2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
Size

55KB
MD5

199c7b5bfd9207ac81e87e230b9f98de
SHA1

2a424c59e40e7e3f538f3510a1f67152f3b18738
SHA256

2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c
SHA512

7ab4f57d51ff2645891ea058709e3c575c5fdbb0e6be4976d3fd2588315df9520248cd87c31b681a6cab569ee8efec1ba1b7cc1235cbb6c6fb53639e4bdbe59f
SSDEEP

768:kc9YN6BmvL07Q31HCOpalKXSDRy1FsoChWY2018s8O2p/1H5LXdnh:n9wOmqQ3RVaMS1Xr201N2Lj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkhmoap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qapnmopa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe

Executes dropped EXE 43 IoCs

pid	Process
3220	Iondqhpl.exe
4032	Ljdkll32.exe
5004	Mcoljagj.exe
4908	Mfpell32.exe
3552	Mohidbkl.exe
864	Mjpjgj32.exe
3124	Nmaciefp.exe
4732	Nhhdnf32.exe
1972	Njgqhicg.exe
3644	Nbbeml32.exe
376	Nmjfodne.exe
2912	Ommceclc.exe
4992	Ojcpdg32.exe
3392	Obnehj32.exe
4912	Ojhiogdd.exe
4188	Ppikbm32.exe
3612	Pcgdhkem.exe
2556	Pfhmjf32.exe
4924	Qapnmopa.exe
3504	Amikgpcc.exe
2968	Amkhmoap.exe
2900	Abmjqe32.exe
4564	Bdocph32.exe
5020	Bbdpad32.exe
532	Bmidnm32.exe
2116	Cibain32.exe
3920	Calfpk32.exe
4512	Cancekeo.exe
4712	Caqpkjcl.exe
1216	Cacmpj32.exe
4476	Ccdihbgg.exe
5036	Ddcebe32.exe
4856	Dgdncplk.exe
2336	Ddhomdje.exe
3900	Dnqcfjae.exe
4640	Dkedonpo.exe
4884	Ddmhhd32.exe
4612	Enhifi32.exe
5012	Enjfli32.exe
4172	Enopghee.exe
932	Fnalmh32.exe
1136	Fkgillpj.exe
4484	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Ocgjojai.dll	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Ojcpdg32.exe	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Amkhmoap.exe	Amikgpcc.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Enopghee.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Mcoljagj.exe	Ljdkll32.exe
File opened for modification	C:\Windows\SysWOW64\Nmaciefp.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Amikgpcc.exe	Qapnmopa.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bmidnm32.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Bbdpad32.exe
File created	C:\Windows\SysWOW64\Dnhpfk32.dll	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Enopghee.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cibain32.exe
File created	C:\Windows\SysWOW64\Ljdkll32.exe	Iondqhpl.exe
File opened for modification	C:\Windows\SysWOW64\Nmjfodne.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Mcoljagj.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Enhifi32.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Enjfli32.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Mfpell32.exe	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Ppikbm32.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Kngmnjok.dll	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhhd32.exe	Dkedonpo.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Mohidbkl.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Ahhjomjk.dll	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Qapnmopa.exe	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Abmjqe32.exe	Amkhmoap.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Ihjoke32.dll	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
File created	C:\Windows\SysWOW64\Fpenlneh.dll	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Abmjqe32.exe	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Aafjpc32.dll	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Iplfokdm.dll	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ipdbmgdb.dll	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Njgqhicg.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Abmjqe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4496	4484	WerFault.exe	133

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pencqe32.dll"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll"	Qapnmopa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qapnmopa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcjq32.dll"	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll"	Ommceclc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3220	3488	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe	91
PID 3488 wrote to memory of 3220	3488	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe	91
PID 3488 wrote to memory of 3220	3488	2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe	91
PID 3220 wrote to memory of 4032	3220	Iondqhpl.exe	92
PID 3220 wrote to memory of 4032	3220	Iondqhpl.exe	92
PID 3220 wrote to memory of 4032	3220	Iondqhpl.exe	92
PID 4032 wrote to memory of 5004	4032	Ljdkll32.exe	93
PID 4032 wrote to memory of 5004	4032	Ljdkll32.exe	93
PID 4032 wrote to memory of 5004	4032	Ljdkll32.exe	93
PID 5004 wrote to memory of 4908	5004	Mcoljagj.exe	94
PID 5004 wrote to memory of 4908	5004	Mcoljagj.exe	94
PID 5004 wrote to memory of 4908	5004	Mcoljagj.exe	94
PID 4908 wrote to memory of 3552	4908	Mfpell32.exe	95
PID 4908 wrote to memory of 3552	4908	Mfpell32.exe	95
PID 4908 wrote to memory of 3552	4908	Mfpell32.exe	95
PID 3552 wrote to memory of 864	3552	Mohidbkl.exe	96
PID 3552 wrote to memory of 864	3552	Mohidbkl.exe	96
PID 3552 wrote to memory of 864	3552	Mohidbkl.exe	96
PID 864 wrote to memory of 3124	864	Mjpjgj32.exe	97
PID 864 wrote to memory of 3124	864	Mjpjgj32.exe	97
PID 864 wrote to memory of 3124	864	Mjpjgj32.exe	97
PID 3124 wrote to memory of 4732	3124	Nmaciefp.exe	98
PID 3124 wrote to memory of 4732	3124	Nmaciefp.exe	98
PID 3124 wrote to memory of 4732	3124	Nmaciefp.exe	98
PID 4732 wrote to memory of 1972	4732	Nhhdnf32.exe	99
PID 4732 wrote to memory of 1972	4732	Nhhdnf32.exe	99
PID 4732 wrote to memory of 1972	4732	Nhhdnf32.exe	99
PID 1972 wrote to memory of 3644	1972	Njgqhicg.exe	100
PID 1972 wrote to memory of 3644	1972	Njgqhicg.exe	100
PID 1972 wrote to memory of 3644	1972	Njgqhicg.exe	100
PID 3644 wrote to memory of 376	3644	Nbbeml32.exe	101
PID 3644 wrote to memory of 376	3644	Nbbeml32.exe	101
PID 3644 wrote to memory of 376	3644	Nbbeml32.exe	101
PID 376 wrote to memory of 2912	376	Nmjfodne.exe	102
PID 376 wrote to memory of 2912	376	Nmjfodne.exe	102
PID 376 wrote to memory of 2912	376	Nmjfodne.exe	102
PID 2912 wrote to memory of 4992	2912	Ommceclc.exe	103
PID 2912 wrote to memory of 4992	2912	Ommceclc.exe	103
PID 2912 wrote to memory of 4992	2912	Ommceclc.exe	103
PID 4992 wrote to memory of 3392	4992	Ojcpdg32.exe	104
PID 4992 wrote to memory of 3392	4992	Ojcpdg32.exe	104
PID 4992 wrote to memory of 3392	4992	Ojcpdg32.exe	104
PID 3392 wrote to memory of 4912	3392	Obnehj32.exe	105
PID 3392 wrote to memory of 4912	3392	Obnehj32.exe	105
PID 3392 wrote to memory of 4912	3392	Obnehj32.exe	105
PID 4912 wrote to memory of 4188	4912	Ojhiogdd.exe	106
PID 4912 wrote to memory of 4188	4912	Ojhiogdd.exe	106
PID 4912 wrote to memory of 4188	4912	Ojhiogdd.exe	106
PID 4188 wrote to memory of 3612	4188	Ppikbm32.exe	107
PID 4188 wrote to memory of 3612	4188	Ppikbm32.exe	107
PID 4188 wrote to memory of 3612	4188	Ppikbm32.exe	107
PID 3612 wrote to memory of 2556	3612	Pcgdhkem.exe	108
PID 3612 wrote to memory of 2556	3612	Pcgdhkem.exe	108
PID 3612 wrote to memory of 2556	3612	Pcgdhkem.exe	108
PID 2556 wrote to memory of 4924	2556	Pfhmjf32.exe	109
PID 2556 wrote to memory of 4924	2556	Pfhmjf32.exe	109
PID 2556 wrote to memory of 4924	2556	Pfhmjf32.exe	109
PID 4924 wrote to memory of 3504	4924	Qapnmopa.exe	110
PID 4924 wrote to memory of 3504	4924	Qapnmopa.exe	110
PID 4924 wrote to memory of 3504	4924	Qapnmopa.exe	110
PID 3504 wrote to memory of 2968	3504	Amikgpcc.exe	111
PID 3504 wrote to memory of 2968	3504	Amikgpcc.exe	111
PID 3504 wrote to memory of 2968	3504	Amikgpcc.exe	111
PID 2968 wrote to memory of 2900	2968	Amkhmoap.exe	112

C:\Users\Admin\AppData\Local\Temp\2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe
"C:\Users\Admin\AppData\Local\Temp\2ee7eeb55f1994ba7380bf8a3b73693a5bdb0494690da36ab75bfe2d2b02341c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\Iondqhpl.exe
  C:\Windows\system32\Iondqhpl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\Ljdkll32.exe
    C:\Windows\system32\Ljdkll32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\SysWOW64\Mcoljagj.exe
      C:\Windows\system32\Mcoljagj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        44⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 400
        45⤵
        Program crash
        
        PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4484 -ip 4484
1⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmjqe32.exe

Filesize
55KB

MD5
de039cfca5a85c41fbcbfcf229ee7a0e

SHA1
3ab11d4c51ebd96162301603f30a7958074fc0b8

SHA256
27c8364a4d72f88a41a597b9b66bac894b54dacbdc1be1ec0529a6db1a7434f5

SHA512
adab64c3c9a8955ac69ed06f06d17d6f0836e49ff56ab30bd41222ffd35b4465b14142698c97db9f46fbfe9b0e915c92a6422a62fabf46a7356402072eb2953b

Download Submit
C:\Windows\SysWOW64\Amikgpcc.exe

Filesize
55KB

MD5
06a2a7fd5e62d69c3fd3f23aea09985b

SHA1
b573b8b0cbbf1a5dbbe93303e709cc3e24e8c44d

SHA256
b3676723505ee656f81674054cf24fb9c811a00ffbea04ea76b6e9e85895802a

SHA512
cf0075047c41d391445cdb945f1ca3cadc961de7f5e5335cafb28f5f4702210633d913dfbae0ce55f06be43e885d0086e1bb6d5ae0a55aabce8523dfe0d5e883

Download Submit
C:\Windows\SysWOW64\Amkhmoap.exe

Filesize
55KB

MD5
a9b766bd19f89b3671b37acd80c375e4

SHA1
077fcd15fa93361b3af78b80e20bee7dcde4c461

SHA256
3727f152ecfa41d21c50de1c7653a8ba6c61d09c62567da60eab2c451e0fff99

SHA512
5a7e0a6e02ffe494b3ac138a138639d9b34af84ef3708b55e1f9e5e7d07722f8d0c825ad08dde1e696e3fd89d485702ab6e61fde1c061ec59f379dfca74b3fe2

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
55KB

MD5
10d50b4f342ce0cd72bb3df15310fc64

SHA1
e3aa9bc52e12321459dadd3c3f3a404ee7ba238e

SHA256
419159c109cc3ee3a96245d3b120affb938f77c849c00985ee3e9d800c63b871

SHA512
7d5370273e3d1643c3b2c20d79266c418fd914512b7e3f7454e0bf89c61236fa30793bd22dbeda6aea5b3868730cd619b60214f6934baafc9b084de1d3957da7

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
55KB

MD5
6eb5fa15e310fb4352d8ce76cff14610

SHA1
d9febb3c6b1917089457d9214d81a106bd6a81f0

SHA256
d1b3f978d18625ea63ad75b4ee46e580e1bb495a4c17837fc44e3fa8f44607e9

SHA512
a4ceeb181709f5747cb65b83f2452b6737f416e49cdeb400b07cdb6362df3dddb285586ed0ffbc6678a7e052ef9d096d04111151bbe8e51460e176d9c949da57

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
55KB

MD5
533bf7671b3c6a734bc259c6998f27b2

SHA1
596c16eda199ac156991ef201a7d38ead1d51b8f

SHA256
09931cd8661d6f8caa2d3b45170887786effe092d9a92566069aa99356f7c25e

SHA512
785e9d9106a26a4b11e33a4e1100b4d2861a01e01ec7c11ce77660680377101e695b5b73076ca70c9619c0b3c0f48bb075ad84e5a546e8576afc65361e2bfb31

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
55KB

MD5
6e825c0e41d1b1644e3b50f3ec694dad

SHA1
c209cef36a623821cbfc0a575dfcfd7c82a99ba6

SHA256
d1f5260fa330b47bba9e8f981194b0482608b55d9e1c0160876bee1122484b1e

SHA512
7a7abd661bc311df137571d3d2649561f21d831ad314704d099b10c7c81b3d4b3c78a6b791258472c00dfb7092d0984bd1041e746c575fa982b16145c536ba96

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
55KB

MD5
c5a10def6a7490f54b601308fa9b3e36

SHA1
89ac6d4d5a3780b71e79c896d6c64f13d614efd7

SHA256
37b37e09ddf733bbb183097294cbc510656f6408268bfa42a2847d44994ee1db

SHA512
1ff94e0514dd44616ff7f3883db6eb8f79f8d7c94d12fb19dfe268547d5a8c8d9e2d760625d2a625e5cb738d3835c2499f1d56c284814e712f4852cc6a4f8f0b

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
55KB

MD5
4c1dbb694af327d20eebf4ec30e4cd49

SHA1
582d1b0bc4f36204f66e45287e9f8f3fb291772c

SHA256
99d7f8ead293d36e7887272f01c41e3781388a9db16d3be93a9de2e41a11b8d3

SHA512
ff5ccba5bb879a84c2ea3411eb5981f3685229ab14e986b810bed0e2f91affd9b8663e98313ae8a01be0b00c0a17b844bf3b299a961db3504bed270932ef9e51

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
55KB

MD5
0f9c13ae1e0c17b2f1032682ff5b0943

SHA1
0b4f8486efcba6a2a8fd4147455434fadc4cdf5b

SHA256
6501bfb017ceec4465bd34795217c35eaee0817bd8553b260dd4b8dc18082a5c

SHA512
b599c03b40df450ce45b1be893b736ecb3ed076d0b9dec76590a32a0938bd556955789b5c4565c6f894ce3b6f865f08e51985965b6e2e921d89d75761ced78d3

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
55KB

MD5
3fb6a5acfb0d7b1a46f54f0f86b16786

SHA1
777dac567b7baeefcb49820e72dd382c525fcaa9

SHA256
145ca8b666d61177b8a04f7ca9dac0711c0411aa3c0305594346a5b981d7bdd0

SHA512
2919ddec276b6d5d1911aceb2e1375e8f5aa572a9aebc4733565b803271ef89a2825c6442cb188c9915967b989689c23dadb2d728347efd112581c1bfddb3a19

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
55KB

MD5
fcbce35deaa1efb52a8aa80933735968

SHA1
c27be90eee98ebaaf61b01bb63eacfaddddab844

SHA256
8f1aa221f5cd4388fe15e78c33814833a533bf970595299213db5682ca273b68

SHA512
5e04302be81898a3246fd1daf3b214131aa5e2e770a2d6b8a14489c1a0054490816cae037d987996d2fccac488b374879f9cc0515a568d5140714825530cce98

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
55KB

MD5
911cf1af6f5ca1d71ed904fbf03b1fce

SHA1
b217cce9d53dc908f1d20d6d00f5682312249940

SHA256
81aa87d9b972259fc7d6b8fb90c4ec284fc78555576e2da273b0980b78517a3c

SHA512
3d60e7f7d184328feda9d0d2ee9d317b421d1e8f7fa013cad5b2b39bfb037679bcf65a214cddd304932561c1c50c68e13515003320a3286bbf38207eb79f75d6

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
55KB

MD5
2cd5114f47b7fb24267e12eed6833c6b

SHA1
73a1d89a9af815a0cae908a171bfea935ad06909

SHA256
d0a2ae7b62d2ba20aeba0be3130e551810d010bd3104a1290b448b2795a74fff

SHA512
ef0c0fd9f49ceed9ad6599076e67a1b07716d2bdc42059bd45f655a54670e8f82d4d22588d30d46f4e29b48da73516a8112c56e6ccc9f9bef0ecf0793dbe2525

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
55KB

MD5
e2bc9d3a69da240656f638e04fd4566c

SHA1
83c8bbf47f1f6e4834dc746577dcd2d65fb5737c

SHA256
2d7bb2693e717d9d1a17970cfffb784461d035858f118d674e18e77e81fd8666

SHA512
563beba8a9094a723dd30d90dc79e025db5a3060be7ae9d4634a3c9c14f7ead703895d4524640da9a63524f06e0f858b07ad5a814afee1516d3148b2cff6a171

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
55KB

MD5
89ec504cdd50a6ac275e86d1a6a71c19

SHA1
5fe2f187e11e935d14176126316a540d226313ec

SHA256
52edafb7ba1986fabf78ba0f5f3f29cb3ec3a966a5cdd7b020bbbb0b866b4c8a

SHA512
3ac021a346298389014e07ac8eb53771e6ff4cce9efc39c2a978b7e37a5a4e8ff472486e57989e89b1019bc6aebf024e8385de47cdabcff592545a2ebd59544d

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
55KB

MD5
2ca0c777b908f87616632336b5d6f6f5

SHA1
2e245489d6617eea188b38412b7f89eac96d6176

SHA256
d52781ee76a6de9715d1aea477cc7e96cc98936c5362e74c20e7f8d2f82b7f83

SHA512
fe09f9d96c1fc6de10f9c24460ef3d04e0cd02be265aa59870c3a52156aa1779deec39aad956cac12d90e08138abeb516ef158cc287876318b74a18a92e49ef7

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
55KB

MD5
a6815c0606a398fc6baa661e2a8b8f9a

SHA1
ea0acd823ea0defe711aa848ddeb524ee0cbfb99

SHA256
bebcba0c1f09774a8f9f8e39bbbb2e6b1aa090642bf9ff3437b506ca209046ef

SHA512
28152ba25da47d45fcf2dd39b43e87a5cb53b9737ed60f85f691276c5724a60e881f863f0e867df5224053c6f253f4bea9c1688a696bd49ef32d4abc57291104

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
55KB

MD5
fa0038442614e233ab5548ce05984177

SHA1
0e2e54ac09c52907b0630202db136670709cccea

SHA256
33bd1066ba75cfcc6bf3f955abb6828527a27bd55f0dc0a98c1a226e60598434

SHA512
dcde5ffb1a718311df098ac2445b3c9e36e9141bf64724cf82d0fae7b1c823777fa22c903b8bea96af5b99ebed65bd62d93fb941fb3798bb9803b5d6880ed841

Download Submit
C:\Windows\SysWOW64\Mohidbkl.exe

Filesize
55KB

MD5
8582c3fbbc6f7088dc3debcb85ad1d56

SHA1
413a1a2a55af0cf6500962413af3f5e8675ddf95

SHA256
80e889a73f619ccff709f9489cbaf4c97050f569e038a3f510766640eb368310

SHA512
ef1887519f8077b57799674269ecdee276bf491d1439e3fe0c81743bf10367ebb32a7ef6a1c55322a1f6919aeda16605c65b6a44eba36ab0fba65e93a78f19c2

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
55KB

MD5
1deb62d8d024ac8055791e81b8b8db52

SHA1
86681d0a29df6c4c379d27cabf2b2b4ea0c742a9

SHA256
a9a8e6e3565220a6860c189473d2f1ac06637817b2955c6fce9a21f7e97c3ad1

SHA512
123a28e6b56c19413d3883cae7df67133ec70ee75e9b30da7efab76f0f62de0b4cce98a492f26cfa147de7a0c4934248b7093eae5fe7e4a9d3fcb8ac9b4a6cc4

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
55KB

MD5
845ec4522884709c56c98ee2038c870c

SHA1
c5a9a14a85155fb5218b67f6e4051a528c09d325

SHA256
012f1c9432352ea3f54d629cbed3c5d13b85936cd332af87687e5b29d54ef72f

SHA512
f06c665097ebf336ff4c429af033793be26869dc3b054180a281ce782bbf2c75138c6e3d617ac306b25d52389c8a05dd85ed70ec8e5bce132d5f4d71f53411da

Download Submit
C:\Windows\SysWOW64\Njgqhicg.exe

Filesize
55KB

MD5
419d8ec7ffb8cfe65113126408cd460e

SHA1
f6c8a077b0f10e2da1da3390e8f2b808f962e7b2

SHA256
3fdd162e9ac6e076793beafeb077b2bda7c499bb06c422276ea11a6ee1e758e8

SHA512
130e3340e3858b2b402762b3c04c868c5c20828b4e3fb42a3f0194cea104db86cf569684881d7e084398fcc04742620b26906ab5b3a34969edbc46b44d4f8f90

Download Submit
C:\Windows\SysWOW64\Nmaciefp.exe

Filesize
55KB

MD5
56af6a0e5baa2d31df8442bd8d1af424

SHA1
27592655cde90dd655ca2dbf75b812092c7a877d

SHA256
14e4a2a2abdc72b6f4f214a4ad5991d47e8da4aef65b9411da74ac9271967548

SHA512
b7ce59b1d008277cd0f295f0cfbdd1e4d16d1cd9bf10f13f445f513246473a3d7eac40bc37812942ed1b34256ecf27c5249408daff5d03b739951592f0e81aff

Download Submit
C:\Windows\SysWOW64\Nmjfodne.exe

Filesize
55KB

MD5
ca4568b4d746ad81b162a995802df677

SHA1
45d94a7dcfa5b3ddbc6a666ef28b2725c57b8ad8

SHA256
bc1bba64603d557e611a85a8b5ee4dafa70b34bcae5c0d0d90b1982292bb414d

SHA512
d23da9f569fbf6ea086ab50bbf9b701f4b0616dcfa4826635a68bbf4222de09040650a335812d3f6be271979b2e05275073bd45f66dab0e18e850ae0e710c99b

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
55KB

MD5
828c5a1c3c80cfd4e0048696379a5319

SHA1
e261d37b6a25eb793c846639ab482183250e0c78

SHA256
ec0932ee8d93a067d2a38c966ff5cd6f7a8dab555024d44627d96d577eb83071

SHA512
1ba0b6c68fee9e962f4d7b841274adf85a0b45ee080ef75d5f49777a2411ce60a05970285d2255b1ed4f210c4b4503537f369393fd91dd502be418f8af0891db

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
55KB

MD5
28ef62609644ded7e29362a7da16290b

SHA1
464b4c9ebce6af0eb92e206b001e299116c4f5d3

SHA256
38ec88a67228f49054cc5ae7f83de98156d954ce38b0cd1da5e6cde42e62bf2a

SHA512
9f25d3064b5ce3da360c9f5e6ae8a5bdc7873452b1a600c0fcf51bc42c9a19121c4b6a23ca40f62bf05c1c902e270dcfac19c1477366962092a37275160792a3

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
55KB

MD5
25f63b84625e0ce961405a948b27dd3d

SHA1
a5ed2f8b72dfc382912d7cf5a052f9e067373d91

SHA256
f53b1a208e7687d5682617e0d9ff1d9cc7abfc17b5ed74104f1348009c47d3d7

SHA512
e61cc5f544cb90d8cc0878cbddeb0fcd03dc775b64293387821d84278c34798c17049dd4c26d02c4eed169100df404aea003a67531db75a1fa424e30f02dfc6f

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
55KB

MD5
eec329b28ac936ec1beac2d5938674f3

SHA1
ce31c1116e240cc7696c6496d0963d9cb2c16019

SHA256
6d631767b8330ffd9577375d1d2829c2c57d635755a9e33714693ba60cee9100

SHA512
dd10ff33c689fdc42c9367bec3a56acbf5a13b43ac524b1980de438e37c0585e6d05432fd7162d76189c264da1355d9e61a0837b403e1ebad43e7e627e14be2b

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
55KB

MD5
907d586713f7d6d7eabbcb90c4beec62

SHA1
307b5bf06ef1f70b3953eb2fcebf37a3532b951f

SHA256
fb593d1e204349331a2a80c0a8e31f8bf1f853bfc621f4370c3e0ebfb6ff45c3

SHA512
0a55378c91084d99dd8d0e4debe549e148090a151673e2647506216520e6cdb1f2c47884146aceadf626e923748434e69ac1bdf5181a4022e6bb49fd31f02c6c

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
55KB

MD5
0303e89dad63697e51550a3f5e37cd41

SHA1
90aa39f9b5b4bbf98fc9273e13fa545e49a4745a

SHA256
198e641a951820f68b26fd06a81c4892f9e559c0083ef07f1ca8711be839b948

SHA512
de6eec69080e815a591716237f1f1ff9fd945c76236096effb292ffc76b3060276e4bbe84eaeb308f00ccbeb3533aae2f86506cc4f6a054100798f7db55b002f

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
55KB

MD5
88e5e55010690eb9ef4968309aae136f

SHA1
7d3070f8edda414146f09b2935742a924fff7482

SHA256
7cc588ecfc1486fe61636a46d0060461e5bd5fb4f592138532a7ab38b246c749

SHA512
59fc1b4418f5a42bc212dc112c4fcd72f51f9a1e431d34b3f92505ecffa0c90ef1b3372eadf825c217610048ac5ae848ac7609f63fad49721e281cd6b4222f30

Download Submit
C:\Windows\SysWOW64\Qapnmopa.exe

Filesize
55KB

MD5
5e69a11d5d2ea7afc32ba29ff4aa809d

SHA1
24ea015b155e3f853f6939c56e93139ea750fdce

SHA256
12c9a90dac1f3a36057527f90d4945fcc3e45a57895f9e3d7f53caed448e33ed

SHA512
6db63c4209d80ce41cb5830bf9e22a6655379c3a988b51808a46b29785e8daa4005f8f13508ccd815fcfb9908fb1ee7eb0ce22d6a97c4c36a98630fcd14ec1b9

Download Submit
memory/376-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3488-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads