8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 23:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
Size

487KB
MD5

39716fba3a6357a37c2ba049ae3a170a
SHA1

aa34e746fba57082c441fe49ef353efa93e289f4
SHA256

8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb
SHA512

230470d606b667030289c8cc8f2945b6b6dc800292044723de4bc252d9c9491d2c040a6a9d6154bb3dcbbd11850b0c58b156adefa38a065924d583ae95b587e1
SSDEEP

6144:CDKts3CauZAGbM2yJT///NR5f7DM2y/JAQ///NR5fLYG3eujPQ///NR5f:CDKtunoM1z/NzDMTx/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igdgglfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfnfjehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcgiefen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfnfjehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibaeen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcekpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jinboekc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfeljd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoclopne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibaeen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlpfhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoclopne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe

UPX dump on OEP (original entry point) 39 IoCs

resource	yara_rule
behavioral2/files/0x000800000002326a-7.dat	UPX
behavioral2/files/0x000800000002326e-15.dat	UPX
behavioral2/files/0x0008000000023272-24.dat	UPX
behavioral2/files/0x0007000000023275-32.dat	UPX
behavioral2/files/0x0007000000023277-39.dat	UPX
behavioral2/files/0x0007000000023279-47.dat	UPX
behavioral2/files/0x000700000002327b-55.dat	UPX
behavioral2/files/0x000700000002327d-63.dat	UPX
behavioral2/files/0x000700000002327f-71.dat	UPX
behavioral2/files/0x0007000000023281-79.dat	UPX
behavioral2/files/0x00020000000227ea-87.dat	UPX
behavioral2/files/0x0007000000023283-96.dat	UPX
behavioral2/files/0x0007000000023285-103.dat	UPX
behavioral2/files/0x00030000000227e7-111.dat	UPX
behavioral2/files/0x0007000000023288-119.dat	UPX
behavioral2/files/0x000700000002328a-127.dat	UPX
behavioral2/files/0x000700000002328c-135.dat	UPX
behavioral2/files/0x000700000002328e-143.dat	UPX
behavioral2/files/0x0007000000023290-151.dat	UPX
behavioral2/memory/4256-153-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x0007000000023292-160.dat	UPX
behavioral2/files/0x0007000000023295-167.dat	UPX
behavioral2/memory/1724-168-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x0007000000023297-176.dat	UPX
behavioral2/files/0x0003000000022d25-183.dat	UPX
behavioral2/files/0x000700000002329a-191.dat	UPX
behavioral2/files/0x0004000000022d20-199.dat	UPX
behavioral2/files/0x000700000002329d-207.dat	UPX
behavioral2/files/0x000700000002329f-215.dat	UPX
behavioral2/files/0x00070000000232a1-223.dat	UPX
behavioral2/files/0x00070000000232a3-231.dat	UPX
behavioral2/files/0x00070000000232a5-240.dat	UPX
behavioral2/files/0x00070000000232a7-247.dat	UPX
behavioral2/files/0x00070000000232a9-254.dat	UPX
behavioral2/memory/2536-255-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x00070000000232b9-298.dat	UPX
behavioral2/memory/4168-293-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/224-285-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/1816-309-0x0000000000400000-0x000000000047B000-memory.dmp	UPX

Executes dropped EXE 52 IoCs

pid	Process
1496	Hlpfhe32.exe
312	Hmpcbhji.exe
3924	Hoclopne.exe
1364	Ibaeen32.exe
4272	Iedjmioj.exe
1556	Igdgglfl.exe
1720	Ilcldb32.exe
2140	Jenmcggo.exe
2384	Jepjhg32.exe
3100	Jinboekc.exe
2052	Komhll32.exe
3480	Klcekpdo.exe
3792	Kncaec32.exe
3032	Kfnfjehl.exe
3432	Lfeljd32.exe
2108	Lgdidgjg.exe
1988	Lgibpf32.exe
4300	Mogcihaj.exe
4256	Mgphpe32.exe
4932	Mcgiefen.exe
1724	Mmpmnl32.exe
4144	Ncnofeof.exe
4848	Nncccnol.exe
4640	Nmkmjjaa.exe
4480	Offnhpfo.exe
936	Oclkgccf.exe
4476	Ofmdio32.exe
4748	Paeelgnj.exe
1332	Phajna32.exe
3584	Pnplfj32.exe
4216	Qjfmkk32.exe
2536	Qdoacabq.exe
3148	Adcjop32.exe
2184	Aoioli32.exe
4976	Agdcpkll.exe
2344	Aaldccip.exe
224	Agimkk32.exe
4168	Bdmmeo32.exe
1708	Bkgeainn.exe
1568	Bpdnjple.exe
1816	Bacjdbch.exe
4768	Bmjkic32.exe
3732	Bhpofl32.exe
4012	Cpmapodj.exe
3828	Cgifbhid.exe
800	Cglbhhga.exe
4632	Cdpcal32.exe
840	Coegoe32.exe
4452	Cgqlcg32.exe
1480	Dddllkbf.exe
4964	Dahmfpap.exe
3724	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kncaec32.exe	Klcekpdo.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Difebl32.dll	Mogcihaj.exe
File opened for modification	C:\Windows\SysWOW64\Ncnofeof.exe	Mmpmnl32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Coegoe32.exe
File created	C:\Windows\SysWOW64\Lblldc32.dll	Ibaeen32.exe
File opened for modification	C:\Windows\SysWOW64\Ilcldb32.exe	Igdgglfl.exe
File opened for modification	C:\Windows\SysWOW64\Mgphpe32.exe	Mogcihaj.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Phajna32.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Hlpfhe32.exe	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
File opened for modification	C:\Windows\SysWOW64\Kncaec32.exe	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Mmpmnl32.exe
File created	C:\Windows\SysWOW64\Gaagdbfm.dll	Oclkgccf.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Ilcldb32.exe	Igdgglfl.exe
File created	C:\Windows\SysWOW64\Eanmnefk.dll	Lfeljd32.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Nncccnol.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Lgibpf32.exe	Lgdidgjg.exe
File opened for modification	C:\Windows\SysWOW64\Lgibpf32.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Lpmkebjc.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Mgphpe32.exe	Mogcihaj.exe
File opened for modification	C:\Windows\SysWOW64\Offnhpfo.exe	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Agdcpkll.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Gpcpel32.dll	Jinboekc.exe
File created	C:\Windows\SysWOW64\Dckajh32.dll	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Klcekpdo.exe	Komhll32.exe
File created	C:\Windows\SysWOW64\Nmkmjjaa.exe	Nncccnol.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Agdcpkll.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Hlpfhe32.exe	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
File created	C:\Windows\SysWOW64\Ibdlakbf.dll	Hlpfhe32.exe
File created	C:\Windows\SysWOW64\Fogmlp32.dll	Hmpcbhji.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Agimkk32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Hoclopne.exe	Hmpcbhji.exe
File opened for modification	C:\Windows\SysWOW64\Kfnfjehl.exe	Kncaec32.exe
File created	C:\Windows\SysWOW64\Bdmlme32.dll	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Clahmb32.dll	Lgdidgjg.exe
File opened for modification	C:\Windows\SysWOW64\Nncccnol.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Ljcpchlo.dll	Igdgglfl.exe
File opened for modification	C:\Windows\SysWOW64\Lgdidgjg.exe	Lfeljd32.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Mcgiefen.exe	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Mmpmnl32.exe	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Komhll32.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Pgpecj32.dll	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Mogcihaj.exe	Lgibpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3616	3724	WerFault.exe	146

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogmlp32.dll"	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll"	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clahmb32.dll"	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll"	Igdgglfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll"	Jepjhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll"	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieijp32.dll"	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll"	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcgiefen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddipic32.dll"	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcpel32.dll"	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll"	Hoclopne.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1496	3412	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe	95
PID 3412 wrote to memory of 1496	3412	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe	95
PID 3412 wrote to memory of 1496	3412	8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe	95
PID 1496 wrote to memory of 312	1496	Hlpfhe32.exe	96
PID 1496 wrote to memory of 312	1496	Hlpfhe32.exe	96
PID 1496 wrote to memory of 312	1496	Hlpfhe32.exe	96
PID 312 wrote to memory of 3924	312	Hmpcbhji.exe	97
PID 312 wrote to memory of 3924	312	Hmpcbhji.exe	97
PID 312 wrote to memory of 3924	312	Hmpcbhji.exe	97
PID 3924 wrote to memory of 1364	3924	Hoclopne.exe	98
PID 3924 wrote to memory of 1364	3924	Hoclopne.exe	98
PID 3924 wrote to memory of 1364	3924	Hoclopne.exe	98
PID 1364 wrote to memory of 4272	1364	Ibaeen32.exe	99
PID 1364 wrote to memory of 4272	1364	Ibaeen32.exe	99
PID 1364 wrote to memory of 4272	1364	Ibaeen32.exe	99
PID 4272 wrote to memory of 1556	4272	Iedjmioj.exe	100
PID 4272 wrote to memory of 1556	4272	Iedjmioj.exe	100
PID 4272 wrote to memory of 1556	4272	Iedjmioj.exe	100
PID 1556 wrote to memory of 1720	1556	Igdgglfl.exe	101
PID 1556 wrote to memory of 1720	1556	Igdgglfl.exe	101
PID 1556 wrote to memory of 1720	1556	Igdgglfl.exe	101
PID 1720 wrote to memory of 2140	1720	Ilcldb32.exe	102
PID 1720 wrote to memory of 2140	1720	Ilcldb32.exe	102
PID 1720 wrote to memory of 2140	1720	Ilcldb32.exe	102
PID 2140 wrote to memory of 2384	2140	Jenmcggo.exe	103
PID 2140 wrote to memory of 2384	2140	Jenmcggo.exe	103
PID 2140 wrote to memory of 2384	2140	Jenmcggo.exe	103
PID 2384 wrote to memory of 3100	2384	Jepjhg32.exe	104
PID 2384 wrote to memory of 3100	2384	Jepjhg32.exe	104
PID 2384 wrote to memory of 3100	2384	Jepjhg32.exe	104
PID 3100 wrote to memory of 2052	3100	Jinboekc.exe	105
PID 3100 wrote to memory of 2052	3100	Jinboekc.exe	105
PID 3100 wrote to memory of 2052	3100	Jinboekc.exe	105
PID 2052 wrote to memory of 3480	2052	Komhll32.exe	106
PID 2052 wrote to memory of 3480	2052	Komhll32.exe	106
PID 2052 wrote to memory of 3480	2052	Komhll32.exe	106
PID 3480 wrote to memory of 3792	3480	Klcekpdo.exe	107
PID 3480 wrote to memory of 3792	3480	Klcekpdo.exe	107
PID 3480 wrote to memory of 3792	3480	Klcekpdo.exe	107
PID 3792 wrote to memory of 3032	3792	Kncaec32.exe	108
PID 3792 wrote to memory of 3032	3792	Kncaec32.exe	108
PID 3792 wrote to memory of 3032	3792	Kncaec32.exe	108
PID 3032 wrote to memory of 3432	3032	Kfnfjehl.exe	109
PID 3032 wrote to memory of 3432	3032	Kfnfjehl.exe	109
PID 3032 wrote to memory of 3432	3032	Kfnfjehl.exe	109
PID 3432 wrote to memory of 2108	3432	Lfeljd32.exe	110
PID 3432 wrote to memory of 2108	3432	Lfeljd32.exe	110
PID 3432 wrote to memory of 2108	3432	Lfeljd32.exe	110
PID 2108 wrote to memory of 1988	2108	Lgdidgjg.exe	111
PID 2108 wrote to memory of 1988	2108	Lgdidgjg.exe	111
PID 2108 wrote to memory of 1988	2108	Lgdidgjg.exe	111
PID 1988 wrote to memory of 4300	1988	Lgibpf32.exe	112
PID 1988 wrote to memory of 4300	1988	Lgibpf32.exe	112
PID 1988 wrote to memory of 4300	1988	Lgibpf32.exe	112
PID 4300 wrote to memory of 4256	4300	Mogcihaj.exe	113
PID 4300 wrote to memory of 4256	4300	Mogcihaj.exe	113
PID 4300 wrote to memory of 4256	4300	Mogcihaj.exe	113
PID 4256 wrote to memory of 4932	4256	Mgphpe32.exe	114
PID 4256 wrote to memory of 4932	4256	Mgphpe32.exe	114
PID 4256 wrote to memory of 4932	4256	Mgphpe32.exe	114
PID 4932 wrote to memory of 1724	4932	Mcgiefen.exe	115
PID 4932 wrote to memory of 1724	4932	Mcgiefen.exe	115
PID 4932 wrote to memory of 1724	4932	Mcgiefen.exe	115
PID 1724 wrote to memory of 4144	1724	Mmpmnl32.exe	116

C:\Users\Admin\AppData\Local\Temp\8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe
"C:\Users\Admin\AppData\Local\Temp\8ba38295aa061b785ad78106f39b2a72d4fcb2c9db9589e21e00159e76c6d0bb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\Hlpfhe32.exe
  C:\Windows\system32\Hlpfhe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\Hmpcbhji.exe
    C:\Windows\system32\Hmpcbhji.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Windows\SysWOW64\Hoclopne.exe
      C:\Windows\system32\Hoclopne.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        53⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 412
        54⤵
        Program crash
        
        PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3724 -ip 3724
1⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2432 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
487KB

MD5
a542e41d2cf266a8c05170133b856be3

SHA1
189b829ce10daa63348aaed07ce22311bfcb5aff

SHA256
7ac91812b4269e1cb4f5c0c2d4c739e3cb3ac7795d7fa1cde86f908b1037c33d

SHA512
839cee8f089792a7e617c2520377dd44c35ae1d17a25e94d87179ad4ce0ea530ca4c663f9461f67f50a51a619c8cdc272064f24404cd6b6c94210fd818c1fe6f

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
487KB

MD5
b4498e32af62d7a80fcf6aa5b9098bc4

SHA1
29f7ad105796f5cde85d32ef1a98c1477d94de4e

SHA256
cb4d1497177bd9d9c6164be1ad863930d34e22a94f05cc83f58193f1a43fd29f

SHA512
266b2bc8c8f3fab1304d4181ff24f76b7284f3104d39d6ed5290a9bc95364acea5a61ad56d5c11980c34712958d5f36f7dd0fbc7f86aa11b923449e8e21c6aed

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
487KB

MD5
5b0b0bb33328762ba023b2b3bb08c066

SHA1
4dd2786f84868fac6dd49605fb6babb194e90460

SHA256
c72a812379f220d196b88a4424d04a3e339cdbde71e96c69e0dcef4e66d23054

SHA512
095ffe79dba703ef81c02ff0dd3187ae8b123aaca17edff75641b4cf1390c09d22e06f9a9cd701fdbe3be12d227d16f22a0979732bb095e19e8c9df11b08329d

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
487KB

MD5
957dd3468573b5ce3751687552a1c668

SHA1
f72b804f6b4cf01bb3405f3be8bd4e4c6e4e98a6

SHA256
eab2b20b5b8eddaa47c54d4f43981f8484b50a66ba378645b9057866575aa5ff

SHA512
f194034b7b47b8c4236d362ae8c6954fb738ac0e0f3091952d83b33df32787d122daa21c90ae6ee93cd93edd0c99ee8e331274b2d97fbde3d3f0f5b7d2ed7d0d

Download Submit
C:\Windows\SysWOW64\Ibaeen32.exe

Filesize
487KB

MD5
a73da0c65a94ec3e7f80b351e45dadb1

SHA1
e32496db83f6060437598242a62be64720539f8a

SHA256
1853bcfd77a21e83afb822e950f79eaa755cf4fd2f72c2654f5b185cf08821f6

SHA512
74b3d7e269c47552542f00da929b2831c92124bcef84c396b9d5dca61657cc83b5ff641e82732e9fd78a5346b9613c9510917c7ac8938ac8dd653acb9827dd98

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
487KB

MD5
6e11c4754f40e1c91158d2911b845154

SHA1
0f3763116bcace4c812d78c1c421c97ef7d2ed8e

SHA256
c696c839cba87eac3ed3861690dd5f8a2934d40663a3e9e5251139756fd5d751

SHA512
65c4ecd0ef5161761318c0e25bf95f2fdd8f651a4e0e18bf4903d8837e67b7f2b31c72df4c8cfa8b321e15788a13246f0bc76186c5f4ebe294e30513c120020d

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
487KB

MD5
10fdfab7e3cc912d6aa5f3139b23c330

SHA1
693d9f6286f97c5c1d84875cf9dbebfba9acdab2

SHA256
8c5721162ae0a0f5a7dfeb55c22ef1bf649bc8bba256fcbe1954889c1bac3a77

SHA512
ad48768ad5b9be5f2dd8382c0bad078fdddf159e2130468ed967266f36ee22721d009dc3390a2795f51dfff1babc1a94b2358ed5df42919a2db4ced47dabde80

Download Submit
C:\Windows\SysWOW64\Ilcldb32.exe

Filesize
487KB

MD5
82a11a6de60a092893cddf32a7ef81e1

SHA1
64185dfaabb73061cb16a092a807b4476518642a

SHA256
4933c11fd301218ce227f1a5c4391dcde452d57db3a915f65de568b1e98ea9b5

SHA512
cdeecdb942cd7261e247c3f8de4ad3b57a42c1fa711fb1c735a1d2da092138aed51877c982adaf64e22a9933dfa594d89ffe21e7adeb12f9df72c5ca601e2319

Download Submit
C:\Windows\SysWOW64\Jenmcggo.exe

Filesize
487KB

MD5
d0b48a930acc7ba028ee2c50e58ed980

SHA1
b52cc817810d0b7b428b5418f2e2fafe9a6dcf3b

SHA256
6cca519b34ccaa56bf81ddb5e8cc6688d90b59d0452d27fd63067c60514f42d3

SHA512
b1f13c45b912d801a94613739a5aa41d1dcbe7c3d565709cc5b4c46248bbd9b8152c15ee8ae2a6ae4d41b77bdd44976c238a0c17cf56540ab39cce9769882006

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
487KB

MD5
b2e75d88c1d7beec96a81299ed9bc3fe

SHA1
cbf11f47807ecf6ee25fdc8e4cb74e1aa8843493

SHA256
9cd01c00a6af5f243b4d47b9a04c37179fdaf8dae59164c1865646820c15cf57

SHA512
152593e5110d3e0e353b8a7493cad9933500c5d9545470a30de5fa6be1177fb7e4c0e0f709d60ee634100b591e9082ba8cb5b7398a6d37df7ebd97726bdbff63

Download Submit
C:\Windows\SysWOW64\Jinboekc.exe

Filesize
487KB

MD5
47ab4c73b54ca35bf093bb268d03f198

SHA1
394dbf5009e72815b0ed2b5042e23ae1932a5a4b

SHA256
f8e7355a180c4733257ab36da60a934b1d9ec872c1a2de9bf206bbbe5ae1e43a

SHA512
fd08b48139428d8517e507a55ec49bc6d1619560d08b3d12f6ef727632e671496491fa5a5d02da35c5a7f18f9ce404b0d54f587801733fba89943a7ef717d0ee

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
487KB

MD5
027e012e06c3ab0f7ac8b121ab117e5f

SHA1
5c9aa0f3a565420f796b6620a11373a060f26071

SHA256
43fbc4322ea4463ab8cfb5fb060628211a94dd73db4854f47ee27a61b3b61a64

SHA512
29f743660ad16ec7788ae927d0d7538b6e1a90e96064e48cf0389d30493a32860a01f8d780a9228030333426808542013aced17da244cfca51f7010158cfce05

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
487KB

MD5
475888f06f0119687204dff003c075bc

SHA1
6d02143e9b78f1d1a4ca80834857ebe9ee41db2a

SHA256
78188dc86ac042917bafdf358d4907ab1c9ae885584d5d7e3dffe3a16d8dbd20

SHA512
d63c297f3765a20e7cb99ef6d32c412390800cd4013edb745f6dc994249e97c63b9d83f691cc4d91676dd7f691c32974ac3e51a3e413c4b92a1740150885c266

Download Submit
C:\Windows\SysWOW64\Kncaec32.exe

Filesize
487KB

MD5
02850195583f053e08a13d2fe687c7de

SHA1
4a99ad3ed82f85ca7eec75930523edd6d7eac403

SHA256
0cb84a04270671d8e1d26ca722a223287a7e094439cf980823411f85d5f3426c

SHA512
be1efb71698a34c0f2583a07c63c2ded0e72a2c57c1c8774dc85f0fed61c32bbf3634ac1b7301b04dc72831f10356283ca18ba9f333051925fdbd6bc14ebe0b7

Download Submit
C:\Windows\SysWOW64\Komhll32.exe

Filesize
487KB

MD5
e8af0df87914cd0ef1c7b7b255fa5972

SHA1
ca70a8de775526196b3351fb3c485e06c030ea15

SHA256
292bddc82497d3ed5556cac36d6632c7695b92a6ef91b3f029a69e886e8bce70

SHA512
9a85d132908a990265b8adc0cdf5892d61bf2085a3236fcc319699304f3813f21344ce8742243f92b1d8509b3f02a6701d0635c5dd02600639434bcf29bd3746

Download Submit
C:\Windows\SysWOW64\Lfeljd32.exe

Filesize
487KB

MD5
00be0883269ab2e2bf69e2c73cd294e7

SHA1
6a9a33ad4ddc59b5452417ca73fa7fdbedfbf8be

SHA256
06cb8718e4fee19e7c8ee67038cd1896ffe5bd72a558157fa559ce5b6327d573

SHA512
3ab4fdd330cb1286ac9c9a31672976ad24ecde86744abf3e212e0c01714cd07377b13dcb55215a1f690aae95b00a6df1e23141fe5de2bb7ec049ce73444723d0

Download Submit
C:\Windows\SysWOW64\Lgdidgjg.exe

Filesize
487KB

MD5
ba3e295ab68f40bf3d5e0fad3dd3d20c

SHA1
60a7da7fa351301b45601d23ec6be89a12148ef1

SHA256
102dd11bd2ce9ca3b36fb4234f71e7c7050c0ef891e4d34a740aa09f8a558a49

SHA512
2053a1dc77af3d557a7b5b63406d26470d25abb13fe5317c43d53e75acc07acb1e302f18e98cba0ad26b27f99d75b367977bcada2fcef32e94f2db59c216fafb

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
487KB

MD5
223f5f24cce6934b9c09a260cd5a1062

SHA1
4fd47a57443851daa543e54a6b04647d183121f3

SHA256
623ac93d0848bfdde50255828eb597fcfdee13ff1dc96027b8fbe1543e701c4a

SHA512
6792a32d6be52f72666ee659d81bd094614563e142b8c013d370c957c5899e8340d00a7d553b3f151587d0d6338dc9e0648114604b3fe1fc1b97f8e56199075b

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
487KB

MD5
2d0137fc7808858344290ce406390fa4

SHA1
b0073cf12c8c6ccfcbf75d2117ed6c047a79b570

SHA256
ae3fcf2033bf8256e615d812f8a5d3e9201c8a610c447e1aac4d37d876a46c3c

SHA512
f0e10652e620b68a5024ed2d6234ff2723871204db786b9c29601437decedbe39678cdeddcb80488c9bc9160cae0f292305f48934a8df558abd2b474f0ee68b9

Download Submit
C:\Windows\SysWOW64\Mgphpe32.exe

Filesize
487KB

MD5
d65fecb23873872e06a4f96bbdd5b86b

SHA1
93453774a0519502ffb62592d29feef60f9ca6a5

SHA256
b6dcc5054427f7a57617bed93da05cb953f0fdd071f32cb73a86d437d752a454

SHA512
4bdfa3413aea3cdc17b46db9c92d95478f7622a1d5c31a1b81311ac6b771c71ef700000934203860cef2f1f43f5c56eefca8cfaa0265f5156750165582d6e613

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
487KB

MD5
1500dd5ad59ddc8bd747249847d94e93

SHA1
39922adedeb2b861316b93ee6b9581a95306026b

SHA256
09e9312fdb8eaedd1bf2b59e1ff42f2df3bb0dbb8849e0b43b1daf7045605352

SHA512
c0dbf78a33cb070a99458c0eb59551e6776955d77a4533ecdeef0813c9cd8dde9d441a2d145bf8c7e500496f9b41745331d8c6f3d62d938a29409a89104052bb

Download Submit
C:\Windows\SysWOW64\Mogcihaj.exe

Filesize
487KB

MD5
06918d5231d449b5dae0edce4acbbde9

SHA1
5efd57dffd5e8ad5b8f3238d6aa90159520b9202

SHA256
8b6ff79f011944294dfe52ef2ad389251209bea156e9ecbcfd13d7052202b02f

SHA512
031eb0267dcdf3fdbe46bda34a471d27e68ea84aaa14bd739493164e8021a372763e80e55dd66661635f8e9ff098658cfa16423d241ad47d517a01ee7019c867

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
487KB

MD5
414cbf74dcd210616deb6c0c7ccca252

SHA1
75dc7312b7ebb031e1a071c18c3435d0e17e15b1

SHA256
b493a8bad5a8948b1595f7e44b1392bedf8531de29493a1e4c90f935629cb416

SHA512
6b635d6bd728d93c83e1aa8b486d851dd5bf676784d38f65f546f54c4e13fdb39b2c2be58ced4224c0f672d51c4cb8c75096af10b8bff85839bc5a9764fcf2df

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
487KB

MD5
46e901160976d388322a5f6dd2716350

SHA1
76b594bb9a9513ccc0207a47a3049e765fc066e8

SHA256
aa82ed9186bdf9c988cf9b1c9782df19e57b337f2c5345b59939c9e7814d3a02

SHA512
4cecc8a1f1eb63862e7754ccfba24cc9ca73e8cedde3a4979f939d33382265ca5dd3b47eb729d89a5d23e38fca0430c6cc8251c00f8504db4b89146ed67e5202

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
487KB

MD5
d2e83563cd418be583d1e8d4646824ca

SHA1
2f6e862775476a7fe8c0db509ac4202029f1dac1

SHA256
9de2e43b8997210b1a719a171f4b6ce33a02b9a15514f2af86aae86bf38a1c9f

SHA512
cca62ddd88a10a00fdbf6a40c5ba5eb16d63010b794c35a56464df8414311caad03f4971b7290f02c5f9ae51a850b3d528267fdb70b009280fd38e29f73da18a

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
487KB

MD5
55a8fe3ad2ff3cb528adff50b55c447f

SHA1
aaec6dbf6ef6a3a1a01d5c67ffa6ba62c527d959

SHA256
04278f05fed8effa9678437afc05c792e1fed25cb59e303d9b17226826fba5c7

SHA512
0772d96d914bc4851168044276f5d368a1a071f56982dce6df18c423cdad17a15484962ed3b6158716178a4c1ac6ab7e4da91e7f59400eaae5bdf596a89c55f7

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
487KB

MD5
ca075bb0fdc917e8983702fc116fe44f

SHA1
7f37666686132835e657a6ce12a08419dae03518

SHA256
5d09c9ff3dc3303c7d279cc61f50354f645991ef2899ad74551443f075052cb0

SHA512
ace87bcced098aa8c3796391649958e9ed49c4b5b11bb6e8f4e55bdd90e735f73baa7b049b07d4e6c0be13228d1e3fb33f9cb335b3665a0b8565c41bb214e2ad

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
487KB

MD5
5947beabc02d91443efc4d5befd154f5

SHA1
fc98e2bc898c45c406ad781d54721d65f08338b4

SHA256
0811100e8393bc949cf8cfa24c39995d0c4dcd5af60f45a1b407f49fa1503348

SHA512
89ef12e83c3a4097b04bc3b55a9f7600928a5bf652132b8fdcebbd7aa8db484157c0d15e1c070978ca5c3711115786bc81573128b210ea29cc93480e70153fcd

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
487KB

MD5
52d16fb04dfe26250ace538e36f4ae62

SHA1
986fbc0bb5671ec6d95fa227af7063e9a2e97fe3

SHA256
a9c343947c3821888ac7552849578cb3ef6e4a365cd91e5f5319f770d44618ed

SHA512
605d603239153f80af0d0b2dcb457f40476e051e295288a85fbff4b9a79cf5d0ae85c0477ce5db6aa706c985e5eb6fd7144288a8dc4d6a613685b46ca4cbd511

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
487KB

MD5
52aa6aa3a76fd5f00fdb18aeea642aa3

SHA1
228b5e58008e1ed8ce029d5ec119c563ae541940

SHA256
9a151c9488e1f05273b88e9593aa0ed7cbd41e55771395fa7c699bc33aaef1ba

SHA512
b51057e1169b3fea02d062b1e99e978fd18880d38980821071b1e29f241e47e1aba8ca775fb1ee2e137ed180265078ae5b90e32432cc4e18ffc2dc5db3750178

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
487KB

MD5
34ffaaa371f3b48aeae588570b59a52b

SHA1
a909a2ce606a62c9973e58287dff6541e8ae9ab3

SHA256
c7b59ff36aa32d869449e915785532cff7172f05f20a53f2e1d3461e8d364bba

SHA512
abbd88ee92d413226a212001baf5393fe215e5187af5ea3b54fa264929138101c8395aa11c2444ac589c4dc3f0b239346a9e32f4e486e1605f2bad83b08c8d7c

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
487KB

MD5
1496c7c156122fc6058b7ad3d2af9035

SHA1
22dd2e901998951f723bfc6376ce1b7a527cf4d1

SHA256
177ee6982599f43ec2c79330bead785b4ce7395861ed0e0bd5ed135f03b40482

SHA512
944ab90c1002b46e7c0e8f1d8aa6187d45c1ad211c6c705c5e4e693b16a8dc027d59233c5fa7c5b89d6954662d54ed2d4e9bad736b9952ea1f8f5e07114e5f89

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
487KB

MD5
3961565f6afd6138b6a7f7d115616f31

SHA1
db775b78ebae11783c9b4553b369b213eaba4dcd

SHA256
e703d3187eaf13ba5180bf8263e95b31b80d3fd156f28002deeb00a73c9df5a9

SHA512
639a1b5f1f808601421adecca5b46f931c432de1580a1dcfe4792d43461a1881533bc0a8705c96c98efdcfe74a22f1e2b6e44790eea116252449b51336ddbaf9

Download Submit
memory/224-285-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/312-17-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/800-340-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/800-409-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-404-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-352-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/936-209-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1332-232-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1364-33-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1480-401-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1480-364-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1496-9-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1556-49-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1568-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1708-297-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1720-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1724-168-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1816-418-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1816-309-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1988-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2052-88-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2108-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2140-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2344-279-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2384-73-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2536-255-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3032-112-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3148-266-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3412-1-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3412-81-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3412-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3432-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3480-97-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3724-376-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3724-396-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3732-326-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3732-414-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3792-105-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3828-410-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3828-334-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3924-25-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4012-328-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4012-411-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4144-177-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4168-293-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4216-248-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4256-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4272-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4300-144-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4452-358-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4452-402-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4476-218-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4480-201-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4632-406-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4632-346-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4640-193-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4748-225-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4768-416-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4768-315-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4848-185-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4932-161-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4964-370-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4964-399-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4976-273-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads