af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 23:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe
Size

59KB
MD5

ce08e500efd5cfd2d550cf4732a84457
SHA1

96a7e0eafaa9b997cb4bb666503ccb33c92447c7
SHA256

af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3
SHA512

300e076756821a7f2aac3929bfe891dfc624c0f3a527eca583d4435dc58492476090f52f7a05a2b0a56e37a287246d356d0543019a2bdf520f59cf725158d886
SSDEEP

768:KOoLXk6LEt8QeLAIj7ttg9X5sBkXYmkLOZxhGfFZ/1H5lQi5nf1fZMEBFELvkVgs:81Ytrqdj7MJqSYZLCU1FNCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdhmnlcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifefimom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnjab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icplcpgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecmijim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmcojh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ildkgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe

Executes dropped EXE 48 IoCs

pid	Process
3624	Gdhmnlcj.exe
640	Gcimkc32.exe
4744	Hiefcj32.exe
1460	Hckjacjg.exe
2808	Hmcojh32.exe
4212	Hobkfd32.exe
1272	Heocnk32.exe
2828	Hfnphn32.exe
3752	Hecmijim.exe
2060	Hmjdjgjo.exe
4596	Hbgmcnhf.exe
2488	Ikpaldog.exe
3408	Ifefimom.exe
1584	Ipnjab32.exe
2640	Ildkgc32.exe
4912	Iihkpg32.exe
1852	Icnpmp32.exe
800	Imfdff32.exe
4940	Icplcpgo.exe
3384	Jpgmha32.exe
2520	Jedeph32.exe
1556	Jpijnqkp.exe
1516	Jfcbjk32.exe
4344	Jplfcpin.exe
3864	Jmpgldhg.exe
1772	Jeklag32.exe
2840	Jcllonma.exe
1844	Kdcbom32.exe
3460	Kedoge32.exe
4728	Kefkme32.exe
4164	Kplpjn32.exe
4444	Leihbeib.exe
652	Llcpoo32.exe
4780	Ldjhpl32.exe
1276	Lekehdgp.exe
224	Lboeaifi.exe
4788	Lmdina32.exe
216	Likjcbkc.exe
4684	Lljfpnjg.exe
3744	Lbdolh32.exe
3376	Lingibiq.exe
4312	Miemjaci.exe
1316	Afjlnk32.exe
1704	Aeklkchg.exe
2936	Ajhddjfn.exe
4400	Acqimo32.exe
4076	Dhocqigp.exe
880	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmdina32.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ipnjab32.exe	Ifefimom.exe
File opened for modification	C:\Windows\SysWOW64\Iihkpg32.exe	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Fkgoikdb.dll	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Jcllonma.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmha32.exe	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Hiefcj32.exe	Gcimkc32.exe
File created	C:\Windows\SysWOW64\Enoogcin.dll	Heocnk32.exe
File created	C:\Windows\SysWOW64\Choehhlk.dll	Hecmijim.exe
File created	C:\Windows\SysWOW64\Eheqhpfp.dll	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Hfnphn32.exe	Heocnk32.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File opened for modification	C:\Windows\SysWOW64\Hecmijim.exe	Hfnphn32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnjab32.exe	Ifefimom.exe
File created	C:\Windows\SysWOW64\Npibja32.dll	Imfdff32.exe
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Jpijnqkp.exe	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Nnbnoffm.dll	Jmpgldhg.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Jeklag32.exe	Jmpgldhg.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Dbfmkjoa.dll	Gcimkc32.exe
File created	C:\Windows\SysWOW64\Mpnaemnl.dll	Hmjdjgjo.exe
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Jpgmha32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Hfnphn32.exe	Heocnk32.exe
File created	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hmjdjgjo.exe
File created	C:\Windows\SysWOW64\Adopjh32.dll	Ildkgc32.exe
File opened for modification	C:\Windows\SysWOW64\Icplcpgo.exe	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Ikpaldog.exe	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Imfdff32.exe	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Heocnk32.exe	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Hecmijim.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Jpijnqkp.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Fqqlehck.dll	Hckjacjg.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bgpmhl32.dll	Ifefimom.exe
File opened for modification	C:\Windows\SysWOW64\Imfdff32.exe	Icnpmp32.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Imfdff32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
564	880	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngndc32.dll"	af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfadpi32.dll"	Ipnjab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Choehhlk.dll"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkmacoj.dll"	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckjacjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imfdff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll"	Gdhmnlcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnjafgo.dll"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnjab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmjdjgjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 3624	4268	af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe	88
PID 4268 wrote to memory of 3624	4268	af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe	88
PID 4268 wrote to memory of 3624	4268	af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe	88
PID 3624 wrote to memory of 640	3624	Gdhmnlcj.exe	89
PID 3624 wrote to memory of 640	3624	Gdhmnlcj.exe	89
PID 3624 wrote to memory of 640	3624	Gdhmnlcj.exe	89
PID 640 wrote to memory of 4744	640	Gcimkc32.exe	90
PID 640 wrote to memory of 4744	640	Gcimkc32.exe	90
PID 640 wrote to memory of 4744	640	Gcimkc32.exe	90
PID 4744 wrote to memory of 1460	4744	Hiefcj32.exe	92
PID 4744 wrote to memory of 1460	4744	Hiefcj32.exe	92
PID 4744 wrote to memory of 1460	4744	Hiefcj32.exe	92
PID 1460 wrote to memory of 2808	1460	Hckjacjg.exe	93
PID 1460 wrote to memory of 2808	1460	Hckjacjg.exe	93
PID 1460 wrote to memory of 2808	1460	Hckjacjg.exe	93
PID 2808 wrote to memory of 4212	2808	Hmcojh32.exe	94
PID 2808 wrote to memory of 4212	2808	Hmcojh32.exe	94
PID 2808 wrote to memory of 4212	2808	Hmcojh32.exe	94
PID 4212 wrote to memory of 1272	4212	Hobkfd32.exe	95
PID 4212 wrote to memory of 1272	4212	Hobkfd32.exe	95
PID 4212 wrote to memory of 1272	4212	Hobkfd32.exe	95
PID 1272 wrote to memory of 2828	1272	Heocnk32.exe	96
PID 1272 wrote to memory of 2828	1272	Heocnk32.exe	96
PID 1272 wrote to memory of 2828	1272	Heocnk32.exe	96
PID 2828 wrote to memory of 3752	2828	Hfnphn32.exe	97
PID 2828 wrote to memory of 3752	2828	Hfnphn32.exe	97
PID 2828 wrote to memory of 3752	2828	Hfnphn32.exe	97
PID 3752 wrote to memory of 2060	3752	Hecmijim.exe	99
PID 3752 wrote to memory of 2060	3752	Hecmijim.exe	99
PID 3752 wrote to memory of 2060	3752	Hecmijim.exe	99
PID 2060 wrote to memory of 4596	2060	Hmjdjgjo.exe	100
PID 2060 wrote to memory of 4596	2060	Hmjdjgjo.exe	100
PID 2060 wrote to memory of 4596	2060	Hmjdjgjo.exe	100
PID 4596 wrote to memory of 2488	4596	Hbgmcnhf.exe	101
PID 4596 wrote to memory of 2488	4596	Hbgmcnhf.exe	101
PID 4596 wrote to memory of 2488	4596	Hbgmcnhf.exe	101
PID 2488 wrote to memory of 3408	2488	Ikpaldog.exe	102
PID 2488 wrote to memory of 3408	2488	Ikpaldog.exe	102
PID 2488 wrote to memory of 3408	2488	Ikpaldog.exe	102
PID 3408 wrote to memory of 1584	3408	Ifefimom.exe	103
PID 3408 wrote to memory of 1584	3408	Ifefimom.exe	103
PID 3408 wrote to memory of 1584	3408	Ifefimom.exe	103
PID 1584 wrote to memory of 2640	1584	Ipnjab32.exe	104
PID 1584 wrote to memory of 2640	1584	Ipnjab32.exe	104
PID 1584 wrote to memory of 2640	1584	Ipnjab32.exe	104
PID 2640 wrote to memory of 4912	2640	Ildkgc32.exe	106
PID 2640 wrote to memory of 4912	2640	Ildkgc32.exe	106
PID 2640 wrote to memory of 4912	2640	Ildkgc32.exe	106
PID 4912 wrote to memory of 1852	4912	Iihkpg32.exe	107
PID 4912 wrote to memory of 1852	4912	Iihkpg32.exe	107
PID 4912 wrote to memory of 1852	4912	Iihkpg32.exe	107
PID 1852 wrote to memory of 800	1852	Icnpmp32.exe	108
PID 1852 wrote to memory of 800	1852	Icnpmp32.exe	108
PID 1852 wrote to memory of 800	1852	Icnpmp32.exe	108
PID 800 wrote to memory of 4940	800	Imfdff32.exe	109
PID 800 wrote to memory of 4940	800	Imfdff32.exe	109
PID 800 wrote to memory of 4940	800	Imfdff32.exe	109
PID 4940 wrote to memory of 3384	4940	Icplcpgo.exe	110
PID 4940 wrote to memory of 3384	4940	Icplcpgo.exe	110
PID 4940 wrote to memory of 3384	4940	Icplcpgo.exe	110
PID 3384 wrote to memory of 2520	3384	Jpgmha32.exe	111
PID 3384 wrote to memory of 2520	3384	Jpgmha32.exe	111
PID 3384 wrote to memory of 2520	3384	Jpgmha32.exe	111
PID 2520 wrote to memory of 1556	2520	Jedeph32.exe	112

C:\Users\Admin\AppData\Local\Temp\af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe
"C:\Users\Admin\AppData\Local\Temp\af160ed007ba26e241723c86a0c6763d18d69067263d337a5555baf5df7bb2c3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SysWOW64\Gdhmnlcj.exe
  C:\Windows\system32\Gdhmnlcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\Gcimkc32.exe
    C:\Windows\system32\Gcimkc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\Hiefcj32.exe
      C:\Windows\system32\Hiefcj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        50⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 404
        51⤵
        Program crash
        
        PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 880 -ip 880
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
59KB

MD5
373e8de7b4876596cf0bd61676dcb109

SHA1
3b3de9dad2fa61a0829ec9f3fd642bfd96dfb4d2

SHA256
9895d7cd91acac7fc19baf43b002cea26ee1cb17857cc13a262893551bd48aef

SHA512
c531cded445247511d5c9639ca4dd54dd576b46eddd8685b77c7476d0b49dfa81267d881e09b034ce4d1f9a9efffa997afde188c50451c1ac34388c6508b4a3b

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
59KB

MD5
5f0276fd385a6fe129423be81f61900a

SHA1
73d60abe445cc5a60b6cc7d80bd9a308feacb0cd

SHA256
305051be5669fbc1046a3f7ab02f9c02dd844132d1ecdc217673bce257589ad9

SHA512
ea1661afd97bfd37ec3e0022e2bcf6653f7c352ee80de96e718df3893d53078574081b53b34611bc095d50d62b56a007823c0815aff9a8cef79a4eda1e0f1391

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
59KB

MD5
efbc3cb3ffaecb69655323cc2d800593

SHA1
916ff162ed08b17bcbe3e0001f26636473773c88

SHA256
0f0bc16a2131e48bd52bfa0b8d3172373316c21a1afff442626f69aeb590e93b

SHA512
4c4de8a0b1e3f57a02f902307dff0f6268ceabc018b0c1df4cd6c0b9eaed3de8b0d8801cfc670645a76c118a3edca2e91abe32fe92420184ae31f4b25eead7b5

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
59KB

MD5
4c5fb2893735c0afbbe31ea69e687550

SHA1
cdbca8aa434cc373e6e4059b870f9c5d23be96b2

SHA256
88c015f19957ebd98a34794058d91621f981194a9650fc4f75a26c1bc5c0e485

SHA512
bebd2fcdfa2b483d0fc486e663f15bf6f7a81e6bc59cc0479157974e0e3f0d2b60b1f00c257fb46421f244fc094b5f6c036936cdff97d63eb6962d966412ef0a

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
59KB

MD5
72ff44d1e520e2f03c4ffa0430c4996f

SHA1
30a5eeefa21507b088d8b4105ef2d4caa5df6dd6

SHA256
606b3e76aa9661e95225e6e149cccd00bfecdff04fa159cd1f763f14adfc0af5

SHA512
00a053029c139518f0f20d33e782a817c68d0c3e0ff0383b1faf98b99891dd98f2db6eb75e449b9384311fbe80676e63ff414f7a95539b58099eeb67f44299ee

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
59KB

MD5
c76660e320aa9ad7f6d8aca3e98a0619

SHA1
bd8e4c5f09be643d72f7787b7e84bc19b5bc281a

SHA256
e76ce092cc53f2c64f996dfe2da14c6bd44e1f441813ff69be6304f160fbaa2b

SHA512
808b935c2784502e97a55e20305722605d1abc6965dbc58873b5457d101622afdbca07de8ea81ab951765d8d4ce836a0950ff7a5341058633c9a1c1adc9b7751

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
59KB

MD5
0a9d5c2e80bde305f05049980e4c034f

SHA1
666bb39b52092f69f416319af89e818a01d669f7

SHA256
fd0d9f40208d7ee5f2167772713bfbc781fbbc876f819eb231fc1351160da4fe

SHA512
6f6ddf168c6e6d98bd4acc05f4a988a7ec3ba263664f8f8b94ddb40e3cdb0b6317793e83ba961df7ef4ec644b1abb3fe4a5b17aa0b143b19838649fc2dc2a51e

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
59KB

MD5
116418f2b22af0b7b5b4b6ae3d047075

SHA1
d7d8e386ba7b82c866c6b720416900d493475ccf

SHA256
a959ffb708379572cd07e97cbe228e4ddc4af40846bd74215f7fb7dc0151555e

SHA512
2b91f39de89b08f9a6c6eafd63c6cb86cf2143ebaa04b4d20d5d9edef31fc50fc173b32a04ff293c05981125905ffdf43e8416582d412ef978b572286addc7c0

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
59KB

MD5
650c73436a67333ced9eff69516cd903

SHA1
57d2ebd41a914bf106d46cb5c3bf6dddcadf89b4

SHA256
720738b2d35191eb65a9b13dca749555a1d28ba1e60b6ac53ed91ac94a21e504

SHA512
867c9fab044aa20e5efc232a510031c27eda3722b3a7b4d9f930be34fbad0d3017d06faa27a10ddfb1edc668baf2f21281cc4cc7fca9fc30fb2c5a184f1f5975

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
59KB

MD5
79b32ec6cf08bbca1e0e6671c5abd627

SHA1
a8348f56b295f2a1358dbc269b91488df77edb55

SHA256
266fd23c3dbaa1d4629988c2db2b706d48c00393c4fddd90ad388a570d68bfc6

SHA512
3973d9082c43fbaef6ba5f85173d6e5fd82c7e0cb8fd3ca205ef53a70c7cb6f9f6b9af961256dd0d335e1da63e0bea133d180a37a3f15fb23fb64872cced59a0

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
59KB

MD5
ba90702df71a092105a466fa6e1b53c7

SHA1
cb7575591672f356947461110e5c7d7144c7f042

SHA256
1c17dc8d97b880e0da2f3f935d5d78cdf7307452f4f55804d7a97e5d9cc0269c

SHA512
2a91ac00c69242b29e1a4f75c44c60216107cf6850246b745064c3c5fd4248daa14f81e73f2942b1953e7d390e55a4e88ee06188d94c6561a127923cd9f5d3d3

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
59KB

MD5
85a498396f5e652ee07450c35c365a0c

SHA1
887253c29b419b8140b6305774ffc7d15a5b2e6b

SHA256
1113a2fd7b0124b5aadfb0d16d059ac7345bcbe27b1740bd0cc1df78d5f14e0f

SHA512
3f1c82775e752332e2bd4bc12ce1a3f97d6192388c32a7e690eae077684065d53c931aefaa1311046306ac8d7dc06522ba8a96760b046c0e21394ab5d829f37a

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
59KB

MD5
97acd776a033bda5b9fb481390a362a3

SHA1
cb6531399101ae64084719094b5b8d146efe9e2a

SHA256
57f385cdd23b7e403f6fd53995860a83fab5c560412d1f21cbd8ab567cc034e6

SHA512
20bdfae0ea8a2c8c62158b0a8ad934a5a402dde7d932acc6ea35b0c6c46e9c2832a6aa28745ec0c1e0a24d965229e3981a70e1a31d9c348d983750396caab67d

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
59KB

MD5
a25ac2be8999084059e3a6a1cc90cfbe

SHA1
24e743072f559d79ea912ba9f8fc240a9043bdcb

SHA256
14f990cacf3b5319626494553a051fe52482420b0689a70a7c8282dd06b14975

SHA512
84308b7ab67027b3e133623968a86d402c4db405cb0a41f7763981563816dd3f690611877e54334f0f29c43916baf8d5ca338c189b8d756e4fda87ada0b9fe91

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
59KB

MD5
421709f0138eabd35c27c5512c63be07

SHA1
50e4461e44aedb892765df356395e6f3a42055fa

SHA256
0a9e75421fd9cdd33733f67d231163b8f65e428421087a9a19d3de9b64744bfa

SHA512
041a087b669a26630aead0f8b45816434f104bf2894220d48ffc68025fbbe7654df7c8457ad60f465c42bc7b20bafd1c104cd676622ea2288a0e98c1b06014af

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
59KB

MD5
168a785302b203c3afc4ef375ea8bd7b

SHA1
c8f3b3ad54415d33db13ec81b75174315b0c63fb

SHA256
2dc053559a52b1d7b47fe8e3c98d068f3b1b7f0a104053bd400a6401ed605422

SHA512
c4794a620adfcf1bfd1a9d8c1a605292be61149ac8768fda950b1b0d4fb87359425db2956b5ed1d2c8880903335d250628bebd44a4841294db2048789a6a8c83

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
59KB

MD5
d29c70185fdbb91916ea20fcc04434ef

SHA1
b40e2c8624fb4fa0b33ac287b738affc22b00edf

SHA256
31230d3c2fae22444191695d4a73b600ce24b4480bc7317b8e46416165ff3362

SHA512
4d3161e1efe8f480df8ad8b9b9f219999af6aee47ed7604dae55354110db51fda5e757357161447340685cad5b7cdfae838c1157836964176a09bb390c04d329

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
59KB

MD5
fe12116c25a8a1556183ce19c633cf1d

SHA1
f7b3e97286174e507675c7712585abe47f598efb

SHA256
eb1cf4da6f6046584b1aa7756034c1e0372f6b20ffd78b98c0eb1f4c681ecc2c

SHA512
8e91e72dbbe3d356b5f365708b33630c30f26b0be1465f84ce7137eaacbce9810a18afe45cec12ec2cdbd1b8366b890444cb9eb913d710c8a676092ef200cb77

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
59KB

MD5
dfa61bdee2f9a69de78197b1597fb22b

SHA1
10c52449f5f65b4da94dd4bfd290891e1f3633e0

SHA256
cea9f18b9dec13b7c7a7942b85eb44fd8270f95035542ae4afb0e757c1bd59b0

SHA512
9f128682665663a3a04267af951238656d46494199353a28068bf4e95aaad39ceb7f1edd8349e20f025e2b3561533325391dacf7e816492d73c358f07861ce14

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
59KB

MD5
b925e72203a987dc510cc91d96167288

SHA1
48828aa7bbd0f1d64b0c34c286570a97c9c474c8

SHA256
b8c2fd267ae032660af63d45905db30f945bbf46b8240994d1f5255ec7edec1e

SHA512
0da0bfc5e8ce8b755fab6ecdf64fb32a1f943c87a66b8c8759480ddd54de6d49dfc37dadec835181347c809c1887f116600aa91e8ebc345a2ed55e767e0aaeb1

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
59KB

MD5
db4f7c43285c21ab2043bd3c98e9ef5a

SHA1
c9bf4c1b450b44d2c1cb602b39e269012aaefdf4

SHA256
0abc57aafb7179221773f224d872f895476cc91d2fb20a12b220c8452d9b81d4

SHA512
5d4552714738842c5c25521819263e34d692b9820cb07e7d9917c8f851b1fd23e4da48400b63612d8aa8449749316446c9edb7cf4fe4f9af4a2568218bfb0fb3

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
59KB

MD5
5d0eb22a0d5e1e6b172012616079cd32

SHA1
fb3c5ce02d98432f2578cd6e583fa2d20f48909e

SHA256
668a51acb7de52fa88c902e9c0da2a42aca28e39c0fbc4e9dcfb10582c8d52b5

SHA512
13e67f112825582deddec8567771f11f9fe1641982fc60423c4adcbd63c59e212e22b84a31a04d0e1037df7764bc2ecc4fd437064eabfef279579b1ba7b0e676

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
59KB

MD5
cc61392aa85e3262cb97a0ef50fa7dec

SHA1
7bffefce2ff10fb9a6d058ddd3849b63ca4f89c5

SHA256
80f121d5f1eae26d89e880a4a11f39d4eabc7fe4adff4fc3a738744a43ae608b

SHA512
a24494111fe84e68fdd1574159a0681e3081b5529a8d5ea7f9e699f536fdb493a0bd2f19fa9c01eaafbbbc4d2be7523f95862c933ad4563face5ecd89a5bac9e

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
59KB

MD5
a5f89792119b6efca532f9d937445f32

SHA1
f451b1ba2d6bc581b7ae6c6e019c5db98e6e8d24

SHA256
5ffcba9411427eda5579eeb3c018a9b92e1a4241fd585c41ec2a12906ddbc861

SHA512
9ac0e0ea568228e9826886af8c134209d170eeb89920a302fca941e193642818b90df5437589629510ff43fe79ca70e4e19f8f67956b540e714a9acbe2233cbc

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
59KB

MD5
71650d8145079177b72e687c1b12aa88

SHA1
e5cde7f27d0086e78f9430e4022e10ab5d829f0c

SHA256
5a4d28b720ce8cf089580fe11d9be1fbf0cbc2ea8897ef919763e1bcd6364d37

SHA512
f9017b4c3de2a5794adff131e86a4b1d43ecdbcbd15192f9f697b08ff874b275e841631309a4ce94ae5dc9f0ffc2f9c18c9a3b13fac0a066b97f07ba5c85eddf

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
59KB

MD5
00a6421a1868dd60ab9a606e53335dc5

SHA1
35342ec70627929db2806f9819b6e4e3bdb8793b

SHA256
ba8492c8ec5f02ab4905ccdeadd80abbb34e3e9f48a173bc1ae470d856d51d2a

SHA512
5c2bd47b1803952c5529cb3fb2f52092b937441e5935022d3922ee5194b8cb97a1fa980fb6888d982b41f1204a77607801cb8cfc9425c41d1d3cc0885d9ce4c7

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
59KB

MD5
361183248658338a384e75bd6f7530ca

SHA1
9d7bd3a162a65737d339e00fe1b1acb60ae1f5a9

SHA256
36575b06403fbde4cdf2c41c4ec48c44e51744d4ba88a47547398072acaa8004

SHA512
cfcf59fb27ce10c152a340120a4639749a94b9775ae64743e458d216c962bc6659a39653528bae837d795ae64ecd20644b7eea9e9b45cff8f7d58f5374ea69db

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
59KB

MD5
cd8c5908748e6e48c283a20fe42fd226

SHA1
1ecf588325acb980c69e88ef80a92b5259c33a59

SHA256
777af072b42da724dfb224a9e9ec59fbb55731fec1261d1bb5c103488724875f

SHA512
624125c1e3422e5ef1ed65c88eb685cf3b1e27397ce4c045384407b69531dab2b26e60ff66a1b1ff884bfc984ed1c10be2270ea7ac757ff71fc1e4f0ccf0d1e6

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
59KB

MD5
92e2292dace2c2501a34c37e9a52afc5

SHA1
e79309afb260d51f44ed717a094a7c84ea3be9cd

SHA256
23b16f442d8d0f758b63e6af461862a3c2927979987e5cdd317d5863af7452e4

SHA512
fe4ecd8b25f12e5b4f05a176daa00bd2e1bc3eb39bde4d64ccc91d97c3d452403ea456fcb66445e43fd16d84ab69837e7eff29271174a8a34d47fdcbbc99301d

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
59KB

MD5
67432f8aae4ad22291de9bd7d6d07ff7

SHA1
381f57988fe70fb01d8fd64e4a539aa02369f046

SHA256
b4ef39d442f1ea2fac3d6973b0698543c5ce918e4934ac8012a4beae5106a0f1

SHA512
891544f4c9631076047f75475e1653e29ed8ae6a9a134470654b4c29d6c16a3d5db06f20d934d90e2f393b8487b2bf106904a145ef22556947d7c9e9de8208da

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
59KB

MD5
6f9e0c5f997e9eb7c95fc7cdb341565d

SHA1
cd0a62dd18af01c4517fa8cee865b0180a88e103

SHA256
7bb1c09b05f6a37019b978286a00a24379036e7a089669c63b1ac26cb01241cf

SHA512
c08bee9faa4d328a22baf573af7eee4b09a2eead7a9c89656d926a8a191060989eaee619742a292e366d36ffca2a129e18c91ca8d8b7102f51fdd74c4d2c0d03

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
59KB

MD5
24b8c5eafffbe0b31ba9b968b0ecaa6d

SHA1
3d1a253ae6af637a047e6af21c926870e6a6ccfc

SHA256
e9bfa98f161dfff8b4627c2eb2d45fca21431b8ff35338afb6a613fa48ec97de

SHA512
8c6ba0903c58a5cc67134a196f625952298704b446de6ac3a7fed03da8e0f1fff4440c9029c0e773a85e8b5a0c3a5919d1675b9e390c1f24e0aafa05f6405466

Download Submit
memory/216-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/216-365-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/224-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/224-366-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/640-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/652-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/800-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/880-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/880-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1272-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1276-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1316-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1316-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1460-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1584-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1704-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1704-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1772-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1844-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1852-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2060-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2520-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2640-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2808-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2828-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2840-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3376-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3376-362-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3384-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3408-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3460-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3624-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3744-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3744-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3752-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3864-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3924-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3924-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4076-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4076-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4164-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4212-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4268-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4312-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4312-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4400-357-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4400-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4444-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4728-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4744-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4780-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-367-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4912-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads