21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe
Size

136KB
MD5

4610e7fd29c8e0c6b81d06f787418de1
SHA1

23c36ea1a3a928111504934387f1a883b6fdfab5
SHA256

21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0
SHA512

4cef87097de4c6ccf9f9872d412708bb5770b1dc1b9867bacda014fda07b203551bf95e061e57b34bb7686a41008af17abb933c98a9dcd9138727c453d38ce67
SSDEEP

3072:QhJhzSQ/sohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:uJhd/sohxd2Quohdbd0zscj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afappe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcgdhkem.exe

Executes dropped EXE 50 IoCs

pid	Process
4420	Mbibfm32.exe
4536	Nckkfp32.exe
4860	Ncmhko32.exe
2348	Nmfmde32.exe
4316	Njjmni32.exe
1928	Ncbafoge.exe
2132	Ooibkpmi.exe
3300	Ofegni32.exe
2988	Oqklkbbi.exe
4068	Ockdmmoj.exe
3496	Ocnabm32.exe
2548	Omfekbdh.exe
4656	Padnaq32.exe
3636	Pfagighf.exe
1528	Pbhgoh32.exe
4436	Pcgdhkem.exe
4212	Pakdbp32.exe
3552	Qiiflaoo.exe
5004	Qbajeg32.exe
5056	Acqgojmb.exe
876	Afappe32.exe
1324	Abhqefpg.exe
4628	Banjnm32.exe
2032	Bmdkcnie.exe
2832	Babcil32.exe
2424	Bfaigclq.exe
1396	Bdeiqgkj.exe
2088	Cpljehpo.exe
1476	Ckbncapd.exe
3504	Cgiohbfi.exe
2720	Cdmoafdb.exe
2568	Caqpkjcl.exe
4856	Cdaile32.exe
1852	Dmjmekgn.exe
4548	Dgbanq32.exe
4172	Dkpjdo32.exe
3356	Dggkipii.exe
5092	Dnqcfjae.exe
2128	Dncpkjoc.exe
3908	Enemaimp.exe
4888	Eaceghcg.exe
4732	Eddnic32.exe
4884	Edfknb32.exe
4948	Fjeplijj.exe
4024	Fcneeo32.exe
3500	Fjjjgh32.exe
4544	Fcbnpnme.exe
608	Fdbkja32.exe
832	Fklcgk32.exe
4636	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dkpjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ofegni32.exe	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Omfekbdh.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Edfknb32.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Gggikgqe.dll	Ncbafoge.exe
File opened for modification	C:\Windows\SysWOW64\Padnaq32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Enfhldel.dll	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Nckkfp32.exe	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Nckkfp32.exe	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Ockdmmoj.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Bfaigclq.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Fjoiip32.dll	21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe
File opened for modification	C:\Windows\SysWOW64\Afappe32.exe	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Ofegni32.exe	Ooibkpmi.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmmoj.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Eiahpo32.dll	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Fcneeo32.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Eaceghcg.exe	Enemaimp.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Pcgdhkem.exe
File opened for modification	C:\Windows\SysWOW64\Qiiflaoo.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Npgqep32.dll	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Pbhgoh32.exe	Pfagighf.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cgiohbfi.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Iaidib32.dll	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Pfagighf.exe	Padnaq32.exe
File created	C:\Windows\SysWOW64\Icifhjkc.dll	Afappe32.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Cgiohbfi.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Nmfmde32.exe	Ncmhko32.exe
File opened for modification	C:\Windows\SysWOW64\Ooibkpmi.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Deaiemli.dll	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Qiiflaoo.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Abocgb32.dll	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Pcgdhkem.exe	Pbhgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Dkpjdo32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Eddnic32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3088	4636	WerFault.exe	144

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Padnaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiiflaoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll"	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4420	4908	21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe	94
PID 4908 wrote to memory of 4420	4908	21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe	94
PID 4908 wrote to memory of 4420	4908	21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe	94
PID 4420 wrote to memory of 4536	4420	Mbibfm32.exe	95
PID 4420 wrote to memory of 4536	4420	Mbibfm32.exe	95
PID 4420 wrote to memory of 4536	4420	Mbibfm32.exe	95
PID 4536 wrote to memory of 4860	4536	Nckkfp32.exe	96
PID 4536 wrote to memory of 4860	4536	Nckkfp32.exe	96
PID 4536 wrote to memory of 4860	4536	Nckkfp32.exe	96
PID 4860 wrote to memory of 2348	4860	Ncmhko32.exe	97
PID 4860 wrote to memory of 2348	4860	Ncmhko32.exe	97
PID 4860 wrote to memory of 2348	4860	Ncmhko32.exe	97
PID 2348 wrote to memory of 4316	2348	Nmfmde32.exe	98
PID 2348 wrote to memory of 4316	2348	Nmfmde32.exe	98
PID 2348 wrote to memory of 4316	2348	Nmfmde32.exe	98
PID 4316 wrote to memory of 1928	4316	Njjmni32.exe	99
PID 4316 wrote to memory of 1928	4316	Njjmni32.exe	99
PID 4316 wrote to memory of 1928	4316	Njjmni32.exe	99
PID 1928 wrote to memory of 2132	1928	Ncbafoge.exe	100
PID 1928 wrote to memory of 2132	1928	Ncbafoge.exe	100
PID 1928 wrote to memory of 2132	1928	Ncbafoge.exe	100
PID 2132 wrote to memory of 3300	2132	Ooibkpmi.exe	101
PID 2132 wrote to memory of 3300	2132	Ooibkpmi.exe	101
PID 2132 wrote to memory of 3300	2132	Ooibkpmi.exe	101
PID 3300 wrote to memory of 2988	3300	Ofegni32.exe	102
PID 3300 wrote to memory of 2988	3300	Ofegni32.exe	102
PID 3300 wrote to memory of 2988	3300	Ofegni32.exe	102
PID 2988 wrote to memory of 4068	2988	Oqklkbbi.exe	103
PID 2988 wrote to memory of 4068	2988	Oqklkbbi.exe	103
PID 2988 wrote to memory of 4068	2988	Oqklkbbi.exe	103
PID 4068 wrote to memory of 3496	4068	Ockdmmoj.exe	104
PID 4068 wrote to memory of 3496	4068	Ockdmmoj.exe	104
PID 4068 wrote to memory of 3496	4068	Ockdmmoj.exe	104
PID 3496 wrote to memory of 2548	3496	Ocnabm32.exe	105
PID 3496 wrote to memory of 2548	3496	Ocnabm32.exe	105
PID 3496 wrote to memory of 2548	3496	Ocnabm32.exe	105
PID 2548 wrote to memory of 4656	2548	Omfekbdh.exe	106
PID 2548 wrote to memory of 4656	2548	Omfekbdh.exe	106
PID 2548 wrote to memory of 4656	2548	Omfekbdh.exe	106
PID 4656 wrote to memory of 3636	4656	Padnaq32.exe	107
PID 4656 wrote to memory of 3636	4656	Padnaq32.exe	107
PID 4656 wrote to memory of 3636	4656	Padnaq32.exe	107
PID 3636 wrote to memory of 1528	3636	Pfagighf.exe	108
PID 3636 wrote to memory of 1528	3636	Pfagighf.exe	108
PID 3636 wrote to memory of 1528	3636	Pfagighf.exe	108
PID 1528 wrote to memory of 4436	1528	Pbhgoh32.exe	109
PID 1528 wrote to memory of 4436	1528	Pbhgoh32.exe	109
PID 1528 wrote to memory of 4436	1528	Pbhgoh32.exe	109
PID 4436 wrote to memory of 4212	4436	Pcgdhkem.exe	110
PID 4436 wrote to memory of 4212	4436	Pcgdhkem.exe	110
PID 4436 wrote to memory of 4212	4436	Pcgdhkem.exe	110
PID 764 wrote to memory of 3552	764	Pmbegqjk.exe	112
PID 764 wrote to memory of 3552	764	Pmbegqjk.exe	112
PID 764 wrote to memory of 3552	764	Pmbegqjk.exe	112
PID 3552 wrote to memory of 5004	3552	Qiiflaoo.exe	113
PID 3552 wrote to memory of 5004	3552	Qiiflaoo.exe	113
PID 3552 wrote to memory of 5004	3552	Qiiflaoo.exe	113
PID 5004 wrote to memory of 5056	5004	Qbajeg32.exe	114
PID 5004 wrote to memory of 5056	5004	Qbajeg32.exe	114
PID 5004 wrote to memory of 5056	5004	Qbajeg32.exe	114
PID 5056 wrote to memory of 876	5056	Acqgojmb.exe	115
PID 5056 wrote to memory of 876	5056	Acqgojmb.exe	115
PID 5056 wrote to memory of 876	5056	Acqgojmb.exe	115
PID 876 wrote to memory of 1324	876	Afappe32.exe	116

C:\Users\Admin\AppData\Local\Temp\21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe
"C:\Users\Admin\AppData\Local\Temp\21cfba66268c9bf57e007a5bdc0c73515d7d746617d653091e8011cfaf3105e0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\Mbibfm32.exe
  C:\Windows\system32\Mbibfm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\Nckkfp32.exe
    C:\Windows\system32\Nckkfp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\Ncmhko32.exe
      C:\Windows\system32\Ncmhko32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        19⤵
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        24⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        52⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 408
        53⤵
        Program crash
        
        PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4636 -ip 4636
1⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abhqefpg.exe

Filesize
136KB

MD5
0213491dd7ac7d14216301b3a3e72b1d

SHA1
95fa4d8faeac24734b8a959e5212c1cdcad45175

SHA256
e96c34fe12f61aa1d621487fc853bc76e5f145c6b3798fa0736cae0eb09b0dad

SHA512
85e8fc49df78f60efdd00f0504d85f5b74013188dd8b405283ca26146bcef32b49da508b98678a8c45d719d8e07ce97a5fdfd1d485f2a59acf8767d653740e9a

Download Submit
C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
136KB

MD5
dc9714e20fd23d8e185568a4f6724703

SHA1
7ec8dec3c6468f67d68517dd66ad0d1d899f3c54

SHA256
edc320b096fcb578eea9c227c5b3ca6b9acb8fa3d437c6119946879a1a37a68b

SHA512
44d5ff241c6d3ef331d676860312ff087d7abfb19167458478ebeba51425af825a6351ab564bbeefcd1c8241ecdaa9bc09080f79afb89b2dfccc5e3dded5cb60

Download Submit
C:\Windows\SysWOW64\Afappe32.exe

Filesize
136KB

MD5
4b3d92a084a70c6379ae0c9421e4c79c

SHA1
5ce5b465b32642dd20f1b3afaa4603c0a5fa883e

SHA256
00d8332472734b93ef897e4ceee25f653af11e70414f4446039b9288a1dacb58

SHA512
0194842e9512cc3fe2f3de4437784755dc4d73174c13c3b77542570f732745c8ee4451f748cd1715dd50189ffcab399b65c8468124a55f577bed95501f5c66d5

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
136KB

MD5
9e9a3e6d7e8cc72cd7adfa09fe6da4c3

SHA1
455934fc525dccba19d360357e439d2dc322e69b

SHA256
8a01bc32ab3caad3c66db2aee9e980893c549bb7c809056fc72e334fe44f4754

SHA512
3c17e3ced419c39a120d36e631636eb1f61c5b1384cf680eef1719fb763eb7ad7ac2c44e07ee1003bbaf5fb0e88993ff5b858bfefd0e2c5dc14aa933bfd339d9

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
136KB

MD5
44b93c0255d7a8a209ac5348ed6c9ffe

SHA1
4c8d2c073c2785b64176a2c3b7c585f118613f82

SHA256
7110975df057e11f67b00f357ac1b77c4dedea8299c7ae69365d9cf9419fa921

SHA512
4dcc354f8f868326db959c3daea6eefad157c47c2eb9159421a199288c2bf655cba5ae1e6825d5dfc1d96690b430db503df19bc655bd547369afd88f246f479a

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
136KB

MD5
63613fb023ebaa99972763c01fd82e51

SHA1
f25b28cd37bd68e0ed124084adab3e9d0d917855

SHA256
24830447eae37d3afc1d0f06407426bebe6bf48c10fc4bf97904a737fec3b78c

SHA512
dd75930995686ab9abb372a250e4474ee1af093965acb6373b3df11efa901d2fde670ebb0826cb1f8cf111b36d44d001e68fe3c376e4826afd1a00b99906c3b4

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
136KB

MD5
e7f8e8f0b54716e47b0e48a2594a39e0

SHA1
fc6788c211d8133a57f0bd927dca75704f2c3093

SHA256
9e09ec762ab2afc02f116a7bd8a3401f9efb0cbaa0359d8cb649ff61f2965b70

SHA512
54b5f20921e4527c3e548a5860aaabee7dad6894b6acaf9d3ce38ccad434d16b7f8da8dd9e68a7bbfd8ad53fc41c382c0933f536cbdae8d277eff7703ca121e1

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
136KB

MD5
7cf77e8c87fc27e100832d2ad667fabe

SHA1
0cd83fa271501f72e8758e7cce8a79bf814320a7

SHA256
896d1520d2f04cb68b2588b25d91d4a056da52ca76155cda2a8d341b67c59b90

SHA512
115906c5a23844a05fb6b1be717b367d38a7e3663eecb858ec2300cd455d23368607c639ec87a3b2060a20b93ed514917e84da2588f5589b0e6b6eceb7a6a273

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
136KB

MD5
b8bc2a5544fdd7215e2421b3e9a98bb6

SHA1
80fb5f960e87d77e5c27a25d2966a8750b082eb8

SHA256
66394967441030264d898e5c452ae3bf410963917a98855430ecf11dde4532d5

SHA512
78a3a9becd45caedf92b5d4e4f44ca761e869d2a4e2da60fbc8cd8c198c696c469c7038837bc2ac5b8e6dc4216df1208136efd6c7f15d52ad2213e4f973ed459

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
136KB

MD5
303a242c0f209ab0c3548704623fd0d2

SHA1
15a3871975571a8fdf286aa48282844445845979

SHA256
3c422758a2b457de9ced5b95094cde1b938cc7126fce4e1d495de68554aa69b7

SHA512
977e49f5b23db58fc8982133885b1ed2a10ddca6665cba0ba0b6217700baf82c3802fdc07ccb74539205a7c2a7b39e5921fb9ff89c1e7251d61e59c5073be61e

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
136KB

MD5
d57920a73ff26d79ca3d67f01bb1fecd

SHA1
168051ee5e04628f37f7c557ef29b37856f651d0

SHA256
91073c5920b7e2355ec5f762152b62d58490e0568edf3e22567f953de6d04dd9

SHA512
aefedbcce1ac8516c925996d469630911276e5c010a0162efc023c2d60c6d248f3214a0bb10d68382c965b56755c2b5a4f82cd09c7699d5c0030ae45ccd3813d

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
136KB

MD5
ee6afaf3719fe5cd0188465b0727039a

SHA1
4c48128d03b118d4c976c1bacdcb5c9e78dd60de

SHA256
2b6d0065b03b0db9cc3a91a0f08a42d3467e3a0ea3343991941e8e7bc08eb9a7

SHA512
cd0a611a8c84eeb333731a0384429dfa21167701ae53756752587be26fabcb199c2bac6ff269f1762c70a3b6998219439b5d3530ea5990dbcfabe1986c42eb0a

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
63KB

MD5
c03ad5e403c6c1218861f4888bcec304

SHA1
6bf77505d76918a28aa049bfdbb4e6ff8e0a835b

SHA256
b763dd5c8e7f915fda72b838b27a4720b9bbe65993d31274832be91425fdd6b8

SHA512
cd72aec6613c709a146b1f97acb440ecd6d9fbf9a813d2c68a1a89e8d21e40b896ba2b87020d666c93b0ebd4b7ac5ada89bf64cad1f6b9bc6ac7f751e143b7c3

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
136KB

MD5
f4533c381005084a9e9685c07ea9422f

SHA1
9526ec75e9eafaf665faff0894bce4615bba0960

SHA256
de6c734d15c32816d5f201fd1c35ec1eec94c17162a1b7dcee278ed37d22f07d

SHA512
3831b26f708f8e8302d43432dc4886f7e1f549bf7bb36852d41ce6be153a0dbd589547ab8d644141365d8b7601106fa02c993875ace333b8933bf97be7f81e37

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
136KB

MD5
e88f546ae8963746b64242575f64eb1a

SHA1
418a7df896c8df6a7c86d2ec7ddaa85798b1e1b0

SHA256
34545dc3a2f084072f67b758aa6699e91290128b3ea6b1cae6db81710b262b11

SHA512
f74786f1caee0261b141c8ef0a01b7af7a2c19f4021474a5fa3c865e8fac87ad72d65be4a59ca09c59947ba8d2008ea500b8b1f372696f702741f147ec8f4e1c

Download Submit
C:\Windows\SysWOW64\Mbibfm32.exe

Filesize
136KB

MD5
de4ddf3611dc41aa874b067bc2df3a95

SHA1
539a2ff0bd4f64420b8a5f3c91d1b4a7a7291e1d

SHA256
bc9f8bcafb62c3d9bd3a4fc068078af4127735e1376d58e6d985b3d79973ad5f

SHA512
79d6c0e3e0cac88240c9885de67fb9f5a62d72b6ac13c1d17b4029c04c6106b49e6f2984f5ec5b845d535884c27641b2cbf648302abd51c92ef44732272a2ba3

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
136KB

MD5
51a39fe5393df599b6f6b338c4f56281

SHA1
de3c593b85fe67072e7d23152c7e3dc1a6fc4afb

SHA256
cffe9e010087bea65cd108cfec6934c024091ef6d239efab42efee99f03c045a

SHA512
5ec943e05079ceccd1a9c4ec08b8a0c025ada57a943ac367cd771751941788f4cf3129b434883e8233e729e411a15a72d43ed86512235cf631a42226f7d31195

Download Submit
C:\Windows\SysWOW64\Nckkfp32.exe

Filesize
136KB

MD5
cb887d1a430dd309bbd17e4a49ade017

SHA1
62f016a68754dae44b302b138ade581d66f2c9ab

SHA256
209fc5838c3d73025c46ea33e31c10f496bb5a39c9daf1e8a55b31a6655c7596

SHA512
c3640cb2764c70219eed28be4c265f2fd9e0d77e2e563ccfabf72173724b0694bf4eb0fd8ad190438f29adb664b59d18670de5c22d278a3599e6eec5216dbe34

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
136KB

MD5
b180b118d73051f1c9f0e3be8ae072f3

SHA1
5e15c9d6eb3842cb2efed5d04084638520432030

SHA256
e339a1fc9778a0e179f360d0819a6f1360cc499fe0367e05c50fd50794372eee

SHA512
3c3d6d71d1e0696ec6e6a6a922296d515279b276b4a660026d4f6c8ca8d6b38cc3df8dd39b841657340ab4c607409614c85c0af8b068b07576c89dc68f517bb2

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
136KB

MD5
73ed2d0c1cbe2f415ae39477db9e555d

SHA1
43e1d9d3000677079a5f647a35e02c600372b979

SHA256
36eaea489b68a5a37a87fae07901eba7c6752a3d782fb4b3f4822bf44e5fc8b5

SHA512
89e2f717423d3e88382189356a7aa1ad16df412f0f2516a2e3b1fad691a96fde71dbc863402d2a7e2cea7d3b5a00054ce79d67803dfd6782422647ac6cee208b

Download Submit
C:\Windows\SysWOW64\Nmfmde32.exe

Filesize
136KB

MD5
0b4c57c4ce6395697163685337b764fd

SHA1
246728408c28bbe853465d81f14db8ca952d0751

SHA256
c3bf8a421478d36ba3735871720284ce7fc6c39716727dfc7289e9b8e1a5b7fa

SHA512
3c67772d2782b3cc38d94bc138f40694c9d3843c92813d2dcc5e090ae298dbf3b2a0c44d09c68d094bf6b4043cb01638ae725d556fabc3fdb34a2ff299ccbd71

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
136KB

MD5
a41ec2052f4baa8409550fd931b4ee90

SHA1
a876f4c1ee8349ee2a6cc7d027bc0efb0a499fce

SHA256
45aebcceb9e50c009d26c974f381b0b201902926b297a502ff1a039f8f27d62c

SHA512
f3a55d7935b3e9b667afcaf89217b6714900dad053ddc9504b2d5eabac7e9e0a7e3069d1a3c53e35a0ca2e5994019de7fb46b50809d81fee4e6c2061d3ebf4e3

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
136KB

MD5
95e63866abed25bf804a2bc49e9221a3

SHA1
f75965995525d671bc67425d4bd408f8939a87f1

SHA256
d1f152fd214f71dd90acbd04c0c6bc0f51d4a78115b5d20e010dc6bc671f9d80

SHA512
7aa3774bde5dd971870454a0a1f19bd7515045706a2b4551c58213afd68203c720b39f5416026c2bf5e96d7531d234adcf58dc9d6d65b4e89688a6f22dfca63f

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
136KB

MD5
cc878da5f23300cb7f2111394522a007

SHA1
b318137c16cf52be433323a016d8ccbad9abfb42

SHA256
a6936d041396b99f5d2ca47aa83384865f85b014d63e371aeb7b8594816f16cd

SHA512
b8cf739141ace4b5198aaecf75c3c08fe5f0df01f84f7bfbe29fff93b92e75f58f2a1ee32139abac6525565ff8c3a84511f59feea1f5443f5939be63c0bc51d7

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
136KB

MD5
92ba53b5951ab43fee93b2a6afc965c3

SHA1
6376d158f0fe1f629c3f06727ae60f58c1bd96d4

SHA256
cbe59c43c82d02cdfc9933535219ddbded5e6b6717c0097a6cc170785b66678b

SHA512
ce8bb578eae7f5a68d7b125cd54a2bdf90def4f34b0c198ff81192c46f9270936173cdd414caa6914a0a78a5bca5c6ddd37fa05422b74eaec735cfcde7911d14

Download Submit
C:\Windows\SysWOW64\Ooibkpmi.exe

Filesize
136KB

MD5
28ff1ebbfc22081cdd3b82cfc3c12283

SHA1
cc7d746d600e774c1f832dcaad6f2cecb10cc0cf

SHA256
877bb6675a0fde15eca7459f3816d6d38e5c6efc14fc0b17f7db1801b4d2b22b

SHA512
1b5666a0fe650e328fcbbb468ed73ae450b71b43237a755c29195b26afd1c675e98b7fad816128196420f448425d47782c08166ff72a7b918f92d10b97afbe2c

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
136KB

MD5
91e13250751d776ce7d34a5624d25c9d

SHA1
51ece5f09d18e1fe6c7e2ac6e6c89e5f7fb7c90f

SHA256
2ba60b6db8059247022863b18504581c730af997ecc9b127c88874c1983160dd

SHA512
68fccbdd6c5e5325ae387275f43a0671828d93591feb367229ecb4705865f41162b7d769d4bb6d7f1ab54610bcadd14c00fefc9d93ae5507c240202b4e33d9b0

Download Submit
C:\Windows\SysWOW64\Padnaq32.exe

Filesize
136KB

MD5
10ccad20898bd0bacbad40bbfa7ca454

SHA1
1fb671b7fa9d8f261ad7da36826f18b3e33790ca

SHA256
dbdd691fc720801503f1d1ad3d4e6b706780b0a8a46c47fb17ae48126f60111e

SHA512
921755f2cd21121befba511de14263be694ecf577aba49d58ed31874049b5e905871d9f8b980d13c8c5bb03393b59deacbbaaf04de9a5d27479b31f20a2dcb9a

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
136KB

MD5
6c8eba3e33a67f1ec32a6705477c5622

SHA1
650d15e0ed41b0986d345b3426ef7885c81ef09c

SHA256
dd4aa861ec503ea70ba6b2bd068e6bc3fb3edd6affd4f2f22df4245808035587

SHA512
a726c26f7eac351d904a8b40afbef3db6f4ef8f1b8ad77a6cb29b3d6df49c29f4164a2855fd987626e2817e986a7f4bf1127b3737080c7707b8bf080d8cb7131

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
136KB

MD5
c26805679309b84c04e4323eea10ef40

SHA1
9e6be20c712e3ae19a83b248e5db9f8efbea3baf

SHA256
84873fee6eb11fa41021494502e8d145ad80a5e1cfd836bc9d911d7f353ed89f

SHA512
2147fda2bb19371d08cb7430d5d350df2da489ce4cb64af2ef7409e56de9ce7b1efd0ab3e21ed49941e12c87783a97bc7f39cdae97d442653d36c72c0437a0cf

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
136KB

MD5
be16658c6aadf2512d5427313a5267ee

SHA1
bb173438c96f5e59b0c524d4527603256c493eb9

SHA256
ccb4ef65fd57091fc84ae8db224bb51dc774ce08726e000f6aa5e387b651d154

SHA512
5570698da43034dcab5c038039a9b78648400eef569c43159bf8ad7853fad9cbb6a33eea4d330e6311b3ac5e867d876d9daf3855897a9dd30a4c914698d062cd

Download Submit
C:\Windows\SysWOW64\Pfagighf.exe

Filesize
136KB

MD5
57fd563c85b13a4665fa67f54a9a88cb

SHA1
f21648d45a861164b8dbb5b71b287185ffb391d7

SHA256
1f01f381dc70177c6bf1f70052014aa571b604a174c6009240ae08f1d30de4e0

SHA512
b55f8372650901d727ca3251a8bc9b8cca348422e243a9d555a59ff6d38ef4b461b662beffb71d9d0670a53bcb30cb1d09d175d69309513306c122c5905910f6

Download Submit
C:\Windows\SysWOW64\Qbajeg32.exe

Filesize
136KB

MD5
df32b4fa72a44e4d9855b33dccb8d308

SHA1
00278d02dd3a1c11d0a028c8a5d02ac506d70757

SHA256
7dc67e89586c3140d03f0428017778a67c7f68fb9fa37b5a106540ab2dad89f0

SHA512
7b466291fc8dda16e78dbbc4cbd7556ecf87f15f07cc293bfb7189b021a55c9922e1b8b03c84ff7fcf1f17f17eda532cc73742a7ecc8c29245e29d2a0e5a59bb

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
136KB

MD5
c4fbc39ab87c0a859583e450243e08be

SHA1
9ea46f89a8e5bd3c449337b62ca85cb44b553367

SHA256
ae7c8a61e59adc0af7a8dbe521f25895824b031b1cfe7f6e0e1965be60e346ed

SHA512
f90469d4092a4a052dae2f6ba02edb49fe83ce8b712e25bf4bcf8c6232437995aafa214dd97d3865d1f3e54503ca3712469a7bc2e8851fecc4e363801cdbc4b0

Download Submit
memory/608-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/608-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads