b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Size

45KB
MD5

33c80730115d9e6491fbf1c3be61f5af
SHA1

b9fa78ba618fcf70715c1e2350116277c4a2fca6
SHA256

b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0
SHA512

378b69bfa2f2d73fee69a033d9de131e239cd61cfb72a70d043553b33346bbbf3752885821c8b9773237d1b865ea66436ae50f06bab5ad37574ca389384a6726
SSDEEP

768:mX4TJW8MyuySF9NRWFxm69iRpscte9nG+/1H5S:5A8MyvcWuuAjg0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe

Executes dropped EXE 20 IoCs

pid	Process
736	Ppgegd32.exe
2520	Pnkbkk32.exe
2628	Pmpolgoi.exe
5012	Pfiddm32.exe
4828	Ahmjjoig.exe
4844	Apjkcadp.exe
2352	Ahdpjn32.exe
3424	Apaadpng.exe
3984	Bdojjo32.exe
2512	Bpfkpp32.exe
1368	Bogkmgba.exe
3180	Boihcf32.exe
4952	Bkphhgfc.exe
4608	Ckbemgcp.exe
1924	Cncnob32.exe
3580	Cocjiehd.exe
4752	Cacckp32.exe
832	Cogddd32.exe
4704	Dojqjdbl.exe
1352	Dkqaoe32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfkpp32.exe	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ahdpjn32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Idaiki32.dll	Pmpolgoi.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Pmpolgoi.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Ahmjjoig.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Bdojjo32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Cogddd32.exe
File opened for modification	C:\Windows\SysWOW64\Ppgegd32.exe	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Pnkbkk32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Ahdpjn32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Bogkmgba.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Pnbddbhk.dll	Apjkcadp.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Jlkidpke.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Cncnob32.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Ibmlia32.dll	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Pfiddm32.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4112	1352	WerFault.exe	110

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll"	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 736	2252	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe	91
PID 2252 wrote to memory of 736	2252	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe	91
PID 2252 wrote to memory of 736	2252	b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe	91
PID 736 wrote to memory of 2520	736	Ppgegd32.exe	92
PID 736 wrote to memory of 2520	736	Ppgegd32.exe	92
PID 736 wrote to memory of 2520	736	Ppgegd32.exe	92
PID 2520 wrote to memory of 2628	2520	Pnkbkk32.exe	93
PID 2520 wrote to memory of 2628	2520	Pnkbkk32.exe	93
PID 2520 wrote to memory of 2628	2520	Pnkbkk32.exe	93
PID 2628 wrote to memory of 5012	2628	Pmpolgoi.exe	94
PID 2628 wrote to memory of 5012	2628	Pmpolgoi.exe	94
PID 2628 wrote to memory of 5012	2628	Pmpolgoi.exe	94
PID 5012 wrote to memory of 4828	5012	Pfiddm32.exe	95
PID 5012 wrote to memory of 4828	5012	Pfiddm32.exe	95
PID 5012 wrote to memory of 4828	5012	Pfiddm32.exe	95
PID 4828 wrote to memory of 4844	4828	Ahmjjoig.exe	96
PID 4828 wrote to memory of 4844	4828	Ahmjjoig.exe	96
PID 4828 wrote to memory of 4844	4828	Ahmjjoig.exe	96
PID 4844 wrote to memory of 2352	4844	Apjkcadp.exe	97
PID 4844 wrote to memory of 2352	4844	Apjkcadp.exe	97
PID 4844 wrote to memory of 2352	4844	Apjkcadp.exe	97
PID 2352 wrote to memory of 3424	2352	Ahdpjn32.exe	98
PID 2352 wrote to memory of 3424	2352	Ahdpjn32.exe	98
PID 2352 wrote to memory of 3424	2352	Ahdpjn32.exe	98
PID 3424 wrote to memory of 3984	3424	Apaadpng.exe	99
PID 3424 wrote to memory of 3984	3424	Apaadpng.exe	99
PID 3424 wrote to memory of 3984	3424	Apaadpng.exe	99
PID 3984 wrote to memory of 2512	3984	Bdojjo32.exe	100
PID 3984 wrote to memory of 2512	3984	Bdojjo32.exe	100
PID 3984 wrote to memory of 2512	3984	Bdojjo32.exe	100
PID 2512 wrote to memory of 1368	2512	Bpfkpp32.exe	101
PID 2512 wrote to memory of 1368	2512	Bpfkpp32.exe	101
PID 2512 wrote to memory of 1368	2512	Bpfkpp32.exe	101
PID 1368 wrote to memory of 3180	1368	Bogkmgba.exe	102
PID 1368 wrote to memory of 3180	1368	Bogkmgba.exe	102
PID 1368 wrote to memory of 3180	1368	Bogkmgba.exe	102
PID 3180 wrote to memory of 4952	3180	Boihcf32.exe	103
PID 3180 wrote to memory of 4952	3180	Boihcf32.exe	103
PID 3180 wrote to memory of 4952	3180	Boihcf32.exe	103
PID 4952 wrote to memory of 4608	4952	Bkphhgfc.exe	104
PID 4952 wrote to memory of 4608	4952	Bkphhgfc.exe	104
PID 4952 wrote to memory of 4608	4952	Bkphhgfc.exe	104
PID 4608 wrote to memory of 1924	4608	Ckbemgcp.exe	105
PID 4608 wrote to memory of 1924	4608	Ckbemgcp.exe	105
PID 4608 wrote to memory of 1924	4608	Ckbemgcp.exe	105
PID 1924 wrote to memory of 3580	1924	Cncnob32.exe	106
PID 1924 wrote to memory of 3580	1924	Cncnob32.exe	106
PID 1924 wrote to memory of 3580	1924	Cncnob32.exe	106
PID 3580 wrote to memory of 4752	3580	Cocjiehd.exe	107
PID 3580 wrote to memory of 4752	3580	Cocjiehd.exe	107
PID 3580 wrote to memory of 4752	3580	Cocjiehd.exe	107
PID 4752 wrote to memory of 832	4752	Cacckp32.exe	108
PID 4752 wrote to memory of 832	4752	Cacckp32.exe	108
PID 4752 wrote to memory of 832	4752	Cacckp32.exe	108
PID 832 wrote to memory of 4704	832	Cogddd32.exe	109
PID 832 wrote to memory of 4704	832	Cogddd32.exe	109
PID 832 wrote to memory of 4704	832	Cogddd32.exe	109
PID 4704 wrote to memory of 1352	4704	Dojqjdbl.exe	110
PID 4704 wrote to memory of 1352	4704	Dojqjdbl.exe	110
PID 4704 wrote to memory of 1352	4704	Dojqjdbl.exe	110

C:\Users\Admin\AppData\Local\Temp\b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe
"C:\Users\Admin\AppData\Local\Temp\b1be0622ce71dbb029eb93cd5eb8f312d1362b63a12c002947562b5dfd8ac1a0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Ppgegd32.exe
  C:\Windows\system32\Ppgegd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\Pnkbkk32.exe
    C:\Windows\system32\Pnkbkk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\Pmpolgoi.exe
      C:\Windows\system32\Pmpolgoi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        21⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 400
        22⤵
        Program crash
        
        PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1352 -ip 1352
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
45KB

MD5
d895f430cb0664130ba062f739873c31

SHA1
925eb65c04bbaf38a1cc5d372cba7f7ba0bfefda

SHA256
606c763c6a7681d08a5c6b5208c95840bfaa54e9831be10103ddc6a0b43a977b

SHA512
76ba142b59736ebd906766f68311774385ad1b723e595761d1d3587530c3ff1cdfee505b17d458e15482a962cf7b49903bbff88c77fe452a88f8369a89af21a8

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
45KB

MD5
55c21fee4ba31b9828c3b88ecda1ecc6

SHA1
29bd234d9b6b5443349d2f51f5c1a2cc603ff7d6

SHA256
3ab821a351a520ed6ec8bc068eaf5aaf3a04dcfe35bf754792587d1c21ff3ebd

SHA512
829d36b6184d03ca9d92ead2a294cf8d27ca36b05ecbf67c14975ca3675a42ee74c159a6f86316b6703b9ab1e8070dbb9540e135838281ee11df58e95dfc8d89

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
45KB

MD5
7c10c9ca2a9c9060e23b8a0c30a3159d

SHA1
6d43333721e7851e1d4e089879967fcfb53daf37

SHA256
8503a931562541ab9cfb86644c7e2dfd02fe76219e1c200e32bb09ed0151484f

SHA512
f7864a3d381b09c359c5964b3138e0b858572a0e74688a8f0cfca7272016df3f05800ab73f31a1bf3646c0c1fcd394d9e3e37d66835d15b6b6ee57eeb5d148ee

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
45KB

MD5
4c60eee9e00d906260b42d223a22af02

SHA1
80158acaf2dd0c449f3aac9e3c5df3e620c35fb4

SHA256
5e7e84160c4ebeb7bd240469e97947363d63a0c69be0077cc62265a93092be7d

SHA512
c85736049452ad68f2786a0420db9d73660eedcbc9dbe2446a63fef2eab9435c310718ce56ddafb81097d0a27ca5014c0d483d090b2438b8d84ea389548641b8

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
45KB

MD5
f24341b70a37eaa5d8c73054b045a7fb

SHA1
df3fe4d37fea0d73ed818a908060c60ad4b57354

SHA256
b712b94f06d5061141e36f7f5cacabb739b681fff137cd64362b54a263333c10

SHA512
02d9022e60bd29f198e1de2ee5470ac157e369de38a2a57efc50d2703eceadeaf63159d39a29d607cb26fdcdcdc7bd0a33594c869e685e6e227f607c96263e53

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
45KB

MD5
090b79d7339e2168087b905b37ea9158

SHA1
a71f78289e39d229272e71dd768c4330edf3a5ea

SHA256
52e95683d8e0dd7915e92cfac84cb1b06dbadf4af907b3b6c0a6e2c7395a9569

SHA512
64387b31273bb9db5475bfc1f27040f59c04be3dc196f1be1c11da72e92ce864cb02f7a5f3c4575d1672a59b2306ea0916637811e78a0eb5f4a1b012beb907a3

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
45KB

MD5
607f7bed8c6e8e63cf3bfc9f8d77266a

SHA1
e9e510de3531a1d9dced7ce3fbefd94dfcaf890d

SHA256
520d6983aa81095bf9f231ade57455f52a18e54bb7eb2c753ab9d0be93674485

SHA512
f973741a4691db2770207582cf121a1273866521c6cb0cfc77d046d677d1a79f5ad26312f33c3edab90cea17a7c84851ce9bffb4487438ab527806a96e1031af

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
45KB

MD5
71ec4bb96d99f6f4e234e08d60633fa5

SHA1
6f95807ab50d12b5bbaab39294980aa8510dca1c

SHA256
df4dac57a117e32ca053c27c416d26d6860918b43cf6408eeaff20ef13424132

SHA512
c4c8e49c2d250748db5e9f6cdda5851af87b7390ea040e05bc2d6980604954d690acd4d39f1a2492701a46840e7fd8a5661c765841f5fc0c586fd5b147a4c895

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
45KB

MD5
97dccd11756ee1bfa45133aaeaed96ea

SHA1
0efb835e13dccb6d182206b2a7f0539af876e371

SHA256
f0226f1c0eef0eff48a0ad0ecf45292d31acdbfd4c6318b82e9c2c45f4bf6eee

SHA512
3d87c370709bbb71c1c8b00ecedcb779ee4f0a432b99ea5e47fffdb45613e19b1e387063137736caf3febd0c52263777a156ace69771f3575d489f1fe7b44353

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
45KB

MD5
3566061673eafa05c706bda288d981fb

SHA1
1117c93f34ade56f17f6d85eedfd754250ce417e

SHA256
5ff61ad8d8985039df25574f7a43305dec874f44cd09dc4eb38673be813e0a26

SHA512
ab345cec34d08b71c52ffdf612c235c459c592adb182335c3e2c2b907d0915dc1b3df2e3f2fd873c07bbf21c277e64296b2a611a2b850778b25903653a0fd67b

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
45KB

MD5
ca09227a38eaf9fe725fddb1a7a1ecb3

SHA1
0dfe25337b6dcb2ee90c2f98f5e19774e3325c70

SHA256
7e6e1389e3112f01170ed5b49d4faf40e1c45efd6d5281e28cf9f0f6642f161d

SHA512
5ebdb309d283260a6026940553fc5302492daead130c69e66242472bc640f4732dd60aec31fea0c7be4d8c0d1412789dbb3f07fdd8cc268264b40d3e6465ac3c

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
45KB

MD5
1fac4bcc5f287f2a3379a65fdf732bac

SHA1
df5655fe325279a0acee65bbd93f17fdb4602eeb

SHA256
836ff04d0e8eb9884e0e7fe871ed2d74b1ca7e8c935e2ac5e2afc69fde5642ea

SHA512
3e1912bd2d8a1d950680167ead8eb4a2013260163ae2ac19175201cc39ce1f48c2fc4422478a257bc6b1495be82ed87553bcaa7038317a515fbdfce2c7047c5d

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
45KB

MD5
32e64031c3c133de5bda0ff2e04f33bd

SHA1
d23fe69254535399b47747dbd889f0320f3b73d1

SHA256
ca8c67759baaf31dd3b2d90a63fa40de1c12bcc175b5efdeae9a2bc5550eb3ef

SHA512
fc1a25d793b472227088ddd9306af847718eba0393d486fc338be029cfed2fbc59952168858b9395c0bb831fb8aba487433949e957cda3cb0f796c26ce1f52f1

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
45KB

MD5
5d71d695a259ba41be5b8bea8ddda56c

SHA1
c6772af0400955b9714c9fe9d4e6d378745358c4

SHA256
882b2985b5f0dd0c399f28d53170e34649a59c12f2fb251064b073d7fceb56c6

SHA512
8ffcff7af8477dfa3457e218401ccbf0d4ee80d3a9f25633bd86ed7ab019a1a606edf178e62af33626a4a22325b65aee0fa096818ec02ed110afcf496925e918

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
45KB

MD5
d66a7171dc1297bc6961fdb55ad5031f

SHA1
a3d4c045156752b51c1ffa0f0ee2695b4fc54dd0

SHA256
7eb18e0114a9a1d82a2688a1ea634d6376a8718fcb0e505e096b2bae40a64d6a

SHA512
04c3766d672b38b4191941ada5c2511900f9cc18f87ffdb94e0e3edfbd5b584d18222ee40ce8ba888b5bf3637ba10b06e458d8941488287192911a77190bd70e

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
45KB

MD5
c0fad5607b67d3b74fcca04e2bed0f99

SHA1
b9a1e9378fa279b1d739413ad4d48a10854bed20

SHA256
ccc8a8c96211851b408d310048593efa927f8f245243860ed3e42a385c7ff94b

SHA512
4863ae4832dfcd11974f3a5e15ede26021e29580448794093c6d2b7c67e9c85d0d6e20a3f46499c212983d88bd2401d0f060da30649df045c9636328dd468aac

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
45KB

MD5
592acaeb31e4a9ebe8db119a74537b9f

SHA1
77e8211da7429eaba0f098e569a078e725704a7f

SHA256
068bb1fcc0e01a42c375d5578d176e0202abb661c014b27a2ef3e1caa134baaf

SHA512
0ac127dbd04ea3c5cc7caf99eae1b89f93e1b194051a38e93e12d481863612cd27ecc6759e00f436eda8704c26bb7327429be1cbd15212a7fbb7e86d43f28e5e

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
45KB

MD5
c182e220c9807d0ddb3d2cacbfc4e49f

SHA1
b5f160cdfa779f1e9bfe1c60025546c3d0e17c9f

SHA256
68180b5c9d9c24a6c87f0d0169818b3bfb82161091cfc900c638b11e69047f8b

SHA512
106a101088d756bfcacb4216387025f0d74f84e143d10ece9179c1078c66054f39045b9df89e9a3d75f2b68075c10d7f2d1346bc82f4495466527aaf98154a4b

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
45KB

MD5
bb64a59ba757e494d4e5f828899c8702

SHA1
7c5ec50e4ed0ec39f6ecc58d2f05afaffa46051c

SHA256
ca9798d744fbaad25fa1a26ced83f811b470dc1a616614824f23138d83ab6558

SHA512
9b5b415ec0f21d4ab00b8cd3b90219a81081a461cb1e2c8b4fe2366f92b31567c3245fd0290b1a6a61e6e55e3b46940e8f2e22c9d728611457e06dc01ae84dd6

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
45KB

MD5
5beaaa4a18e3b525fc4037add00b16be

SHA1
cc9e36420c09cda83e22da2ef52e5c94c8918583

SHA256
1fb555954613ec8f5ac6f725362b4b9c81c66d95ea9c96c4f5b935cd265ae7fb

SHA512
5d48929fecde8c3cd34c578e82ce707e2ef84cd22d5e9b58286f759514efb6592c0d00bbfa7ff2cb2b27d20067cfc22480738964dad6775d055e3aa4322c1975

Download Submit
memory/736-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1368-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1368-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3580-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3580-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads