9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
Size

128KB
MD5

bf162d4b59bb700c2d19cd7b66ef13de
SHA1

25ff5d222940ceee4d9d7d018d24b3a66386542a
SHA256

9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37
SHA512

4b9b13cfd7e32551242c6655eed207006b92b1ead87efecf53bdd614c23b081c53854e98e74fb0caf922f8c2706dfb9fef415c8cce7047694df167ac83b04312
SSDEEP

3072:vzGy2jJd4T8myVqP4HRMQH2qC7ZQOlzSLUK6MwGsGnDc9nhViX:b6jP4Tfy44HRMQWfdQOhwJ6MwGsy

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gepehphc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhckpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfagfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmbdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdildlie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmbdnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmebnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfjha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlljjjnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gepehphc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhckpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmdadnkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haiccald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjakmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjdhbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkfagfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmdadnkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlljjjnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoopae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmebnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjakmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe

Executes dropped EXE 42 IoCs

pid	Process
3020	Gjakmc32.exe
2596	Gjdhbc32.exe
2648	Gmbdnn32.exe
2548	Gmdadnkh.exe
1712	Gepehphc.exe
2804	Hlljjjnm.exe
1208	Haiccald.exe
2696	Hhckpk32.exe
1980	Hdildlie.exe
2044	Hoopae32.exe
2312	Hdlhjl32.exe
2436	Hkfagfop.exe
576	Hmfjha32.exe
1732	Jdgdempa.exe
2920	Kgcpjmcb.exe
908	Kaldcb32.exe
436	Kbkameaf.exe
2248	Lclnemgd.exe
328	Lmebnb32.exe
2000	Lgjfkk32.exe
1276	Lmgocb32.exe
984	Lfpclh32.exe
2192	Laegiq32.exe
584	Lfbpag32.exe
1688	Lpjdjmfp.exe
1168	Lbiqfied.exe
2720	Mpmapm32.exe
1616	Mffimglk.exe
2640	Mhhfdo32.exe
2480	Moanaiie.exe
2708	Migbnb32.exe
2408	Mencccop.exe
2488	Mhloponc.exe
3004	Mgalqkbk.exe
2684	Magqncba.exe
2092	Ngdifkpi.exe
1632	Ngfflj32.exe
2052	Niebhf32.exe
644	Nigome32.exe
1728	Nodgel32.exe
1664	Niikceid.exe
372	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2460	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
2460	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
3020	Gjakmc32.exe
3020	Gjakmc32.exe
2596	Gjdhbc32.exe
2596	Gjdhbc32.exe
2648	Gmbdnn32.exe
2648	Gmbdnn32.exe
2548	Gmdadnkh.exe
2548	Gmdadnkh.exe
1712	Gepehphc.exe
1712	Gepehphc.exe
2804	Hlljjjnm.exe
2804	Hlljjjnm.exe
1208	Haiccald.exe
1208	Haiccald.exe
2696	Hhckpk32.exe
2696	Hhckpk32.exe
1980	Hdildlie.exe
1980	Hdildlie.exe
2044	Hoopae32.exe
2044	Hoopae32.exe
2312	Hdlhjl32.exe
2312	Hdlhjl32.exe
2436	Hkfagfop.exe
2436	Hkfagfop.exe
576	Hmfjha32.exe
576	Hmfjha32.exe
1732	Jdgdempa.exe
1732	Jdgdempa.exe
2920	Kgcpjmcb.exe
2920	Kgcpjmcb.exe
908	Kaldcb32.exe
908	Kaldcb32.exe
436	Kbkameaf.exe
436	Kbkameaf.exe
2248	Lclnemgd.exe
2248	Lclnemgd.exe
328	Lmebnb32.exe
328	Lmebnb32.exe
2000	Lgjfkk32.exe
2000	Lgjfkk32.exe
1276	Lmgocb32.exe
1276	Lmgocb32.exe
984	Lfpclh32.exe
984	Lfpclh32.exe
2192	Laegiq32.exe
2192	Laegiq32.exe
584	Lfbpag32.exe
584	Lfbpag32.exe
1688	Lpjdjmfp.exe
1688	Lpjdjmfp.exe
1168	Lbiqfied.exe
1168	Lbiqfied.exe
2720	Mpmapm32.exe
2720	Mpmapm32.exe
1616	Mffimglk.exe
1616	Mffimglk.exe
2640	Mhhfdo32.exe
2640	Mhhfdo32.exe
2480	Moanaiie.exe
2480	Moanaiie.exe
2708	Migbnb32.exe
2708	Migbnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gjakmc32.exe	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
File created	C:\Windows\SysWOW64\Hdlhjl32.exe	Hoopae32.exe
File opened for modification	C:\Windows\SysWOW64\Hkfagfop.exe	Hdlhjl32.exe
File created	C:\Windows\SysWOW64\Lmgocb32.exe	Lgjfkk32.exe
File created	C:\Windows\SysWOW64\Lfpclh32.exe	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Gepehphc.exe	Gmdadnkh.exe
File created	C:\Windows\SysWOW64\Kgcpjmcb.exe	Jdgdempa.exe
File opened for modification	C:\Windows\SysWOW64\Hoopae32.exe	Hdildlie.exe
File opened for modification	C:\Windows\SysWOW64\Hdlhjl32.exe	Hoopae32.exe
File created	C:\Windows\SysWOW64\Eokjlf32.dll	Hkfagfop.exe
File created	C:\Windows\SysWOW64\Gjdhbc32.exe	Gjakmc32.exe
File created	C:\Windows\SysWOW64\Hoikeh32.dll	Gmdadnkh.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Hlljjjnm.exe	Gepehphc.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Mhloponc.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Godgob32.dll	Gepehphc.exe
File created	C:\Windows\SysWOW64\Hkfagfop.exe	Hdlhjl32.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Magqncba.exe
File created	C:\Windows\SysWOW64\Hdildlie.exe	Hhckpk32.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Dhffckeo.dll	Mhloponc.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Lfpclh32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Jhnlkifo.dll	Gjakmc32.exe
File created	C:\Windows\SysWOW64\Hloopaak.dll	Jdgdempa.exe
File created	C:\Windows\SysWOW64\Mhhfdo32.exe	Mffimglk.exe
File created	C:\Windows\SysWOW64\Higeofeq.dll	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
File created	C:\Windows\SysWOW64\Jdgdempa.exe	Hmfjha32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcpjmcb.exe	Jdgdempa.exe
File created	C:\Windows\SysWOW64\Lbiqfied.exe	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Lbiqfied.exe	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Gepehphc.exe	Gmdadnkh.exe
File opened for modification	C:\Windows\SysWOW64\Jdgdempa.exe	Hmfjha32.exe
File created	C:\Windows\SysWOW64\Lclnemgd.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Lmebnb32.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Mffimglk.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Mffimglk.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	Mencccop.exe
File created	C:\Windows\SysWOW64\Qpehocqo.dll	Hhckpk32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfjha32.exe	Hkfagfop.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Kgcpjmcb.exe
File opened for modification	C:\Windows\SysWOW64\Lclnemgd.exe	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Hhckpk32.exe	Haiccald.exe
File created	C:\Windows\SysWOW64\Jpfppg32.dll	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nigome32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godgob32.dll"	Gepehphc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjdhbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmdadnkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haiccald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhckpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll"	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdildlie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hloopaak.dll"	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfppg32.dll"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkfagfop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjdhbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdildlie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfjha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnelabi.dll"	Haiccald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjlf32.dll"	Hkfagfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnlkifo.dll"	Gjakmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gepehphc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlljjjnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdlhjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjakmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gamgjj32.dll"	Hoopae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfjha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagnqken.dll"	Hdlhjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nodgel32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 3020	2460	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe	28
PID 2460 wrote to memory of 3020	2460	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe	28
PID 2460 wrote to memory of 3020	2460	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe	28
PID 2460 wrote to memory of 3020	2460	9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe	28
PID 3020 wrote to memory of 2596	3020	Gjakmc32.exe	29
PID 3020 wrote to memory of 2596	3020	Gjakmc32.exe	29
PID 3020 wrote to memory of 2596	3020	Gjakmc32.exe	29
PID 3020 wrote to memory of 2596	3020	Gjakmc32.exe	29
PID 2596 wrote to memory of 2648	2596	Gjdhbc32.exe	30
PID 2596 wrote to memory of 2648	2596	Gjdhbc32.exe	30
PID 2596 wrote to memory of 2648	2596	Gjdhbc32.exe	30
PID 2596 wrote to memory of 2648	2596	Gjdhbc32.exe	30
PID 2648 wrote to memory of 2548	2648	Gmbdnn32.exe	31
PID 2648 wrote to memory of 2548	2648	Gmbdnn32.exe	31
PID 2648 wrote to memory of 2548	2648	Gmbdnn32.exe	31
PID 2648 wrote to memory of 2548	2648	Gmbdnn32.exe	31
PID 2548 wrote to memory of 1712	2548	Gmdadnkh.exe	32
PID 2548 wrote to memory of 1712	2548	Gmdadnkh.exe	32
PID 2548 wrote to memory of 1712	2548	Gmdadnkh.exe	32
PID 2548 wrote to memory of 1712	2548	Gmdadnkh.exe	32
PID 1712 wrote to memory of 2804	1712	Gepehphc.exe	33
PID 1712 wrote to memory of 2804	1712	Gepehphc.exe	33
PID 1712 wrote to memory of 2804	1712	Gepehphc.exe	33
PID 1712 wrote to memory of 2804	1712	Gepehphc.exe	33
PID 2804 wrote to memory of 1208	2804	Hlljjjnm.exe	34
PID 2804 wrote to memory of 1208	2804	Hlljjjnm.exe	34
PID 2804 wrote to memory of 1208	2804	Hlljjjnm.exe	34
PID 2804 wrote to memory of 1208	2804	Hlljjjnm.exe	34
PID 1208 wrote to memory of 2696	1208	Haiccald.exe	35
PID 1208 wrote to memory of 2696	1208	Haiccald.exe	35
PID 1208 wrote to memory of 2696	1208	Haiccald.exe	35
PID 1208 wrote to memory of 2696	1208	Haiccald.exe	35
PID 2696 wrote to memory of 1980	2696	Hhckpk32.exe	36
PID 2696 wrote to memory of 1980	2696	Hhckpk32.exe	36
PID 2696 wrote to memory of 1980	2696	Hhckpk32.exe	36
PID 2696 wrote to memory of 1980	2696	Hhckpk32.exe	36
PID 1980 wrote to memory of 2044	1980	Hdildlie.exe	37
PID 1980 wrote to memory of 2044	1980	Hdildlie.exe	37
PID 1980 wrote to memory of 2044	1980	Hdildlie.exe	37
PID 1980 wrote to memory of 2044	1980	Hdildlie.exe	37
PID 2044 wrote to memory of 2312	2044	Hoopae32.exe	38
PID 2044 wrote to memory of 2312	2044	Hoopae32.exe	38
PID 2044 wrote to memory of 2312	2044	Hoopae32.exe	38
PID 2044 wrote to memory of 2312	2044	Hoopae32.exe	38
PID 2312 wrote to memory of 2436	2312	Hdlhjl32.exe	39
PID 2312 wrote to memory of 2436	2312	Hdlhjl32.exe	39
PID 2312 wrote to memory of 2436	2312	Hdlhjl32.exe	39
PID 2312 wrote to memory of 2436	2312	Hdlhjl32.exe	39
PID 2436 wrote to memory of 576	2436	Hkfagfop.exe	40
PID 2436 wrote to memory of 576	2436	Hkfagfop.exe	40
PID 2436 wrote to memory of 576	2436	Hkfagfop.exe	40
PID 2436 wrote to memory of 576	2436	Hkfagfop.exe	40
PID 576 wrote to memory of 1732	576	Hmfjha32.exe	41
PID 576 wrote to memory of 1732	576	Hmfjha32.exe	41
PID 576 wrote to memory of 1732	576	Hmfjha32.exe	41
PID 576 wrote to memory of 1732	576	Hmfjha32.exe	41
PID 1732 wrote to memory of 2920	1732	Jdgdempa.exe	42
PID 1732 wrote to memory of 2920	1732	Jdgdempa.exe	42
PID 1732 wrote to memory of 2920	1732	Jdgdempa.exe	42
PID 1732 wrote to memory of 2920	1732	Jdgdempa.exe	42
PID 2920 wrote to memory of 908	2920	Kgcpjmcb.exe	43
PID 2920 wrote to memory of 908	2920	Kgcpjmcb.exe	43
PID 2920 wrote to memory of 908	2920	Kgcpjmcb.exe	43
PID 2920 wrote to memory of 908	2920	Kgcpjmcb.exe	43

C:\Users\Admin\AppData\Local\Temp\9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
"C:\Users\Admin\AppData\Local\Temp\9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\Gjakmc32.exe
  C:\Windows\system32\Gjakmc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Gjdhbc32.exe
    C:\Windows\system32\Gjdhbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Gmbdnn32.exe
      C:\Windows\system32\Gmbdnn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Gmdadnkh.exe
        
        C:\Windows\system32\Gmdadnkh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Gepehphc.exe
        
        C:\Windows\system32\Gepehphc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Hlljjjnm.exe
        
        C:\Windows\system32\Hlljjjnm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Haiccald.exe
        
        C:\Windows\system32\Haiccald.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Hhckpk32.exe
        
        C:\Windows\system32\Hhckpk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Hdildlie.exe
        
        C:\Windows\system32\Hdildlie.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Hoopae32.exe
        
        C:\Windows\system32\Hoopae32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Hdlhjl32.exe
        
        C:\Windows\system32\Hdlhjl32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Hkfagfop.exe
        
        C:\Windows\system32\Hkfagfop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Hmfjha32.exe
        
        C:\Windows\system32\Hmfjha32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\Jdgdempa.exe
        
        C:\Windows\system32\Jdgdempa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Kgcpjmcb.exe
        
        C:\Windows\system32\Kgcpjmcb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Lmebnb32.exe
        
        C:\Windows\system32\Lmebnb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Lmgocb32.exe
        
        C:\Windows\system32\Lmgocb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Lbiqfied.exe
        
        C:\Windows\system32\Lbiqfied.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2480
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        43⤵
        Executes dropped EXE
        
        PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gjakmc32.exe

Filesize
75KB

MD5
5f21b3289919bd35a3149c924d553995

SHA1
33470e064290e5a42f0c445c8465ffb9790f7496

SHA256
a291953527686cc5fe2b8e57f0d73c2730d6196148fbec1cea37de589553314d

SHA512
7adc49f148dd786fe84851812fe6b4d6afcaadcffad2f8e01fcc32aa2f2c3e55b44198e2efd2dd002a3086f0505cab81e5aec181bdee9cc266e7471fd2c1d2b5

Download Submit
C:\Windows\SysWOW64\Gjdhbc32.exe

Filesize
128KB

MD5
3accd3499b966a0c9291c211c056ec9f

SHA1
3c37bf995fb1adc976fc4100d294b46cc86474ac

SHA256
7db92f79b2d339c53241eaa155d9445c0ca07965eda6b0eea0633167ab6a37af

SHA512
1b0560c9a38ebb62bf59810d8e6c2c786b17193f3b554b480a5d3a9ee090a9e4ebe8ae5773a400f3aa03ff527746e4495a9fc91fd7623fdf6b9aa526b5164e1d

Download Submit
C:\Windows\SysWOW64\Gmbdnn32.exe

Filesize
128KB

MD5
d42e6d9b23a5b08540d803804377d22b

SHA1
aa7b6fec3e29f414b513555cc0fef6d4b5b52b90

SHA256
f19fb350095d771ed835201735c1cdf1ffb1291b38e00643fe6b62112da3e8ad

SHA512
3fe40e3d2748c05e5c3ec03c73832d5fc27475d11a72f96cb610458e2723def322c0134a12d28d277e5db67ddc189cd5d1e876f90a7cfe1857a28ff602b8af02

Download Submit
C:\Windows\SysWOW64\Gmdadnkh.exe

Filesize
128KB

MD5
a89e037d851b046d63230674346c3942

SHA1
425362aa329d982d0d9e9c39afc0a3ea1d3e9c0f

SHA256
8fe46c85514825b2e0cbf3236809f831979b6874161138b8c5e5eceeb34644ba

SHA512
f6a67b08d9dd9d726c3029fc44234a573271023fd58bb053b53eebe0d3c2736e8c37694385715849c7208d1835635524096a955e5b92765536d921584c097b19

Download Submit
C:\Windows\SysWOW64\Haiccald.exe

Filesize
128KB

MD5
9ced1a427fcb2d7dd029777b15181779

SHA1
86cf357c1268706b69c9e4ad6a264a74821b82d8

SHA256
537c167d13afb828d64f26dd8c1428227a9db5b499c06dfd1061704af23abb09

SHA512
a9982e54d419968311cc9f94b69bcd42c60c38fb52ab3b35c661b16dedbb3b850daf650209b2863a0f8653a0a98cac0f51efe73e39b1d658b3878aefc5d8283c

Download Submit
C:\Windows\SysWOW64\Hdildlie.exe

Filesize
128KB

MD5
cfb7664c3d9a53ee91e2ec80113c2212

SHA1
9b51c107b93cfac9169d1c1118ae3aa714792a51

SHA256
92e78ce3a12e1b3254caee3d97d7488c25cb43f8eb5e689eec652656c8e79b52

SHA512
054c4a18b33cd65251d02355f3a0b239b8ea9bfbd7ab7c856527c468eb1ba93afb08a3255350274d83941517fa601014611c75408f83b20541de39825a58fac0

Download Submit
C:\Windows\SysWOW64\Hdlhjl32.exe

Filesize
128KB

MD5
a65301816fecd8d5c112483f3e909108

SHA1
517c279721f84e84e19c2eda75572ab268f16c82

SHA256
baf7a454a3b4198e2fc9307a96c110b852d0337151513886a29eadb7835e69d2

SHA512
f44648441312c536b9166b6b19ba387b059a6ec6c92a2a0c16c98d0db910231ac93947df578ac2e881d479077c44c2ba9ceef3c64e5ad1ac8b5f2d561c1f4705

Download Submit
C:\Windows\SysWOW64\Hhckpk32.exe

Filesize
128KB

MD5
44d04cd894996797e2e1a023eb36242e

SHA1
2aaac7258c5493b25d23f84f7084122bd87f237b

SHA256
1ae673236ad92776b7fd1dfe7af765ffb3e81c506a06293ff371655e1df5e4c4

SHA512
a42635db1124ffe4f047d234bdd2a26eaa714535350617ed50113071c8cf6ca178ac220713f1cd85db481db72118057331175635f6d2866f62bc9feef343ea4d

Download Submit
C:\Windows\SysWOW64\Hkfagfop.exe

Filesize
128KB

MD5
ee6e0ac9eb38d7f0a207ef391770bd4d

SHA1
9f0af34ca7d9e241465c055d535f21c6ddf776b6

SHA256
013c3b5b08464f2fdd584cdb6d3e2ae4ee2adca78bc940f697e2ea34b4f3416c

SHA512
a1625d066f5ceda8d4918c9488df772d2c252103870d2929b6f0a92d03602e2b0a7a0f78089567c62f724404e2a143c540bb54dc7f1a2c7de9f2a6881f2c085c

Download Submit
C:\Windows\SysWOW64\Hlljjjnm.exe

Filesize
128KB

MD5
0b7d03867e70b2decdd59155fec10d77

SHA1
832c185b7e6afc30ef664291d7bacd8a7bad8e2d

SHA256
301df116ff8beac703a67d4834b1fe0587373c925826cbd1cd2bb06fc606c753

SHA512
a6e2e806049a832949d4bb301eda0af57e496ee697467da1031cb1a15cf1eacc146ea4dfc3a7b50a1db1c761684ae1277d8d808637211f88f8dbe20fcdda3f03

Download Submit
C:\Windows\SysWOW64\Hoopae32.exe

Filesize
128KB

MD5
a7833be9d8909dadc9d22e4001daea89

SHA1
ec26aaf6302deee8160aced0665df0989f7aaf92

SHA256
bf510f972db7dcf527c6407484b0e404de2cf78642087273663d038d64bb3168

SHA512
46ba4ed07768e712b9b14312fcb83a18571cb5a0f36442fa8979b431abb23df6816c631dfc2edefb5d39b3f3e3dd5d8ed234eac91048d26fe2ca2175e0a64607

Download Submit
C:\Windows\SysWOW64\Kaldcb32.exe

Filesize
128KB

MD5
2e131f8d467c612bed4e41c852dc6e22

SHA1
f56b581bfa2555c0ecadc31d0dd4f932927ea2fd

SHA256
addd94cc971036afbfac6672d515c0dffb787a5b0e29a7ae38a0ce592e4a3879

SHA512
32c09f8aff2d66a71a8df64a2d6b70128f2e104d82701a8a7ef810922e60384a59058d68dc5f334c23bad9ed8771dc56a0f08febf53082994d231d47b3e1d188

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
128KB

MD5
6d4f67f35653680b7236772b9fb6989a

SHA1
a5b0f4186dd06a6a27f88cec95680d23a33d6480

SHA256
12704bf493788ef196c1669f33b7d05060d1fc3d0590c4f1274ea3a5e831f014

SHA512
e3eb16f0cc852e4be7b92e197a6cb1fb2b2d09f0b6765a940021620d48fc7aa7410c27f611148c9823056dc70265b8be621f9c504e6ff81322145581d60bd812

Download Submit
C:\Windows\SysWOW64\Kgcpjmcb.exe

Filesize
128KB

MD5
6836bcff6c45c8f3e5c9b46f49233f10

SHA1
c116ccff084d07dd29ba96f09c8abbeccf5231da

SHA256
73c969bd06eb7839ff7c94b7f7a7f2503054c86232b76830999b4a28d9e90772

SHA512
741ac250ec30a7a659ba4d1596dde1bcf191b2ee0a4233361baa4e80291e075faa1346c8493f94096e55a7fa6c4857dec0b697cac776b137dc815e133d1c634c

Download Submit
C:\Windows\SysWOW64\Laegiq32.exe

Filesize
128KB

MD5
612371ef8bcc4969dd7bd181e00644fc

SHA1
90248bd922d7aa789d1eb07b64eea045c0c2019f

SHA256
27f8d4a57156cf043764799aa6a155d5f43aa6e0232b523079ce1de8335c0f67

SHA512
b75af5a711fd723225076e8bc4214a51720ee389bc3afc35805698bbf7e60c7149b4e66d8f8760d2b5bf168b07df8f52e38e1f753ae5eea682e57be451c58d5d

Download Submit
C:\Windows\SysWOW64\Lbiqfied.exe

Filesize
128KB

MD5
dc0e615e440b5ae7e7fd69558e3f2199

SHA1
a423f19d3ef8ce0844c83fae5e18342e9a31df57

SHA256
f45047d5e551ffe3d19d5b27dfcad5d1d3a1de57d4913bb220f9be1747c57cab

SHA512
26256174dc51a69d77713b5658f5ede0b70875d684744415b9275efb7b4f0cd2d7bafd8d1a1876b52172cc535a0d8cca8257fded257b55f835450bd1d948cd62

Download Submit
C:\Windows\SysWOW64\Lclnemgd.exe

Filesize
128KB

MD5
5ee19d864d444cac7adf61105137cb79

SHA1
000541f4591075f43a3373074032234537e88bb0

SHA256
8f1f30bb2d058f3aa497be02840dddca7afbc26e42735d1615109104864423bf

SHA512
727de900f4bd0a436b5dfae9edb73ede311ba12caec9c52eb89ee3aebe77e80658ff187e8c16a558b1c97ed0270f9257464590430823e6f0b17ef653dc6e60be

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
128KB

MD5
04b8b9b0393a9b79e3900879386ec6bc

SHA1
c91ce904bbc469365aab718748507f6f19deb839

SHA256
56d659e3cba854d57c115b5ca473ba7e8daf436ce0bd0dd3ad590fff2f63b257

SHA512
bbc53446f5d83e5573fd937c6d2a4a806404f3574ddfe4e3be4aacf4cba3497f2813c4d10ba1377dc055c15d8a9b519d147117f39c1419cce30aa0d0b4a357b4

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
128KB

MD5
08767be09a3cf5a01c02516ecb4b464f

SHA1
208e44c67f767c72f49ac3e6ae4ca8e87562766e

SHA256
fa00edfd2503a73545a17fa20d745b99a80266b3ad02fa78ccc018843c572643

SHA512
ec412cfa0cefa5c3b80210b44acbfe2da4302790e22d7e874458d89701e8d2f62d8d4f8de362919725538dbbfac32b436d461747ca833b22b866a0a0f02f4667

Download Submit
C:\Windows\SysWOW64\Lgjfkk32.exe

Filesize
128KB

MD5
4c0d5398c697527c65070390372543c3

SHA1
1ba25f9ba98887b010c4cd845443760f8ab6ab06

SHA256
a720ab1c0a3ecb4cb40ac39f44e52738cf68a95911ea576a80e57dba73d0723d

SHA512
e7f3fedb7896a3fb44e6fd61e6998eaf448e7c51b27c72da3d503fb16e318f1f1c8dfe0604a972d39698bc4c5d08483c9b0d6c398098ba3489dd6016816342f7

Download Submit
C:\Windows\SysWOW64\Lmebnb32.exe

Filesize
128KB

MD5
0880b47411e4ccd7edc830d674013cf9

SHA1
631aca07070f4243899294616fee43056e4efb20

SHA256
238a57602270a1693c850ffabb837d38815dcdf734b36bb3eaa29308084df84d

SHA512
7f00ed84d982af94ab7b692fc26f9c9b4baab383efaa64af89c4a9c444ec4d74b81b6db527054850fc831da86e8bb8a6ebc557d466ca99892584c34323ec2ea7

Download Submit
C:\Windows\SysWOW64\Lmgocb32.exe

Filesize
128KB

MD5
d6a1fc91a02b931a448a910fbb86f73b

SHA1
0ecf5915d095c33e661bddc01851789ab56aea24

SHA256
22951170afebafc217e412537920a28fb7455b3f08717a3cc2539044853cd97f

SHA512
98f18826422e789190b6ece0c472f0bf48a35160e26a611d0307c32098bcd69ca9d218ba15eea08145a8ab39f92598aab986221b38f5156d7c7525a786df6cf1

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
128KB

MD5
06975b3daa5dd5b304f74e413b482af3

SHA1
3b4da05e185a59e1262afc2fe06c28f942462143

SHA256
0573e98de7cd0859b09d61b06c8f3bda5f4d4a372fd0621bc3867f87db5826c9

SHA512
1f35b5c6db76643a37c76e909f71c3b32a6391059db9d8c66df355d065a58bfe6c9165fd5a4bed553b1d656a9cda91d0d15bfbf4388bb6b774df819389e2a0ba

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
128KB

MD5
2419c4f0d6261be85454628577f484a0

SHA1
ec708ea474091db0cd4a69e6b1bd41a0b952fa01

SHA256
0ca6311a6b20a35fbad726cfd7131354c52bd27277d92a4ea63b5ab327574e7b

SHA512
ff71c567df785cefba5fa179599ea47dd36a2342134c078b41cb02c174915b688a46dfdb89dfd3d82fc618d090f76e4d2a90b825082dddc5605e5169656b46c4

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
128KB

MD5
f18dcb153d6bd8fb2caf0c6c45753e61

SHA1
3a94d8d3dcb2630e30969cf0fed25df006352688

SHA256
07c8731e6fed47cf034601d5b15fdd4a9267707be2706af9df458e9d0f9117b9

SHA512
c422fb9e5025fbbfa3243343c57e2d1b4c387878fa2d9ae1293fcdfb273c33a5aa9b36f54d57c2c3a3e1f07466f5c713e81e3a2d743387d494218a0418fbc20c

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
128KB

MD5
05ffad0581cf5f587185e094fa5d2fb3

SHA1
e3e2899bae83413dd8f95431eec49d7b456b0e00

SHA256
815262a0cb472f2a44afd728a698b0d22a0100742e7255c277d42ab77814cbcc

SHA512
46855f54c208a3757e6e3c9daa09b77b32d995f4eb4177e6c421f20c84df1a9a7e22296b17d6ec4991c56458b5421179d7bf0be261acb5a6e6f022c2ba8903c3

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
128KB

MD5
d0eaccb68a7a8198cc3c2f4ee9ac6b2b

SHA1
75ffbbc5dd8d56cd0e1ef7e1b47d82ae94e70c0c

SHA256
cfec4a006b31d4eaec855cea7ffd41c2df50948fa5e888b9f2ace6cb4e62cfc1

SHA512
624b3b4ac4e9fc4a0479e2a646ec82e85a61930b950a84359aa9fc65d0dec8b342a756822574392c274ce1c5d5b2f69def2ec71c5387d3fe19400b2812fac289

Download Submit
C:\Windows\SysWOW64\Mhhfdo32.exe

Filesize
128KB

MD5
3aacae5ae5f5f9b68f6100f5f4f800c3

SHA1
9492050200c3c58de3b7ad0b2d1964853c0cd999

SHA256
7156ad72f81ac2b5b9f0f15593f3a2cf59add5d8d36068b694254d7853f22c62

SHA512
4e5f4e66c2bf903404a209e50acdf87a7ee643c2cf93df566aea84c166c35dba740ea1a51b1f89559b6eb483a34d4650f2da87c98fa53a551ff11fb1ff666e19

Download Submit
C:\Windows\SysWOW64\Mhloponc.exe

Filesize
128KB

MD5
30da3a9aa8def0b6e335a952224b0954

SHA1
36a3769967f0252ab1a5904a13496ec3c90e9c28

SHA256
4a7c6496b6b39c6d4effe47fba110c6585e2b097278ed50281c150c4344bfabf

SHA512
acb2b95f88fc5ab3d5ebc22d9086d3f892c05a83a1bd378c0cdfaacd4e7656be8322ac3991f72184dfe8f476d05f95528c21f3aaa360a8ffa89508145afe28cd

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
128KB

MD5
b986813ce069880d5c15bf35b9a0f5df

SHA1
941ee01c874bc13b55f8d8420ef3e57176330ce0

SHA256
fa995ae8e17c70a14ce5de54db95d6e40d79ed1e79b69d5671d9d057792b53e8

SHA512
daefdaadd880901be2016415bc7c3cb57f1bc4cf152e3300b8c7bd3ba537fa5c580070ee4a9955f504e675ba9f0904a0b8eebfce72af6af58fc16d0ef524046a

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
128KB

MD5
e970a38f128b0cc7650055aafa3bde11

SHA1
c76cb1261f7c87108d0ea1e2433e723a68a6abbe

SHA256
044a73383dbbc9a2b6c1eafe0373c4ba6acce5e4aaf27c1b053f56839197107e

SHA512
0ad1da36b4ffc85b085710264b77954c90f072931139723af00f297b60adfd9e339da7c08c670d1a140df54bad7c04a1adae9e44deccececaa61ad39df816e2a

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
128KB

MD5
c70985a4f04f44405efde462eb0b70ec

SHA1
8943c09383efef0db96a3784cfbd11ceeb90b1b3

SHA256
e107f224861ecebee1a9426d563c111e46a3ef7724efc1b6ab73e3c4d4a0b029

SHA512
ebee48e1ce9b3965b76690908ba6bc797f7ab80635bc62b04801c561d96723727c05692f6e5a5c60db42e3c4829e993877ac6e5ff5aaed014b50feca937a96a0

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
128KB

MD5
ced74b4676b1a7fbcc836b3048fb9c22

SHA1
bc1a5c79b6c820119acc1efaee1245ce9cd1f464

SHA256
a01fe9fc9af79adb872070af264ddd15f26952b9356c5be3f4d1d4791f0468c3

SHA512
6aea8be996cda5c5c7025f3fa8a01869e41f4b0db699e7422212cd6b19acc9b9ff636c0b028d8acb009032ad99203cf4bcb0a040fcfac266ff2b332644ba9970

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
128KB

MD5
8e93d37dab11e9449c545e1dc604009f

SHA1
0b20869699391a9ad730ff06e6b10dcf8b9ee397

SHA256
76902cc47c3350f3f24b7c94e820806807e909c1c2cbd6888ae040bfc4bb2883

SHA512
12a0dc99095286299a7965b70ec36eb1b68e67a94d30ed5f06dbbe60b3d3e58f3e0adb178dc75c5f5481351d9ecd419c5a60c4be1455b15d4e89918c61e4526b

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
128KB

MD5
89bb671f59de37ddaa7e8c1600f945af

SHA1
11d0b6fdab443bbb1879d1f9a8f312a87e075cff

SHA256
388801cb875732900a15b7cf7ef8466642b8082fd2ed42d39478b063aaa4a941

SHA512
39d414ed2127b3eb5e6fd58fc717aafc763cd08140bcc632dc69182750bc8302c39a4dbb34e9d4146793ed72bcbec2c297b7709c6290d271411ce271efccc3ad

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
128KB

MD5
ff5ba8a2e1285a25d20622388f056a2a

SHA1
e7321ebdeff46efb1ceac2432f979ca24cdfed6b

SHA256
59a57bbc5e64b7879bb6c3915653d05cff3ac46b3481ccad2ae1f2fa464de5ac

SHA512
30d76f62b72e0f7fe7ec3fba05a7379779beab3d4877c7a0fd31e7a3b7bb7335eed4248e675b756ffdef992a073511fc7763a5e25084cc682ea759061e0ae828

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
128KB

MD5
180a3e2fb6556ecc25f791826e5d466f

SHA1
407795680837e1166aba79ec1c4af5adffc75460

SHA256
90d0ea759aee98551502ed165faa978fd2a9318b592c2f7a087e1b4eebfb90e2

SHA512
230e2d45b1f6f1a6335887073fb64ed0b8668b3aabca91f63843dac156c6a44262f52061c8eae4fb3eac0824a3198a96f109bc3a0041623a6fd196cfc262e7a8

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
128KB

MD5
3fc1e42382aebf2120926ac7dbe5baa6

SHA1
36c7adae99f4dc79d229346b4d60e72b39ad62b3

SHA256
232f8267903a39256128841591bcc4f817c48721ce5f2dd1aa3ae299bbf47ae7

SHA512
0bf0bd4b41e07f2a7520c0b898dd02f53335a307c7c41569e6579bcb83e6837289a75216dbc7f7458768ce5ccdc96e0a103aa6403ca4f98ff0c6df1e288ce7fe

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
128KB

MD5
5162eec495b68401c7bf2c50ac85d6fa

SHA1
6223b19dce13702006241382f0a6d5e2e0eaa368

SHA256
9422465b0e5f0110301bd1a043c52859c7b8caa6ebf188e64c1390c18c0b81e6

SHA512
4f2fac97a9b2d1f63a60a7247b26d00bc4be5ef64688b1a69b65b64bda42db54e042f6351fc904a3f335acf66e2b7d6371fa2a8538566032d1ec9de79f45680a

Download Submit
\Windows\SysWOW64\Gepehphc.exe

Filesize
128KB

MD5
835186288349b17407c7506529582935

SHA1
ed08005f53c5f3485a0461c9f3fba8c1dddec7da

SHA256
7499da242a17eebc49adf30b67d55d49de1bef2930555fb6eba56040b6673111

SHA512
b040f112f4a09ab6d33b673e58c75b5aa686cac6fa789750b745fc9b38802c6d4729304e1d29cebd1f9fb936201fdc3af1f7776935912e8c2c8fbf89db5e1af7

Download Submit
\Windows\SysWOW64\Gjakmc32.exe

Filesize
128KB

MD5
543ee1d1ef6d8c5c3ce8807b30915f91

SHA1
408d64c4ed551d49a05bc795dca062b3f4ac8618

SHA256
be3d21b5a710647fbc13ddae0d26cd962374bc0a014efaf721a31161107040c2

SHA512
36d33331e51101e65abab743ae906e49bf63110511bbdbea32f37dc8260b0dcb19221433273eb0913110b2a0879284b6b4c46b6cf981ea266f3730f274b1e3f8

Download Submit
\Windows\SysWOW64\Hmfjha32.exe

Filesize
128KB

MD5
93236450ed4a169c507acf1a263a9c41

SHA1
2c085096cceea8391163a52d14cb5f76330f5d37

SHA256
4d715c1c859c025b43f5867e28cd940f1cc515e48349c582e3ca7531939086b5

SHA512
b0f95cf4a188954e0115812454fe0615798db4e41b8532ed122d9bb594fd00f092ba5dfa7ab60e03dbfe3bfe3ad48c16a1505efe93a006a67f91af029bc9221e

Download Submit
\Windows\SysWOW64\Jdgdempa.exe

Filesize
128KB

MD5
b4544820333553b42ea3fbcc9c8fcc15

SHA1
b80bb8e3a71e43f1033fbcfc352002de4d0d362f

SHA256
6f7d2497cf95f7da67875a02e4d35aa6d60c478f7484fcd6789b5d82394b2f1c

SHA512
8a4c076ba6eaa53555da52f85903ac2cbd6a8e57529021df776c7c27a95f5b8ed090a10878943ebcff0efa94d1585de6f4ad158f8524611cc29fea92ce30bf6a

Download Submit
memory/328-267-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/328-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/436-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/576-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/576-400-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/576-192-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/584-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/908-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/984-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/984-304-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/984-426-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1168-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-431-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1276-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-277-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1616-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1632-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-76-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1732-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-381-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1732-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-207-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1980-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2192-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-165-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2312-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-401-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/2408-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-180-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2436-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-6-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2460-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-59-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-185-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2596-57-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2596-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-60-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2640-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2648-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-370-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2708-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-386-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2920-233-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2920-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-183-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/3020-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-32-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/3020-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads