58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023

Analysis

max time kernel
124s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe
Size

256KB
MD5

f833debdce0fd3224b538f72959fa1a8
SHA1

a713e1162e76ceaf109156c9c26784934a464c7b
SHA256

58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023
SHA512

d55782b0416239b86f75acd3211a54b31cb5ba4406325ef6424afc4a991cd6d11c74061628b983cf125e971aeb8bb7a314b7440c7d0f568f593479eb03e31ae0
SSDEEP

6144:PG10fK4qQaNxunXe8yhrtMsQBvli+RQFdp:+10fWfvAO8qRMsrOQFn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dqpfmlce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglkoeio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakikoom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoepebho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlhih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe

Executes dropped EXE 48 IoCs

pid	Process
4052	Afbgkl32.exe
4844	Apjkcadp.exe
1952	Aajhndkb.exe
472	Aggpfkjj.exe
4896	Agimkk32.exe
2292	Amcehdod.exe
4468	Bdfpkm32.exe
4568	Cpmapodj.exe
1708	Cammjakm.exe
116	Caojpaij.exe
884	Cglbhhga.exe
4328	Cnfkdb32.exe
1448	Cgnomg32.exe
2456	Cogddd32.exe
4588	Dkndie32.exe
4396	Ddgibkpc.exe
2028	Dakikoom.exe
1244	Dggbcf32.exe
4436	Dqpfmlce.exe
4392	Dglkoeio.exe
1604	Ehlhih32.exe
2752	Eoepebho.exe
4496	Ipkdek32.exe
2484	Jhnojl32.exe
1980	Jllhpkfk.exe
3368	Khbiello.exe
692	Kibeoo32.exe
1284	Ljbnfleo.exe
4368	Lckboblp.exe
5000	Mfnhfm32.exe
5012	Mofmobmo.exe
3132	Mljmhflh.exe
3936	Mqhfoebo.exe
624	Mbibfm32.exe
4716	Mhckcgpj.exe
2644	Nfihbk32.exe
4204	Nbbeml32.exe
1500	Nqcejcha.exe
5068	Ookoaokf.exe
3440	Omopjcjp.exe
2524	Ojhiogdd.exe
2104	Pbcncibp.exe
1748	Ppgomnai.exe
3192	Pmkofa32.exe
1324	Pcegclgp.exe
852	Paihlpfi.exe
5160	Pakdbp32.exe
5200	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mhckcgpj.exe	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Agimkk32.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Dqpfmlce.exe	Dggbcf32.exe
File created	C:\Windows\SysWOW64\Ipkdek32.exe	Eoepebho.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Jllhpkfk.exe	Jhnojl32.exe
File opened for modification	C:\Windows\SysWOW64\Ljbnfleo.exe	Kibeoo32.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Eoepebho.exe	Ehlhih32.exe
File opened for modification	C:\Windows\SysWOW64\Jhnojl32.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dakikoom.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Dglkoeio.exe	Dqpfmlce.exe
File created	C:\Windows\SysWOW64\Mqhfoebo.exe	Mljmhflh.exe
File created	C:\Windows\SysWOW64\Hpfohk32.dll	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Aggpfkjj.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Pbcncibp.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Cglbhhga.exe	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Fjoiip32.dll	Mqhfoebo.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Nfihbk32.exe	Mhckcgpj.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Ojhiogdd.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Ipkdek32.exe	Eoepebho.exe
File created	C:\Windows\SysWOW64\Pekihfdc.dll	Jhnojl32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Jllhpkfk.exe	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Nfenigce.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Anjcohke.dll	Jllhpkfk.exe
File opened for modification	C:\Windows\SysWOW64\Mfnhfm32.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Nqcejcha.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Dglkoeio.exe	Dqpfmlce.exe
File created	C:\Windows\SysWOW64\Gkdinefi.dll	Ehlhih32.exe
File created	C:\Windows\SysWOW64\Goniok32.dll	Eoepebho.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Mbibfm32.exe	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Agimkk32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Acbldmmh.dll	Khbiello.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Mhckcgpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5260	5200	WerFault.exe	145

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll"	Eoepebho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiikeffm.dll"	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoepebho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdinefi.dll"	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbepb32.dll"	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onahgf32.dll"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pakdbp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 4052	1000	58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe	95
PID 1000 wrote to memory of 4052	1000	58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe	95
PID 1000 wrote to memory of 4052	1000	58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe	95
PID 4052 wrote to memory of 4844	4052	Afbgkl32.exe	96
PID 4052 wrote to memory of 4844	4052	Afbgkl32.exe	96
PID 4052 wrote to memory of 4844	4052	Afbgkl32.exe	96
PID 4844 wrote to memory of 1952	4844	Apjkcadp.exe	97
PID 4844 wrote to memory of 1952	4844	Apjkcadp.exe	97
PID 4844 wrote to memory of 1952	4844	Apjkcadp.exe	97
PID 1952 wrote to memory of 472	1952	Aajhndkb.exe	98
PID 1952 wrote to memory of 472	1952	Aajhndkb.exe	98
PID 1952 wrote to memory of 472	1952	Aajhndkb.exe	98
PID 472 wrote to memory of 4896	472	Aggpfkjj.exe	99
PID 472 wrote to memory of 4896	472	Aggpfkjj.exe	99
PID 472 wrote to memory of 4896	472	Aggpfkjj.exe	99
PID 4896 wrote to memory of 2292	4896	Agimkk32.exe	100
PID 4896 wrote to memory of 2292	4896	Agimkk32.exe	100
PID 4896 wrote to memory of 2292	4896	Agimkk32.exe	100
PID 2292 wrote to memory of 4468	2292	Amcehdod.exe	101
PID 2292 wrote to memory of 4468	2292	Amcehdod.exe	101
PID 2292 wrote to memory of 4468	2292	Amcehdod.exe	101
PID 4468 wrote to memory of 4568	4468	Bdfpkm32.exe	102
PID 4468 wrote to memory of 4568	4468	Bdfpkm32.exe	102
PID 4468 wrote to memory of 4568	4468	Bdfpkm32.exe	102
PID 4568 wrote to memory of 1708	4568	Cpmapodj.exe	103
PID 4568 wrote to memory of 1708	4568	Cpmapodj.exe	103
PID 4568 wrote to memory of 1708	4568	Cpmapodj.exe	103
PID 1708 wrote to memory of 116	1708	Cammjakm.exe	104
PID 1708 wrote to memory of 116	1708	Cammjakm.exe	104
PID 1708 wrote to memory of 116	1708	Cammjakm.exe	104
PID 116 wrote to memory of 884	116	Caojpaij.exe	105
PID 116 wrote to memory of 884	116	Caojpaij.exe	105
PID 116 wrote to memory of 884	116	Caojpaij.exe	105
PID 884 wrote to memory of 4328	884	Cglbhhga.exe	106
PID 884 wrote to memory of 4328	884	Cglbhhga.exe	106
PID 884 wrote to memory of 4328	884	Cglbhhga.exe	106
PID 4328 wrote to memory of 1448	4328	Cnfkdb32.exe	108
PID 4328 wrote to memory of 1448	4328	Cnfkdb32.exe	108
PID 4328 wrote to memory of 1448	4328	Cnfkdb32.exe	108
PID 1448 wrote to memory of 2456	1448	Cgnomg32.exe	109
PID 1448 wrote to memory of 2456	1448	Cgnomg32.exe	109
PID 1448 wrote to memory of 2456	1448	Cgnomg32.exe	109
PID 2456 wrote to memory of 4588	2456	Cogddd32.exe	110
PID 2456 wrote to memory of 4588	2456	Cogddd32.exe	110
PID 2456 wrote to memory of 4588	2456	Cogddd32.exe	110
PID 4588 wrote to memory of 4396	4588	Dkndie32.exe	111
PID 4588 wrote to memory of 4396	4588	Dkndie32.exe	111
PID 4588 wrote to memory of 4396	4588	Dkndie32.exe	111
PID 4396 wrote to memory of 2028	4396	Ddgibkpc.exe	112
PID 4396 wrote to memory of 2028	4396	Ddgibkpc.exe	112
PID 4396 wrote to memory of 2028	4396	Ddgibkpc.exe	112
PID 2028 wrote to memory of 1244	2028	Dakikoom.exe	113
PID 2028 wrote to memory of 1244	2028	Dakikoom.exe	113
PID 2028 wrote to memory of 1244	2028	Dakikoom.exe	113
PID 1244 wrote to memory of 4436	1244	Dggbcf32.exe	114
PID 1244 wrote to memory of 4436	1244	Dggbcf32.exe	114
PID 1244 wrote to memory of 4436	1244	Dggbcf32.exe	114
PID 4436 wrote to memory of 4392	4436	Dqpfmlce.exe	115
PID 4436 wrote to memory of 4392	4436	Dqpfmlce.exe	115
PID 4436 wrote to memory of 4392	4436	Dqpfmlce.exe	115
PID 4392 wrote to memory of 1604	4392	Dglkoeio.exe	116
PID 4392 wrote to memory of 1604	4392	Dglkoeio.exe	116
PID 4392 wrote to memory of 1604	4392	Dglkoeio.exe	116
PID 1604 wrote to memory of 2752	1604	Ehlhih32.exe	117

C:\Users\Admin\AppData\Local\Temp\58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe
"C:\Users\Admin\AppData\Local\Temp\58cf97204dd7024a09a245629cc8adc9f92e1bcda17c0ff66dc1b039023f6023.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\Afbgkl32.exe
  C:\Windows\system32\Afbgkl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\Apjkcadp.exe
    C:\Windows\system32\Apjkcadp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Aajhndkb.exe
      C:\Windows\system32\Aajhndkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:472
      - C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        49⤵
        Executes dropped EXE
        
        PID:5200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 224
        50⤵
        Program crash
        
        PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5200 -ip 5200
1⤵
PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
256KB

MD5
ab89a31f17c3a6f022aa8eccc5356637

SHA1
2f036d2c4dcda16032c9149c17133bc0221406ef

SHA256
f952521e0358eff560b68f7b22b40a1377aafdf0a0648386bdcf901654061830

SHA512
9797e6b767404f93779eb5657aea836d2bd491acdbfbe6c1183a1d7f606ccf1419624db4ce55d485b7c3b08f820ec7dfbe8e3c5fc18b0aca5f356b1818d827fd

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
256KB

MD5
94a9b89865a8969d287076cc509c8db4

SHA1
33b0547ff42b6ec9ec2bb1056fe94671b2b37721

SHA256
eed6fec58618061dbca54682a8382382114089dfc280968c2e2a0b2df9a38b67

SHA512
a5f39211146f3d83da501e73ce677f5d2a196dd59e4963f16e36a1bf9419f8e8116e5932c4952bd5a0a6cd103b1060236ed830f12b60c03c2325ccacbc0b0da7

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
256KB

MD5
ec356f26e0ae6e3b68d21faee5628892

SHA1
ca8094affa919b52682c7f8954c9880a23d80f93

SHA256
02c3406c5437f3500dfafddc8b1f820fd3113730f6a17db5184d2a848296de0c

SHA512
8f24b13200f078d038efe800f0cec2d6e91f05ae6eb7d69706211db5ac2614824a920f2dca2817dd4aa19114b6dce3e4adffb5e47d3f55187a631962f20cffde

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
256KB

MD5
3929f24b23fd5a9e478de410cfd877a1

SHA1
5d1e0778b160939088c1df76ca5f4b10bbdbef48

SHA256
c7b220a9935f8e70947a95680c94d30b1fc00a00293c11f247ddb4d555b603fd

SHA512
2e99a586d79bd581aa1a95afe405d52bde82b4b7abe2087780ce1759d974f775167f9be169a67b66fd65e04965085ee74bdc00a097041df4289312736ee2e9b6

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
256KB

MD5
424efbeafa3576e4cb0ada96634f044d

SHA1
791d6b0a576f8f656798c4e0ac9af37afd728e18

SHA256
55c686d24786bce41056b358d433999008900a54b83f7db5cb4fac68ad5c7894

SHA512
81c5a522dcb0de42036945be9677309eba30a2abf78be2408757dc85bb322be8396d5c015ca8872498c2a4c2143e640b96b64ccdb8200314bd70ebd1d3cf77db

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
256KB

MD5
30a784d62dbe7bedb4cace5f14ca8f95

SHA1
c0f9a11ba6e73296e03e3ee525a606677574f766

SHA256
6e75440026d1d1a23a02293306e0d613ca483b322b54e6398e33bb28f456bbd9

SHA512
dcd780a0e993b3387926bc0e862bf7cc3a1da09e26de5b8ce0ef075803c464e5ba5887c4a73e722e805191407ce909b20a2b7c07a89665e786462773ef2b8e27

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
256KB

MD5
b4244744f6f97103c4d6108b015a872a

SHA1
5d05b317555b2bdbf7f110b9ace3d4014c4c8f94

SHA256
f035521e41939586b6da84da50f46831decfeb1b266b235bcca020d268cc4861

SHA512
246cac681254ca5b2ca5d053bf655535a565bc1d66e8bce87d26316d6e41c708af72025bd23570854b2c8c16b75b39a45f4f9942338fcb40ffc6f0fba0f5d35c

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
256KB

MD5
e6776e91797f4af4898d53a5ec4b87ac

SHA1
f3b20a99a75b22d4872c7175b17b1747fe3c1673

SHA256
16b3df797635e420c4be8669e857ccb9f3f150ece69298f46f07b6cfdb50fca8

SHA512
152496c8b1350b322221536a2f32851ff2e90a876942dbdff49c36ea911c9e94af1b02820a4d19a5a286d0c89584402378e206e6dc2892f2fdf49b03990b66c0

Download Submit
C:\Windows\SysWOW64\Caojpaij.exe

Filesize
256KB

MD5
f9d014bfd308df0ab811082f68327ee7

SHA1
70835d3ff36a8fd446191082c9b85e9bd26258b4

SHA256
a0ebf8e44ebf22bc04b95a8cba7fa64212e2517778d514d1b8fb7e7c94313cb0

SHA512
a84f7303ab69d2985d89020209dd4292c32800a2f120f0fb296eeb90da597da5e8487c8038963efce85d6024010480eb6ad2fe1546df7ca76df17d3a7099bca3

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
256KB

MD5
9fcb5a123ac548fdc0749e7b93a495fb

SHA1
c593b13cc004742f10ab5bb1009596571d97127c

SHA256
981b7edc84d04c85f4a6967d1b96ad2d267aec7bad879b7bd2758453bd67ffbb

SHA512
4724766c1eb7e5e1ccfdec73bc7ef765c5b9d4aff6c79ddd7074e92e7efe3e098324c4791bdaa1ce96ce98d79f2a9bffdca2ac918b3488f5bfbaa1ea173ed89d

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
256KB

MD5
916702b91c158ac71e8915ad2957111f

SHA1
019326a6a1908364b84a00b98ae8b9669981d59b

SHA256
cbef250cd301899f3d2251446cf08794c6f7e07a993169fc62fd85bb576a8cd1

SHA512
85fca685fd8185325eb5d2477914ee1b969a8da9181cf27ba8ee98ba759af80cbc64d9db69439aca4cffc06a03e26c0540de9ae0ccd79088f3b1f9fa742a5a9f

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
256KB

MD5
6047ad14c017d5ea65c2ff123d8ed491

SHA1
dc7516bf04328059aae8732027edc75c8feae4ee

SHA256
d826a9d727e3c8c81bd14adbc719ed7a2b08a6e0317e9981314b07c925a334d7

SHA512
6eef68b25c24371a658febcc52525ddce9992b424a2528fd2e31f6e30478bbf6949c9c041fe9d25ed5223c665c51e312171ffe0375c2802ea3484a3c6af5945c

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
256KB

MD5
0e90214c9840b2d6200e29d6ca998128

SHA1
951f4a081adffb14ff47ace30385cf4abbc2bbf9

SHA256
a5a77d7662d590adc52700b9420175831ffee9ea0d9d8d7e6f4bcf7a0bff8ba9

SHA512
8ab4fbef1d27cd1d8703d7448d3b0b744a43501bb2a98ef22cf6af8d83524c2e795d478ab4e88609cfcab1fb0609a29d4a5e37c9a4d9f59a189d575bcfbdc113

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
256KB

MD5
8bd3886aac66624d9b49fe95573e00af

SHA1
559701f9e06a0d2b3d20281d53b8e3f47d89ee20

SHA256
281bf648c30cfd98d87ebeb5142c17f2dec50046615e56d46f23c46ce0eee01b

SHA512
000bb971ec6daff72b44f8b0327da56af7f059a3817d9108b765334e2239fb11b4ef69da64f2dd7c25392273da127a115b92021b8611259aed22dda0fe0680b3

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
256KB

MD5
337ef2dc846f3bc6e7304822b0aa518f

SHA1
16c7decea9bd6e0c87e3274c1faa7b6801f76b2f

SHA256
21062aa02907b385984b47865ef0cc3d084bfde4d7e3ed67ee27b60091e1280d

SHA512
95f9a5949f54b9ce56d2462d30773cfaafe583ebaa5fd483b95200cae9b27b8eb65d96d465aba5cf46b992021a85c815a7c84344d6199006e29c52a3abd20323

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
256KB

MD5
c0261cd808150fd07d9cbeeb2620fd00

SHA1
b954df7897cc45b78f75bc83d90cd60216e11d96

SHA256
ecb12239a13856b7dc869ee0948ca3f27c6c7ffe89511765cc7448d2c9e67a35

SHA512
ab165e444a1c7761a9f5fb767c64961bf865317ce731195d09219cee95281f37fa054303a4f18586ece3976def0534b6a8e64688edd3d22bb6f5392c9dfbaa42

Download Submit
C:\Windows\SysWOW64\Dggbcf32.exe

Filesize
256KB

MD5
bed3dab44909c13c412a12ff1216b402

SHA1
2f50592bffece1e171f0ea9c54de57ff6b9b6e48

SHA256
8373f52adcd0320038984f4450d0893b60f432b349ad1e28a2350328829fb894

SHA512
74a21e104c8afb5f5f39c88a3e4731e8344a05235db9d82131a480dbee27285c0c6541310e485313b0abc1ec2403d20194517d40c9f1cc6336d9dfc3d579c953

Download Submit
C:\Windows\SysWOW64\Dglkoeio.exe

Filesize
256KB

MD5
9866b17d5232fdb68250639e101bc62b

SHA1
c14b1fedf2ebd986cc2091aa7f7cd13832f8621d

SHA256
ec033db04dbff2571e04b6a3d2c49eedfdc2917fdd3096485950b86cd1b8a562

SHA512
66e6b6ac0641314ee15f4931dd499f04d27865f5d39ab080c9e7613c4388563cbe8152cf010a5f111b8018c59cbee1771ad72871544f9de9a7fe81307e1bd82c

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
256KB

MD5
1b997c2bc6b5f93fc5ad1ca900f9671f

SHA1
9f90b0189ec1f570bf7042edc97ae62156b45b5d

SHA256
28a2fd787a842e3a9d73453042a265768b708deb5caa2ddbeaed04d69a810bce

SHA512
ebc6d1ece438525b3994cc688ef27ab31c3e0417d777be4a2e52088ad08a88ffbf9e4512770f1a8564d7b80cead8edcbc7cecf3aebc69609058d8345679e97d6

Download Submit
C:\Windows\SysWOW64\Dqpfmlce.exe

Filesize
256KB

MD5
0b118518f4f82b97ef4a08d30265917f

SHA1
cfe357476589ad2e46743626da4646619f2e5a51

SHA256
6100c4e6fcd46cdaba7a815eea1d926cef262e8ed707b9c63de0c80605fcf3fe

SHA512
1d8c16f9b69a494c331c5db647455d98776b2ba21f37f43f03d62f227dfbaffd744cb9bdb848632de31da4f56fc9b77ba02faf4d5304e1b5422567f38e66cf32

Download Submit
C:\Windows\SysWOW64\Ehlhih32.exe

Filesize
256KB

MD5
00b1dca6df5e1103b65659421376f1e3

SHA1
3f51612b9a8c0244b896d56b6fdc3d7f5bdb6b9e

SHA256
dd968c77a12d74baa804f981cfb9e32cd510ddaa19305d56b5781d560de61ab8

SHA512
44bd4fef76d8b3e6e9a33b7b7259a16b5b910e243cddacab33506af04efa5d36e60f6c26978844e49780643ca67097e8a384e06028c9a07b2925493fd9dc8bd5

Download Submit
C:\Windows\SysWOW64\Eoepebho.exe

Filesize
256KB

MD5
014a1810463a103aeb3a461a3d5b17c4

SHA1
2ae95e6842bdb704a194655e70a4c38409c6d39b

SHA256
d7d127eec0d9592ebca85d636ec8d78c3378a8d38b518e8b8476c42f31dd7eab

SHA512
cf5a014aedc64edab4d0206c0ade7afcc9e85a87c67fe395636fda3499ded5b060f6f59510d20510875ada4fe3247b26789f7218f2aad5e6e3fa8a07037cffe0

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
256KB

MD5
b8a291174dc6848d374ffdddf4146a97

SHA1
b3f335b657d7b2ee2396c15878d5cc20d4f4d24d

SHA256
99460af8612b0c1fd978949a39259e9f9ceddfe916722a9475c98fbb62ac7bff

SHA512
e271ce959cde96b4640367912754429e9437841a460c1955cc3fbc194be424cffd44602bc702c919c0fd0bfdb76e0621255963499fe8aff7611f455b16b9a166

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
256KB

MD5
a5be086756f87a2bfbf1df9ff5041c96

SHA1
173b389c55a2cb1dcde6522a54db92f98a349aab

SHA256
ca4236da7a5673332b878ef520eb7b5c9089b527a04425f2ead32b30461b68e1

SHA512
77dbe80ef7c74f19168da3730e4f8eb33af524aa88f335ea53fe73892d6e794a3bc5377d55e16fe6123aa20c0fa7c0f19be33c639b60dce8e1280a5d20fd6496

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
256KB

MD5
bc7badeebe6c216d27ac521fc87c4f9f

SHA1
4d8e3a545d89f2ec8d0e15e4c74714951e547dd1

SHA256
b3737dd42d1b99b4bbe22661ae415f3e55abdb8570379f357f57e5564fde9f68

SHA512
83547baca7750d39c78a666df9191266b86d6f67c08386b3b600e821cbf3135035b8c241ca8acdf7671b74d511192e7d8f52a940dee0f2fe66d808aed6533fad

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
256KB

MD5
d895a9d905a31f68570917c7cf517f72

SHA1
d17e7127c2c71fcfae9b88cc5547a069ff8fe2a8

SHA256
e1a4f7e34b6e86a0f701129852f98cd95d68c095eb66679fa7eedabed8b95afd

SHA512
4113a9ba62a49abbef27030eb89d3e1d40703072a0f035d6655d933e5bdd1fcfe7cea66aed1332efcd2790f8b94269556a75383e19cf2a5ae774ba542f722e2b

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
256KB

MD5
03b95afa22651d11fbe34ced6ebccb20

SHA1
f629dd2739b833da78b1d42a66610d9faee80754

SHA256
f2818d2a5d6c17927820267aa474e60c9144757e2584084de25577963fd3a289

SHA512
610c2a9505ccffa9efd8fca5c16813a393a2fd6195c65518845c97ee787742368f43a5f55ac187d1bdb15dc0475c90f07729be9a776705d5e8a483cbdaeab6de

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
256KB

MD5
9b6e1dc1634a7413c49e8b49a8897bbc

SHA1
dc1f44acbb52927d6e936f0476aefd8a2672fc63

SHA256
d9e63339eeb4687f3bf5400511b8d3da4df9d3232d1119c50040d68f09b6f447

SHA512
9101865efcbc4a3428a185a30cb573ca0970e3d4c7492ebda54c1fb28c8bdf3e20a0196d6bf6b98214f8ca507537d32394985702f8fb72dabc0cec64ab879f14

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
256KB

MD5
7b2583a60de8a64b907a4c3fada2c5fc

SHA1
5794740fb29795a0458d74cd24737ce2f39abade

SHA256
91634bdbe0d6dcf5c84a646a0c083539745e9c46e34bb5f53622abab030c7356

SHA512
ae4b6570844393feacc9455bee59979b7e340d770521928a86410f4b511e5809106505c11a6593ab9c3235f1b6a232dc6ab3e69aa539c87812cfea7c6476fffa

Download Submit
C:\Windows\SysWOW64\Mfnhfm32.exe

Filesize
256KB

MD5
23da6ec4ecef5939d8a82a112004caca

SHA1
281fe1c6f1146dd6e57ee66604a158a181aae20e

SHA256
95429e619ed3e117f3747af5eee095caccb0f2fa2a10ed738bd05f9e07c6c265

SHA512
3a293f3b3554e6e33108e6d81dacda2e043e55c098f78f60bf7369e766deeb0645f0437805e457616a2e093faf57e4f1bce6a4a9514e1278172647e0099756bf

Download Submit
C:\Windows\SysWOW64\Mljmhflh.exe

Filesize
256KB

MD5
3aa3f55b646fdf41b9dfcde569502c79

SHA1
a77ceb83ac367928241debe850a71c1302a92bb7

SHA256
8a53e634b289e350b45c68ad5aa8f6f9f45cb3e57fdfc17925898f9c5054cad2

SHA512
025d45a3473d6994208cb4ccf4c32188c51d27e791cdae919278ce946445f130e94f6089769de6fae31d59de6f881e65eca3717953c42d65ec214eafafaae3e1

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
256KB

MD5
5eae45db07ede45e073f27c63cbb6adb

SHA1
92c6cea9df98353006f43ceb60ee48169134826a

SHA256
a8412af913a35e01c720ab73490c06c7a0fdcbc60900772828b36bb37495dbca

SHA512
7de6a6364ab54bbec70b5e6653030ce71e6992caa792dbd32443b6d4eff0167fd5dfc26f780e992928cbb32495aaa6edd44cafc4e8e7d4870b47d085cb073e82

Download Submit
C:\Windows\SysWOW64\Onahgf32.dll

Filesize
7KB

MD5
d734c059b8b1a7386aba1edf99735cb5

SHA1
097f4a8e5ef15fff55e820299e18573c7e987171

SHA256
49b2a153c2892fa9c91a77d18d793ea57107f93bf3a0efd54767c1b647bfe5e9

SHA512
5794d9043b767fd5007b409ae2e0bc2517af54b94847c9484468b3752114a3b01265d817aa62e95929ba5f365560b1607901905b8ab54223802d9a317a74ec69

Download Submit
C:\Windows\SysWOW64\Paihlpfi.exe

Filesize
256KB

MD5
45aab4af50f1eeb21b3fb6114ea540dc

SHA1
36ed6d1e7d6882817dd412d7a5de2763cfcd6b59

SHA256
b0b71c1997120db894668195980ab99cdced52660f8de55e85b49151345b7cc4

SHA512
ca6a9c6ce6bad2dffa72b3e40e1d8645a89f79927ab00e95b469fbf3b2787201f475b4f8427531c39b97450410efcc8265217dd7bf6e008621e6c859249ea655

Download Submit
memory/116-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/472-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/852-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/852-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1244-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1284-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2752-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3132-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3368-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4392-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4396-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4588-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5160-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5160-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5200-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5200-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads