ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Size

232KB
MD5

ebfb3e439f41c104a2e766e0a935c1e3
SHA1

7782ef5da85102f17f74a9be1984e82d8426a060
SHA256

ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000
SHA512

1de8502ad3d49938644472a9a586f6661e699cd0d6d595c81fd7ed687d7c54231d318ea8699816657d19fe8ba8cbff0922ae68446e6c33c94506408f2b0c047f
SSDEEP

3072:yXkZy180sVt7nG8+V+07usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121Tzlz:MbcVt7nGX36s21L7/s50z/Wa3/PNlPX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaebef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlppno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakmna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiccje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbldphde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmdblp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiccje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe

Executes dropped EXE 44 IoCs

pid	Process
4304	Gpolbo32.exe
4744	Gaebef32.exe
2284	Hhaggp32.exe
3404	Hlppno32.exe
1100	Hbldphde.exe
4664	Hbnaeh32.exe
2132	Ibcjqgnm.exe
2988	Ilnlom32.exe
4668	Ipkdek32.exe
920	Jihbip32.exe
4044	Jhnojl32.exe
3696	Kiphjo32.exe
756	Kakmna32.exe
4912	Kidben32.exe
4832	Lhnhajba.exe
3924	Laiipofp.exe
3076	Ljbnfleo.exe
4580	Lpochfji.exe
1516	Mpapnfhg.exe
2604	Mlhqcgnk.exe
3700	Mjlalkmd.exe
1920	Mlofcf32.exe
4568	Nhegig32.exe
4064	Nfihbk32.exe
1572	Noblkqca.exe
4400	Njgqhicg.exe
3480	Nbbeml32.exe
3592	Nqcejcha.exe
3116	Ommceclc.exe
788	Oiccje32.exe
316	Opbean32.exe
4420	Pcpnhl32.exe
728	Pplhhm32.exe
3392	Ppnenlka.exe
4472	Qmdblp32.exe
3692	Qfmfefni.exe
1136	Aiplmq32.exe
3988	Afcmfe32.exe
3008	Ampaho32.exe
2816	Bdocph32.exe
1800	Binhnomg.exe
972	Bbhildae.exe
500	Daeifj32.exe
264	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Hlpihhpj.dll	Gaebef32.exe
File created	C:\Windows\SysWOW64\Faoiogei.dll	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Jihbip32.exe	Ipkdek32.exe
File opened for modification	C:\Windows\SysWOW64\Mjlalkmd.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Oiccje32.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Mnokmd32.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Hlppno32.exe	Hhaggp32.exe
File created	C:\Windows\SysWOW64\Lhnhajba.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Ebdoljdi.dll	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Hbldphde.exe	Hlppno32.exe
File created	C:\Windows\SysWOW64\Abbqppqg.dll	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Opbean32.exe	Oiccje32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Ipkdek32.exe	Ilnlom32.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Higplnpb.dll	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Noblkqca.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Oiccje32.exe
File created	C:\Windows\SysWOW64\Lgidjfjk.dll	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Qhjgbbnj.dll	Qfmfefni.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Ampaho32.exe
File created	C:\Windows\SysWOW64\Pggdhe32.dll	Hhaggp32.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Kakmna32.exe
File created	C:\Windows\SysWOW64\Ipimhnjc.dll	Qmdblp32.exe
File opened for modification	C:\Windows\SysWOW64\Ampaho32.exe	Afcmfe32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Hhaggp32.exe	Gaebef32.exe
File created	C:\Windows\SysWOW64\Jgbfjmkq.dll	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	Qmdblp32.exe
File opened for modification	C:\Windows\SysWOW64\Afcmfe32.exe	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Panlem32.dll	Hbldphde.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Qmdblp32.exe	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Hbldphde.exe	Hlppno32.exe
File created	C:\Windows\SysWOW64\Lckggdbo.dll	Ibcjqgnm.exe
File opened for modification	C:\Windows\SysWOW64\Jihbip32.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Nbbeml32.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Qmdblp32.exe	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Fmbdpnaj.dll	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
File created	C:\Windows\SysWOW64\Gaebef32.exe	Gpolbo32.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Hlkbkddd.dll	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Dognaofl.dll	Kakmna32.exe
File created	C:\Windows\SysWOW64\Apjfbb32.dll	Laiipofp.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Kakmna32.exe	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Hanpdgfl.dll	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ljbnfleo.exe	Laiipofp.exe
File opened for modification	C:\Windows\SysWOW64\Nqcejcha.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Opbean32.exe
File created	C:\Windows\SysWOW64\Pplhhm32.exe	Pcpnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Gpolbo32.exe	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
File created	C:\Windows\SysWOW64\Falmlm32.dll	Jihbip32.exe
File opened for modification	C:\Windows\SysWOW64\Binhnomg.exe	Bdocph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	264	WerFault.exe	142

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokomfqg.dll"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll"	Jihbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefmmcgh.dll"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Binhnomg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpochfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll"	Hhaggp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlglnp32.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgidjfjk.dll"	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampaho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll"	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpihhpj.dll"	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanpdgfl.dll"	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll"	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laiipofp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4304	4612	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe	98
PID 4612 wrote to memory of 4304	4612	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe	98
PID 4612 wrote to memory of 4304	4612	ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe	98
PID 4304 wrote to memory of 4744	4304	Gpolbo32.exe	99
PID 4304 wrote to memory of 4744	4304	Gpolbo32.exe	99
PID 4304 wrote to memory of 4744	4304	Gpolbo32.exe	99
PID 4744 wrote to memory of 2284	4744	Gaebef32.exe	100
PID 4744 wrote to memory of 2284	4744	Gaebef32.exe	100
PID 4744 wrote to memory of 2284	4744	Gaebef32.exe	100
PID 2284 wrote to memory of 3404	2284	Hhaggp32.exe	101
PID 2284 wrote to memory of 3404	2284	Hhaggp32.exe	101
PID 2284 wrote to memory of 3404	2284	Hhaggp32.exe	101
PID 3404 wrote to memory of 1100	3404	Hlppno32.exe	102
PID 3404 wrote to memory of 1100	3404	Hlppno32.exe	102
PID 3404 wrote to memory of 1100	3404	Hlppno32.exe	102
PID 1100 wrote to memory of 4664	1100	Hbldphde.exe	103
PID 1100 wrote to memory of 4664	1100	Hbldphde.exe	103
PID 1100 wrote to memory of 4664	1100	Hbldphde.exe	103
PID 4664 wrote to memory of 2132	4664	Hbnaeh32.exe	104
PID 4664 wrote to memory of 2132	4664	Hbnaeh32.exe	104
PID 4664 wrote to memory of 2132	4664	Hbnaeh32.exe	104
PID 2132 wrote to memory of 2988	2132	Ibcjqgnm.exe	105
PID 2132 wrote to memory of 2988	2132	Ibcjqgnm.exe	105
PID 2132 wrote to memory of 2988	2132	Ibcjqgnm.exe	105
PID 2988 wrote to memory of 4668	2988	Ilnlom32.exe	106
PID 2988 wrote to memory of 4668	2988	Ilnlom32.exe	106
PID 2988 wrote to memory of 4668	2988	Ilnlom32.exe	106
PID 4668 wrote to memory of 920	4668	Ipkdek32.exe	107
PID 4668 wrote to memory of 920	4668	Ipkdek32.exe	107
PID 4668 wrote to memory of 920	4668	Ipkdek32.exe	107
PID 920 wrote to memory of 4044	920	Jihbip32.exe	108
PID 920 wrote to memory of 4044	920	Jihbip32.exe	108
PID 920 wrote to memory of 4044	920	Jihbip32.exe	108
PID 4044 wrote to memory of 3696	4044	Jhnojl32.exe	109
PID 4044 wrote to memory of 3696	4044	Jhnojl32.exe	109
PID 4044 wrote to memory of 3696	4044	Jhnojl32.exe	109
PID 3696 wrote to memory of 756	3696	Kiphjo32.exe	110
PID 3696 wrote to memory of 756	3696	Kiphjo32.exe	110
PID 3696 wrote to memory of 756	3696	Kiphjo32.exe	110
PID 756 wrote to memory of 4912	756	Kakmna32.exe	111
PID 756 wrote to memory of 4912	756	Kakmna32.exe	111
PID 756 wrote to memory of 4912	756	Kakmna32.exe	111
PID 4912 wrote to memory of 4832	4912	Kidben32.exe	113
PID 4912 wrote to memory of 4832	4912	Kidben32.exe	113
PID 4912 wrote to memory of 4832	4912	Kidben32.exe	113
PID 4832 wrote to memory of 3924	4832	Lhnhajba.exe	114
PID 4832 wrote to memory of 3924	4832	Lhnhajba.exe	114
PID 4832 wrote to memory of 3924	4832	Lhnhajba.exe	114
PID 3924 wrote to memory of 3076	3924	Laiipofp.exe	115
PID 3924 wrote to memory of 3076	3924	Laiipofp.exe	115
PID 3924 wrote to memory of 3076	3924	Laiipofp.exe	115
PID 3076 wrote to memory of 4580	3076	Ljbnfleo.exe	116
PID 3076 wrote to memory of 4580	3076	Ljbnfleo.exe	116
PID 3076 wrote to memory of 4580	3076	Ljbnfleo.exe	116
PID 4580 wrote to memory of 1516	4580	Lpochfji.exe	117
PID 4580 wrote to memory of 1516	4580	Lpochfji.exe	117
PID 4580 wrote to memory of 1516	4580	Lpochfji.exe	117
PID 1516 wrote to memory of 2604	1516	Mpapnfhg.exe	118
PID 1516 wrote to memory of 2604	1516	Mpapnfhg.exe	118
PID 1516 wrote to memory of 2604	1516	Mpapnfhg.exe	118
PID 2604 wrote to memory of 3700	2604	Mlhqcgnk.exe	119
PID 2604 wrote to memory of 3700	2604	Mlhqcgnk.exe	119
PID 2604 wrote to memory of 3700	2604	Mlhqcgnk.exe	119
PID 3700 wrote to memory of 1920	3700	Mjlalkmd.exe	120

C:\Users\Admin\AppData\Local\Temp\ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
"C:\Users\Admin\AppData\Local\Temp\ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\Gpolbo32.exe
  C:\Windows\system32\Gpolbo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\Gaebef32.exe
    C:\Windows\system32\Gaebef32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\Hhaggp32.exe
      C:\Windows\system32\Hhaggp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:500
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        45⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 400
        46⤵
        Program crash
        
        PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 264 -ip 264
1⤵
PID:4288

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4f51ad40805b589f6c1d78b874e08d19 63aft7S5gEy89N64R+gU1A.0.1.0.0.0
1⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Binhnomg.exe

Filesize
232KB

MD5
b01124fa5b9e4bb18ff84648b070a2de

SHA1
a921bbb625d6ad661fcd3c7b063e55338fee4dc6

SHA256
9ec4f6a480c7d97f9828b8933265da1b982b232f768d36dc4ed2135738002661

SHA512
ed581106673c15ed5b561418561579541f031901264d6950bde09768d873f44e4c7fdb942ac4ae4c441cfe19f707a9f00b85f806ad0c89e56720e88f22612dfb

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
232KB

MD5
f0e488d869d07c027c14bb922b17c1fe

SHA1
39a87d3b394c3a1356c77ef6413711d69250c831

SHA256
6ec4d79d76af90b418c963578f12b4006be140801a3853e9251054d0b0ca5db6

SHA512
672902ff97ff3f8eafc774cecaf975cbf1a0bc1920a8fe73271d463ba7a84caa3c8f2d020de185de20eef7632adebb309b41b689211ee4848191faf359ec56cb

Download Submit
C:\Windows\SysWOW64\Gaebef32.exe

Filesize
232KB

MD5
033a4664b3f6f3ca29d2dd7f35ec41b1

SHA1
c772dc46fe96d2e4588c6c9c7f7f5febc1f03867

SHA256
795a5557497a4f2523e693f5b3e1e9704cf7bef958464334196c19a4a48c647e

SHA512
81728f8379132b56f7a66d4a09d2b94a57093a0ab8b17243a8cae9dd13c51012672840d2a71b236482a9d30fb127069c88e014670bc27a8b537b9aa2d385828c

Download Submit
C:\Windows\SysWOW64\Gpolbo32.exe

Filesize
232KB

MD5
e05e166b99af2bc60d6c208e8a794571

SHA1
39af20a66d19e22749377d2bacf6a854e0eae666

SHA256
24c42616d0fdcae172c84e781c2fb761a28d4bffe8231248112ff7e48af48b9b

SHA512
775c4230b47229676b8c3a0ec5403ce706f476703322202ef8b0b538c20bb31bd05e396603b56f3380f4c1b318b57df93b4934055b3bdd350c4d16e477f2a441

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
232KB

MD5
785afc506df5162cfb8f2a6726c4183f

SHA1
1b9d835921d818563f4b71364485db6a8a46ad1c

SHA256
856e4d1447f0c463fe6ab00c5495f49996e1cb4dd1f56df96faf3446942b9f5b

SHA512
eb19e2743f47a8963426e09af30f6764f24f5a0a610534625e1dd3f052be477006ae174569687bc915dd5c80565aa2a1fac39f69171b33fd4159f9e71a1718f5

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
232KB

MD5
a33cb96eef026345d1c85337a130e4b8

SHA1
ad6e48fa0a8542788713ddd492d309e35533db2b

SHA256
f39379ba0c379992a4463d7796505fb54711037e38d804390229cb70033f929a

SHA512
03130b1027538f0196ad1d31370e7a5c842c8836faa658232ac863d83167d0204b5980590af834aff8618ce1b625eace167b51e40ad6deed6d3b52f5a976701e

Download Submit
C:\Windows\SysWOW64\Hhaggp32.exe

Filesize
232KB

MD5
4bda4a7315041d5ea425b4a2bfb57bb5

SHA1
7b7c82f64c5be1f0a0d0cec9c660e5d247e96c85

SHA256
fb9ed7d6d9240fc7776b80201446794eafdceb524dafe959e6842097fb9296c6

SHA512
3aea9d333cf4b5de400da5c33ab6c09deaefa85ffeaa8613cee71ee6adecce997669cbcb44c52ace27d044eea3dd6f81f55c22d89ffb21528fab8437ee0e32ef

Download Submit
C:\Windows\SysWOW64\Hlppno32.exe

Filesize
232KB

MD5
f5aadd2a062ddd453a61f63a95ccb2da

SHA1
6ba61faa322ce4b950e820e2880fd9a4bb09bfcf

SHA256
b7193b78e5c195a907f9c4e77e8cbb9446e2e4ef277546dbab0da55911cc1c8a

SHA512
dbb2894414d593efe6b1a9fb53965706192b86ee4e2de904687511db50bf7dd1585813297b67e3bab90c23d84bee5cf888d0525b346369fbce4d95dff80a07d8

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
232KB

MD5
d5f1bf56a2b3ed9b1486a5d1453bdfb2

SHA1
09f4d6b6809b06ce4216ed81d41215856dfb9ef8

SHA256
a453b88b3fe8dcb7c2d3597d60f2233788e6d74bd0915cf92c7fa5cad0bce26f

SHA512
eb1ea721353f5c3846792a8217470672eabcf0b2d8fe917125e3cbbd156842f96417fa896fe5118e2080e167334bbd5d828dee4afed6431b13b4e741277bf77a

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
232KB

MD5
dd280287171d5a394c0521eb52773cf3

SHA1
c7e657aac1170ad99d4417afab6fe5ab69e81ceb

SHA256
4b02a3f5142fa6a1a2643344c57807efb190144f6df104b6bf0369447425e4d1

SHA512
d11d15e75d984af71ae2394e4ab6b7b776db0de7ac781da48aa1df58c09f003eea5dee6365bfb75da32c96dfa92de2afedda5d3452ed0d8392c759d85f71a5ee

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
232KB

MD5
bffd85a2349f3d574970bc5abf5fd1a0

SHA1
e6841e80ec1a642f1729186b081ca8c02def9b21

SHA256
9a9e91e7ce50d915228213c9965a25f93de46bd75f6b4655f1cfa9071c7b4085

SHA512
abcfe253d148ab79b789aebd6a316b63faab5c8015603a58f2da5b7d8f34c0c38715e7c75d8d2f5a008174cab953a6014003eaa0373944ffdd16975bac0176bb

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
232KB

MD5
f5045a53946480af0dcb5bd5fc8aa80f

SHA1
5e69a7a92cdc7375f5fd0021d43bd2ba6b7fc329

SHA256
0895dc9235680147c420f7e5e36cb24e3fd18d1e26b2e14dcee64e8d1eb5d00e

SHA512
4adf4aa6617c1ececaeb7fefd9f16f743e06c75c56ab33840f07a33a8f6f9aea569ecd5a0e94550dbda39a83f69f38c93380730d3ac558c7356c34d380491d2d

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
232KB

MD5
6f10e7bd03d2d2b3cc588c01770d60fd

SHA1
f97185aec9c30f6da4ceda5fa93b8b98e06d15f8

SHA256
f0e97f78ca1d08eb5a6bc4960d71086df45153b37fcd7599613b3b09418643fa

SHA512
664e823677b2ecec3a745639e6f39332e9f576692d0255b4ce175cc36d018bdbaa0c259dfe9bbd639d261b3bcf6abd7eb47ce8591446d2afb835e39fe0b067e7

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
232KB

MD5
0065a9c13fcddff6d060a7fe2bee6b3f

SHA1
8810e3d56a1b73d5fd74e5bbf88a1aac1ddc9a33

SHA256
3d456f5b228432c697746431b5e591772ded8eb985e0e5d8b154651fbcf58cb3

SHA512
83929b5be4c481b86b5d21b10356c7055f71765827f5505a6a1241a4dcb47a697ac42475f2c2f99cfbc34bdd1e5d0066e537f1c554792b40d1ce6647efd53edf

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
232KB

MD5
69f11ccf3d55a2957b5e61aae4258642

SHA1
d8c8173380d14f95925df743c8bdf61207c0f9a6

SHA256
3acac7a4f2676794f865199e6456bec3f699c7cbb1c52cd3b611583ab8d65198

SHA512
5d3b47bb21e72c940e44b99c588c7c9ccadc1d7c2487437b6756fe6cf6ee6f84d177f464fbb15cc3e94a4ca0b85a33a9f533aafca119e0fcfc8a8e9eb75f3089

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
177KB

MD5
83884e791a3d4dfc57c3b738266b3b50

SHA1
3cd3ac0e59bb3c53bb76d0ca8b4478289b93076d

SHA256
36281d7974cee73e4bb42234cb51023b2b69aa0fd729239b8d150112f008574d

SHA512
4b47ed4392afe8dc077733446d90b6db130604c0be39aba17c7f7aa16e61b9a787b8007d88f6d5b33e75bcce4bb884ac25e7c9d3b1059f4ff1351cd4dc1f3be8

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
232KB

MD5
fdf68c5e08248a9c8f3280dca025ffe0

SHA1
4f10ebde1284dcbf35b9339fb6b924e5e1df4e9e

SHA256
fc46dfb67f6787e48fd1f895332af561d18f8155cc627293e1d7bb7206d7fcb7

SHA512
3102843a0db2bbd9e4cf243c883f66491fe6d95ea21a818c8ae8b5b3754a88ae68b3b7eee77439cb5b2db392d38b1c084c17271e4e28e2fedbeaba235436f97d

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
232KB

MD5
9f2793d5742099e1a81d8cbc5527ca51

SHA1
f726c058f9a4e3e8313649318f0cd10682cfca08

SHA256
6dc8f203fbca2cc298d80c6d73840148aa5b3ee466b0cd3860ee42cd1d0f7ebf

SHA512
9de4615b411e3ab0910350b5a0195148e2aa056fbeaac10ca29efba0672a2f04e13a810705cb264ef5fc627feecbd1833b933728a966e3330fe93c5a0287fd81

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
232KB

MD5
f94c64d671b702500c342585c3cd106a

SHA1
b839bdaac577b61d0b4b5ee40bdd5e897b4d6aaa

SHA256
4387956b81bd26cbf5582fe4a0434f58a55997a4d6ba4b78c298dc8493d52e2e

SHA512
b1d5d96d3899f566bbf623d7e6f4b18e535c750c173d31ec41036775d173bbc904e3a1785331ba29591d33cbc8bb90c02f4f2c004db19d192c9c72076c7c8952

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
232KB

MD5
d4c766b9d28f75c36cff338a6227aa71

SHA1
6a21113e8d3c34bd8ecdc566b80c7e5cd68c347d

SHA256
bea7b241de79f1418e5ea2796251c79902806791484779daf8accc07be856153

SHA512
4f53e5c3a43845c1defa5cc6149747699fc75fd8bde0b83fc38a14c3fd5126d71eadb1a1a67b1ca9abfd6e52f2e4d9f9101210ddf6e9819b8578bface9938c85

Download Submit
C:\Windows\SysWOW64\Lpochfji.exe

Filesize
232KB

MD5
d4482d3450a1a3635d23ac7394c2bef4

SHA1
a369b7edf44826e11735dce9378be3a15aae75b2

SHA256
fef4a08b022770d0db0d952de67ccf9864df230b1d62382159968f40281c40af

SHA512
fce96fee32c9d7d4f39f00aaa838f457610423c0c28ee1f10037d5b255c996f4a289ca9d931f86301900e36a9c6afbfa8bb39b0d38aacfdef4030594b390c26e

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
232KB

MD5
a586e321c1282f87054e5b1b2b8f1223

SHA1
6fb76bd34452dec25928692fe030f120099e6da6

SHA256
a0157158513038c20498885fa5642a0672781483ee47cd62d02fb8524496809e

SHA512
6e92f9b89a5e6f8f581395d11afa51697e663d30142a5d831423512a6407757d4c99c4058e9708da5c509c68e50b70345ac2496b91ca9719b627a820d4270faf

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
232KB

MD5
7468e12af24ad3e601a28234bb11b4ac

SHA1
fabf7fa40ecd5a8aa58c4a08f94cac765edc8cc5

SHA256
e357eaa91290affb2e0f2c8416513b416e240d5f7d29085989f72e1eebd017b7

SHA512
438928a49f02659c7097faf2efe197e06722c0e682062a491acabb08d64b218cdb6b999c33cc9e4508093305b1109b9d584fae764a06ff01e5b0742ab39d6221

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
232KB

MD5
fb337bebc62fc328458f325b6d67d187

SHA1
42901feffda7d66f2526d3f111fb6d28f53bfd33

SHA256
9be5adc346b4ac8c339b1445920a3c3ff19a0d70906cbc633239cc7848946a86

SHA512
e6de1bb34c019439060c40271913188d888b5fcfe00cd8229209898e4340e537415ee321d1ea2d321030455f84b5b1f075ae0929ed9d3b03b3c3488f49ad97f3

Download Submit
C:\Windows\SysWOW64\Mpapnfhg.exe

Filesize
232KB

MD5
5f8a88a4384f992673f7ceeb4c3eed8c

SHA1
3d7488af682c03ece115c8014a7861a9aadccc66

SHA256
5ac7e1a8918420c22bccbde5dc075e37078208c61643a19f8d919bf82a775f1c

SHA512
3aadebff4382de9f07dda18ff6970c3370a5ea916386f02526ad95673ea8e8ccbb59944744bae21aeb7ae85bb4e5d35d0d4bf002f63784a932f21254700b80cf

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
183KB

MD5
669dcf9b3039dbcc49036e00d4f5d1b7

SHA1
7535b878cf4beb6b52ec07cf30b8f196de6f59d0

SHA256
cab6e98af264cde3f1ed71643df1f0c383587012ea5b7fcffba5573097e038df

SHA512
87e7d42a1d967fbce1471991ef5b5eb3906240518ceda9e0d31147da072182bcae22f6c9ab2bb3f8d0e2f53fa2cdae88f52097f7dc6e129b5293777507f42b5b

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
57KB

MD5
b1cd37844361ea52398c9fec5b91aaaf

SHA1
a1b38be8e4425b4aebc558421f0ffb2f27a4cb32

SHA256
97a554475e1f0e179b0fe9f0c739bf912f7390de3bf76f0499c41ef1151ff05a

SHA512
205d72816b35b291624d17e4701a284a3feac3e102039f9571c5081daf983da3e630ee717ab35a3eb0466d156177ad19df76a684d1e03b3c0d919f3e8d11b280

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
232KB

MD5
5533b928bf877e52d680c26553f29063

SHA1
b3fe9ebb145576cfa7d8da60c998622f45bad069

SHA256
b5c46530a0f195c91a13dcf55605dee62bc2d5c54a74ddb82ef7430758d0b004

SHA512
559e9aff5f2edffe8738f7a12f2a7a7e7530e775186ae6346546fc7814fa7f939032768325fe871076f316284b4bcef44bbfd6b44220ed3dbc96d354ce9b626d

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
232KB

MD5
20b6d235845a272aedef4a4ed44d3412

SHA1
7a0dd35222910a0148c7d2eee2008a8a349afb97

SHA256
cb6f3ad98a27c8fe2378749f4269808bc213825e46fb84af4fdf47a34ff9ad4d

SHA512
405e0221f454829f652562400489f9eba2fae916411a47435f23788c50c7443d981459d6203f24bbdc961c7dc0c4ce130cb4c4a010eab8f3fa94c96978957af6

Download Submit
C:\Windows\SysWOW64\Njgqhicg.exe

Filesize
232KB

MD5
bae1efccb1e2fe731e7cec7a37def69d

SHA1
7ef426fce2e421f6428c83882c814a4864dd4a7b

SHA256
e34419e9c96dfa6fdabd9359423681fdac0241af5bac04f1172cfb83c40cd8a4

SHA512
26165d16e557a2e191f8da56fc13f20a8b5d19c9101fecaa26f75ff1ea49162c41a5c3ae5030c5c02d8ceeec8feda02c1cca4337a8c56c3900e267cd650c27ac

Download Submit
C:\Windows\SysWOW64\Njgqhicg.exe

Filesize
66KB

MD5
1f0b03c3a70510e2eacc867b206e30eb

SHA1
143bab6ebbf1bc4413b82162123c086a14eb44ea

SHA256
30414f5eb8e54ed58794d3dc8b8d4b63f66322d205ddf861bb3080edb18a6643

SHA512
065d119414fc6615724c67be0988be6a816c00b22280bb1eeaf359819cde24e69d74955ebbc0d12a7f30b24c7d7a2697f7f27e43b3cfdfae390a38a1d96b95e5

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
209KB

MD5
8362fb2574b0b2b1e7115bab96aaf350

SHA1
ab48063747af5ac0395a557243f1fe8140119b26

SHA256
048fd4faf7b19ebb7c028d236ce3a6aa4e684f46c5c7ac1f4f814799285bfd22

SHA512
7c16a33dad27810581ef58baa3cb23a130c2f2ca11dce61decdb1a0254ce18fbf8259fe46224e097ef1696ba3dae0f419fa1495429c5a2cd6be4299de4aef4b4

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
232KB

MD5
0b68e76cb71981cf7d5803782b0aec98

SHA1
ed5d884db00d76a4cdb134995c64c1c5c01602c5

SHA256
8a398ed394cdc2f7c8a81a29a42c2f40c1738242d6e87b64ad0ad573e304cac9

SHA512
5fcf937dd1175543f85b4829eecb6dc08ffd77ff0c082cece93c4bbb1a82cbe16eb2a2fbbc1b03605cdee9c3934383a027a1ed6365434a5b0189fbd81a3e3b66

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
84KB

MD5
c2a96ce63a29dc03fa78a00ac82230fd

SHA1
6924d905ad918214997e145bcbe508dcc3344a88

SHA256
d4f79eeb2241dbe39758bf3234a5dd45e8a19fd29e68ba81c8486e2cd47cb8c8

SHA512
ff5c813650c6675feca0b3ff90ee597268cd1a060340527dc78e5b2b28d6253f8610b6c9a9f0695371c1da3200142a7c0fbcf1dea18ece247cf116faed5b4927

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
57KB

MD5
2d2f36ae590322d37b6f91ea62fb0390

SHA1
e30bb4e8597e912d89c4ba27017ab78786232aa8

SHA256
e1c1d0f7bcf987987d993e0d2ef6480fc360fda624e28d16a24d4ed1ec1bba7d

SHA512
755f59d534ec9398b7741c1c60e6054f92502c0073a427affe87b4a595aa53f76b659356608e843c7341c0f21d543c6a88a7cca75c8751bd0e27de4395fbe921

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
1KB

MD5
b3e1bd30e7b9c2542267131691868f9d

SHA1
4413603d34ccd56a4a853bbd5afebe55aa7b2a71

SHA256
b042608b2d23bd0d80e0efaeefe71e196a29d320d0011daa987ff901b9317218

SHA512
951c9db05ae6298284c31f99ceaf92859a8bfc6f643b958d67a8ed87b21d4fa2884afbededc18ab5b27f5c86e592d82839ee61e2cb2ba3892ebb3f46b479a499

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
232KB

MD5
ebf6dc636c7d4bdcf0edea961103e3df

SHA1
e8766b7decdcb777fbf75cf4344060e05f35d585

SHA256
fb01b62fbcc79e2a6a67e8d47bed7fbfd1318275083190d8efd2cf35b9c7ddb1

SHA512
77269a5b9a05220de85891852347195d35a3bb946ffd5bf519063795cfbc284b9b7af5a9a64ace7e6f58db16c7de910dd06b54a199bae04b0cc1432bcd1011fe

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
90KB

MD5
4236132185301a8152eed93dce4cd186

SHA1
8937400486eed659770c1c4a1fb2b7cd5ca682a8

SHA256
3409285b2068ec9a9b972e832c347c53a569b55903e77344254e645958b5cec6

SHA512
e20de837a7fff5e6b61332472d8725ec78a0b3b502db63806724ec463a91b3d3208ffff89dd995d70c5eabd68cd17797ac6f8e6464fed0ce92b9cb8f23a56e8b

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
14KB

MD5
6c53857a77d697770fcf8eaadc7122b2

SHA1
b3a2425d605cdada17e474904501ab94b0e7651d

SHA256
561f4240b5c6541c4260c4dae4acfd41a4e9452b45c017a778e8dcb25819eb06

SHA512
54b52e651e658d15b3f4a26625003af77a0fb2cfeeb00b2ea77d1ae6ac6cf3eaece29287e4275700bb52c83f7a2a7ea58f1e93608ac6c95bd1eeba0dcdc57fc4

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
57KB

MD5
bea2fc0f512ca74b0fc03d92bfab6dce

SHA1
e8d18fdad2ff188f74c731170a9ba9f68ab622b3

SHA256
a89122f754f51d935450db3d2108de60c7b8a2a22df16905322235fd3c69397a

SHA512
c1738c9848f1eaf70cd06993f4011cb4ddd3bc7bbbcba38e72545d4f560d812baf8d77029280a355cfe9bc55d9013cb690d49b9d34d20ee9fa02d6c33f9da1bf

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
232KB

MD5
6d5c89abdfc53b4713d700e63b50e6cb

SHA1
3e73aa54ff95471db64650bd3a9a82951159a77e

SHA256
a0672c1913212d96c8191a450d27c94bc045b4696ba0d2c3598f00778b750e1a

SHA512
00d233480a519e8515d92b9b2069d29d885830c5daf23b4e90e555da42f5bae741ebf99dea37f2821f38866ff1260f59c965f61cdb5e3269175a806c047f53d1

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
232KB

MD5
c296c4ad979773db6279e85150fe30f6

SHA1
b02b5da33b4f602610f208fcb808559f912389ab

SHA256
a23b875364e3b9acce4b271da9b7b2995a3136c5c10163799e25f6ba8e38a941

SHA512
6663b80dfc1d4ab9b4532fb39442001cad473f7fda410bfcd3e90e1a8e9ea38b88aeaea91b7824d3a4aa3e95d141dd2cf3d3c4bd6297dabf805042270efceac7

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
232KB

MD5
baefac9b6edf51771f4ba0d610f7ff0c

SHA1
3253faaf8980ead8ce5e7451bd9ee739bc05146b

SHA256
7b3ed894cee6f1928b2db9afb7949f334728e5ef56a18b30394cf18d2b4b6679

SHA512
c24e40011c457c08d419ac18b7d4a4802bba47845f9fd5a8c731727270f65208bcc7284134d818fc9440a846e48f04113129c03873f7ff1a3eba9fafd6bbecf9

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
134KB

MD5
4e78b9a6b90b71b63b6629c07b05233a

SHA1
2a02686aeee7294544e564029592699fb84e3854

SHA256
f15af30cdfb609983da28602f200abda5b36fb875ada2a0d02bab2c3d98dad37

SHA512
d20bf407621637fa87e52e6a8f1b765449503eea11c3c064bfd047104d0588dac3150ad075c5eb07586db3f243a60e9ed703752e4a0f8bec8ec314af189fff86

Download Submit
memory/264-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/264-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/500-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/500-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/728-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/728-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/788-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/788-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3392-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3392-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads