235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe
Size

305KB
MD5

3afd764a2415fe179377e3a1732ef544
SHA1

6cc64f243b5571c875e36de6f3f111d3ab2cb28f
SHA256

235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7
SHA512

8d03b5613b99bb4d774b6ec596d053ac28412dd26235efa10fe7a6a8039f1d4c824d707fb2c91dcf46dd4c886da4d26706658dbb9bd8985688eba1ea5c585aa9
SSDEEP

3072:jlunMDJCQ6f/6HM+wvHz+lc802eS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQV1:jAnIpNH9OHKlc85dZMGXF5ahdt3b0668

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpnoncim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbohpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpgind32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpnoncim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddgibkpc.exe

Executes dropped EXE 61 IoCs

pid	Process
5016	Gmdcfidg.exe
3752	Gmfplibd.exe
3664	Gpgind32.exe
2756	Hibjli32.exe
5080	Hffken32.exe
3624	Hpnoncim.exe
828	Hifcgion.exe
1864	Hbohpn32.exe
1688	Hpchib32.exe
900	Lgibpf32.exe
1532	Mcelpggq.exe
4052	Mqimikfj.exe
4484	Mfeeabda.exe
4180	Mfhbga32.exe
3432	Nopfpgip.exe
3248	Ncnofeof.exe
4048	Nfohgqlg.exe
1640	Nadleilm.exe
1552	Njmqnobn.exe
3140	Omnjojpo.exe
3692	Ompfej32.exe
1000	Ojfcdnjc.exe
4332	Ogjdmbil.exe
2736	Ocaebc32.exe
4416	Pmiikh32.exe
400	Pnifekmd.exe
2112	Phajna32.exe
4632	Pplobcpp.exe
4080	Palklf32.exe
1384	Pnplfj32.exe
1160	Qfkqjmdg.exe
1376	Qaqegecm.exe
2268	Qhjmdp32.exe
1280	Akkffkhk.exe
1836	Ahofoogd.exe
2848	Aagkhd32.exe
4660	Ahaceo32.exe
4088	Aajhndkb.exe
4996	Aonhghjl.exe
3340	Ahfmpnql.exe
1992	Apaadpng.exe
4312	Bhkfkmmg.exe
4624	Boenhgdd.exe
4112	Bpfkpp32.exe
4552	Bgpcliao.exe
4900	Bmjkic32.exe
660	Bgbpaipl.exe
3152	Bahdob32.exe
5056	Bgelgi32.exe
2780	Cpmapodj.exe
2688	Conanfli.exe
2476	Cponen32.exe
3016	Coqncejg.exe
3764	Cdmfllhn.exe
896	Caageq32.exe
4276	Cgnomg32.exe
2304	Cgqlcg32.exe
1460	Dddllkbf.exe
3988	Dojqjdbl.exe
5020	Ddgibkpc.exe
3400	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hpchib32.exe	Hbohpn32.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Coqncejg.exe	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Pnplfj32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Mfhbga32.exe	Mfeeabda.exe
File opened for modification	C:\Windows\SysWOW64\Ncnofeof.exe	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Pmpockdl.dll	Ahofoogd.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Mqimikfj.exe	Mcelpggq.exe
File opened for modification	C:\Windows\SysWOW64\Nopfpgip.exe	Mfhbga32.exe
File created	C:\Windows\SysWOW64\Jhpicj32.dll	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Pmiikh32.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Fpejkd32.dll	235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Hibjli32.exe	Gpgind32.exe
File created	C:\Windows\SysWOW64\Pqhfnd32.dll	Hbohpn32.exe
File created	C:\Windows\SysWOW64\Ogjdmbil.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Bgpcliao.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Ebggoi32.dll	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Hpchib32.exe	Hbohpn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgibpf32.exe	Hpchib32.exe
File created	C:\Windows\SysWOW64\Clahmb32.dll	Hpchib32.exe
File created	C:\Windows\SysWOW64\Mcelpggq.exe	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Mqimikfj.exe	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Phajna32.exe
File created	C:\Windows\SysWOW64\Fgjimp32.dll	Palklf32.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Hffken32.exe	Hibjli32.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Pmiikh32.exe	Ocaebc32.exe
File opened for modification	C:\Windows\SysWOW64\Aajhndkb.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Hibjli32.exe	Gpgind32.exe
File created	C:\Windows\SysWOW64\Afeknhab.dll	Hffken32.exe
File created	C:\Windows\SysWOW64\Omnjojpo.exe	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Gmfplibd.exe	Gmdcfidg.exe
File created	C:\Windows\SysWOW64\Klkfenfk.dll	Gmfplibd.exe
File created	C:\Windows\SysWOW64\Pqknpl32.dll	Gpgind32.exe
File created	C:\Windows\SysWOW64\Nphihiif.dll	Ompfej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4924	3400	WerFault.exe	151

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkfenfk.dll"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmfplibd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll"	Hpnoncim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll"	Gpgind32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpnoncim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hibjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hffken32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 5016	2116	235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe	91
PID 2116 wrote to memory of 5016	2116	235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe	91
PID 2116 wrote to memory of 5016	2116	235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe	91
PID 5016 wrote to memory of 3752	5016	Gmdcfidg.exe	92
PID 5016 wrote to memory of 3752	5016	Gmdcfidg.exe	92
PID 5016 wrote to memory of 3752	5016	Gmdcfidg.exe	92
PID 3752 wrote to memory of 3664	3752	Gmfplibd.exe	93
PID 3752 wrote to memory of 3664	3752	Gmfplibd.exe	93
PID 3752 wrote to memory of 3664	3752	Gmfplibd.exe	93
PID 3664 wrote to memory of 2756	3664	Gpgind32.exe	94
PID 3664 wrote to memory of 2756	3664	Gpgind32.exe	94
PID 3664 wrote to memory of 2756	3664	Gpgind32.exe	94
PID 2756 wrote to memory of 5080	2756	Hibjli32.exe	95
PID 2756 wrote to memory of 5080	2756	Hibjli32.exe	95
PID 2756 wrote to memory of 5080	2756	Hibjli32.exe	95
PID 5080 wrote to memory of 3624	5080	Hffken32.exe	96
PID 5080 wrote to memory of 3624	5080	Hffken32.exe	96
PID 5080 wrote to memory of 3624	5080	Hffken32.exe	96
PID 3624 wrote to memory of 828	3624	Hpnoncim.exe	97
PID 3624 wrote to memory of 828	3624	Hpnoncim.exe	97
PID 3624 wrote to memory of 828	3624	Hpnoncim.exe	97
PID 828 wrote to memory of 1864	828	Hifcgion.exe	98
PID 828 wrote to memory of 1864	828	Hifcgion.exe	98
PID 828 wrote to memory of 1864	828	Hifcgion.exe	98
PID 1864 wrote to memory of 1688	1864	Hbohpn32.exe	99
PID 1864 wrote to memory of 1688	1864	Hbohpn32.exe	99
PID 1864 wrote to memory of 1688	1864	Hbohpn32.exe	99
PID 1688 wrote to memory of 900	1688	Hpchib32.exe	100
PID 1688 wrote to memory of 900	1688	Hpchib32.exe	100
PID 1688 wrote to memory of 900	1688	Hpchib32.exe	100
PID 900 wrote to memory of 1532	900	Lgibpf32.exe	101
PID 900 wrote to memory of 1532	900	Lgibpf32.exe	101
PID 900 wrote to memory of 1532	900	Lgibpf32.exe	101
PID 1532 wrote to memory of 4052	1532	Mcelpggq.exe	102
PID 1532 wrote to memory of 4052	1532	Mcelpggq.exe	102
PID 1532 wrote to memory of 4052	1532	Mcelpggq.exe	102
PID 4052 wrote to memory of 4484	4052	Mqimikfj.exe	103
PID 4052 wrote to memory of 4484	4052	Mqimikfj.exe	103
PID 4052 wrote to memory of 4484	4052	Mqimikfj.exe	103
PID 4484 wrote to memory of 4180	4484	Mfeeabda.exe	104
PID 4484 wrote to memory of 4180	4484	Mfeeabda.exe	104
PID 4484 wrote to memory of 4180	4484	Mfeeabda.exe	104
PID 4180 wrote to memory of 3432	4180	Mfhbga32.exe	105
PID 4180 wrote to memory of 3432	4180	Mfhbga32.exe	105
PID 4180 wrote to memory of 3432	4180	Mfhbga32.exe	105
PID 3432 wrote to memory of 3248	3432	Nopfpgip.exe	106
PID 3432 wrote to memory of 3248	3432	Nopfpgip.exe	106
PID 3432 wrote to memory of 3248	3432	Nopfpgip.exe	106
PID 3248 wrote to memory of 4048	3248	Ncnofeof.exe	107
PID 3248 wrote to memory of 4048	3248	Ncnofeof.exe	107
PID 3248 wrote to memory of 4048	3248	Ncnofeof.exe	107
PID 4048 wrote to memory of 1640	4048	Nfohgqlg.exe	108
PID 4048 wrote to memory of 1640	4048	Nfohgqlg.exe	108
PID 4048 wrote to memory of 1640	4048	Nfohgqlg.exe	108
PID 1640 wrote to memory of 1552	1640	Nadleilm.exe	109
PID 1640 wrote to memory of 1552	1640	Nadleilm.exe	109
PID 1640 wrote to memory of 1552	1640	Nadleilm.exe	109
PID 1552 wrote to memory of 3140	1552	Njmqnobn.exe	110
PID 1552 wrote to memory of 3140	1552	Njmqnobn.exe	110
PID 1552 wrote to memory of 3140	1552	Njmqnobn.exe	110
PID 3140 wrote to memory of 3692	3140	Omnjojpo.exe	111
PID 3140 wrote to memory of 3692	3140	Omnjojpo.exe	111
PID 3140 wrote to memory of 3692	3140	Omnjojpo.exe	111
PID 3692 wrote to memory of 1000	3692	Ompfej32.exe	112

C:\Users\Admin\AppData\Local\Temp\235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe
"C:\Users\Admin\AppData\Local\Temp\235c8fc10a78905ee326ba953638597b7ad53163033923302c649044f13b04a7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\Gmdcfidg.exe
  C:\Windows\system32\Gmdcfidg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\Gmfplibd.exe
    C:\Windows\system32\Gmfplibd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\Gpgind32.exe
      C:\Windows\system32\Gpgind32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        62⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 424
        63⤵
        Program crash
        
        PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3400 -ip 3400
1⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3800 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
305KB

MD5
6113ab0bfb3ce034cd3623393496f5fe

SHA1
d4f30f218c9b26202851cb37e34aed32361a9d12

SHA256
8029faf6ef60a1ffc1d1552cdb021e9208b3bb0fac87abcbab889c1d688ab62c

SHA512
a5c9dc8b0a69585def5cb62eab4cd705c8c3db88c861bbb7e2721af02423cbdcc10096569b6fdfafa9773c17c29e0b552a397cb8445e161a54074c211e485301

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
305KB

MD5
3d405ac7cebcf53c23bf734a8433842c

SHA1
506d407aa6197d028adda91f01b6db013f8f4a68

SHA256
27b947873342fd2d44a3ede498d7b1d8c87dfc567673c1ba09aa1ebfe8c8bc02

SHA512
1960e3a54cc4eee3908c6b3be661e910a64e945c1f1fb5ff28ce5013b126ad96dd2ab37db787bce1b2f5e852cd4b8be61648ae239d954ca76c77aced25e65abf

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
305KB

MD5
35b438988258c38a70ace939ca94b64a

SHA1
77344e1af32c84f7784f70c40f65b85a405a0106

SHA256
1a91891ac0bd31d8c9a890f51dd7df0aa2a74f1e68eec6659dbbb04ff5a14507

SHA512
6d9b91a72391e22bfab101086377bf34cf67ec2d98e23fae826dec1e56584038e1164a072b47886fd4f5acac5598254eaff55b628d5b7d3fd81f90dfc7d37aa5

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
305KB

MD5
9caca36245f03d080747a571d4290929

SHA1
571315834f98ea71b58b6f67e54d0895c584fcb8

SHA256
4242b1f03481f3ae544e72d21d4d3c2aca7fe3015562eb52374506ad10d54f22

SHA512
dda46d8ce26aa6332237c8af42b11ed253bcc97afc725d960c451b5781df0a0c67718593ae343868c885d63d227a59e0bff61439153452990cfc9a2879769e78

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
305KB

MD5
6cd267162f1179b3707dc265f2d582de

SHA1
646ec8a2d1998545fda6065cb4e08f95efd3ca15

SHA256
7ece205b3783a89f6745cbc31e0cf56c923f70ec9c755d10269925a6eef854fd

SHA512
5e504dc9956e0b078a204f33e24b7d7b7cddba24263dc5ffd3bd1f9d078fa9e659f5994c6abeecad9b83ae4185e1a6c09ed0f5170e4d7a53a87758c99df1ba53

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
305KB

MD5
ed17833522845e534a7ce343fe0874f3

SHA1
780b7f68ed87cb0d22075ebc8693db87211ffda9

SHA256
55b423b21badf321451a037ec3633c5343727b1a42948b66fb2b6b879c060b21

SHA512
50246ac51464e12c0e155601b2944ad58c9576238878f5af0b99056c379711a84d479247ff006f230f47a21dbac9a0f4ae7603d934ec7fc6fd4b2083e054ad08

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
305KB

MD5
481bcc8c1d055b99503cfd517488bc5a

SHA1
90ceced4f9518cd43bc3359bc39c29e983f839be

SHA256
7e5dd059e29cfab40abcb949cab86da8a912070062b390128062362d9b498e2c

SHA512
332ff72447c86f7965d730e988205335c9e5dece9d1a30edc6841f41b1c5111bfcab2804fbd092188931496dc71e89384e56c49cb2089c935a42bf52f149d28f

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
305KB

MD5
1903043e64b32ed3427fa03d6a37bda6

SHA1
23779101f7c3b4047758c85ae4e33f02dcb8861a

SHA256
309bc24b3d63681f8772265472a2a36dedf664dad22529ff9efc5d602122e8a0

SHA512
86f5f4437b8021cc3f9fc68398fdb76b29c9f3511114cd6752611d371bdaea1ccdf4a355832204a4c1e2bad8af55f2c08d389a5d29f27aea4f273f51be2ce4b1

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
305KB

MD5
6a9bce977050470177a4c6c68b285277

SHA1
368a432e06ab0b25c1978c87237ec152e8edd324

SHA256
665603527e6ee5569c7681d12db12cf47a14a529154713315b7f434f6d2b1bfd

SHA512
fbc325f83c85a046d93819c083319f7d9090b0da660aade91e00b8d53b04b2e588537bc5ecbe82ffc81f65744cf5311ec20f5a6873d360ab155fb71f56ebff05

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
305KB

MD5
0abcaf4b674b7accf9bf2651ad841eef

SHA1
5abed3ea5c84675316f2acf37126e5adaa1e9ead

SHA256
adb8e09d928e09dfff1c68d344ae0d53c84ceaca474814b709d6a293e6766081

SHA512
2ecf2c270deed26c59c3a489c33a0566290b8522882fc567383cf40cb3e6423180cbc7a66220b3a140bc6a267453a83e2da9cf241e3cc1d22f7fcb0b4995b04d

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
305KB

MD5
b8fbdc2eb69098be790bbf3e23d96142

SHA1
31d740eb0d873e3a8c7f3fbf978022ae3ff0dbae

SHA256
3c61dce844d98dd7871ad16b483e6e0986134c02dd390ad38568ead11d6ecf8f

SHA512
1058ce65015ad2752ba9db2adec1d0c309e403c514b4c5aa819b4c02ab37e583857ba8771372cb3c23a981713215c825d902f4c693a1fad5cd4a4867edc2fbb5

Download Submit
C:\Windows\SysWOW64\Hibjli32.exe

Filesize
305KB

MD5
ed64f079a8bf9d7dddc24c80269675fe

SHA1
3c6db83a8dfd4a5c319182f16f07f72c40d3f565

SHA256
c0d238c51cb6199637a80154f94adf43913799cbcaecb563ca40d3a67b744f97

SHA512
f656ace8c7c51b31a5da4f5e7bc459e14f54429f864f4bc3e2014e5261c6f92b0a0cd3826abbf539d70d26367215ad5f0dff0e1726df48882def6213b70d2c28

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
305KB

MD5
eb0188bffd4ca3d9a9eca6677568efe0

SHA1
fb6f5a44cb97702ca1e842c8e2a8f49696911de3

SHA256
268b6331e058b759c00bed5c5031f11cd1c3f85e58c9697df2d6cdceec461486

SHA512
3294eb3e80621df87e1491876e6934215214d07efded5fe7b5f95be5aadb87419ce2f4cb923aa0bc9e0d890a885e90e0d3903b3c2b9746b6d6e62ce14f55f74a

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
305KB

MD5
f6d10f13026acaf27937e94400718693

SHA1
170d155040a5217199fd15f44bb9230c87153cfb

SHA256
bea9e822becd93fb6068513a1a94d88b1520f1e7ef4c3b7e39746cca741ac5e7

SHA512
75c5eae07a4a525fa7278c13210fe19a28b4189783cf64ab30b7a5676c8904f48115916cd6851ede05e56c66b312f57a3951e5f9653ce967ae31162349a47b5a

Download Submit
C:\Windows\SysWOW64\Hpnoncim.exe

Filesize
305KB

MD5
b6d411c2fc571884bf4901b4951df4bc

SHA1
d38d172f278eb0f85fd6bfb97c040a49a4899e11

SHA256
3905f07dfa420ef3261a16894a921578606a309f8a1c4791a47b54edd8945203

SHA512
4d0b0e4aaa4356ba4369f609bd240b00207383412ecc49bf6b8b18006fde87a08a7b83356d568a9f71c1d5cb196d56039f960d209173be3702284a0f46f68117

Download Submit
C:\Windows\SysWOW64\Kmhjapnj.dll

Filesize
7KB

MD5
d4bc1836f023dead1d5a53f35bc7487c

SHA1
fce647a72852f645f314ccef0923c9718ff9ac97

SHA256
ddcc201f90fe9855422dbf77b66757216b4c6048be2a137e567ac85d43a8e191

SHA512
d175bbdadcc58d642215f58fa147d763cb0b88c94588648806941cd4f1faed7a8fed2830288ecbf613fe40182d7717b3c28704984d2874647635a715555ccefe

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
305KB

MD5
c4fb6de0fff0c1661fa5ea4b15c493d6

SHA1
9c1c301ff34eee359a0371286462aeac62689e73

SHA256
ea1463c5e9aae936700a43a875a8bb47afce3d1b86ebf157eba5e8ea4e9dbfcd

SHA512
6bd7bfd951545993c2f5d165d1f7aa305b84b4310c1b3f06707a759cde51bec1b6bfca3cae83594deb950d2096278c8a9f1be69869eee2909a65aa62662c2bbc

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
305KB

MD5
450554a05a9b4455c03f14bd5458a3c7

SHA1
bbd5f6bc00cdfafd16e8d2e530ccbb80af0090f8

SHA256
6375c242333f0c416dcdd94f67c9a2457b208d20127a5cfaa6187254cb0f5807

SHA512
1a2127e3c1b3daeb1a7898789a7cbcb2296a9e8727a8884e9dc739191a27fc92989ccb0e7d33365654043654f8a3c0246bb378367f114aaa9663fb14733adefa

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
305KB

MD5
32308a24a3a7cc9356b59feebd4ca66e

SHA1
d49ffe1f49493b4720001ec2cf5487b0ed077815

SHA256
73afaa6dff3578993f23e878b6961244995ed8b525a0bfa6041fc51622e44f24

SHA512
ce2a2e85bdb8ffd30a51bb9991fd3e5f160d800fc804e714c87dce348737aab6614da91e0936965fe289570b3127d8ff802fceaedb08316f6b9c6605696673d9

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
305KB

MD5
9de2b797781822e95716599c94bb5c44

SHA1
e50c98e5d51bc73c248e33d20e7ec3787638dc82

SHA256
86acb64aa230f20cdc687e0ed5b14e69ec39a1fb190f3a5fd6b812693cfcf29b

SHA512
bd1afe9791fbfc4c86f36d1528401ade135b3f77439ad169d467e8fa2ace5a10e39ba113a071295451d6e09988d7a6a435582222d109d01da8a6723d1c2f2bc6

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
305KB

MD5
a2c27934d423f2f7a6b2dbce2382ecbc

SHA1
5773e8fcab6a29c9af33ebcf2f3e76924145fef2

SHA256
150bfda5e840bb966b35668d252eb61012e1f8212b4a9fc88de7351d56529d0b

SHA512
85d1d9901be383e6b15ac3701c2642129de4d2a0f846540d30e6928f8d1a9b5c4d29a84d71f869208c9e292c92c1fe426579e765ef882bafd27add718f84eb11

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
305KB

MD5
36e4ed21000acbb09889b13df7150dad

SHA1
d1a1bfa4bbe70775418130c6922be0d32d88a685

SHA256
48331a912d7643c0ec0c080b2b571949aaab493f9663bbd1b73887f8e26a4341

SHA512
c1144cbc33b241a1815452b81edfdaead10b757b69335371f0a58728b27deb3bac2b4dd7df82fa1746471e08b06117a5ab685378ae28132e46327d0a842db842

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
305KB

MD5
653c249baf931e7bacbcbc4d17b63c5e

SHA1
3f13280f3b381c9c14919e78033c25037f447f04

SHA256
79e438dc8d951af766007059213b4b48ef34b2dcf6bc3b70e157470884cbb777

SHA512
157e87d441e9887c5b955e3cc54b0957a28fac89dfabaf9dc8c8a997df309f0171551ff9c663f57e986894c3160aae38d1d9529228fecc926035cefb97bf3061

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
305KB

MD5
08723cfe55183edd0772c76f71b6a86c

SHA1
2e996e083d2c3870a467e0bdec75b1f940b909a0

SHA256
76c8b90baf74cad91a3b369f1e51b07016c787fa91c851ae2ad05cba11d18dad

SHA512
7a6749abfad4a78206f3c8fe86b9382ffa68a70cf3e2f80a115de8355cab41e1c15dca8c1508d3ac5b21dfd4c18df5f42392c0b4bcf1dd1802bd30b99ea6d1f8

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
305KB

MD5
d2cd7d4d37201ebbcee41b05926f8720

SHA1
dcc1e0bd680ae6c9257963a0c02c067b5fdebd7e

SHA256
7ce034742b5329f2d94b586eb13c632003839b12a4d914b66fccbe8e309ff77e

SHA512
22c529cd6340b45f604a8d6aeb56c5678dc7363c8d6d2f5ef92df1bdb71e20f60386465d34d1a457b6d95b121e53c91848ce51252606f106adcb762a3e4f5d56

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
305KB

MD5
a2f927fef61081a66c1709b8216f4763

SHA1
c6dee36d4e86687fdf2460fa3b7b5f2bfddbd39f

SHA256
4002742628a738f0955b9d2308c968ee39463bbe8cf6c600e19cca480b682c9c

SHA512
f8a41230c4018258325d50ec19f06301676561bcecf73eccacc4e713595ab4af38cabc6c658133f2815cabe49443547ef591e3c7e0715b99d38d88b366fd6545

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
305KB

MD5
f384df40e0cfa816ac20d52e37ec5488

SHA1
ad393ef7ad023a992d4aea36a745242bfe878151

SHA256
c5f35b82dff65c99de09a8820eb8d2a1a85d5d58b15aa62d7a301e0e16993108

SHA512
ec1b54daded9f6051999e99e52e3aa020fc23bd4197e73251ba633f30b49cedadc2217c93621efb163aa3a0f8b9e854f246617756ae3f3ebae8bc0e30fdc3727

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
305KB

MD5
3f0c4596d232a370c219b584f653b67f

SHA1
e5f74c8b4ee446289a176ba24c0ff8ffcc80d5e0

SHA256
e1275a0da78a6859e557cb3b538c816af710c97d81e7f04795b13e561e0b2aea

SHA512
2004d465696b4a72827f2e41d894e728891b94da13a5c3399ee770afc9f21e2043c8fafe61beb606b9e05a45411d14d771687ce6da4f18bbdacbb12bae96f927

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
305KB

MD5
06afc2d9a17968112b7e6eb4dbd12828

SHA1
5305607c9f638e58d1dafb668e92ad53b2fe4dbb

SHA256
241f43a0d428e42def2fa7a25fea854a73821db02906027df533d5b306c52eb5

SHA512
e26b35f163d0a06aec227fa5bf5afa71c9bb31fee2e22a23ab18ad7e497a80a524ae64bedb16a152b19deb0be7c95a8da5bd5c5626b20dd9a45c86914610bf5a

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
305KB

MD5
08818136e18b4c9b461b5d1707468496

SHA1
40f47c21f42ac7a72f7013b2484ae441c2a68634

SHA256
0b3b999ce194ca20b90d511e4dec1c64ff14e55e9e67c05e8afc8f4c161e7a9c

SHA512
577fa2724cba1c441bd7ad2ebb63ffa3b76af58d4726b7772c8a91cab25e9009962e58095efeb8f782e619e2427c3438d13621f64084b04dde3aa0a46a4b4a4b

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
305KB

MD5
d33aec6992a01156214a3b624558b503

SHA1
4a0f631f07b2b08c81b23fde28b32a2a220dc20f

SHA256
0f79cffaa7353953765c832532879598fd672f9cfe58928a0939c2f7019beb1f

SHA512
39bcd4d40b8d40cd6c641fade6b1b81cb75dc97acddb45112c22ffcdb14a6a4243b9f005b7bbc38d408d5c3f6084b2b1ec0e1c33af6270edf37721a0ebef410b

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
305KB

MD5
8517f0d77a82d454e25eafcef73956a1

SHA1
9d0e9997b68ebdd95cc005b191f694aeaff09823

SHA256
81b43056605ddcdbd6cbc20d8500ded460460a0431860b37f84082afb92596af

SHA512
993bdeac6e78cfd3be5ec610e751af4fb51d552da990fec2ca82e9be5de58a070288b4ee934d4874844b055d2d17b63cbfdd2af939dfecbf53a77970661844a5

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
305KB

MD5
16ea1454dd19eecbea33296ab5eb9871

SHA1
41c9c6a5c9d67118efcd1dd9194f61e510f7c7bd

SHA256
f9d9521a809bb4907f81d9a07d170cf694fd0739eab7d725e18bf80e83e0efd0

SHA512
6be7c5681744624b0f6bb6546adfe7e9fa99fe38fbdb93f48de330c4f2a4c1b1e1203d9d1ddda73d644d7c5d9ca3c605631311cc0c8e3fe0224129b380909380

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
305KB

MD5
cc70124117e526aba27bf78f609bbcb5

SHA1
e38b5191b3d242ee574c9d787e75b4ecd7316e06

SHA256
834af91e333447f2ec4b819cc5831a982b0ff4159b582a94dee0c29a65576d84

SHA512
7fe43979c4a8dee8d311a0584caad649ae12c027eed2ce0c580a8e93b4378002146d483daf9549fad09372e11f43b9742dc9f32a64d76690f8cb17fe0f7bec69

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
305KB

MD5
04ddce70ca3b444122cc42fc59b1b316

SHA1
e897272f56ccff01a31313d997ed942f025aa538

SHA256
2b7d05bbba573a35b824ccb40719f44555b19d8c3574297ccf7fb28be9c1133d

SHA512
3cebf6b074908fc45c1aa979c07120ad4b9e68fb8651199713214623a25090c498cb6be928e3b9b5bba51a013d64ce5740d5b27cccb4eeed17c89f47e4a74747

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
305KB

MD5
cafd52c7d5babfe3ea0461757a453b4b

SHA1
03fd7471d0a8587a71f43ac59f37190499c7a6a3

SHA256
007daf95244498f7efba26c83e7aa3502db4b2e2ce0e12fb20a8cd9871c006c2

SHA512
8759955b5305a2433dd411be4dff9d2c287d925766fa4fccefba8e2524b784d5a1b0de1e7a7d97f13904c338846eeb022ee9ea9cacface63359be1b939e90c46

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
305KB

MD5
20f8bb20cb34bcc4db3e9a9b3d835fec

SHA1
d4c2761341fde196aa383296b4a52dde120d036c

SHA256
ee4c004ae5a80053c04e0c5724e8894a87b3620b20f1431c19b7db6d751d6ea4

SHA512
5191a32a52f14ff0ef7bb1972acdfa4a6b7e23a019bef2ea401ced6552828d78d0d5ef2af993109a8025eefe50f9938eb1ea11bcdc98912348d512f5ce64ce67

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
305KB

MD5
4b9a7e879151ba0a373a7ed461f72261

SHA1
a255915c59a1b998d90f860c45d68f4c1811ecaf

SHA256
c09ba13c8ec9eb875f43be116a5d5882646ce613776a4d0b60e9ba7d19a65167

SHA512
8ae3b3a766eb6db13479db7ff456c912150b5cddeebe56995ea760ef18bc6bc61e7c58f5a88451f23a9c6c60114b539deaaf4b1fc4367cd6f032844313ffdd1a

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
305KB

MD5
7ff30713fae44145ab1815aed95a8538

SHA1
b971912f4715df40ae90c814d694239ec88521a5

SHA256
2a21ac92860f1856d88a1ae9078404aa6d28533d6215e43d6af4af7801448689

SHA512
6b5bc57cb0e7d5f9617acaa18f2e19b463fb6e2b14129c12eafb07c749b77427a26f6cbd5ba02e3bb863d0cca7aa894db9ab2b6b942d740ceb997217904d19aa

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
305KB

MD5
2ec1ab7f563aaae0b3f01d14681d4534

SHA1
bd021beb125a54e5037598d089f9907bbe64a689

SHA256
9d773cb54decd13e3cf0f97cbf6c386bdddfb5a2755afc89159d9304e290bf8d

SHA512
ddd275c6f0fb0bcd5db9649ee9e44b6b156c7cb6f29a75c45f9372f8abbc37369b0bb15883705a7f282637a054165504ac46782d991d2e10b95b145d48217e8e

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
305KB

MD5
4b8ecaf2d7f6d17684d481cb0422bd80

SHA1
844dce9a94742bee201d5ae0a78d8495ce4d9639

SHA256
3aadb86284c090019033fa43b92c2d44c6217f0e4d6d48570e2dcc643879f974

SHA512
1d600ad696cc7956aad952b6c91fa566d7c4ba4f9490624e9b275a3c14dfe93faeb8b991f2eef6e79856ff4b6bf2999d771e3ebc5705b42c622c02ea3baec9dc

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
305KB

MD5
3c8716f2b00cfd48598575c4d5758c81

SHA1
44faccef14408559031020fb9370a86553dac9e5

SHA256
e31caf94cfbf1564cb8ce7585ccdbc7984dd21bcae47b8f1b4877b1348b741bf

SHA512
72540c113e7ca8445b12c6285d48521d0b0edf1a050eb5195ef9b454c75e52be6e7080d3c3422c56fe30f326fbbff2537ff6616862c404cee0c650e5449c2a4b

Download Submit
memory/400-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/660-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/828-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/896-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/900-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1160-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1552-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2116-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3152-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3248-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3764-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4180-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4276-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4312-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4624-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4900-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4996-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads