524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf

Analysis

max time kernel
134s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Size

121KB
MD5

0dbc7c893697992a8a9391fe51d5fc1c
SHA1

24e3402744ab98fa09f19effe5b3bd8a36888755
SHA256

524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf
SHA512

e469b55d920e4303052cb0cac3414510418545914d9a18caf89769dbbd74e66eb7c80bf7a8c59d0b84d58e5c2c98b518f9a175da67f3ab925265ef9a3e2b72de
SSDEEP

1536:VAR7gE4teVHhVCdb0JfgbA02pTOO6H8KMUtUCV19zQYOd5ijJnD5ir3oGuiWDD:VAnIeFwegbUpSO6cKMUtZO7AJnD5tvv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajjokd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkdod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajjokd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllagh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmdblp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbhhieao.exe

Executes dropped EXE 36 IoCs

pid	Process
736	Koonge32.exe
4196	Lhnhajba.exe
4188	Lllagh32.exe
3572	Loofnccf.exe
3132	Loacdc32.exe
3648	Mjggal32.exe
3796	Mofmobmo.exe
964	Mohidbkl.exe
4412	Mokfja32.exe
5076	Nhegig32.exe
3980	Nqoloc32.exe
396	Njjmni32.exe
4748	Niojoeel.exe
3016	Oiagde32.exe
3808	Omopjcjp.exe
3788	Oophlo32.exe
2620	Ojhiogdd.exe
4392	Pjlcjf32.exe
2112	Paihlpfi.exe
1844	Qmdblp32.exe
968	Ajjokd32.exe
3812	Ajdbac32.exe
932	Bbdpad32.exe
1596	Cmnnimak.exe
4316	Cigkdmel.exe
5104	Dickplko.exe
4000	Dkedonpo.exe
4320	Egpnooan.exe
1620	Eqkondfl.exe
3328	Fclhpo32.exe
1920	Fcpakn32.exe
2796	Fcbnpnme.exe
5072	Fcekfnkb.exe
1504	Gbhhieao.exe
3920	Gbkdod32.exe
4476	Gbmadd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Oophlo32.exe
File created	C:\Windows\SysWOW64\Qmdblp32.exe	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Mohidbkl.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mokfja32.exe
File created	C:\Windows\SysWOW64\Kpqgeihg.dll	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Loofnccf.exe	Lllagh32.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bbdpad32.exe
File created	C:\Windows\SysWOW64\Dickplko.exe	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Fldeljei.dll	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Nqoloc32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Ajjokd32.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Jlkklm32.dll	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Loofnccf.exe
File opened for modification	C:\Windows\SysWOW64\Niojoeel.exe	Njjmni32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Ajjokd32.exe	Qmdblp32.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Obhehh32.dll	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Dickplko.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Egpnooan.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Njjmni32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gbkdod32.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	Ajjokd32.exe
File created	C:\Windows\SysWOW64\Bbdpad32.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Dilcjbag.dll	Ajdbac32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Koonge32.exe	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
File created	C:\Windows\SysWOW64\Lllagh32.exe	Lhnhajba.exe
File opened for modification	C:\Windows\SysWOW64\Lllagh32.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Lgidjfjk.dll	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Gbhhieao.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gbkdod32.exe
File opened for modification	C:\Windows\SysWOW64\Paihlpfi.exe	Pjlcjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbac32.exe	Ajjokd32.exe
File opened for modification	C:\Windows\SysWOW64\Koonge32.exe	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mohidbkl.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Fcekfnkb.exe	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Gbkdod32.exe	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Mjggal32.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Njjmni32.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Niojoeel.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Loacdc32.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Gbkdod32.exe	Gbhhieao.exe
File opened for modification	C:\Windows\SysWOW64\Mjggal32.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mohidbkl.exe
File opened for modification	C:\Windows\SysWOW64\Pjlcjf32.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Mofmobmo.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Egpnooan.exe	Dkedonpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3104	4476	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajjokd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcghg32.dll"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll"	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oophlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmdblp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koonge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll"	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koonge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkklm32.dll"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Oophlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcbmgnb.dll"	Njjmni32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 736	2380	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe	91
PID 2380 wrote to memory of 736	2380	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe	91
PID 2380 wrote to memory of 736	2380	524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe	91
PID 736 wrote to memory of 4196	736	Koonge32.exe	92
PID 736 wrote to memory of 4196	736	Koonge32.exe	92
PID 736 wrote to memory of 4196	736	Koonge32.exe	92
PID 4196 wrote to memory of 4188	4196	Lhnhajba.exe	93
PID 4196 wrote to memory of 4188	4196	Lhnhajba.exe	93
PID 4196 wrote to memory of 4188	4196	Lhnhajba.exe	93
PID 4188 wrote to memory of 3572	4188	Lllagh32.exe	94
PID 4188 wrote to memory of 3572	4188	Lllagh32.exe	94
PID 4188 wrote to memory of 3572	4188	Lllagh32.exe	94
PID 3572 wrote to memory of 3132	3572	Loofnccf.exe	95
PID 3572 wrote to memory of 3132	3572	Loofnccf.exe	95
PID 3572 wrote to memory of 3132	3572	Loofnccf.exe	95
PID 3132 wrote to memory of 3648	3132	Loacdc32.exe	96
PID 3132 wrote to memory of 3648	3132	Loacdc32.exe	96
PID 3132 wrote to memory of 3648	3132	Loacdc32.exe	96
PID 3648 wrote to memory of 3796	3648	Mjggal32.exe	97
PID 3648 wrote to memory of 3796	3648	Mjggal32.exe	97
PID 3648 wrote to memory of 3796	3648	Mjggal32.exe	97
PID 3796 wrote to memory of 964	3796	Mofmobmo.exe	98
PID 3796 wrote to memory of 964	3796	Mofmobmo.exe	98
PID 3796 wrote to memory of 964	3796	Mofmobmo.exe	98
PID 964 wrote to memory of 4412	964	Mohidbkl.exe	99
PID 964 wrote to memory of 4412	964	Mohidbkl.exe	99
PID 964 wrote to memory of 4412	964	Mohidbkl.exe	99
PID 4412 wrote to memory of 5076	4412	Mokfja32.exe	100
PID 4412 wrote to memory of 5076	4412	Mokfja32.exe	100
PID 4412 wrote to memory of 5076	4412	Mokfja32.exe	100
PID 5076 wrote to memory of 3980	5076	Nhegig32.exe	101
PID 5076 wrote to memory of 3980	5076	Nhegig32.exe	101
PID 5076 wrote to memory of 3980	5076	Nhegig32.exe	101
PID 3980 wrote to memory of 396	3980	Nqoloc32.exe	102
PID 3980 wrote to memory of 396	3980	Nqoloc32.exe	102
PID 3980 wrote to memory of 396	3980	Nqoloc32.exe	102
PID 396 wrote to memory of 4748	396	Njjmni32.exe	103
PID 396 wrote to memory of 4748	396	Njjmni32.exe	103
PID 396 wrote to memory of 4748	396	Njjmni32.exe	103
PID 4748 wrote to memory of 3016	4748	Niojoeel.exe	104
PID 4748 wrote to memory of 3016	4748	Niojoeel.exe	104
PID 4748 wrote to memory of 3016	4748	Niojoeel.exe	104
PID 3016 wrote to memory of 3808	3016	Oiagde32.exe	105
PID 3016 wrote to memory of 3808	3016	Oiagde32.exe	105
PID 3016 wrote to memory of 3808	3016	Oiagde32.exe	105
PID 3808 wrote to memory of 3788	3808	Omopjcjp.exe	106
PID 3808 wrote to memory of 3788	3808	Omopjcjp.exe	106
PID 3808 wrote to memory of 3788	3808	Omopjcjp.exe	106
PID 3788 wrote to memory of 2620	3788	Oophlo32.exe	107
PID 3788 wrote to memory of 2620	3788	Oophlo32.exe	107
PID 3788 wrote to memory of 2620	3788	Oophlo32.exe	107
PID 2620 wrote to memory of 4392	2620	Ojhiogdd.exe	108
PID 2620 wrote to memory of 4392	2620	Ojhiogdd.exe	108
PID 2620 wrote to memory of 4392	2620	Ojhiogdd.exe	108
PID 4392 wrote to memory of 2112	4392	Pjlcjf32.exe	109
PID 4392 wrote to memory of 2112	4392	Pjlcjf32.exe	109
PID 4392 wrote to memory of 2112	4392	Pjlcjf32.exe	109
PID 2112 wrote to memory of 1844	2112	Paihlpfi.exe	110
PID 2112 wrote to memory of 1844	2112	Paihlpfi.exe	110
PID 2112 wrote to memory of 1844	2112	Paihlpfi.exe	110
PID 1844 wrote to memory of 968	1844	Qmdblp32.exe	111
PID 1844 wrote to memory of 968	1844	Qmdblp32.exe	111
PID 1844 wrote to memory of 968	1844	Qmdblp32.exe	111
PID 968 wrote to memory of 3812	968	Ajjokd32.exe	112

C:\Users\Admin\AppData\Local\Temp\524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe
"C:\Users\Admin\AppData\Local\Temp\524bbd4457789d09b844414ce8da6ea3f43ed2218220f3a3913e1673f8d97ddf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Koonge32.exe
  C:\Windows\system32\Koonge32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\Lhnhajba.exe
    C:\Windows\system32\Lhnhajba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\Lllagh32.exe
      C:\Windows\system32\Lllagh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        37⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 412
        38⤵
        Program crash
        
        PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4476 -ip 4476
1⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
121KB

MD5
19b0876988bf4d8fafae95e4a6f3366f

SHA1
26b3b44279dd8a88700b5021668aeaad94668916

SHA256
27284e41bcd105a11f7672eedb0d20fde9593d74411fa9a6baf119114e53a2cd

SHA512
57768efe713644aff1a4c46612fad6e28cf86cb0a688e85b0e84c694381bab7ed01f78cbeff06f6c1fd4eafa20f512febe2da483fdd9b18362e9b0df3d594e07

Download Submit
C:\Windows\SysWOW64\Ajjokd32.exe

Filesize
121KB

MD5
20321fb71968f1159c981d8e9b53cbdc

SHA1
b7134cd57eecff98adce375d0a27f7cef420c466

SHA256
58b1b0c94e563cf53f829d8c5a3b4125dc5c3e8e3345fa8a0e5d281142b0d7cb

SHA512
4c1462edb99b6ae095b0b6a0d506c889ae37f10fb36b9ff8a3d274da0720693effb464a6ced202fb94317cff90dfd285aceecb1a01dd986adac9790c448e4310

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
121KB

MD5
03b95ccaa4ec9d8b9fe00dd0e7463d00

SHA1
fd5f7fc3603efc7567c99690875e39951983a09a

SHA256
e61109a707e82f240feae819f5c7b25d5d0147daa7899bceff73173a3220a7be

SHA512
0dd747e0b4e4159087a9b436c67d29c173e4c8ed246461a3821a0e256470a32e5d5db31427ebf46939e9de0e1ebdb26247e7e648ca0ab4c6bdddb21fcb24c1c2

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
121KB

MD5
347a87884efa916aa1b51c895ce3b3c2

SHA1
44d09098f10d2c0606965b9985c10d74797b27ba

SHA256
0cb32d7a261fb1e76b9dbf464baf56102680c2f578c088723e60d2093ea4a1ee

SHA512
8dac109d7524d01570834ddf8bc6f6571204212fe5ef326e0f4b7c6eae0a5474f05457c33a47537f8f292a00eb0247a51eeb8474529e805a8ece3a6518f40715

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
121KB

MD5
6b1f9d23ed06a25f6044d0d2f60d41a7

SHA1
d40517a92c8ac6f6a049ce550dd11b7befe74b17

SHA256
190196019008392b1f122b66116abf5d7c8a451f4c92ae3525e8ac037b67e6f3

SHA512
dd31ee52781ff2824d1a81ecefe4d1af48d0844286b0bdd93ecd8daaedbb6fcd1d2d70a5146ddabe3a38f1994663fe784aea64dd5018ed91be11583691229ac2

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
121KB

MD5
07456794a1d007a742a5ac9da1892519

SHA1
f2c0ae43e200b6983b771a87eab4959fad91b9a6

SHA256
353f7c7fc5eaad707dd0b7b22cc1c7db1e453bba7fd6dabbe4fec5ec66d9ae65

SHA512
1a92bfdbe3613f29285079a3a590ce61affbe6c5e3c3d5185bdca6c6481ec13f375e78f7ebdef8845c74469bc23e7c9d56e8c09b0cbecc341abae301a4050c73

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
121KB

MD5
214b93ae535d67b0cfeafda9e585019b

SHA1
a3a48f3c2fa3d779e11696ba323cf11a6b1f83af

SHA256
eed4bd09355284829972f762bbc879db34091cfd351da45902123f66a227971a

SHA512
9c1dde280e9f6de374cd2a5f3c3afba53872fb4aaf34d7bb7eba88e9428d22b7b094a0778e93963d7af122cbd9cd29c7eb6bfc520df03f22f84699a1fc68fb56

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
121KB

MD5
bac91968c648f13f041d36ea2a0bd053

SHA1
fec89a769decd61f1c86ba56215458300ff5fef2

SHA256
c657805f5c465519d1ba36d9667c309f59e220fc03233a4da1aa199398a2b78f

SHA512
dc7b0aca0f989a1ac9793eab36790b9c5ba19538915466fd06b56cb659dfb83a0b877de97cde08ed2c48925e76ec97482987ba6831ab1a51055a57dde935f0ad

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
121KB

MD5
c6412ad559af1d4034e8acb17d24c1e9

SHA1
686b927d76028d21ac53275c976dae4c8cbf9481

SHA256
903a48006eab4cc4c3bc849f1314e5b478f1ab814dfa0855361cb6462ada18b9

SHA512
787907ea98a07df5c80cf327b591be4662003834f007659120bdd626cc6c739adcdc0f219b5b7850c9cf81d868ded73e93e75da2707b84b91d727bcbb8ae6b81

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
121KB

MD5
0fcff50737f002c1a0c4ee6a0f5b6de5

SHA1
dd239ec82198041b47b2a860863003a7504f4640

SHA256
8dae30b11f7c2c71cfae92858d6f270648ae93dd128847e4167dad4e525aaf3a

SHA512
4237f658ef31064a2004df7214f9e61a1875ee5dd02903a3018768a10e639cb77b9dae6e1adaa77567b45eeeeae85921dc74229923d669d03b38d896efbaa5d4

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
121KB

MD5
d045eeae245cf2823fd71e4a6b218ad1

SHA1
50b05d8fe9874a7556c9ddebe3b2f32e64e1e357

SHA256
b837d608df5d0b7399687be6b8024599927a2449b2b3d5df82eaab41d217a676

SHA512
bb5047d37f00b505de375d015367ab16773650f7d5376015eee5fa159e9bc9cc5ecfd12bd651af4bca6f419c1c44710239f442a5ef16449a8548640c9bbea546

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
121KB

MD5
f8a0ff8524954089d4ffd7a9ef53aef6

SHA1
fb4c52444a324c007fadb86ac79106f0ddb27ea5

SHA256
ad5f64ceabbea07830c96ac1b5be66859c860e906b4f481e43b435b41584b896

SHA512
3124d93a9a9b8c1b45275b2971839f0a1f3433ca438707509af0ad07f7272976a7d407da63a606690c15c11e68c7a7c224f7af85642d00a7243f7348c2cbca99

Download Submit
C:\Windows\SysWOW64\Jlmmnd32.dll

Filesize
7KB

MD5
d3f58e54a0093ed0fad3b2474fc3f036

SHA1
195f69ee88ac09f0715e77207545a22375a9fdeb

SHA256
9c11077c3dc5a988a2aac450330a46efa7154bbbd090c558e13da867381fc19b

SHA512
98836a1515206243ac87656e5374f95a23284cb8aa5ee7b3335fde1b82cf4d7a759f8cf47ac09cb22218abf63b2c7a5c405e0d96766379e2b51207a7af571c24

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
121KB

MD5
9e185f58917fd44fa4ca6f1c15e775da

SHA1
037ec3b2b091450e597f84ccb24e351c0a2d8992

SHA256
6b7f7bf2116cebf31eb77ce959a218204bea69af14d579c3789175bae8a3c53e

SHA512
b156ccf0382eeef9494562e277e61165ae5936f46aa48052e8df8f6467f7ab3548a034f3d9f4b6529600619d6a5f166a850f7c4d0e049a880df647801cd73c73

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
121KB

MD5
2bc4fdbe9c0281785ab8d6d538252ea4

SHA1
6c86165f9cd9e72fa82d5ba545426a9c31093507

SHA256
33fc3bdca6c6bfc15661fd0b0a97636e2c4b21ac85e7974bd76022e9d30ce44c

SHA512
c44aadd9af1bd2888bca3e23101da050e39c4952d14216fd14175eb0e1b3fb4b351b289b8ca9d66657072888c5f6ee2102e2a4d0344530823e151dfd78d4db92

Download Submit
C:\Windows\SysWOW64\Lllagh32.exe

Filesize
121KB

MD5
834a34bd95ee6015671bc55ac9bd8cde

SHA1
fce2c6a7b8dc5bbf01c038af2d4d2b39b836e737

SHA256
60553765f90208053536b609bef5c56c2a05c300ee4aec00094f7330b1575969

SHA512
6158d01fad7ad47fe1b2bd47f5ce897fb10a4e5bcfe31b5a305052d7ebb6fc4c1b000dbc4764004d5f43d9be72b77244b070625ef40afc4c64b455712341f4be

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
121KB

MD5
95e6bf623e25812247c393382ac16aeb

SHA1
200144a2e5985fdfc37e0d249ec4964c24a0ac21

SHA256
ac36f3e897698c18cfc99ab8b06701f9efce9a829fa86e8e6284bd03c6c1657f

SHA512
c68e76035ac1fe703a75b64d177016906df4d2fc921a6abee7cf673c76589f4abff6ad391912e8a238b72e1322be0c04946795dad7b86ae656d8c37a66128ca1

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
121KB

MD5
893c7e352995e38cec69d815640e2664

SHA1
b56929a706663afac61344f299c4f275223d95e4

SHA256
9f69875c9bd4aed3a3e59f2c4d919175a63022e861646439f094633b196a7b56

SHA512
af6cab58eeaa8f310eafe3659e118fa1c9f2e63d761b330d00059b1879ce26b9634c6903e55e97e1f3b56ce61025f15f3298e7e69c4f15d40a48e6977f61651c

Download Submit
C:\Windows\SysWOW64\Mjggal32.exe

Filesize
121KB

MD5
f246e8246863592f1d93335ebca4eb19

SHA1
966d35c660e309407a11e108ae94557fc4e85bce

SHA256
694a135cd691ca6098e81fd99ac3b4f567d92578f1b1681e10b8409356b02fa1

SHA512
b332c71049ed546b24d9a2a730b686756a3d46a83d76a99fba8c44ee41fcab7ddc09e9339f874793b8451e15e36e204b56b1dac6c77a8315020250512e9e0c54

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
121KB

MD5
d162cdd4e023292cefe87a4020b2c228

SHA1
c0f0aac25a61a37bba3e583a08a941a01a07793f

SHA256
48bcaf4885b6056e4050d1e22df406580bfb04f020412919f5354366804c0b9c

SHA512
410795906071c450e328624d57b7e9696aed2f2438ddda35cfb76bd075ea34ccdb2139f51cc8b7e67dea88f5f06239779b4124a99e4504ac455a7e69fc70044c

Download Submit
C:\Windows\SysWOW64\Mohidbkl.exe

Filesize
121KB

MD5
a1061c52b57a72a369546a0bbb2bb98c

SHA1
6765da81a37c44fca02287cd10e31f745c0f2cd0

SHA256
01868053574f967f047a57fc62d0569fa4f862ac681c6c2667376abff9b5e1b1

SHA512
8df0fb0682d300e067fa43625d1ff4fba24152466321428c6bd17868fd6ae838afed2e6ed01d3633dd42640f667f3f0173c1e9d590ed4f5e994ee35e2210cc39

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
121KB

MD5
dcc1eb9e8b668ff67f33fccfcb56bfc9

SHA1
435484682aa7d4c8795473fb8b3cc8bb0764e955

SHA256
6d757f3280dc339becb8c9d51678d16d428be67821f08411be6c602f615b26fd

SHA512
77efc9112e05f534e4cae1f39b1c7eff68a06b312f8d2b12f49bf4cf1f5198dbf11b4eaced9d6a41cfea93def6e397f4b4d7908f83283603860fc1f8467f488d

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
121KB

MD5
43f13914eeac9cd20d621b56605a531c

SHA1
096c2f99f5238a5fe9cab672b536ad3b30a9e4fd

SHA256
cafda3f3567c68dcb782872a295199981c503950768e4e7d289ac611553a7f50

SHA512
15c2e65d7e722dae4ac4880c11cc50d334b6b3d8707c65ab2b19314163ff37a7dd3b4fe126950b4478e812ae21a1492982a59d601ded55f2ff193f6c630218a1

Download Submit
C:\Windows\SysWOW64\Niojoeel.exe

Filesize
121KB

MD5
3eba6a0f35d740db42cee59bf7ef790f

SHA1
4cdb97027da8e4157a6859089715423b150c8829

SHA256
b9a33662377f3d4234d85a3c800f900534e59f1213a68f9d18364bd3d7d06e22

SHA512
b35c86f2baf02c62716b7789ea9fca57dbe9118fc30a7e91cd98a7869370c7fc44ae5aa3da6b4ddd94bc7794b04ca434258d3edad1a69c29e395132e48347925

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
121KB

MD5
aea39962c4171be05070d9d19185d332

SHA1
88930b814c9d94fc37c2f75556eb5b4ed08e1ffa

SHA256
34924f1695e23fea650c8c5a888455bab878f949ccbd2ccaca0c1d40ee5cd45d

SHA512
1c9d070ade3ecc46e3824b1bc35a3ef9635893c4bf002566b9699cb1df9e40e00b893e290bec6665954047ad407dc832cd5e893d37dd2898f92cb332cc06f9e3

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
121KB

MD5
0a514216e20d1ef730308954b36e62fa

SHA1
833957449102b9a68a68aa3291dc4627cd0b0cd0

SHA256
267196109261f04f8e59f48a9e83097baf73995fda30be6c152fdaa2e235d915

SHA512
2679399be0104d1e9132e7d08df107f1bd04699ff623dd2999c9f768e1dc0ef8336584743ec8bd3198704707a991df0f04a0917947fe64525f7aee56338c2ab9

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
121KB

MD5
3082c363b8dd7f64438924b5436f349c

SHA1
a53bb99f4558ed00a1629c1e0c2f9d076bc2448a

SHA256
bedef93dce2e39da695290f4a8e9beffeabc4fda35e9b92610a106c8835c3d3f

SHA512
2e6b99c13a018d772da22032fe833624ad93ebcbc17133872d5f804b3d92cb3c2807fb8fd1333cb436c3a8b16353b41e599e3e5929cf894a50d433ec3d6a4941

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
121KB

MD5
59f530a7876c8389a4e1fb66ea835c6d

SHA1
9c4ea9ac19f8af597eebf9e75243564b0c8c6af6

SHA256
cbd9737a6c996446fa15fd24da47e77a1c66243691f9fe3d3958bda74b2b52f4

SHA512
ebbdbb670151d20595e701b6f4d9037401ee0483166d917623d25489e3edda77a108d350a295cd882644afabc3b64c1385fabc475f774a97fa3513a1f230693d

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
121KB

MD5
d37551d26b7a039ffff59cf6baa5ade8

SHA1
86ac875029c3fb2f930c0c6c40a8d71a94290dcb

SHA256
a24158258076cd820e27e528af656396772494c740dc5cbf1f8a5356f13f2cec

SHA512
fbd707e32902f0a186d436e73b343f56b8cb94bd5b0ff7224e5507f046ffae913f928a974a7c948d2341744746fff5d2ec5cd94bb975fe272edfee82c9c38cd9

Download Submit
C:\Windows\SysWOW64\Oophlo32.exe

Filesize
121KB

MD5
0dbbd28e8af95ca4dad66f65cdf0e8d5

SHA1
0b953ec51c28a73605cbef74ced84f254700ffd8

SHA256
a5287e342d48c67c56f8f325025e619697b085aa2bdaf098055d278c36105453

SHA512
9d7e6e2f4d7a68a4348b2fd24c1872d32512ee6a5646ab969febc12fa0e2148a464ebc02df957bf931382185519af79b0cd0229703692defb18ee03526999d03

Download Submit
C:\Windows\SysWOW64\Paihlpfi.exe

Filesize
121KB

MD5
cfddf301b7cf68a10d2be23e8c46f946

SHA1
85bcf8bbfb71a8671627eb268ea9411bf44cb02e

SHA256
c8e923087925df65ad2006e462f987621caba6722142ed54a8364c2938eba3d4

SHA512
265709028a7236eb019634e4b6c489302d9a75697d58410e3ccb84a806b7a3648a8e69bd53feae0fbc837995db99d49c4584f40c5958b5b45b06bf9293f3f81d

Download Submit
C:\Windows\SysWOW64\Pjlcjf32.exe

Filesize
121KB

MD5
8f65f0a5b2818323f06929179f24ddcb

SHA1
bcd2d0fd83a0b3bbda1379932395ad15e8ec58a2

SHA256
e07c0e441a27bd7c26511d20134561be5f231a81a30a7252dfe93d313152b822

SHA512
fe3ef94ef68ab59114e75bcd236f100627a219ab5fa6a1a2c4eafaf01fe3d85b4c876754312181512758f02de83ba8ef2ed504f8ba05ca202e6452fc9b6483cb

Download Submit
C:\Windows\SysWOW64\Qmdblp32.exe

Filesize
121KB

MD5
4aa4deacba4978ddb41eabb74aaa7c92

SHA1
94a20bfa3e70ad4fd877db98c112aadc94a3ba9d

SHA256
91ef47847ce0c1f10fd303f420ba0c4ed680e83076aa8741409d3558705c3f19

SHA512
a4e60aaabcd2d77b4bcf47dbe6a18bd7f1c77820f4505e8770344ac1daa953cd48df2be609b64163c690527e4596aa3f8bd6f6b4f866ca705296d1ea51fa96f2

Download Submit
memory/396-305-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/396-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/736-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/736-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/932-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/932-294-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/964-63-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/964-309-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/968-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/968-296-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1504-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1504-281-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1596-293-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1596-191-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-287-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-232-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1844-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1844-297-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1920-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1920-289-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2112-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2112-151-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2380-317-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2380-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2620-300-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2620-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2796-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2796-285-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3016-303-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3016-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3132-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3132-312-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3328-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3328-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3572-313-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3572-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3648-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3648-311-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3788-127-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3788-301-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3796-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3796-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3808-302-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3808-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3812-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3812-295-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3920-282-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3920-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3980-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3980-306-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4000-290-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4000-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4188-314-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4188-23-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4196-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4196-315-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4316-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4316-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4320-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4320-288-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4392-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4392-299-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4412-308-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4412-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4476-283-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4476-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4748-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4748-103-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5072-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5072-284-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5076-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5076-307-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5104-291-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5104-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads