e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad

Analysis

max time kernel
158s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad.exe
Size

402KB
MD5

cb915b3df540e6cad23320ebb37e0023
SHA1

d263d0f19a5e54d8a1399098100af6b42e9ef28e
SHA256

e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad
SHA512

30e338c3b9b6f04250d4ffc4ebf26d87db365a8ba03844089708e63001368d11a3cfe885ee341ac8fee2b076483b4f2f8953d4103173e8849f7476d4f862b4ef
SSDEEP

6144:iQnM7sF/WRwHEPvTpN0xHuwdkAj51VezfHZ3neNZpGkXo+TCCYOs5PHdC:iQnssF/WpU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iefphb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllagh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggepalof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afappe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ggepalof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgdncplk.exe

Executes dropped EXE 46 IoCs

pid	Process
2920	Haodle32.exe
4192	Ilibdmgp.exe
2248	Iefphb32.exe
1856	Jhgiim32.exe
1348	Jocnlg32.exe
4840	Kiphjo32.exe
4772	Khiofk32.exe
2876	Lljdai32.exe
1956	Lllagh32.exe
32	Loofnccf.exe
4632	Lcmodajm.exe
1096	Mhjhmhhd.exe
3916	Mjlalkmd.exe
532	Mfbaalbi.exe
4168	Mjpjgj32.exe
876	Nqoloc32.exe
316	Nbebbk32.exe
3420	Ooibkpmi.exe
1528	Oonlfo32.exe
2532	Ofjqihnn.exe
5028	Ppdbgncl.exe
2232	Pcegclgp.exe
4996	Pidlqb32.exe
4476	Afockelf.exe
4564	Afappe32.exe
4784	Amnebo32.exe
4748	Ampaho32.exe
3512	Bdocph32.exe
624	Bfolacnc.exe
3572	Bkmeha32.exe
4604	Cdhffg32.exe
4944	Cmbgdl32.exe
4852	Cgmhcaac.exe
1076	Dgpeha32.exe
548	Dgdncplk.exe
1100	Dpalgenf.exe
1836	Edaaccbj.exe
1480	Fdbkja32.exe
2644	Ggccllai.exe
4976	Ggepalof.exe
4300	Haidfpki.exe
1952	Inidkb32.exe
3952	Jnpjlajn.exe
1392	Jdopjh32.exe
1232	Jhmhpfmi.exe
1728	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lllagh32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Mfbaalbi.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Cknmplfo.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Lcckiibj.dll	Afappe32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Mhbacd32.dll	Khiofk32.exe
File created	C:\Windows\SysWOW64\Haidfpki.exe	Ggepalof.exe
File opened for modification	C:\Windows\SysWOW64\Khiofk32.exe	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Inidkb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Loofnccf.exe
File opened for modification	C:\Windows\SysWOW64\Ooibkpmi.exe	Nbebbk32.exe
File opened for modification	C:\Windows\SysWOW64\Ampaho32.exe	Amnebo32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Ekjali32.dll	Iefphb32.exe
File opened for modification	C:\Windows\SysWOW64\Lllagh32.exe	Lljdai32.exe
File opened for modification	C:\Windows\SysWOW64\Afockelf.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Enalem32.dll	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Gcmjja32.dll	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Kiphjo32.exe	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Gggikgqe.dll	Nbebbk32.exe
File opened for modification	C:\Windows\SysWOW64\Ofjqihnn.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Ncmkcc32.dll	Afockelf.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nqoloc32.exe
File opened for modification	C:\Windows\SysWOW64\Ggepalof.exe	Ggccllai.exe
File opened for modification	C:\Windows\SysWOW64\Jdopjh32.exe	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Deocpk32.dll	Haodle32.exe
File created	C:\Windows\SysWOW64\Abbqppqg.dll	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Nqoloc32.exe	Mjpjgj32.exe
File opened for modification	C:\Windows\SysWOW64\Afappe32.exe	Afockelf.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Cdhffg32.exe
File opened for modification	C:\Windows\SysWOW64\Inidkb32.exe	Haidfpki.exe
File created	C:\Windows\SysWOW64\Jhgiim32.exe	Iefphb32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Khiofk32.exe	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Idkobdie.dll	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Ggccllai.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Lljdai32.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Oonlfo32.exe	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Klhhpb32.dll	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Pnfceopp.dll	Ggepalof.exe
File created	C:\Windows\SysWOW64\Ggccllai.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Lljdai32.exe	Khiofk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjlalkmd.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Ebdoljdi.dll	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Onnnbnbp.dll	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Gbhibfek.dll	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Jocnlg32.exe	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Lcmodajm.exe	Loofnccf.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbgncl.exe	Ofjqihnn.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Edaaccbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5220	1728	WerFault.exe	142

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjali32.dll"	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpb32.dll"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeigbeb.dll"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjja32.dll"	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbqppqg.dll"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohflaf.dll"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmkcc32.dll"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll"	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnoeb32.dll"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khiofk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 2920	4708	e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad.exe	97
PID 4708 wrote to memory of 2920	4708	e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad.exe	97
PID 4708 wrote to memory of 2920	4708	e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad.exe	97
PID 2920 wrote to memory of 4192	2920	Haodle32.exe	98
PID 2920 wrote to memory of 4192	2920	Haodle32.exe	98
PID 2920 wrote to memory of 4192	2920	Haodle32.exe	98
PID 4192 wrote to memory of 2248	4192	Ilibdmgp.exe	99
PID 4192 wrote to memory of 2248	4192	Ilibdmgp.exe	99
PID 4192 wrote to memory of 2248	4192	Ilibdmgp.exe	99
PID 2248 wrote to memory of 1856	2248	Iefphb32.exe	100
PID 2248 wrote to memory of 1856	2248	Iefphb32.exe	100
PID 2248 wrote to memory of 1856	2248	Iefphb32.exe	100
PID 1856 wrote to memory of 1348	1856	Jhgiim32.exe	101
PID 1856 wrote to memory of 1348	1856	Jhgiim32.exe	101
PID 1856 wrote to memory of 1348	1856	Jhgiim32.exe	101
PID 1348 wrote to memory of 4840	1348	Jocnlg32.exe	102
PID 1348 wrote to memory of 4840	1348	Jocnlg32.exe	102
PID 1348 wrote to memory of 4840	1348	Jocnlg32.exe	102
PID 4840 wrote to memory of 4772	4840	Kiphjo32.exe	103
PID 4840 wrote to memory of 4772	4840	Kiphjo32.exe	103
PID 4840 wrote to memory of 4772	4840	Kiphjo32.exe	103
PID 4772 wrote to memory of 2876	4772	Khiofk32.exe	104
PID 4772 wrote to memory of 2876	4772	Khiofk32.exe	104
PID 4772 wrote to memory of 2876	4772	Khiofk32.exe	104
PID 2876 wrote to memory of 1956	2876	Lljdai32.exe	105
PID 2876 wrote to memory of 1956	2876	Lljdai32.exe	105
PID 2876 wrote to memory of 1956	2876	Lljdai32.exe	105
PID 1956 wrote to memory of 32	1956	Lllagh32.exe	106
PID 1956 wrote to memory of 32	1956	Lllagh32.exe	106
PID 1956 wrote to memory of 32	1956	Lllagh32.exe	106
PID 32 wrote to memory of 4632	32	Loofnccf.exe	107
PID 32 wrote to memory of 4632	32	Loofnccf.exe	107
PID 32 wrote to memory of 4632	32	Loofnccf.exe	107
PID 4632 wrote to memory of 1096	4632	Lcmodajm.exe	108
PID 4632 wrote to memory of 1096	4632	Lcmodajm.exe	108
PID 4632 wrote to memory of 1096	4632	Lcmodajm.exe	108
PID 1096 wrote to memory of 3916	1096	Mhjhmhhd.exe	109
PID 1096 wrote to memory of 3916	1096	Mhjhmhhd.exe	109
PID 1096 wrote to memory of 3916	1096	Mhjhmhhd.exe	109
PID 3916 wrote to memory of 532	3916	Mjlalkmd.exe	110
PID 3916 wrote to memory of 532	3916	Mjlalkmd.exe	110
PID 3916 wrote to memory of 532	3916	Mjlalkmd.exe	110
PID 532 wrote to memory of 4168	532	Mfbaalbi.exe	111
PID 532 wrote to memory of 4168	532	Mfbaalbi.exe	111
PID 532 wrote to memory of 4168	532	Mfbaalbi.exe	111
PID 4168 wrote to memory of 876	4168	Mjpjgj32.exe	112
PID 4168 wrote to memory of 876	4168	Mjpjgj32.exe	112
PID 4168 wrote to memory of 876	4168	Mjpjgj32.exe	112
PID 876 wrote to memory of 316	876	Nqoloc32.exe	113
PID 876 wrote to memory of 316	876	Nqoloc32.exe	113
PID 876 wrote to memory of 316	876	Nqoloc32.exe	113
PID 316 wrote to memory of 3420	316	Nbebbk32.exe	114
PID 316 wrote to memory of 3420	316	Nbebbk32.exe	114
PID 316 wrote to memory of 3420	316	Nbebbk32.exe	114
PID 3420 wrote to memory of 1528	3420	Ooibkpmi.exe	115
PID 3420 wrote to memory of 1528	3420	Ooibkpmi.exe	115
PID 3420 wrote to memory of 1528	3420	Ooibkpmi.exe	115
PID 1528 wrote to memory of 2532	1528	Oonlfo32.exe	116
PID 1528 wrote to memory of 2532	1528	Oonlfo32.exe	116
PID 1528 wrote to memory of 2532	1528	Oonlfo32.exe	116
PID 2532 wrote to memory of 5028	2532	Ofjqihnn.exe	117
PID 2532 wrote to memory of 5028	2532	Ofjqihnn.exe	117
PID 2532 wrote to memory of 5028	2532	Ofjqihnn.exe	117
PID 5028 wrote to memory of 2232	5028	Ppdbgncl.exe	118

C:\Users\Admin\AppData\Local\Temp\e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad.exe
"C:\Users\Admin\AppData\Local\Temp\e1198d3b20835302e6d4bfc396c0a1c963e3d569cc19e6bd023fb6484606f2ad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\Haodle32.exe
  C:\Windows\system32\Haodle32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Ilibdmgp.exe
    C:\Windows\system32\Ilibdmgp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\Iefphb32.exe
      C:\Windows\system32\Iefphb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        47⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 412
        48⤵
        Program crash
        
        PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1728 -ip 1728
1⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afappe32.exe

Filesize
402KB

MD5
88fe92fb8f065d661ee1544e795138a7

SHA1
a65dd7d0417699749fdc7b55e76eede5c16c9300

SHA256
6249414aea78c4177615885f4ff50d82f54efd85a1064765a4384b7acd287779

SHA512
115660ec5f3bf2db3f88c172e36c98e076ec8d4cf10629696c7442fae27aa46333f88f330310f2b4d1147506d4594cc1c46d27e87a4e80d9baa254958cac7666

Download Submit
C:\Windows\SysWOW64\Afockelf.exe

Filesize
402KB

MD5
64e8ce4d6f710d8e685fcd0df483bcf4

SHA1
f190f2d43765c1a64fe5a0f130a1093eeaaf5e76

SHA256
1fb8eb60ba66d71fff792973dc3c3968b851bdf7b95b8e5a51b024b769293eea

SHA512
b2b8dc09251f3995d7dd9eb16adb54c9aed610276226f6baea10d02740888fb1ef1626833fab0d440d0cc7f0188aa378962587f0e065dda76638fbf98a022ed5

Download Submit
C:\Windows\SysWOW64\Amnebo32.exe

Filesize
402KB

MD5
c04ce7aa1c1f3fac189c349a671707fb

SHA1
b4870b3c5157b7be8f5337e7a39ca126adf6e45e

SHA256
b74a3eae3d7bfa46150d898b994e802e747c08b25ac1811a7bb40d0a6903e45e

SHA512
e32caf983da6e455f2de28a296db2d2e332f9225b42eb355d1d99e823f35ae83efa44e964457c8a752772f932e5848551ac2a9ccf17a95b3c6671be2119017b5

Download Submit
C:\Windows\SysWOW64\Ampaho32.exe

Filesize
402KB

MD5
2b1bd106ec619672f88991a04cd2793b

SHA1
7f696e85ea8f86996560adcb4efc7d285b7d44b1

SHA256
d3b0a6a6ffb6d15b530e574f7f584d6f0718ea915dd9bb89cafcd9f498dc3fb1

SHA512
befda6b5b86f3d22ad36d2cafdf871f3042c3f1c0f40192aced72906c6f8acac534d63bd3b2913b565b4b230c38b96de4b922feebae0e732beca903bd3d47545

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
402KB

MD5
6265998170b78a6e72b34692b2eeeabd

SHA1
2f8d184fd95c7a1d78a24c342769b49d9b8d2bc7

SHA256
bb9c56282076ac0a1f29b4baa74fee1e9313f6353ef6b862600fc75d31e6bdcd

SHA512
24ac3e7e112588d1b1d81aa05dcf5c850087d216bba7af6e5aa738646324dd681f7ada76614cca0d96c2499cdf01d1c918b41a84a48a6f215e8eb986727da648

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
402KB

MD5
3a22f649287d0d5aee5abb4e58716775

SHA1
c378851787c04bf2a880d7621b3e74fa6d1f0887

SHA256
7e35e06329e7a0894423cbf902780d9bad726606dda89cf4e6a65af73c7ef854

SHA512
32a44a02a8f8ccc5ab84b6f9d26d9b24dc68c52804be13b4094ce241193a6ff5c5806d223a7d07081d5b8a1d1fc53e78570c4442b35ca526c2f64558372868c9

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
402KB

MD5
bb43e86b883208c4edaa86e33ceda0e9

SHA1
ffb9617baecaa5497c59ca91b37af281f73084da

SHA256
3cdc387a99a1568b26d33eb492a7fd747e016dd9df7e0e03e183b667e629d27c

SHA512
41f4353352234d0cf01fa6604f004992ef66ea4fb48dc4775d98816f900edad2bb33855c1ee8873d3714063e3bd9c9823eef5ebc00e249d148f85282f4184cc1

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
64KB

MD5
74c4d4046f026d20feb158fa9df8b9d6

SHA1
8a92ed630378a4f53ba2c1030ac2ffe1261b1427

SHA256
31e9c131d47cd0af4151eb248503b59af067684a388dca62e408ce9a7ace7796

SHA512
ff9ded7802ff8960d17de770a5b1f946501ac096ea1ae82e78d18092b0fcd6e6a5ac8339619fcc31f37a5f9153ebd9de639e62c7433ee0d0ddd53e719caa082f

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
402KB

MD5
c867f13c4f8f4a7ec15397d74b34bb2c

SHA1
a1abd83a00399acfedb01730ca9fd1fd35eb0451

SHA256
9ba33d279b8c1acb8eb4cc5d771f401a6b0595947ef012bace840657f156089e

SHA512
8c2c7bd3190c3437654cf31fa9ad8ebe7511f9f4dcb3017952acd929bdcee0172466634085ad1996fdaa3747973cb49b76f8b19863bef9aac9a8b17852a1ac1c

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
402KB

MD5
fbf25829ce4012b5daa550cadef339ed

SHA1
e31824deec6cd0c37ee1b3d8dab3ce539cec1f2c

SHA256
2b726f9c71602d2ce2d301dcd443d1601b11e356c9f9a17f3b404fca19b4b398

SHA512
0499d3faaf3b5a9cd41ecd209c940efedf6abfe97d4b0851270d93c8c9e774c027ecabd04431306ef722c7fed5b18c7a3843426646fc6ac75a3347dcc713a037

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
402KB

MD5
4bce36c9dfe35a6cd5997c568eb5503f

SHA1
494f2beca18c90bd5c2a88fab54963936b0c1d10

SHA256
4cd6edebb0d2f02ba7d3cb0d3c8e01c5ffdf0a7e33c6a0b91e542bd7a6096888

SHA512
811542f23340e4cfeb4c9255bc169876094d44cdd0609b0b3a9c7065331a6b19c3ba6033e066fc920a690f5780576b6e6402a22fb8fb0932673de85a14a3853d

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
402KB

MD5
36bc2285f588fc5aab2e06312c67d52d

SHA1
9f6392ae5a9b3d822855950d7e33421e0b7e1aa4

SHA256
74d281098ee9fed1afec00aa8b5de25b7e142f70880600fdb8dea47127c42d4b

SHA512
73827ef64bb7827fcb7baf8cbdf24dd1f6bb92957a0b59741a6e1aeb0c64df0efebdb20683c24d2ec570368c50a9e50f350c05084680a25b0735eb28e7102ef7

Download Submit
C:\Windows\SysWOW64\Gcmjja32.dll

Filesize
7KB

MD5
033bc2354b8ec53133075d155d82840c

SHA1
7c6af87411a27a14d2247b1abe98d3734f68ec52

SHA256
29c0aae001b37d7badc0aeb0f027d8279c573d5be866ed0f6b7daf17524e88e0

SHA512
82d4a578c61e060bc788bb24ee57e75d331422834d13bab5d41332806ccd7d8a3fea8c68703475f8f19455e3f7064e74763b442d8d53d582b02e0aafe892cf7d

Download Submit
C:\Windows\SysWOW64\Ggccllai.exe

Filesize
402KB

MD5
f4479956acfca6af987a58cf06b49257

SHA1
69b1403e0fe6e7ccd29f5744d57e9e059ef74b5d

SHA256
17c8aab21529b0e2aa4f0aa062e63190ea93881d0f5332f70bdbefcd003cff6a

SHA512
bbcded2b6b505c388c19a93d9ddcb8039e16fc168d6865b8792312467ed3966b904c124e4d6a6066e0331eae6e6d54b4500e2ad1ac3ef732675632d0d3223c29

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
320KB

MD5
aecb1980517206e86a53efb7937cff54

SHA1
8ecbfb1645bf5682b4691452810e810b6e4fe8e5

SHA256
16362f1a82b67b22f5e7378e23832ac08e47bdd5c710ab6e587a63e299368a1a

SHA512
89c944d0c6fb36f00f611603bcfa0b5f1c9560db98223cfca23a6990778ec6a8edab11024bf2a7c82369c90cd2cb0b9cd0c1d4c2d3bf19f4cbf89bf4c52cc19d

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
402KB

MD5
0b23e27f3cd79c29bc8151fe7f556149

SHA1
2fbbcbfa11cfaa837721fe8301791cb625086106

SHA256
86afffe2fe7c66db7d81ee197c4f90e9a85b9063f395e33ea9888fe980dba9d1

SHA512
662b43517ed30a86ebba19d44569f0b7042d0a961ed6bae3a64c03c97de473ffe068a0a76a4dbc954bb24f47bc5b749a977b4ab227a9edae90c8be498dcba4c6

Download Submit
C:\Windows\SysWOW64\Iefphb32.exe

Filesize
402KB

MD5
280cdf7b318787f8027ce157f50ac70a

SHA1
2ac03172458b05af8beecfbce0e9938800a4b8e8

SHA256
2896f58e6c5e4ec1f2681b745b20b6ede3f9cb6738c08fb9abcab5691270cdd5

SHA512
d2ec6e4db25df1529a76e966f803550afb41aaa6184b90983f34ec28ed0475164f709ffd82bb90c01d967c3d5b7ef930d776ff6ef0f4b987dd899b94473a8373

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
402KB

MD5
3c8f8d0d20740f2cbb16c8a5e2eec18b

SHA1
be20957c127d813aede2d435f97e2f1a650fdf04

SHA256
7debaeed9b12179ff8ba9bee38570c0f1198f2a1dca407f6dcd53ae7cfee0aa4

SHA512
2946ec4fe7733a8674dca78d48920bff8e8d920a054862e6962d39eb6774cf2b8e59256f19528573102fc26732eda90ae6f5645fd2e88a4c7c9f95015f15df08

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
402KB

MD5
932d843fadc96834a07a0511a99b1718

SHA1
faf30bfcf81f42cad73804a509436dedbc4f66f4

SHA256
df495be1125eb03b04d3cdb651c35ca95b751c07a7eb15f19ec6b04e2a148776

SHA512
1df4ab7eb71b21d6dff6da2fd209fe0176c002d5daf72d1c284d43bca17823c1796ce64ebf53a258598d2f2c0b51a4c46aeeec79b987baebc6a8a653871fbc1a

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
402KB

MD5
fea08ff459267f0dc92b4400c04b7bf9

SHA1
bafb2fa3e6c0d1ecb8abc94c85640db956fa05d8

SHA256
0f4c58b88ecc99724a4d5310f3ff6ce75babdf3d7f00c4c3fe0c8835d2662cc0

SHA512
f01854c37d1352916b4e4baaada8c54d92045c796401c1ff5f535c341404c3e3c2f9bcafaba958d5ba52e18483b20633879f305e09759bd8df4a10cae4aa9950

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
402KB

MD5
40990c3139cd9cb48f4abc2c672206e8

SHA1
158e236ae7e4a09f6f2b7a9e36ddf30ef66a0e3e

SHA256
57fb2fe3d311f7071117f574a917a8905cf360f714b22de38b2ddfb52da01e5e

SHA512
35df0cacdc85006b18b0376ff22e4457bfd0010ab0370310116c36cefb1a150fdf04ec59da564e075f501297f07eb7d03130a26c382971d5f92a1bacf07671dc

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
402KB

MD5
a8d62945b4b2244f64c3aac2ab999ec5

SHA1
5d45dc84c11cdd5c2d3fc2a817c536dfd72a29df

SHA256
d32a0cec8c93224b5d243bce5bdae58e29017a30b9483b50cd929f402eb9fe85

SHA512
5ccb86aeaa1d7ad79aae13a65f05fc379fc6d642323e99231805565ea487be86084bf516bb92225e5b3bd4d4353a4326532819dcf2dc0c456b4b42a2ce15bf04

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
402KB

MD5
17cbebae272ff477c5d515aae27cb2fc

SHA1
ca06045f44fad9601e492eb6cd67d212fa170161

SHA256
ad760f010870529990e7f415ab161d052fb0eb62b63e6d096ae60d26cc4d2a26

SHA512
5efb88c0c4bba3f087d001afea61dcd684987e8f2600889a5a7f1151051582441cc53ee0d560a6a6213f9c2b2280a29a3fb084b6440394c6d4affb1679b6edcb

Download Submit
C:\Windows\SysWOW64\Lljdai32.exe

Filesize
245KB

MD5
6376ba96e264e96392617812c781b1cb

SHA1
36d8fb3302d3550ad00c55029cb7144d3e4d889b

SHA256
e82f9d53d93c8211a32dad387b83d6ccbd969029574885ace94274afe63acd57

SHA512
14940f1b912c42178cd11c4c36bc19e57bfbb2c7b1e61a10aacca05aecf4999b8966adf832c7e01ff4b73905e08185fc18fdf24ff9d3a7a394ae2cef9cf86f50

Download Submit
C:\Windows\SysWOW64\Lljdai32.exe

Filesize
229KB

MD5
b3b0437c38e372095d1e8ef5fc351d93

SHA1
85615ff83e41f288dd7583af60ff07638f9f82df

SHA256
f92152819eb14b01daee570d3c54cabce8035730d0ed09138165aa8295f0c2f4

SHA512
fc93794e295398c4f6e7e860fde0f8928230a4e5f99d1caeaf0881ae96ca8f561ee42d6f42ba24bee7fdf5caff164abec3ff0d8fe2ebf16de4da63fd94c2d545

Download Submit
C:\Windows\SysWOW64\Lllagh32.exe

Filesize
402KB

MD5
c7cf7e605052c20d08b9200e52267fc5

SHA1
ca1b8f2c845c2dd7b58a1e9e476f5a1654140299

SHA256
70a50800e7420597bfd4d9899bb5541118a676e71ccbba3f1a399fe51b5c9512

SHA512
8c052ebfaac40c7ee637fa3afc8e7eb0b6db68dcfaceb930937d583f1c028d5382b3497f58ff27caabde5fc95ee69c4a86dc29727850d5de34c42c8383b326ed

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
402KB

MD5
cc0dc2ae94d6756d3152dfc4b2af4725

SHA1
ad1516d5a1cdc9ba06ca5bc97114cb40a6d040b6

SHA256
d3a443fcdf814578e26897ba94e1430f424fe7cf8ec90f4a4a9f22e76d7a3f53

SHA512
d26702d38004f4a432da64c0814a763272fc790dce0438facafa49036bf68d46b5c7c30f39b285fcb41a9344b476bde5fd707f980be246c1bf245ce3943c47df

Download Submit
C:\Windows\SysWOW64\Mfbaalbi.exe

Filesize
402KB

MD5
59dc2f2cabf0c31c029e221a577a8a88

SHA1
ae288291594fe5c2046e16bfd859eed3727d7be9

SHA256
9cad3262a498836db677d84e4781e175d61056257e9c21f44416c934a5afa2fb

SHA512
bfa25435d3a55cbf3a7d85ded6e5c315bae1809585eafed91d94250020f8698257c738a82273da6822e1cb694ccfdf90ffefcba8f117a06c8ff0045b77e28749

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
402KB

MD5
8c32381e96e269f7602d78680a93449f

SHA1
5c30267a1041d41a0495a86af8be1d798e264eb0

SHA256
54b37548cd05e3d01dd247dfdef686c2a6c4bf106554cd85aa7b571843f98944

SHA512
3eabb12d3eb505faa497427ce62428e78bd2f0923cef41fc6d7bb56872130a3f05e2df113757f3165dfbf5ff8359a09a7b2376cf46b79a4529128896f8f790e1

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
402KB

MD5
35d87d9cad19f94a628f1e25e216d532

SHA1
a00bac200dd631eeb1e06e09f1e965707cbdde36

SHA256
c88380989c583879bdf6dc69cb71745a35c7dc747b7459a97b90ffebc040516c

SHA512
2bd8b98162b334dacc5796193742a3a9b2fb7951091e57164a450a3402b75b1baf0f57bb3bcaadc6a3a7acea672ea3984e8f5e329e35ba60e3680d60078af73b

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
402KB

MD5
90ae9f2270b77b05ccd40fbf953765ff

SHA1
775de4d8967cfbd264b6cd842eed57066002e082

SHA256
7ffd584a9ab71b3aa1c3776e294091d4314210f24060782322abc9efa14380af

SHA512
dfaddf3f550dd520909ef4bf36bc303f07bcf0a719d433016229bbfdafd8a31c1ef591b63731d31b679c7e7eb8d46c9ee29c0ce7e5a7343055bd9f36150824e5

Download Submit
C:\Windows\SysWOW64\Nbebbk32.exe

Filesize
402KB

MD5
6dec221609d65d15004e6e08489dae8c

SHA1
c9d32289d13b515e3127506f75cf554fda70c845

SHA256
779bdcf5ad9722cf5a500649fa56efccee695e586955de11195dc91d4220f725

SHA512
f9cad7c82ca87a2916f92c4b7569495afefe924490fbb3c9b6d657c1cb8e1ebc916a8121c31187de5e15a9356dd24253dac2c6773ed3ddbbce5ed9e4bbed16d8

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
402KB

MD5
0a2e1f3e37606f48da9e7660f9adc9a5

SHA1
5eb2b080922ec734588b1b21a1300bc68eb7b85b

SHA256
be4b08c64f98c4ee482ad9247ea86d80f1bbe67f5636205121b854277de46bd5

SHA512
c845032ce1de975d26af0330c1de1f8bc6654f4da1be9fb9d4f893b7f3b3e9f60f2d3a5467052b32ad06a054911e3413922f20060a8d9d6828a80ed2d24b85ab

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
74KB

MD5
cdb58ba4f8619939e58654d44cc26d1b

SHA1
eb080b667d075d9e8a5723151e91e3e7e1373450

SHA256
abcb16a9ff98c8e4592fca4ca7a045613a0c96423c04ecbb7de06ccc74cba878

SHA512
8b3303a9848b21b721554d84d4f3915fb4d2ff122e933b434b7118323b6e1862970afe84c975121de40811fca5c416aad3db20c8ba810a2c9c088b57e3a9e564

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
16KB

MD5
e4ab13084d088a96bf02dc171d319db6

SHA1
da0bd71fbcdd10afa3b6dc06df120e7064ebdf5c

SHA256
441d412f03638b89c743df81bd7b0a3accb416027d5059baf43c9c7aedad338c

SHA512
c22d7f03177108ffd7677d554dd715b8916cb666f7c8c371b66ffbf106a5a76f78c84ae24a56d9c0e2be98a2d4901f9164ebdd25105cec822f9a93bc05124a59

Download Submit
C:\Windows\SysWOW64\Ooibkpmi.exe

Filesize
329KB

MD5
1c794bdad8d3bda08125d6d9a2307aca

SHA1
8d138a93aefaacdaf2491ec2c751513e53c606aa

SHA256
5c6960187a891416c11c109307c57322d6a6dea7e8f7a2707047a40628ed25c3

SHA512
7dd6af29280f84d92e339abadb6fc014e760ef1c8960d711282b74b0b2c616239975ad215e70b2f36b6a4b5ee1e3084a7d318eff13de4d4d344e7091867d3705

Download Submit
C:\Windows\SysWOW64\Ooibkpmi.exe

Filesize
402KB

MD5
721b09904e25166e6690ee0fddcc1f3c

SHA1
3e5d18f5cd43f18dfe6342129cae723de16152f1

SHA256
dea53307843d4443b853eb3d1220445d6203b0fdf26baad58395d2474d96c6ca

SHA512
07f4a290696d3087fdd2b76058786e320796071b2bb8ad32a0292f43c45b1213b0722c422540e33237851c146e35f54240a1fafc5a73721978638773f4c0fc30

Download Submit
C:\Windows\SysWOW64\Ooibkpmi.exe

Filesize
171KB

MD5
f6e5bf55a20da983af7dc7198b9ebacc

SHA1
607693ada67a82e3cefe8f5c0c0375ff31cc4c61

SHA256
e61e3b9781f2341f52b1a4a2204205b9d37fe4f3fa87c7c7066402a0411ab94b

SHA512
c4c08ec234f6b4eb109934c2df7bb655189074db46b99fb2212e3c85bb248741d508953cd3d5756ed2e059c57d58228f00e5a0240488ddaf13be4ebe235415c0

Download Submit
C:\Windows\SysWOW64\Oonlfo32.exe

Filesize
126KB

MD5
4df44db66a3f8983d8d8304d2f34782e

SHA1
eef6e1e6431a957c8cda19fc1123840058942c9b

SHA256
d3ed3ed53b97dd7e4ebde319388536161cf32c7a470edcafda4a0b4f247e7ca0

SHA512
ce4eb1a72657e6cde45e39f4894739b3108a63c32bff36e2f3ca34e1f332f04307317d5594b9400abd31f989580860680507d2837c68c94c4a61a30d9d090bb5

Download Submit
C:\Windows\SysWOW64\Oonlfo32.exe

Filesize
274KB

MD5
8ab7c6d6efa0c2ea2f643b3e09e0b154

SHA1
c977e7263f101b33f7df95875dfafd742a9744f3

SHA256
6b75494d173a9f3c7c104498fcfc3b01f7a029d097b3ccd78a790855fb24ab3c

SHA512
ab9af190011dcfa2522716244755ab558983bf087b046d26c081bd337e9b48ebb860ccadd3d329bc1cba896c09afa85e635b0e7aecd372ffca86dfbcea7ff6e9

Download Submit
C:\Windows\SysWOW64\Pcegclgp.exe

Filesize
402KB

MD5
7db4ce06807b3e26ce2c104105bb8037

SHA1
182c6b07edb2960ef07669fd2d9f08c220d550db

SHA256
f65271e84ef9fc0ac3d2f65b930615fb73bf343fe791ba813b9c1351e0653857

SHA512
5d335a7d412523ce3651da080864db5189834274ee8f28da32a24e8973660d68abe143c4e8677f371d213591d8d294613386c9673b118317f729c8d3a6acc32c

Download Submit
C:\Windows\SysWOW64\Pidlqb32.exe

Filesize
402KB

MD5
c48782eb0daf9f78188cace5bd0521f9

SHA1
55cb35087fbbe9fa6241ce3f1f97b5f65767409c

SHA256
b5e37b67d08c29c467bca831d44aa24d2ce16cebd7f38bb0ac23c4ac5e69bcd7

SHA512
2fc57554a8530e9fa23c8ce79d23455c58d1e96751868e10676eb70d0a3a0c490b5f59c189e85b9c2a25d53650768586d2615c7b8c70ee8a54ff873ce1fdc8e0

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
402KB

MD5
3f1f5cebd8c4fbbddc91a93e712b632c

SHA1
caf5ea69f711a66a52fac5c0d4cc885182fff15d

SHA256
e5d569dfa02f6ec026733d46f962297b61f69edaa3924bb99b3282e8fde8ecc6

SHA512
7ab30bcf20edcc4f657cae367f088d404801d5bab6a74e3afe111b81a81987eac63cc7a82b47ef80feafd804596a1602f3245c5e800bf23442d08211e0a0d334

Download Submit
memory/32-80-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/316-136-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/532-113-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/548-274-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/548-428-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/624-436-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/624-232-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/876-129-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1076-426-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1076-268-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1096-101-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1100-422-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1100-280-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1232-354-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1232-406-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1348-41-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1392-338-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1392-405-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1480-292-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1480-419-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1728-402-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1728-355-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1836-420-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1836-286-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1856-32-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1952-324-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1952-413-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1956-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2232-180-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2248-23-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-160-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2644-298-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2644-416-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2876-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2920-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3420-145-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3512-225-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3572-435-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3572-240-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3916-105-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3952-408-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3952-326-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4168-121-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4192-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4300-415-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4300-315-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4476-192-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4564-200-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4604-432-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4604-248-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4632-89-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4708-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4748-216-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4772-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4784-208-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4840-49-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4852-262-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4852-430-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4944-256-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4944-433-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4976-414-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4976-304-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4996-184-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5028-167-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads