8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe
Size

1.7MB
MD5

c983fd4f48a9c21afcdf01ac65aa6862
SHA1

1022502e4d64fc0046594c30342fcbc7d71f1567
SHA256

8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07
SHA512

037d019073e66559fa867b5c2c3349a4887ff5027996ac50a08e8e03f24dc1db94a399409a6958f0cfa373c1924e495b028eea37a23b69ff964fb58b4179725e
SSDEEP

49152:Xix7/ix7yix7/ix7Xcix7/ix7yix7/ix7:XU/UyU/UXcU/UyU/U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeelnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeelnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekonpckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhikci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imkbnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Komhll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gojiiafp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhikci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feqeog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe

Executes dropped EXE 53 IoCs

pid	Process
1460	Eeelnp32.exe
4636	Ekdnei32.exe
4988	Feoodn32.exe
2412	Fmmmfj32.exe
4296	Gflhoo32.exe
1436	Gojiiafp.exe
4064	Iliinc32.exe
2860	Imkbnf32.exe
1692	Jngbjd32.exe
4940	Komhll32.exe
3756	Mnegbp32.exe
3428	Ncqlkemc.exe
1548	Oakbehfe.exe
1136	Pdenmbkk.exe
4592	Qjfmkk32.exe
2652	Akkffkhk.exe
4140	Bphgeo32.exe
4356	Cammjakm.exe
4428	Cnjdpaki.exe
836	Dhikci32.exe
4400	Ekonpckp.exe
4568	Feqeog32.exe
464	Fiqjke32.exe
4672	Gejhef32.exe
3148	Giljfddl.exe
3848	Iacngdgj.exe
3592	Iahgad32.exe
3968	Jadgnb32.exe
1944	Kbhmbdle.exe
2348	Laiipofp.exe
1372	Mfkkqmiq.exe
2188	Mjlalkmd.exe
3992	Nhhdnf32.exe
3348	Nbebbk32.exe
1684	Oqhoeb32.exe
2944	Omalpc32.exe
4312	Oikjkc32.exe
1008	Ppikbm32.exe
2916	Pidlqb32.exe
772	Qpbnhl32.exe
4536	Abcgjg32.exe
4660	Acccdj32.exe
860	Adepji32.exe
4196	Abjmkf32.exe
3456	Bfkbfd32.exe
4044	Bdocph32.exe
1444	Bfolacnc.exe
2680	Bgdemb32.exe
3648	Cienon32.exe
532	Cpacqg32.exe
4404	Ccblbb32.exe
1524	Ddcebe32.exe
2092	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Nlbkmokh.dll	Dhikci32.exe
File created	C:\Windows\SysWOW64\Ffdihjbp.dll	Giljfddl.exe
File created	C:\Windows\SysWOW64\Ijcomn32.dll	Laiipofp.exe
File created	C:\Windows\SysWOW64\Omalpc32.exe	Oqhoeb32.exe
File opened for modification	C:\Windows\SysWOW64\Oikjkc32.exe	Omalpc32.exe
File created	C:\Windows\SysWOW64\Ckjfdocc.dll	Qpbnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Gflhoo32.exe	Fmmmfj32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkbfd32.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Fiqjke32.exe	Feqeog32.exe
File created	C:\Windows\SysWOW64\Gejhef32.exe	Fiqjke32.exe
File opened for modification	C:\Windows\SysWOW64\Ppikbm32.exe	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Adepji32.exe	Acccdj32.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bfolacnc.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Oakbehfe.exe	Ncqlkemc.exe
File opened for modification	C:\Windows\SysWOW64\Fiqjke32.exe	Feqeog32.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Komhll32.exe
File opened for modification	C:\Windows\SysWOW64\Mnegbp32.exe	Komhll32.exe
File opened for modification	C:\Windows\SysWOW64\Ncqlkemc.exe	Mnegbp32.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Acccdj32.exe	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Gflhoo32.exe	Fmmmfj32.exe
File created	C:\Windows\SysWOW64\Amdcghbo.dll	Imkbnf32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Gojiiafp.exe	Gflhoo32.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Komhll32.exe
File opened for modification	C:\Windows\SysWOW64\Gejhef32.exe	Fiqjke32.exe
File created	C:\Windows\SysWOW64\Gojiiafp.exe	Gflhoo32.exe
File created	C:\Windows\SysWOW64\Pdenmbkk.exe	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Fmmmfj32.exe	Feoodn32.exe
File opened for modification	C:\Windows\SysWOW64\Imkbnf32.exe	Iliinc32.exe
File opened for modification	C:\Windows\SysWOW64\Akkffkhk.exe	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Abjmkf32.exe	Adepji32.exe
File opened for modification	C:\Windows\SysWOW64\Ekdnei32.exe	Eeelnp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmmmfj32.exe	Feoodn32.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Mnegbp32.exe
File opened for modification	C:\Windows\SysWOW64\Abcgjg32.exe	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Adepji32.exe
File created	C:\Windows\SysWOW64\Ekdnei32.exe	Eeelnp32.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Pjhfcm32.dll	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Imkbnf32.exe	Iliinc32.exe
File created	C:\Windows\SysWOW64\Mckmcadl.dll	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Mgpilmfi.dll	Gejhef32.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Bfkbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Jngbjd32.exe	Imkbnf32.exe
File created	C:\Windows\SysWOW64\Fdahdiml.dll	Iliinc32.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Bfkbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Ccblbb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3824	2092	WerFault.exe	143

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll"	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feoodn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkmokh.dll"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejeak32.dll"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoibcl32.dll"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeelnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iacngdgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll"	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolcq32.dll"	Komhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngckdnpn.dll"	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gojiiafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll"	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekonpckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmophg32.dll"	Gojiiafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iacngdgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfkkqmiq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 1460	3232	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe	91
PID 3232 wrote to memory of 1460	3232	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe	91
PID 3232 wrote to memory of 1460	3232	8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe	91
PID 1460 wrote to memory of 4636	1460	Eeelnp32.exe	92
PID 1460 wrote to memory of 4636	1460	Eeelnp32.exe	92
PID 1460 wrote to memory of 4636	1460	Eeelnp32.exe	92
PID 4636 wrote to memory of 4988	4636	Ekdnei32.exe	93
PID 4636 wrote to memory of 4988	4636	Ekdnei32.exe	93
PID 4636 wrote to memory of 4988	4636	Ekdnei32.exe	93
PID 4988 wrote to memory of 2412	4988	Feoodn32.exe	94
PID 4988 wrote to memory of 2412	4988	Feoodn32.exe	94
PID 4988 wrote to memory of 2412	4988	Feoodn32.exe	94
PID 2412 wrote to memory of 4296	2412	Fmmmfj32.exe	95
PID 2412 wrote to memory of 4296	2412	Fmmmfj32.exe	95
PID 2412 wrote to memory of 4296	2412	Fmmmfj32.exe	95
PID 4296 wrote to memory of 1436	4296	Gflhoo32.exe	96
PID 4296 wrote to memory of 1436	4296	Gflhoo32.exe	96
PID 4296 wrote to memory of 1436	4296	Gflhoo32.exe	96
PID 1436 wrote to memory of 4064	1436	Gojiiafp.exe	97
PID 1436 wrote to memory of 4064	1436	Gojiiafp.exe	97
PID 1436 wrote to memory of 4064	1436	Gojiiafp.exe	97
PID 4064 wrote to memory of 2860	4064	Iliinc32.exe	98
PID 4064 wrote to memory of 2860	4064	Iliinc32.exe	98
PID 4064 wrote to memory of 2860	4064	Iliinc32.exe	98
PID 2860 wrote to memory of 1692	2860	Imkbnf32.exe	99
PID 2860 wrote to memory of 1692	2860	Imkbnf32.exe	99
PID 2860 wrote to memory of 1692	2860	Imkbnf32.exe	99
PID 1692 wrote to memory of 4940	1692	Jngbjd32.exe	100
PID 1692 wrote to memory of 4940	1692	Jngbjd32.exe	100
PID 1692 wrote to memory of 4940	1692	Jngbjd32.exe	100
PID 4940 wrote to memory of 3756	4940	Komhll32.exe	101
PID 4940 wrote to memory of 3756	4940	Komhll32.exe	101
PID 4940 wrote to memory of 3756	4940	Komhll32.exe	101
PID 3756 wrote to memory of 3428	3756	Mnegbp32.exe	102
PID 3756 wrote to memory of 3428	3756	Mnegbp32.exe	102
PID 3756 wrote to memory of 3428	3756	Mnegbp32.exe	102
PID 3428 wrote to memory of 1548	3428	Ncqlkemc.exe	103
PID 3428 wrote to memory of 1548	3428	Ncqlkemc.exe	103
PID 3428 wrote to memory of 1548	3428	Ncqlkemc.exe	103
PID 1548 wrote to memory of 1136	1548	Oakbehfe.exe	104
PID 1548 wrote to memory of 1136	1548	Oakbehfe.exe	104
PID 1548 wrote to memory of 1136	1548	Oakbehfe.exe	104
PID 1136 wrote to memory of 4592	1136	Pdenmbkk.exe	105
PID 1136 wrote to memory of 4592	1136	Pdenmbkk.exe	105
PID 1136 wrote to memory of 4592	1136	Pdenmbkk.exe	105
PID 4592 wrote to memory of 2652	4592	Qjfmkk32.exe	106
PID 4592 wrote to memory of 2652	4592	Qjfmkk32.exe	106
PID 4592 wrote to memory of 2652	4592	Qjfmkk32.exe	106
PID 2652 wrote to memory of 4140	2652	Akkffkhk.exe	107
PID 2652 wrote to memory of 4140	2652	Akkffkhk.exe	107
PID 2652 wrote to memory of 4140	2652	Akkffkhk.exe	107
PID 4140 wrote to memory of 4356	4140	Bphgeo32.exe	108
PID 4140 wrote to memory of 4356	4140	Bphgeo32.exe	108
PID 4140 wrote to memory of 4356	4140	Bphgeo32.exe	108
PID 4356 wrote to memory of 4428	4356	Cammjakm.exe	109
PID 4356 wrote to memory of 4428	4356	Cammjakm.exe	109
PID 4356 wrote to memory of 4428	4356	Cammjakm.exe	109
PID 4428 wrote to memory of 836	4428	Cnjdpaki.exe	110
PID 4428 wrote to memory of 836	4428	Cnjdpaki.exe	110
PID 4428 wrote to memory of 836	4428	Cnjdpaki.exe	110
PID 836 wrote to memory of 4400	836	Dhikci32.exe	111
PID 836 wrote to memory of 4400	836	Dhikci32.exe	111
PID 836 wrote to memory of 4400	836	Dhikci32.exe	111
PID 4400 wrote to memory of 4568	4400	Ekonpckp.exe	112

C:\Users\Admin\AppData\Local\Temp\8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe
"C:\Users\Admin\AppData\Local\Temp\8de8997a5c512cb72fe2797b7fa1c9ae546462697d27650a7918cc066fc0ce07.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\Eeelnp32.exe
  C:\Windows\system32\Eeelnp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\Ekdnei32.exe
    C:\Windows\system32\Ekdnei32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\SysWOW64\Feoodn32.exe
      C:\Windows\system32\Feoodn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        33⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        54⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 212
        55⤵
        Program crash
        
        PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2092 -ip 2092
1⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
1.7MB

MD5
a160ecb2af26fa6ab4a9aa2c6af5e893

SHA1
02689bfa4cb9f6eddae34cdb4f7084e5c09c48b1

SHA256
4ec963f0b969001ded6187cdbf980b185b6ce463ef47d9d5e774bf1a51b2f7e2

SHA512
80d8537bbc909413f796762c3e2f5b1e60b169fc2f142842309bcc58afbd12dd8c2aa83a30a9d2ea3b019199358e4adfe39e785fef085c8c6512babc72fb03e5

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
1.7MB

MD5
e4e9b585cdfc65d58b5cbb9999f90d85

SHA1
6056034cf6b442953fb7c7a60fd7f4a25d041910

SHA256
ae9dd8ecd179a5f8e825812e0c7f568a1fea6a82da999a66831de17a3578221d

SHA512
ad3517551015f346a677ef345c11964cec5a243e79d84ccd3ca93bc078fe07025e6f370b54c78b8960c125d4140d0bb66ec0a2cbd758ec1d69e1a490dad59b65

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
1.7MB

MD5
18371e17f20fc6b6e801ff4f0916a7de

SHA1
36ddff1cf9f88fdec8856780d23f5e2360b44a2c

SHA256
3de55703ba21f69ef1fc6666f7e838a1359356756b2ddd15c85f72a66484ca7f

SHA512
c031f70fb5b8f5208af29032a6b3a72b3cd4e31454dca09f64fbac8ea835b2be2e16eb4b14721beee262b4af94988663ab1440e8afe5e74f920d383e1e6eeec4

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
1.7MB

MD5
5eac31ee4b726a97f49d070c63b80f8d

SHA1
9436cb6d7046cff7347245cc6486dae9d8bb00a5

SHA256
20624b84541a41b5fb5966e58de704f9b8aaa9aa54ce7a0081405cf88ccf0f83

SHA512
4deb0266355a52d7d5e6a6c2c1ea69ba6c5882fa94ed052cd7868d7b43198f2c651e558910d152ef64a9d6cb401902bbab2cd957bc92794b7ac39a8de04697ae

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
1.7MB

MD5
5636b38cab1294d6fbdbeecde32a1baf

SHA1
4651db919073cda0d992baae5db0469edc0a2365

SHA256
960082823c9c109c15f122c1e5f0158e6ba93d1db6aaae36cc6b6f09a6512846

SHA512
ca378f027fa2e89b5268dee61ed43f0e8a435f24d11bd658757df386555ce34f674f197f4705d8897d8af86215ecd0e85688bb7bbdf08ec50388da2e0adc1c08

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
1.7MB

MD5
24ab5894931dc85a42b952e2370d5313

SHA1
32542e54d0f11ba40aeb5849f547a5b2dbb16083

SHA256
e2a18de7ec410bc9d810c201d95698aeaf03afa84108b70d334c8105806b59ab

SHA512
1a8d1f1c3907492e8dccbe820ad7dc720edaaf7011811d4cd44595fefbdc780c03d682b107bbae0c3d07baeab498b4a316c7820f4bdd5732fd8707b39be12651

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
1.7MB

MD5
2a60410e67043a5a6f172e6c31ae1154

SHA1
69c78916abf064145643ec09236b1d9d22b527b4

SHA256
e315c2ee5efd9a7ccb0cc611c240304a351fe01a3cf73a6639c1ab0900e76692

SHA512
017f359a4f1912849942a57e288246860c21c67ca5b85a270ea8fced821b92c4c21822770ffebd70b86f9cb9b59df9b2025cbf1427360753b5cd31fa6ebb6b78

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
1.7MB

MD5
9128ead6fd07c2704a44e96def15b04e

SHA1
67ab747e2c0af7d7e1bbce5bafad915cdb1fef4a

SHA256
78d1aace810a2c4f5da400292df88d370d3fac5d3b6a572bd0e30da389cbf9a8

SHA512
42b0b2550d2273361b58f8073366f4683ec58bd9ba8c17a6e3acc88d7fe060d566f0e89b2af1b4ed821d3cf9eac25c56596597c36cec5bfeb905db13c4f8f1c3

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
1.7MB

MD5
11530a697d58c2b59a0a714c5b372481

SHA1
30a8ab5840ef2559f0e60f0ec068ceacd80bf0cf

SHA256
da74c56b484627887308fa65f64b7827f737c63d2d6f074f03d1290c59928f66

SHA512
7c1238bcf5b839b50a9ccab895b7f33c20a8028f99e93978bb19334fbff2a68e053ef040ceab9701e3addc539c84a97bf1f750eb8efd1797f355f52e323c9ca1

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
1.7MB

MD5
4b201738362a64ca83c9360e0c6dea49

SHA1
4c48a885a57feab242266c06b73b486ec557c366

SHA256
42a0e1b3e54af2d0459845fa2086d9dd26df0f431237daa0f0ac0c794001e7a5

SHA512
46e729aab971f5737ee6243029d1f5192b028265e0447419fcdeba60011a8a72af38c649c895a5759e383e7e819c840c62ecedaab8ef62d78053afc2fe24465e

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
1.7MB

MD5
b69166be41a52d4a9a95df5284c1beed

SHA1
a264b546ff6950348582dc03e5baacddd08ae243

SHA256
07207bff08f1dc5acf143895ae2b1d611888a379b57981f298900fc391165381

SHA512
7706f7254ed7348e9052a40f3f2148fb5db941a2ad3537ef26af31ee5c4c62054d08331097309fdd21b6011027a2f8af8a8871c18deaa9d67cf297c51e6dfaca

Download Submit
C:\Windows\SysWOW64\Ekonpckp.exe

Filesize
1.7MB

MD5
4589dc2797fcfada14ce1fb1dfe575c3

SHA1
3a9dd37b8a0be04a6632c3ed34007aa276d954ff

SHA256
7ae20d78d1ae515a817c2e2353a172255e19bd45e29ad471f46d0792a7d9324e

SHA512
af072ff965151cbf7d1d1f212685a2a7df9232296748056569cea85b22f887a280f2c6d46d5b1996fa8de2b3033ecf04af950fc2d9a3fe4438f5f06b048f4ac9

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
1.7MB

MD5
a31638e7dda91f513df204fd888d85b3

SHA1
1785e361ce2594336241b08cdff861b369b4a61b

SHA256
4120d1eac7f08e89f9db937bc2d032c41980e70e8b309553925a4e9c01414048

SHA512
8a7cbb2d98807e4657de39210ea7cc5a3896b5cd1b600d872c62ccc8c365b655cca77b3b37d8f5330e529fcb5f36113fc236224708b8634cadaa2c47b2fc818c

Download Submit
C:\Windows\SysWOW64\Feqeog32.exe

Filesize
1.7MB

MD5
1df1ee09073516c470e18c40fbfc9900

SHA1
a1d9f9e2fc674f43d06193184a1df5e65a549abd

SHA256
231fd18ec7139e8f3c378724708bccce963d99efee9078400f4bc2e175ae9df2

SHA512
5b0aa27a7e318e078ea135477767f15ab08a7e32eaa9611d694308b22c6fa42b6fdf8a425744eafa396d218c85ce6dcf9ecdb4a7e83b58ff616d7780b416d897

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
1.7MB

MD5
33f4015cdf89772b3d71589ea0c48be8

SHA1
20329e25f12580c569631cc522f79156491c69b9

SHA256
b30d3a41c748ba94fcef17d19e9c54dff3d3eb2a9c2678e7ded341ffc4c5447f

SHA512
8e1949cb946503253b8df3c34ceecd066b71bc1dd9056d3ae6c27595f731d281e1457a2b4d1c3658e570eaf4ffd2008205572c519ff46c5eb12b04750639baf5

Download Submit
C:\Windows\SysWOW64\Fmmmfj32.exe

Filesize
1.7MB

MD5
18c88e1db05ece8d67a7c9101f471c1c

SHA1
9a9f89b2ba8fee1226e0ab64504b2928c31f0da2

SHA256
b2d6561685459a2c3fdb2ffeb8c564cc28dfb01daa510cfce1f74977f3850723

SHA512
6360947f86aac2b018da91e304c488d49c22f612cfdae20ca44826287bddb0b10d4e2c807cc6fbc068e2df80b68cd7cd686edd44dd392f12224908b3a7ade0a9

Download Submit
C:\Windows\SysWOW64\Gejhef32.exe

Filesize
1.7MB

MD5
2b5c7fc745a04a5a7daf3456a078cdb3

SHA1
abcea1125fba950893fc601ad1c2ad3243bce755

SHA256
9ea47bb9f1df7c39ccf57ec0912879bcb9870f139a8fa921af78915225ad0fed

SHA512
604ee599da1ffb3ad5df9b8aace311a8e72f9459f0b971da9d6f045f47b8854c420fe2e7b0e2e4a45356216dff245a8d2d392bba14b63e6a53997d710739a179

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
1.7MB

MD5
39944cf68b6a34e8baec362ae3a19648

SHA1
49344289d0c8cf406ebb43e80f088bac29acb83c

SHA256
c47d44aeae08f4cc10bad76736232e2f1b7e272ddde18e6ba9fe9b90ada5c512

SHA512
aa52bbd3a57a72e7a7980044a69762c8aeea9dff4219a7f83bac72ae798d70acb44d032e08a7fdd724c0550327bb1c41a45cb706bde636145933317f6153ea3e

Download Submit
C:\Windows\SysWOW64\Giljfddl.exe

Filesize
1.7MB

MD5
ba319a0e68473e978b8cf6423f2d0e43

SHA1
3fff6811a095eb295be6ab96d99a2c6635305973

SHA256
52aa9d75dc81a9b63f1697055707dcc35035a80f08acbeae86416e73f5bf5b20

SHA512
fcf874b693489f3f045482a3ddd1d00895ae7395ca4d3dc619f7ebfbccf12d510c200ddbef820892f353260517fa37e9749810bed2732b8aa95698c520cff09c

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe

Filesize
1.7MB

MD5
d5afee5d7ba3ceaa37924b36231b43c7

SHA1
19b1fde240ebd283e2092d5382d981eab957aa13

SHA256
fe5488ed934bb5e96ca6ccf07b61fa8857cdf65b4c9d4705d1e4a7acb2cdcbdc

SHA512
5da4df622b322fce59ad43f98c4261acd1e647f2d5383d6cb3126ac2f3a0f76eae559d2c4b20e536d19253c7ad1197394b3b139d7dafefdbc3105547dcb6e95b

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe

Filesize
1.7MB

MD5
1e8d60955cd09d9c1a2d1332d5326d75

SHA1
d3800e7947454c43d01a86c791c1a83688718908

SHA256
1b4300ffe6bb37efc107d1be59ebee870712170c8f9e6b2e9db087a23ac58f68

SHA512
d7ea956e59a8209c780ccbb0a2ffd71bfecc27e13f92f205d1c58a88e12bbd11c08f6818c6077ae889c5ff408b908fe61e14ec5a2a5ad7c0f5e32e19f3d7f763

Download Submit
C:\Windows\SysWOW64\Iahgad32.exe

Filesize
1.7MB

MD5
40ff544799ecb65af0d7ee75f81f581f

SHA1
269873ffdd22159197955cc71f68ed182c728ecb

SHA256
1bfa368ed7e6964019e49cb7240e93a314b675a890444a630fd748bc7da191c1

SHA512
28816037a696e62e78a70eb27e51dc29bce6c47eb67f5327d1a84fdf97f3e3f2ae6129ae29de6d4916b29edc0cf01145473c4f0c254e475c1268bad55601378c

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe

Filesize
1.7MB

MD5
c4a997676d3535daa210712d853cef06

SHA1
9d23bf4f216c485a8d82cef9622d458779026aa9

SHA256
96ef27a9c8da46f201603f2c667d2d0c0c3bd8451b43589dd3c85dfc4e2d0c1e

SHA512
8bcdc7c941602b728245c09b373973748320a9b1aa26d1069b25a9f4ca2e4608f6aacf53c444c35ef4b44d5fafa517c614be0902b61441f88da73eac18038b08

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
1.7MB

MD5
4ea35f317bc26015ee16f21336c2d270

SHA1
2aea4f1d025252bf29272b95a1f5fc724b62eab2

SHA256
297fc12f677fef25a8389124f44b9a5afbd6c7569a91997fb871f2cd6f5446db

SHA512
8346c31ca1b105169c914139f0aed386aecbe176f21a80ab92090edcbbf5575bb9d88b92f2f5b84c6f8ea0bdf97b66e0f417b548605ddd9276a566dc84915428

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
1.7MB

MD5
29cd465126ac19b76d7f3b3046798d8d

SHA1
fed26ed3d0dcef3ec4a6c266147388b5e87ef316

SHA256
42cf7e1fb17b5a971c7808acb6b8a79d1b5b78e0854d5d254b5683b4dc569785

SHA512
18ab9297be1c4807343c931d1cf96840aa2a082695f769d93440335704c10e001fd04775960afd46bc9816e85f696009448c1d9f0f7ef8d41a07c725eca51925

Download Submit
C:\Windows\SysWOW64\Jngbjd32.exe

Filesize
1.7MB

MD5
2bfe197d87874b603559265fd39cafc6

SHA1
c94d62ec861b417b5107b113fc3fcbee4c3da3e3

SHA256
afd2b5156a4afc8e4fffc776ca7b4411c9aa516f6a78f8ea7aad9656b416852d

SHA512
de621a6e09490b5f20d46c9739374cd8705d5402e87949f614fc108e75abf45e9e2875e58ee7c5262dd2ddbd5eb231639821e0c58ae1f6ff1656ff3c9d6dd5db

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
1.7MB

MD5
c5000ac39bd79628867987cd5fae77a0

SHA1
c7bc8605c7fb7b6259f1edea5975f2faa48143a3

SHA256
b552aecd8eec0b551b33c077648c831b337e4d4ec72f04455918d081fe1bdd3a

SHA512
0023372e42e3dd1efbff2970ccceac63818bfa2eeb6ee30b2ec8fa1f047ac6c75a6dd8be74fc54f18ff78f17fd431a35d694b6542ece4681fd7c08a312e041f0

Download Submit
C:\Windows\SysWOW64\Komhll32.exe

Filesize
1.7MB

MD5
01932dd17efc99a2f37c0905541c2ac5

SHA1
d87ad9a9e95f6e1a530c757cdff29310c294b5eb

SHA256
e9bc2a0650f83ed06fb857bd237e5a97b73ae6e323b66691c4a3bc34a39fbc64

SHA512
62ab00b101974acb543a2ca9fafbeb0c8b397513820ffe4d0620fe142e585e96ece8b29e14ba1d1447851aaca2a4b03ee820a06fb1f455373dadac9d14aacf98

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
1.7MB

MD5
2f4f256311eb82a5b7a4f25d612eae1c

SHA1
84f50069d89e374fbef32a4f6aac52b6b5c6c972

SHA256
1b0dc3290a8926c2d1d3b464c59e263a3c870d5f505d1cb96dd4214a5948b241

SHA512
fe97bb26b5220cafa6c96b529e1e9ad0aa8d59e7794b548652672ad03a9e1295fbd9f0fb15b96de7f591b240e24b56aaf9fcb0b1ce03dbe713b8e51055431f4f

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
1.7MB

MD5
7fa6506a9506c518e640debc805267f1

SHA1
e3d38f9130da9173726d35571a8382e68a3531ce

SHA256
27b1458e2b40c25ed1df4a2745ba3cb5bc33181dffcc6e1fda9173aa0aa79c66

SHA512
bb6cd67898b53b6ca57a83493d370e06bea12ca4f58caaebe556a28b30a86d48fa5ca58bafc589834cd2995e35ac22ae0ac14fda09e5f634d9f22fbcd874ff55

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
1.7MB

MD5
027bd0a01fcc9c9643afbb90c967e3d6

SHA1
f046a801d9d867fb01b4ec78207bdb5e3a30608b

SHA256
7d442028b9ff64af399db6a5a7629328f64ac8d35b10a731d2b57361fc1b73e5

SHA512
1b4fc19cad33f80bb66717c6d73c48987ff07b44cfa38acc75f8a8332fc04bc8893cfc8603c7ad6a9a96cd6a2059c490053b4eacd584e36fa023adbc9fd3910d

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
1.7MB

MD5
b9303b1e5f0fd9d5deb30c571d7228d6

SHA1
ae19c9fcf5d2b8a4f5904a287bafd098fb0a2589

SHA256
6d0d9588ae73c1445116f4ba79d04d4df7fb80b612695aeb602d6777ef6f6299

SHA512
109a880b1aa31f997e4b8e14a3f50e14420e9c8cb1acbb9835ca60b6ef14de0c9a3fec1e2f29d8978d75a2ecea4f93733d2bfdfcaf11c2821a28382b4b1ff1ef

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
1.7MB

MD5
ed55c9fd6597328183772a0a9b9b0165

SHA1
8298540b7ed8b73724afa2adf7a346a582613646

SHA256
2f32fd69be16a635b0446baddbee24478c00f31aad60b7258004f278efbecbba

SHA512
dc3b44b6eb5e588055ec232aa95dad3e9b59976c4f35f702dc434df96becf4c5a618513e76620fa7656f4364c72e7953470cfa69010edefd19c0104786ad8e77

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
1.7MB

MD5
fa03eb3c7cc6bedec5532b0a54651f59

SHA1
b56e546bced771bce308daf90dfe939b2f2e8699

SHA256
ffe99f838d32e6f7baaba3b5132afed3c257b9654c34cd1da6473a324113340c

SHA512
2ffdc51f3d0428315700e0cb734a6da63105b347d47eb805fb807db9763805dadb2be5069d78e03c0aa4f99995fe138127d92b60967e9e6c2392a5db3c5f8ebd

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
1.7MB

MD5
e57d8f963ea3f44827bbd81eafbe577d

SHA1
10a45676be3958abd1df428c7e804d3e8a3b30d2

SHA256
76de6f453f68e5b91e89a10a62011d549bdc204086ade39358abb56312803218

SHA512
d00374267fc3d6ad19466fd059a2d090112eaf1078db7623c53c8e804a6e34b326886e7762973796d9c3402c5164b1fd22411b94a005665256b3017f9af1a036

Download Submit
C:\Windows\SysWOW64\Oikjkc32.exe

Filesize
1.7MB

MD5
26e656a743722a21dd3df8555b5772be

SHA1
4a079d8717890b35cb358aec15ef5522883c1ce7

SHA256
b4c5b693c1f1ba057f0ce153d2273dc80bd174850f2a3698b6a31225bcd236b1

SHA512
71937c8e4b2057ab200339a876cc6be6f0e8eca022f2cc042d925b87d9113a88d8e40fc08840c5d3ca692f81e2be8bc97b75285400503522929fb290ec862d96

Download Submit
C:\Windows\SysWOW64\Oqhoeb32.exe

Filesize
576KB

MD5
aba2324e0c36542dec4b4269b66f303f

SHA1
8206affe4238a1f7619b94d0679ffc83e61b2957

SHA256
278825f929376254f804eeb146f0910e5e81cf3ce4ecc045ea3e57db5076e568

SHA512
04a1b10cc9f10fc07db33df44cdecf66255cff9ffaed5dd93bc8275f2a714ff5fc72f8821310cc3002e32a72ea7653727e4cc6eb3c16866cdf0003ad5a31f1b0

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
1.7MB

MD5
cbf4e3da435573e246acf11b41a6101a

SHA1
4ba06a51e9fbcebaee2e9f9da625db6d50625bdb

SHA256
c87e6745475115f844036f6530ad5221f7f13be1620266c89fbbe3fa4c302dee

SHA512
c3e14871ceba608783e1375e1736af80ea7b38c9edaa5b2e221dca27eb1736b0c044cbde38b55710e5a3a56dc92d8224ea1ef8c7cf4091ede790a7ec433416b7

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
1.7MB

MD5
51f07ce9b09b3f46d110db51eb47d12c

SHA1
1c53c3eaf1ac83c48f12436643fbabf7538f44d1

SHA256
d0b461662ef86dce2dafad52e755f10efeaca1922687cd3b8b76a7267120deda

SHA512
863ac293700cfa82fe3e62f1e73d943ede1b023b8c1458785032f98a40ee44a8a224fc8e9bc821830f435516b66fb2a5c8810540df99b1cdce0faa2d36c42267

Download Submit
memory/464-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3232-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads