e14b63099c577682b9ca80419bec1ca

SHA1
a7770ea51e1eb5bb22ee1a22eeccf2d802a38abf

SHA256
0dba61f69d61a16d924f9f14ca42ca99cde85e902cca14ae75a0d6709fa49cc0

SHA512
8e5d12950444f25b6762e7bbd3cfdfab8d461915873c37314374bf62cbd966cf030b1130a560904ac07dc288285973024d3b2a4f2eb2313474c7669b6999a7f9

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
168KB

MD5
c2ac3a2bca630a867b4ac65f438a510f

SHA1
268bd567513a406f8b77d9fc388cd5b8d3581e11

SHA256
772e7b6abea313e91660b2d76f529d00af262618070df5ee48d385e947beb523

SHA512
d7a85a16e72c522adf7cf182b49ac9b2968f2db8bcab0e1a49ee1cc2ad627b020f4b1b742ac0202a3601ab9bc7c3867c5ccf5697b33ff09f2b006b74d24cf214

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
168KB

MD5
9de0122588b05f7fd5e8ea2f1dcce94f

SHA1
7a3c7ce6e8ec4372b257da1a90a6fc6c6bbbc949

SHA256
ba29f00b344d6d59ac57bdd9ff804ac398b44b49c95e1547f429ec248038aa7b

SHA512
59a33e9b1ed2c58e3cfdf4ba27c405679383082f72f3611d224016b9911f0de31778737186302428c6b3062ce544bf8da735831196fcf69ca75c76d030817356

Download Submit
C:\Windows\SysWOW64\Eiokinbk.exe

Filesize
168KB

MD5
94bff198712695bd1bc4d3398ddc4a27

SHA1
6efbea2ad22c4f1a42460bd2d59b9b13f317fa05

SHA256
4b6f561ecb8096b02978d33b4258a7a881b6636d9afc7ccf719564f07556e8a6

SHA512
feae0b1ca2dedcab3b1ad9947248328b69e734ae2f666defeb19777fdaa2c25c47d0d0044ec49d6febbbb6c4ba9a616b3a7aa292923afacb6176ec461c122a4d

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
168KB

MD5
57c02a7ff79061e5740c9de49c095f53

SHA1
5eb9556513b54bd864cdc127c7f6d08f52797757

SHA256
d47c9ebf63c9a2f02e45bc45a672eb056ca967951869b2a604ed6869e75d2641

SHA512
5b93beb535c59433cac768b28cc1cd809e88eabe1b1139971c71eec3786c28368ec88155f6b565dd9d0d405e147d917b3374f02f6dae0881a649de8e13b0227d

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
168KB

MD5
1a1b9c20db017f0e775e18763fef08d9

SHA1
9dfc54a339189b6292a334443c50a85102cc8447

SHA256
cb540179b434b26a50f108c32f67045d0ca3069edcac9aae89404e5c9f7f9857

SHA512
1952454d7b711a97a5253a9181c765e9872602fe45047d41e4f69d570bbd0dda011827421883e691cbc23258fa47265cd9df2285a2e495e56050797881f71d61

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
128KB

MD5
9f20baac49aef67b68c6718142169a99

SHA1
cdab16396b3f82d8a895dc3b3c4dc73d10078d40

SHA256
0a895b54cb6e60822418745a7ef9aa70be79b5eec2f78a5ae9c56b719f74a383

SHA512
685372aba19f85d7694e794fd337de62b34c01d839531478eb159fe51b4c0fac985df7d4d190d078b766c0214e43dcc9bcbfc9dc0d73a692be81d0d142ae3b3e

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
168KB

MD5
6feea9cee0d6ff75987cbc64454bbd3a

SHA1
79c23e1014a08f5fadbbc06ec5b9c605fac12fb1

SHA256
668f334e6604f9866dc3de47b2910afaa6bb26191f242f349189cfaa6fccf925

SHA512
188e9b623ee02103733cdf7996b53ab25a21d15ded20b324ca438cce692548ed8e550c1a4a24cc4d737331e2f690e330af493070e44151a7efb3d30b93fbb5cf

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
168KB

MD5
6ebce19b694930675905ec48cd9e827c

SHA1
8ddb9056919cf6bc12d0d351b8af6a0856bb988d

SHA256
0886810cec5d42f97405c24d10512f52a13fff9517f678190570d577888526ce

SHA512
01b45faf7d86eefedfdda495fbb0c51ce94d9103dece3df7322792f54e6a9be7af06f4026f0571b44b9588dc03c322c1c873df40cb1eb98505e8ba653b7b7821

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
168KB

MD5
d2f83d3002bd3ff9e60e04fa1af40014

SHA1
6c80470113f325a38d19732f5cfebf59b05fb348

SHA256
f8f32c0a4e0a7a75548345047ba41339f8c5ba3f698a432fb53c5b8afe80638f

SHA512
0f2ae6ed581fe83cfd1ec6b24ef74d5e85a84af6814119b610ffe5162a1c822d6ce7fffaf2781e3102541b0c31abc4fd74fc0adda4421b4270bc2bc2aaa48fb7

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
168KB

MD5
23860561b1512696658e06fbb381ef2f

SHA1
b07d18fc68263da5c9d477d0d5c8bf49d17bc863

SHA256
42c0b0acd6c424ace7178141a821e0385518718dd4faf4cd57ea32e557344800

SHA512
f7a18bf757a08754b90b7b857d7b8516b97c5e4bfea651485bc10f90e14c96a24f7dc77b2f0935f3c0f95346751f350b5857bf5bd4e058998372123c51dd6150

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
168KB

MD5
48a61a24f3da452c486462685908f949

SHA1
bbb7d5ddf25a50c0a7e47d5c6337ff84e21dc613

SHA256
a80c3da71938edc4477f2ba51e828312829c5b7925d8007318ce2b0527fcc07c

SHA512
b986072f6a7e7c7951df6a9b8c7da9159f8f143062fcc111af0439fc87ff76452a473d5e110d5b309784284f39f2d469eb113316b586350399b8dcaae71ecd8a

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
168KB

MD5
ec66cf6cda27abcbfad7595908d8e7b7

SHA1
7e1cca5cd04e76ce8243ee1a0b7bcddb91e610ee

SHA256
52563138979a9515b49662dc4ddf6ee8b550bc6fbc1ee1665ea354530df6f27b

SHA512
8552048855413026e1d19528e59294acd5a34868fb08765afbb390957921cfd30fdd5f9f003727997d7150e6dab50dda721c5ac7bb4d535b7d1e2cf869dcb99d

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
168KB

MD5
0f4efb23885fb33fb831e7e2fb8d248e

SHA1
2ea65d6820620a6f045b23dcf5a441d470fe4633

SHA256
e2e0c2b52a7ccd7f4273427af6a75a33115a254660fe3111eb2b1cadca57d327

SHA512
9265fc8eca06dbc1ccf1fa312f50d0a66505c41d7081e95535cf73e977ea5b48ab6f679d76956ce3cc52afb655162bb4885e355649223bc75ad67501aa951b59

Download Submit
C:\Windows\SysWOW64\Hemdlj32.exe

Filesize
168KB

MD5
31c0bfd6d2f97f5868dc5225eafb5635

SHA1
28750e17d1cfcc1bb1087cb999ffc21da02f7f55

SHA256
5699d6555070c45357e2434baa8cd67f163ecca0da76db8e02bb0d9e84a856d6

SHA512
0b3e9354eb7840b63256ecb080d20d61eaccfa311d62eeb3f607afad6230b51cea41cf8c86da9978cc3765ccd4bd5317ae7542b0918d2cf9d074ecba56971e69

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
168KB

MD5
ebbda296e28e0be7a5759f81667df1d1

SHA1
8d6c95d6f86c8e54e865e69636e1e19765ce0899

SHA256
2e87ec6c4b4ba98fe250a7c0159c709219917501f20c0d647f3d3923e57bb150

SHA512
c6a968f92ec2bf99e0de317c8924dcbbf8b8a84e06fc6bf680d0c0d1f6d0fe1ee5ea3e207460a49f1c873c4898dbb00d1506b9e2e0ee6a8662c43049a2f6ae74

Download Submit
C:\Windows\SysWOW64\Hlbcnd32.exe

Filesize
168KB

MD5
5e6637b05f09fee052d5f356b0260a58

SHA1
b84d98abb070cbd1a220d43124dfd8cf782cd2ba

SHA256
ea953aa6c2ef0afbaf23c3ef41ddefce55a9e09a849d4536d16ad8e5262c50f7

SHA512
0c43a794f0bd440224bca83d8dac926a34cab5c922264350cd0167096fa8b044e6b49bc800e6f6082e9232389f079f782d570be67f471e741aad34b6b29058f7

Download Submit
C:\Windows\SysWOW64\Hmkigh32.exe

Filesize
168KB

MD5
d2a6056caed37a3b5852b1875f5ed279

SHA1
d7a36eb76e2efcea995d18aee72df3206b958d6c

SHA256
4cc03d537f394f86ddfd7dd056905ad2b06e35dcd1a6e3b08074978660d5c8c3

SHA512
005a6461709fbdb1ddf2c505018ecadda337bfd490005e89f3b66331b7dd1240be2ebcd17ef01866dbf897b84ea2511d06531d82451e38af38ddcf5c05aef35d

Download Submit
C:\Windows\SysWOW64\Illfdc32.exe

Filesize
168KB

MD5
b84b038b58de0d1e4ec41c0ba350512e

SHA1
875fcbb2b0ff6ee32bbe40eb0d1d7e3a9d66b788

SHA256
c18f5684142269665a3b47f57f011b91bf071f57eb80647f086f26beaf2c0571

SHA512
b796268cc8477c9b1147960373e2b29590b572081b80f446141811c247bf230bde4fd8631f2be879ae4f2bb68b57808dfd91307dfd1bca642dad157331b45da4

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe

Filesize
168KB

MD5
97bdd354ba2ba9a940fd276b40fd744c

SHA1
02bebc75a13e808ac8456bfa34ebc70bf575d0de

SHA256
6ab3587164c12d794f1a8903a76d0308c02ea6987e6e467f62053914f1e359d7

SHA512
a195d63b3c40b4bc7bba91f521092857d20ae6f7862f289d499010d244013c9881a92d69d445a6663104f0de84285291001487886ccd2962ab275fb63c9d4043

Download Submit
C:\Windows\SysWOW64\Jleijb32.exe

Filesize
168KB

MD5
c45f2b4fb2f45064c4f0aa08c0b53567

SHA1
0a7df2b3db931a24e1b5f52f38a7f5e56d2fb40c

SHA256
85c2d85cac00736ea3c65e8c2a4341c568a14cb60dcc25350777318fb7e877e5

SHA512
cb452a83d94bd2896ea2d21c61a2440f4909238282b7a7cc7c9725080d875ad999e545f2860f5d2ef9fc416dcb666ba8ef349dadda8700db63f4a82ea37eb4c1

Download Submit
memory/456-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/488-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/524-62-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/764-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/764-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/852-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/964-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1216-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1328-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1480-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1516-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1516-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1796-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1840-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1840-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2008-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2012-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2012-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2272-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2340-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2340-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2832-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2832-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3212-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3212-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3548-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3548-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3904-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3904-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3904-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3976-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3976-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4120-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4308-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-131-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4508-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4620-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4620-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4928-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads