05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
Size

89KB
MD5

c73769b52ac5fc04141889563d44b98c
SHA1

c23c70ca5eb6c84a1acd926050daa2deca068f6b
SHA256

05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd
SHA512

a99d92f1fb3ede39c2c1402934be6d9289c21791963f9e5b60afac94ac7dc4680a4e07a718530b216f7fcddc5e7ca5a05d36409c65a4f13714820b0d40d8292b
SSDEEP

1536:0Q4QW4yFS+ZA4fhJe9SKzeeqdBhoxtCSjptXWyhsJojkJjhILc6/lExkg8F:hZyFS+ZAUS3bq2tCSjpzimkJjhILcYl/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gngeik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fecadghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gngeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doccpcja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnbeeiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekbjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajdgcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnbeeiji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccpcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fecadghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddkbmj32.exe

Executes dropped EXE 50 IoCs

pid	Process
3244	Cpmapodj.exe
3416	Cpbjkn32.exe
4012	Ckgohf32.exe
3716	Ckjknfnh.exe
2984	Ddkbmj32.exe
572	Dbocfo32.exe
5008	Doccpcja.exe
3056	Fbplml32.exe
2664	Foclgq32.exe
5084	Fqeioiam.exe
1640	Fecadghc.exe
4624	Gnnccl32.exe
444	Gaqhjggp.exe
4996	Geoapenf.exe
3212	Gngeik32.exe
4192	Hbgkei32.exe
4868	Hpmhdmea.exe
3424	Hnbeeiji.exe
3448	Ibqnkh32.exe
1988	Ibcjqgnm.exe
3200	Ihpcinld.exe
3104	Iajdgcab.exe
4820	Jidinqpb.exe
2192	Jpegkj32.exe
3676	Kedlip32.exe
4356	Kekbjo32.exe
1588	Kiikpnmj.exe
2240	Lebijnak.exe
4404	Lomjicei.exe
5044	Lckboblp.exe
552	Loacdc32.exe
4536	Mledmg32.exe
5032	Mjlalkmd.exe
1912	Nblolm32.exe
5012	Nckkfp32.exe
1144	Ncmhko32.exe
5132	Nqaiecjd.exe
5172	Nimmifgo.exe
5212	Obgohklm.exe
5256	Ofegni32.exe
5300	Ocihgnam.exe
5340	Ofjqihnn.exe
5380	Obqanjdb.exe
5420	Pqbala32.exe
5460	Pimfpc32.exe
5500	Pbekii32.exe
5540	Pafkgphl.exe
5572	Pplhhm32.exe
5620	Pmphaaln.exe
5660	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcjqgnm.exe	Ibqnkh32.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Mlmadjhb.dll	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Ddkbmj32.exe	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Lacaea32.dll	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Doccpcja.exe	Dbocfo32.exe
File created	C:\Windows\SysWOW64\Fqeioiam.exe	Foclgq32.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Hbgkei32.exe	Gngeik32.exe
File created	C:\Windows\SysWOW64\Blnfhilh.dll	Gngeik32.exe
File created	C:\Windows\SysWOW64\Heffebak.dll	Ihpcinld.exe
File created	C:\Windows\SysWOW64\Doccpcja.exe	Dbocfo32.exe
File created	C:\Windows\SysWOW64\Inmdohhp.dll	Kedlip32.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Cpiijfll.dll	Ibcjqgnm.exe
File opened for modification	C:\Windows\SysWOW64\Mjlalkmd.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Nckkfp32.exe	Nblolm32.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Ofegni32.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Ibqnkh32.exe	Hnbeeiji.exe
File created	C:\Windows\SysWOW64\Hmjbog32.dll	Jidinqpb.exe
File opened for modification	C:\Windows\SysWOW64\Obqanjdb.exe	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Pimfpc32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Khnhommq.dll	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Loacdc32.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Nblolm32.exe	Mjlalkmd.exe
File opened for modification	C:\Windows\SysWOW64\Nckkfp32.exe	Nblolm32.exe
File created	C:\Windows\SysWOW64\Eehnaq32.dll	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
File created	C:\Windows\SysWOW64\Dgpamjnb.dll	Geoapenf.exe
File opened for modification	C:\Windows\SysWOW64\Kedlip32.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Pplhhm32.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Pcmdgodo.dll	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Fbplml32.exe	Doccpcja.exe
File opened for modification	C:\Windows\SysWOW64\Kiikpnmj.exe	Kekbjo32.exe
File opened for modification	C:\Windows\SysWOW64\Hnbeeiji.exe	Hpmhdmea.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Lomjicei.exe
File opened for modification	C:\Windows\SysWOW64\Fbplml32.exe	Doccpcja.exe
File created	C:\Windows\SysWOW64\Cidcnbjk.dll	Foclgq32.exe
File created	C:\Windows\SysWOW64\Gngeik32.exe	Geoapenf.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Maenpfhk.dll	Obgohklm.exe
File created	C:\Windows\SysWOW64\Foclgq32.exe	Fbplml32.exe
File created	C:\Windows\SysWOW64\Hnbeeiji.exe	Hpmhdmea.exe
File created	C:\Windows\SysWOW64\Kedlip32.exe	Jpegkj32.exe
File opened for modification	C:\Windows\SysWOW64\Fecadghc.exe	Fqeioiam.exe
File opened for modification	C:\Windows\SysWOW64\Loacdc32.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Nblolm32.exe
File created	C:\Windows\SysWOW64\Ncmhko32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Pqolaipg.dll	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Ckgohf32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjknfnh.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Ocihgnam.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Jicchk32.dll	Lebijnak.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5720	5660	WerFault.exe	152

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehenqf32.dll"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpgoem.dll"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdoljdi.dll"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geoapenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iajdgcab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geoapenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iajdgcab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fecadghc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gngeik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll"	Doccpcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll"	Hbgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidinqpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihpcinld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gngeik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doccpcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcnbjk.dll"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbplml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 3244	2688	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe	101
PID 2688 wrote to memory of 3244	2688	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe	101
PID 2688 wrote to memory of 3244	2688	05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe	101
PID 3244 wrote to memory of 3416	3244	Cpmapodj.exe	102
PID 3244 wrote to memory of 3416	3244	Cpmapodj.exe	102
PID 3244 wrote to memory of 3416	3244	Cpmapodj.exe	102
PID 3416 wrote to memory of 4012	3416	Cpbjkn32.exe	103
PID 3416 wrote to memory of 4012	3416	Cpbjkn32.exe	103
PID 3416 wrote to memory of 4012	3416	Cpbjkn32.exe	103
PID 4012 wrote to memory of 3716	4012	Ckgohf32.exe	104
PID 4012 wrote to memory of 3716	4012	Ckgohf32.exe	104
PID 4012 wrote to memory of 3716	4012	Ckgohf32.exe	104
PID 3716 wrote to memory of 2984	3716	Ckjknfnh.exe	105
PID 3716 wrote to memory of 2984	3716	Ckjknfnh.exe	105
PID 3716 wrote to memory of 2984	3716	Ckjknfnh.exe	105
PID 2984 wrote to memory of 572	2984	Ddkbmj32.exe	106
PID 2984 wrote to memory of 572	2984	Ddkbmj32.exe	106
PID 2984 wrote to memory of 572	2984	Ddkbmj32.exe	106
PID 572 wrote to memory of 5008	572	Dbocfo32.exe	107
PID 572 wrote to memory of 5008	572	Dbocfo32.exe	107
PID 572 wrote to memory of 5008	572	Dbocfo32.exe	107
PID 5008 wrote to memory of 3056	5008	Doccpcja.exe	108
PID 5008 wrote to memory of 3056	5008	Doccpcja.exe	108
PID 5008 wrote to memory of 3056	5008	Doccpcja.exe	108
PID 3056 wrote to memory of 2664	3056	Fbplml32.exe	109
PID 3056 wrote to memory of 2664	3056	Fbplml32.exe	109
PID 3056 wrote to memory of 2664	3056	Fbplml32.exe	109
PID 2664 wrote to memory of 5084	2664	Foclgq32.exe	110
PID 2664 wrote to memory of 5084	2664	Foclgq32.exe	110
PID 2664 wrote to memory of 5084	2664	Foclgq32.exe	110
PID 5084 wrote to memory of 1640	5084	Fqeioiam.exe	111
PID 5084 wrote to memory of 1640	5084	Fqeioiam.exe	111
PID 5084 wrote to memory of 1640	5084	Fqeioiam.exe	111
PID 1640 wrote to memory of 4624	1640	Fecadghc.exe	112
PID 1640 wrote to memory of 4624	1640	Fecadghc.exe	112
PID 1640 wrote to memory of 4624	1640	Fecadghc.exe	112
PID 4624 wrote to memory of 444	4624	Gnnccl32.exe	113
PID 4624 wrote to memory of 444	4624	Gnnccl32.exe	113
PID 4624 wrote to memory of 444	4624	Gnnccl32.exe	113
PID 444 wrote to memory of 4996	444	Gaqhjggp.exe	114
PID 444 wrote to memory of 4996	444	Gaqhjggp.exe	114
PID 444 wrote to memory of 4996	444	Gaqhjggp.exe	114
PID 4996 wrote to memory of 3212	4996	Geoapenf.exe	115
PID 4996 wrote to memory of 3212	4996	Geoapenf.exe	115
PID 4996 wrote to memory of 3212	4996	Geoapenf.exe	115
PID 3212 wrote to memory of 4192	3212	Gngeik32.exe	116
PID 3212 wrote to memory of 4192	3212	Gngeik32.exe	116
PID 3212 wrote to memory of 4192	3212	Gngeik32.exe	116
PID 4192 wrote to memory of 4868	4192	Hbgkei32.exe	117
PID 4192 wrote to memory of 4868	4192	Hbgkei32.exe	117
PID 4192 wrote to memory of 4868	4192	Hbgkei32.exe	117
PID 4868 wrote to memory of 3424	4868	Hpmhdmea.exe	118
PID 4868 wrote to memory of 3424	4868	Hpmhdmea.exe	118
PID 4868 wrote to memory of 3424	4868	Hpmhdmea.exe	118
PID 3424 wrote to memory of 3448	3424	Hnbeeiji.exe	119
PID 3424 wrote to memory of 3448	3424	Hnbeeiji.exe	119
PID 3424 wrote to memory of 3448	3424	Hnbeeiji.exe	119
PID 3448 wrote to memory of 1988	3448	Ibqnkh32.exe	120
PID 3448 wrote to memory of 1988	3448	Ibqnkh32.exe	120
PID 3448 wrote to memory of 1988	3448	Ibqnkh32.exe	120
PID 1988 wrote to memory of 3200	1988	Ibcjqgnm.exe	121
PID 1988 wrote to memory of 3200	1988	Ibcjqgnm.exe	121
PID 1988 wrote to memory of 3200	1988	Ibcjqgnm.exe	121
PID 3200 wrote to memory of 3104	3200	Ihpcinld.exe	123

C:\Users\Admin\AppData\Local\Temp\05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe
"C:\Users\Admin\AppData\Local\Temp\05904bb7b8c114a5a72f7a1daceb7967d6089586b77ffbc4835db61d923f09bd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Cpmapodj.exe
  C:\Windows\system32\Cpmapodj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SysWOW64\Cpbjkn32.exe
    C:\Windows\system32\Cpbjkn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\Ckgohf32.exe
      C:\Windows\system32\Ckgohf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        51⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 416
        52⤵
        Program crash
        
        PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5660 -ip 5660
1⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:5688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
89KB

MD5
39c75a20697c092b57f7cb328c3be834

SHA1
1cbec2877b97ff9f3eca9844f34ef722af025651

SHA256
2b55af18eebd08725eea6f44538bc375ef6aec155e5f60e7338f0fab0fe8d4af

SHA512
8ab259cf23288d6d881e8e64c99a68d63178a1f2db9f72cff83ad99b2378262546a315542b717a020f749bdc7ebf1b05b3275db1f6c3ec8b385d4ed5c83b10af

Download Submit
C:\Windows\SysWOW64\Ckjknfnh.exe

Filesize
89KB

MD5
f3634526c035efaac62e416923f16fde

SHA1
5892a52bfbf2971028d02e82f30a55da3233b780

SHA256
4b2e3009258fb26bd8e9844a5eb51fff9b94bcba7cca3b30c5f9af9e1c0a533c

SHA512
6c8ef3c8a2b323f5e62675513a9296ad7f6b64375d2e75d17d391a5a9444797e30d9d02984e1f98b32102fab11f4f1b947f25461456f88fb9d88201e11321351

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
89KB

MD5
38bd66136921e6e6aeb7f9c67e07c277

SHA1
785e1f79d9316b58161ea21ab5562b681e6a302d

SHA256
30517ec9e36edb5ecaf9daa895ef299a5cc761a4ad8cd5b6fb436228ae5f0f0b

SHA512
bfe4950418d770454b75cd441c43d10061eac395f292bdc2860184fa5d907182f641b040434d99573ecead6324b51b0c6278f8341557e004c76d825a2900123d

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
89KB

MD5
5a28f22bff4060930ba4dfb6d2aa8a79

SHA1
feb9c86fa313f9e7da3f574c48e6673b4dc98824

SHA256
7d4070abe2f27b08159cf0fa192d61dc6780dd0527f99f1372f23d8e76a468e0

SHA512
3caadd3d115e68c1962569bb6c0d9655f23703f61db089ec79e7280adcd08cad2cae05bc6fee825d652224410823fd38a7820487e67c27133d35c7a4249b42b0

Download Submit
C:\Windows\SysWOW64\Dbocfo32.exe

Filesize
89KB

MD5
20d35284e0469b514847c4cb26ecb94b

SHA1
a85ccec1b2a63932fff1d81befbf7abd9f43a6bf

SHA256
9eda67a0697e2ea1f4b10299b2de43c22af1644d7de2ec9661e6175fc3e10cda

SHA512
85d7314ff0411b41fd8abf3ffb716407e293efc8aed1e0eb1f81bb31344be6deec9deaa5fb8e4638faca2db88ec27572e653b986e21105a79cad957d98c4301e

Download Submit
C:\Windows\SysWOW64\Ddkbmj32.exe

Filesize
89KB

MD5
cbe62f738ac10f4379e9ac18c53929b1

SHA1
6c4911f672b27b387fb9caff9ff70e736e9f88cd

SHA256
f9f0cfac2392fbb31c717650da62d6d210ad318d4e78daa3bf3584b304c342c1

SHA512
b06bb930d3596d4c6417e204492be6e76e7e4b060e26a1332a9d57a9463443431eaffe1fa8b037cc51f0e44edadcea06541cb6e950680644d6dddc88c9dc0a82

Download Submit
C:\Windows\SysWOW64\Doccpcja.exe

Filesize
89KB

MD5
1f0d4ba09643bdbb3b0ea12eb460da3c

SHA1
21d6f49188fcc1959b5cd64525cc0ad202e65716

SHA256
2a1c418427486dcc28cacfa091e742245784b39d33a6d3691f4562bf52edd837

SHA512
065c0fb5de76ec6c370ed7584442ec196a3ff9d097ce4456f1566c40b0897026119c55f72a8c579f04e449e35e7a9ba2845e2c8030de615ee26a47b8e218243f

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
89KB

MD5
31aa64b3657cc2a47be7a7d9d1d8e262

SHA1
8f76f354b6f0b18f369ecacab35b6350df4e69af

SHA256
cf27c88df77080157e52677c3b48e542692ce781f0597bba3be6dbdd789f54e6

SHA512
4a6e5d125b4f637a4056fc6a06f2afabd496c42e433b7a7f9f8cbf96209c97466cd5671b5256d3a9fa98591d63cdbdba9a75d3bf524a76d3b556db95e65ddc38

Download Submit
C:\Windows\SysWOW64\Fecadghc.exe

Filesize
89KB

MD5
2136cac03f95d1fdfc8502bb6bd250cb

SHA1
133819421161f8aeef23fe97cb673a1114817412

SHA256
935516ee639b934e990af4b49769cdf2499a01d18d9048d4fa72f1c2f2ff0ff7

SHA512
fbd03adefa5be4a4622e29f61cbafad20afafcb69f63a7a757d18c7ad194bbb399e0c1ddb4b2d2709fe359ece3a6f9e59882a2b820456f442d302e7e335c5342

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
89KB

MD5
b15cf0f3c5b1f278a3fb1b416c4b8f62

SHA1
3153fdd3c7fffd0399eb02262bac66eadf50f21a

SHA256
5befd9d1c50ffd21b0091fb4881968dfb3adfe8a079e3d764c4cb865d7630d8b

SHA512
84a2de4a761879f5f313af82055f8706d9a3fa2584a79d1c0a060ef3fa10b549ca50804375463d89043eae5960290e4616a84db9507830c32c6cf39e507383ea

Download Submit
C:\Windows\SysWOW64\Fqeioiam.exe

Filesize
89KB

MD5
e72dbd6d3fb9e065636c038f1bf6c6c2

SHA1
c9b9f063c05175be91b4f50d908d7aa1a6a14da9

SHA256
93fe7b532f53102ed5f68adb113873e23f5a25abb8d470b76ad395fe88bce232

SHA512
3f9cbef010989f2d7603c71873e8f3bd0a757db9a84f450f8babbc7f5138cf5e4a127393a8a6b33bbc62e3dd69c46e1478b078ed6679d9346d1ccdb38b5612dc

Download Submit
C:\Windows\SysWOW64\Gaqhjggp.exe

Filesize
89KB

MD5
ca9798fe819598ca88cf812023c59db0

SHA1
4cfa0b7009ec4669d7b7ef90e74fe252dcaa5acd

SHA256
84befc760a125189071f4aba8b9b8b2cbe70c2ba4217b8135831ea1b01a658f3

SHA512
4f35546cb39bbff4214ce30c242be91861a1222e1d2dba2cc3a2f721b9c2197b33e448316d47dac99ae201f636477efe8370e17291915fe6dfc1cd065a776fca

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
89KB

MD5
b8ef32f4b93505a681315d378d50e003

SHA1
2369cf19758afb17388272ea5b0e1ecd3291ea5d

SHA256
f74bbfdf4bdfee9b3d92438219c1e3c6f9690a55993ce2e40dc0927327638289

SHA512
cf1733231435825077d2f8dbb6d68a74279a44e386d79ea38cc161a4edeeecf24d61fe7fab627e42314625ccbe9feb901d3326216b2590e0b4ff8e93b5269bff

Download Submit
C:\Windows\SysWOW64\Gngeik32.exe

Filesize
89KB

MD5
53237585b68b8630143056ab74e3afd7

SHA1
5c594a3f5e94085b4ae6a59f77941367bb331279

SHA256
165a836ecf8d8e8cb63fdddc1d5b630fcedf74bb452b7180df8e468e40c4799f

SHA512
ffaecc0da20d1d868110ded1f0e1c63155e5da8767d87ee0bf0e29df70e0a7c8ee56d28c60ac15d6f57cefeef5e33c150ae086aa360347aa52cea6f12e4a5426

Download Submit
C:\Windows\SysWOW64\Gnnccl32.exe

Filesize
89KB

MD5
3cfdcd9dcedc46fb8f3545ea94cb94de

SHA1
16f6e124393782b9839c01db71b1103a41407e9a

SHA256
1ed1700dddc44583dcc8131bc77146cda1869c1989e10cab722daaa84c4f8454

SHA512
134c7eb3870467d4b1a4f77b6a4533bdf2af17948b1d1afc8d79e152c731436319d3d856e464532733ad34dfa653dbe610af1e3ee66625d576a59660d8cc1547

Download Submit
C:\Windows\SysWOW64\Gnnccl32.exe

Filesize
64KB

MD5
6cbd425da3a02f71ec5617ec4a1a2131

SHA1
4378e844e62eae8c2501841db4c7ab20a88ced93

SHA256
a249d6d71b902f629152089810021f17b03d863fc64a2bbd336419f8efb4bc0b

SHA512
1094198fbae68288c2aac323bc6f7ff673f1790f25b24ec5014069ef417df010ff1c608c14d346529bf5aabb98fa0674c5ba6255f2028caffc02d13dfdf08d42

Download Submit
C:\Windows\SysWOW64\Hbgkei32.exe

Filesize
89KB

MD5
0ed0c182d3de39957ce477d2f20ac586

SHA1
6bd8ad64dc7accb4522aa9bd2593d28a2c562da1

SHA256
4f604673008bc8739f85a1bae9b2518ce99028886d660612e03676844a7d278c

SHA512
a39c6eebd2084b8a6ca775e8ad75786a2e5253551c9a6b67b7506c69b3e4ddd1ecffff48c466b92e63b67f24404f3d537c074b80e322f2b4cdd988632291d1dc

Download Submit
C:\Windows\SysWOW64\Hnbeeiji.exe

Filesize
89KB

MD5
3bb2beb4ec7324e65a350ad2295e3cf5

SHA1
22cee88c18510a295d6c426cef5a8b238f6c4bde

SHA256
c064161c311eb1bd6f64b5ac1dc868e8084128012548bba4f01cba9777064322

SHA512
99b26a04a71caeaca65b6d9b97a0810a93a5a8b03697fea043be81cc2702dae307a950650c4ee6b8fa2dd669138005e77b170918edf75a3d06905b1c8cce0f16

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
89KB

MD5
c6b9abbb57e83466b0deeb65874e3255

SHA1
86d36ddb7483577b2fc8e2be43bdbbb8c47f8798

SHA256
a8eeefe30e6a513f7ed042507462571abc777af6047f93bdfd11b9be9de762b6

SHA512
9b138c2681a4283e4b0824b656b3e480c3bf4cb80cda915f16485914e33b01a9b761f2d4860b0d87c2eff63233fd8f1f4b6b38bcdb9e631e4eb2302e46c9cff3

Download Submit
C:\Windows\SysWOW64\Iajdgcab.exe

Filesize
89KB

MD5
2ce62963181b7af52d3f5f55a97ffe0c

SHA1
70fa1a30fb0d4b3dbb23083a8d18383a9a9a10c1

SHA256
36d4c0b7ae93bca14c3161a47c42e11551c10a36659c0890f0359777cfdbbc5e

SHA512
fdac4e273e181c980accd51e12a9c86886205cd79b632ccc84a537febd91cf5111e9d30041480aee93b7aa0a69389070d0c0dd18cb1f1eda055a810e3c761067

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
89KB

MD5
3f4dfcb11313fac9225ba730f14b2d05

SHA1
d301ede1cbc12783a2088849a7c15cd7cf8d9734

SHA256
e90b34affc407d6fcff805837b0c8b42671dff358660849ff18aacfda14d8965

SHA512
044699e388fa3d7a8b515d1a5b49a58386fef2e4987af3ee129198601faea039d5b1a74c9aa61b2e24c673f8be9e6ca6f4737d27c736803c5d1586f0644a8af4

Download Submit
C:\Windows\SysWOW64\Ibqnkh32.exe

Filesize
89KB

MD5
af44126e162808ce93ff6481fb0cec1b

SHA1
2e512bcb254e02a76af8c6466dba470ffa8414d7

SHA256
07d34b999b5c716b2e822902b10310e6e364f4fe8349b175fe58ee3d035669e3

SHA512
89f86892cdf157d4bea37ffd170b120c727128a6128812b7826008ca2b65d4eb363df550af95cefe33315f69bd999171af125174bd27fbc6a32b342c09e29a45

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
89KB

MD5
605d4a0995fb481761b32ba9fc6d3246

SHA1
837e4b9de9da12f22737fc91e1bbbb86d97e62d3

SHA256
68073f645587c04a21481f0e4aa1260bfd50757f69cb79f8300eab8377924ad6

SHA512
62281ed917e336336bcee35bd38fb15ced6c1bb1e357002fd7b7e25abbcc3d274bc9f0059ba3c538de1a977725bbbe15fccdeb663d748d1171f84247a8f74e0f

Download Submit
C:\Windows\SysWOW64\Jidinqpb.exe

Filesize
89KB

MD5
63b902bd88111e39828cfe64cd2f7a38

SHA1
4238f6192d18ed86fb8a08bc3c8a2b82a5147da7

SHA256
a81e6705fce04e6f298cedad0e2a9533871fc888415c38961756aca489f05d66

SHA512
4dc4d8d1ebca65efda03b9f4fabfd96e0cf6bcdf3b19e6c295893e289eb959e79fee023e983ab9f39bf92bc40fec53fea3b9d4e6e108770781b83dbfc2e53003

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
89KB

MD5
9c5ae57006499ab25449a8df8ce9b0da

SHA1
4e93a7aa41f36a04084c0505b3a301e408a89d63

SHA256
64520b7a383057342e57f553d6ca1877ea792686a3bd38c7bd7e755b77718553

SHA512
b8dcd651fcb6fe16912587c2faf8befed2a622e35cb1a9e73f61dfde661451f078345bc647446c6f1aee50515a403b80fbc6acf07c6406e0531ec25368ef64d5

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
89KB

MD5
a49d51e4e1203e0cd65d8b15dc350ca8

SHA1
fdb8594f2d250e5266da0645b9e45f97c8f493dd

SHA256
f4cc3ef1e9584be373a6b7bf1bd9ecbfebd2599868e40fbbefd6e482e22bcc5b

SHA512
779031a30d2122e3a56a99820886d2df49e1898f0dd5106bfaefe33dbf007755c995f199cb094490b3dc9b9673ae65485522deebd2e6572d7966b75ba8cd2b26

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
89KB

MD5
dd6bcd3cc3055ca5d99633fa8886f12a

SHA1
89f43f878e7378ad15d8aee28fdf019794719af0

SHA256
5e3719d38289ffc0229fd6166837acdf158fb088bcfeaf8c38b04b8eaf8eff71

SHA512
ed9e55b0bb431f5e0dba51294e080d9ce877a303a32cb17deeaf09ce7f54c960619fbbe93e425aace070e9a7b21ff8654ee13d6f0ff19e3c4d81f0da7743115a

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
89KB

MD5
ce03ffaa9dbb3f0e573a83d96e08733f

SHA1
58f9439aca08b80eb796b7d1ea475f441cbd3739

SHA256
997e188c5fe4512ade05860f9d74edcf5414172a055375cbdc84fb9503eaee20

SHA512
5db906390b433aacaa61fee58ff04daafa6a31c14928c705097bf8fff0e3847914968619e5fc16d97b74a3fcc72c800abe3c6e3be3a188a5d09515b711cdb980

Download Submit
C:\Windows\SysWOW64\Lacaea32.dll

Filesize
7KB

MD5
bf82c021bbed0e3993d23c023a5f6008

SHA1
39ca76d8e80e1d9027fbd3e6d0edf7c7f4138f1d

SHA256
2afbd69a48e1b7db74f48ade2a4ecfd8a90c9891a57e6927d1fcd501e796fba9

SHA512
35852b1b5735dc46d4c4c7ccc27894d894527e05c3af05762da55af04ae13401971ad79aa71989641db9f39098876b99bce07dc173ad26e25d2a97a4fe813b9a

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
89KB

MD5
927d85625afde9195d04458cc52f38f4

SHA1
a0bf867acf279ef79a3ea8a045adb6d86fa9ef74

SHA256
1431f255658ff7e9f2372ec2b9d6226da2b1ead13bf22607d9b10555f40e72ba

SHA512
3c576a8ec44e00874a9871f8a7089fa1efa62a56a59227f67b01e12dda396bd6eb4434200b23eea8efdfd8fffdaad602939c64e908d9c8c07500c96d751b080a

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
89KB

MD5
80544daaccf79cc2763f893215770f5d

SHA1
b67739f314bd4d962ce5b3de1a29d121f4dbcd1a

SHA256
de889305550e310bf83097083b7ec4621254826f1f1c6e1badf100ed77b8011a

SHA512
b49fc7c2f7717fe85996a6cc276e0dfef8bfc04287869d12875ac8350556e6c5a62739c181a62325d20d0682787f3805f258fd063ca1b4d489a4aee9997798e7

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
89KB

MD5
e5037ab9c79b37b0f1d9b8999454558c

SHA1
bf9fe8fd404ba6e8bc62de5dcd7227d0e5c6583c

SHA256
9368fedd2f53ec145847e4e20baaf491a1cbe67a60b04b4bf23e288f5ac07c36

SHA512
1016bc84eabba23979fc3b4ee96925720ec9d001060f174c379179ec35c40daa2b76313a68e4353fd2dc9f291148dbe329197458f4cd3f6922a6537ff0aa45e5

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
89KB

MD5
efd2f33fc949aa11a0de77c97700bf3f

SHA1
74ab7ed294261b18506bcc028b016c3e34fb43d0

SHA256
f23acda278700ccf5af004ff547dc1bf180ff376b6864266ed0bfd219ee7c6cc

SHA512
cd061993ab09810c83a213e7ba3fcbe5a822ce499e486bc128e5c5bb9ed9ac91b38e233112bfe06f6b5fb02f5949314ecb6c47f66a78eb005d3ed122955365cc

Download Submit
C:\Windows\SysWOW64\Mledmg32.exe

Filesize
89KB

MD5
a5301c01eb6827c026fdb37cdbdccfec

SHA1
611fc5a1cfffaf7c140d4ce9d274c13003301cba

SHA256
8a3b93f62ccc755447273eba0208b2be991882f8c5e288e138b49bd764813908

SHA512
1a5a56aceac9291dabc287da8c23954f129d0971c36c702d10c419e5449d966e3700c9e1d03c19156d8190f1597a533e9727c0c99dd5c3eb65221c41e835d64c

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
89KB

MD5
fc5172f6a72fdad8d62c70430af1cbd5

SHA1
651ed3b812d0aa8368a6ace2da8ab60b0f7cf32d

SHA256
bcfc9ee5171c608a3dd48d13c99cb5332b463629e66b6b19164690de99993ed7

SHA512
a6b74b333fb951c56f6988373413382687793056e4f1c668423ad87f46284d4853aecec2cce9bed2eb23f36aa87bc5d7f181a7fe89a6a71f9d0d76f34ec81190

Download Submit
memory/444-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/572-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3424-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5212-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5212-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5256-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5256-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5300-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5300-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5340-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5340-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5380-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5420-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5420-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5460-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5460-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5500-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5500-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5540-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5572-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5572-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5620-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5660-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5660-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads