c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 03:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
Size

3.7MB
MD5

3004d817a43e524cc43040cf2e88689f
SHA1

9b485a184ab9a9ee8d375827caa187ca79a32be3
SHA256

c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8
SHA512

ca1416732b94f4b8265bebd371883562a39502438f4cf3415c1c42e42a484fe23b036bda1394ce43f6ded844c8a3b7dbf991a0d8babba862d0dc4d55a8e44c7f
SSDEEP

98304:0h6r6HaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjvha/4wzlF65T:0JaSHFaZRBEYyqmS2DiHPKQgwUgUjvhz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe

Executes dropped EXE 33 IoCs

pid	Process
5052	Fokbim32.exe
1852	Fjqgff32.exe
372	Fomonm32.exe
3284	Fobiilai.exe
4016	Fjhmgeao.exe
4436	Gbenqg32.exe
3504	Giacca32.exe
4036	Gjapmdid.exe
3468	Gcidfi32.exe
564	Hfjmgdlf.exe
2924	Hadkpm32.exe
3036	Hjmoibog.exe
4408	Hpihai32.exe
3308	Hfcpncdk.exe
2052	Haidklda.exe
3168	Ibjqcd32.exe
4148	Impepm32.exe
4460	Ibmmhdhm.exe
4208	Iiffen32.exe
4136	Jigollag.exe
4552	Jfkoeppq.exe
440	Kmegbjgn.exe
4748	Kdopod32.exe
592	Kpmfddnf.exe
4664	Kgfoan32.exe
4288	Liggbi32.exe
2328	Ldmlpbbj.exe
2564	Ndbnboqb.exe
2996	Ngcgcjnc.exe
1724	Ndghmo32.exe
2672	Nnolfdcn.exe
4644	Ndidbn32.exe
1784	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Giacca32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fjqgff32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	1784	WerFault.exe	120

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 5052	1544	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe	83
PID 1544 wrote to memory of 5052	1544	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe	83
PID 1544 wrote to memory of 5052	1544	c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe	83
PID 5052 wrote to memory of 1852	5052	Fokbim32.exe	84
PID 5052 wrote to memory of 1852	5052	Fokbim32.exe	84
PID 5052 wrote to memory of 1852	5052	Fokbim32.exe	84
PID 1852 wrote to memory of 372	1852	Fjqgff32.exe	85
PID 1852 wrote to memory of 372	1852	Fjqgff32.exe	85
PID 1852 wrote to memory of 372	1852	Fjqgff32.exe	85
PID 372 wrote to memory of 3284	372	Fomonm32.exe	88
PID 372 wrote to memory of 3284	372	Fomonm32.exe	88
PID 372 wrote to memory of 3284	372	Fomonm32.exe	88
PID 3284 wrote to memory of 4016	3284	Fobiilai.exe	89
PID 3284 wrote to memory of 4016	3284	Fobiilai.exe	89
PID 3284 wrote to memory of 4016	3284	Fobiilai.exe	89
PID 4016 wrote to memory of 4436	4016	Fjhmgeao.exe	91
PID 4016 wrote to memory of 4436	4016	Fjhmgeao.exe	91
PID 4016 wrote to memory of 4436	4016	Fjhmgeao.exe	91
PID 4436 wrote to memory of 3504	4436	Gbenqg32.exe	92
PID 4436 wrote to memory of 3504	4436	Gbenqg32.exe	92
PID 4436 wrote to memory of 3504	4436	Gbenqg32.exe	92
PID 3504 wrote to memory of 4036	3504	Giacca32.exe	93
PID 3504 wrote to memory of 4036	3504	Giacca32.exe	93
PID 3504 wrote to memory of 4036	3504	Giacca32.exe	93
PID 4036 wrote to memory of 3468	4036	Gjapmdid.exe	94
PID 4036 wrote to memory of 3468	4036	Gjapmdid.exe	94
PID 4036 wrote to memory of 3468	4036	Gjapmdid.exe	94
PID 3468 wrote to memory of 564	3468	Gcidfi32.exe	95
PID 3468 wrote to memory of 564	3468	Gcidfi32.exe	95
PID 3468 wrote to memory of 564	3468	Gcidfi32.exe	95
PID 564 wrote to memory of 2924	564	Hfjmgdlf.exe	96
PID 564 wrote to memory of 2924	564	Hfjmgdlf.exe	96
PID 564 wrote to memory of 2924	564	Hfjmgdlf.exe	96
PID 2924 wrote to memory of 3036	2924	Hadkpm32.exe	97
PID 2924 wrote to memory of 3036	2924	Hadkpm32.exe	97
PID 2924 wrote to memory of 3036	2924	Hadkpm32.exe	97
PID 3036 wrote to memory of 4408	3036	Hjmoibog.exe	98
PID 3036 wrote to memory of 4408	3036	Hjmoibog.exe	98
PID 3036 wrote to memory of 4408	3036	Hjmoibog.exe	98
PID 4408 wrote to memory of 3308	4408	Hpihai32.exe	99
PID 4408 wrote to memory of 3308	4408	Hpihai32.exe	99
PID 4408 wrote to memory of 3308	4408	Hpihai32.exe	99
PID 3308 wrote to memory of 2052	3308	Hfcpncdk.exe	100
PID 3308 wrote to memory of 2052	3308	Hfcpncdk.exe	100
PID 3308 wrote to memory of 2052	3308	Hfcpncdk.exe	100
PID 2052 wrote to memory of 3168	2052	Haidklda.exe	101
PID 2052 wrote to memory of 3168	2052	Haidklda.exe	101
PID 2052 wrote to memory of 3168	2052	Haidklda.exe	101
PID 3168 wrote to memory of 4148	3168	Ibjqcd32.exe	102
PID 3168 wrote to memory of 4148	3168	Ibjqcd32.exe	102
PID 3168 wrote to memory of 4148	3168	Ibjqcd32.exe	102
PID 4148 wrote to memory of 4460	4148	Impepm32.exe	103
PID 4148 wrote to memory of 4460	4148	Impepm32.exe	103
PID 4148 wrote to memory of 4460	4148	Impepm32.exe	103
PID 4460 wrote to memory of 4208	4460	Ibmmhdhm.exe	104
PID 4460 wrote to memory of 4208	4460	Ibmmhdhm.exe	104
PID 4460 wrote to memory of 4208	4460	Ibmmhdhm.exe	104
PID 4208 wrote to memory of 4136	4208	Iiffen32.exe	105
PID 4208 wrote to memory of 4136	4208	Iiffen32.exe	105
PID 4208 wrote to memory of 4136	4208	Iiffen32.exe	105
PID 4136 wrote to memory of 4552	4136	Jigollag.exe	106
PID 4136 wrote to memory of 4552	4136	Jigollag.exe	106
PID 4136 wrote to memory of 4552	4136	Jigollag.exe	106
PID 4552 wrote to memory of 440	4552	Jfkoeppq.exe	107

C:\Users\Admin\AppData\Local\Temp\c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe
"C:\Users\Admin\AppData\Local\Temp\c8446471cbbb3f37e9c9b70f6507d8aa67e4ea20d247a7b73188eea4fa618fe8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\Fokbim32.exe
  C:\Windows\system32\Fokbim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\Fjqgff32.exe
    C:\Windows\system32\Fjqgff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\Fomonm32.exe
      C:\Windows\system32\Fomonm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        34⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 400
        35⤵
        Program crash
        
        PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1784 -ip 1784
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
3.7MB

MD5
07be41eaee3ae3a1b1c2f4fd67529db1

SHA1
9a184fc173f455fe9e4d3c9ac1ad1c16d8b327f2

SHA256
901a6969cc559c9575e5852481c1807fc5b99585f052c31c671779ec8346f5b0

SHA512
d7e6349de76620d5797ef0672ca9fa6cc55ded9a3836a6a4dfc8b374083eefb1d9a6a778215d46b779c463725ac35e8f0932292e316cb6d6b0efc2d69c9cdd3d

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
3.7MB

MD5
cb1cd1aa224275546550dcdab91978e9

SHA1
e853a7ea98fa26a87cfd55ac5848ba453b13bf89

SHA256
358adcff7ebc805f54f061808dbbb452af8f790772b59885d835df5cd93828fe

SHA512
7bfa9d3dc3ca87f4104b88cf18f68ed11ea62d4ab8c96196232820222ded0b2d9d55b116cc6e37c5ab8190c097738142dd94d166d4075ef6755e3fa01c1f74fc

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
3.7MB

MD5
e82f7bba3c0c19b1f1c9eb34005c3a9b

SHA1
df6f76aa48fb9837ec32f9a09ab08c03cccccbeb

SHA256
4ea0716b2446999b7a596cf2eb2579620b8f0f49a9953416d3502107b9772e82

SHA512
91997fdbabe630623235857905b6c00fcdd250cf21989e8971d5c4b4bc50dbea85322b89b3b53c5368840ca4b087a77cc49298ccf3cbeb33fe9751989629504c

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
3.7MB

MD5
c8dd8a85c0a255882fe2ec6112053ee2

SHA1
0139b1b52fb8ffe65c5ac2da589a677b6e65cc37

SHA256
d5c15282a1fd0140276113ca4e74365c3b21549b36388ff996ba3fade8c46364

SHA512
a96d0957a53178fc11dd5a269ec6e025c54bb8af262fcb9a2c4083f2853c8555d789f7ddbfb1621c9f08abd2ca970af6ebaf0f474522dda5962fb87713daaa91

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
3.7MB

MD5
e6c258d90daecb50ffbda98bc8d14b61

SHA1
d1d870e1a1083230252b566478950492deebead3

SHA256
9c87dc9c5f12e835ecb8f5f5e6fa43d7d4255295e1a9f7d84175efe909f189ef

SHA512
9a0df3102da48007ad19da94619a4d660256dde29f98a21f795bfb689839fcd2178fc0987133414d38556b09665bb46b069e507526bc46e0de3610d4d3fef2dc

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
3.7MB

MD5
94883cf33bf51cafe1cc265d1a75a072

SHA1
368c56510a435762525784e19bd6d7d592f26073

SHA256
1840d069bf10f3dcf9417aaa061ad2ae89e20d1f112ffeaf662fe15f38f3dddd

SHA512
da0da8bb322e1dff6478d7a0ee9a90397bf02945e5d1aee3f83d275a754fb168b2cdecb23057897cd45f9760f2853c790c5d902a845b10b11ed0c1c18ad985f7

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
3.7MB

MD5
a83866b4add5a2c02446dfbc306507e7

SHA1
19cc69a0ae46cfb24e481dcd3f9b256d85f034dd

SHA256
2c5999d95d8347cf369588d8736a35f7a7c8edc52c918a351b3ac68d39e0c1e8

SHA512
68f042e76fbdd0950adea20a80b42625660f5929b23e587104c95c721bebdca2f82b732e08bcbe409de3c6bd90cb56ffe61796ed40ac480557160f3592cf078f

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
3.7MB

MD5
18690b95493bb8ba14a42c56b5b11d43

SHA1
4d5ef3468577c24c3f19c88fb9a492e034aa216a

SHA256
38a6b8c539e7cb746e9e7d35c45fcec99b75582d5ab6ab71ce9347f12b506410

SHA512
c4329d4dc55a01ae44a57a6c511d4ee62d1d8f12d849c3f854db2d7e6127e8f15293e1dc963ce54285487b8b86c7ed0b1b70dc61d3c66b0dda3f89153d1d2e0c

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
3.7MB

MD5
73510ed79c35ed0e2610e82a3ec333cb

SHA1
28bb6491ace7a4f796b790e62794b78efd31ae54

SHA256
12eb580a7642e7f4fecba24ea5e849bdfb181089ea7137e245f27c3ea3336c9b

SHA512
7f5789657f6f30e6e4a2bbfa9a1ef0d92d8b2ce68741f7ad44c7611d63c7d88136d048e03de6b60e4de6657cbdcf8e21795e0054d243bafd07d27e608cade7f1

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
3.7MB

MD5
8e9bca21f51e8907e291de24641d0a66

SHA1
bf66599fbf0a48c85c428aaacf8d590af69e4889

SHA256
0c9ac11594b1e261dbe66c5fd2368079c1fdaa768bade0f6f4d50b233f73b043

SHA512
6a9528aab01605e473a368006313ad567e8afb9b187b17df180052a0a4f3d3eff706c427dd2c40e4e629ce1eb517aecc14736cd4d2ac7e1a2e8008f8124d5e82

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
3.7MB

MD5
42465283370c12215a70825b0c541244

SHA1
3c481f2c74f73c2056ce1713443037e9444eec1a

SHA256
da1f56846bf51a7338afa7a5ef73db5f3c4b229d3bfb41b84e73c5a8092d9a93

SHA512
067f5f62120243fc34a9006d3f1bd62c731597a8a9e21a6887ad36ca57f5713f435265e291f99ed9edb5f4dd8dd17731ddae1cb0a7c608917fa6f91ddb6aa042

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
3.7MB

MD5
daed1e4c79887decf2c290233c2de63b

SHA1
aaa8037551eee1c088b230cc29cae39414d99fe2

SHA256
7324b7c38734661ba65fb9c38ae8302cc3fa203bfe4b18e2a42700dabfbe10ba

SHA512
f86be2184fab390ede77b53cb85f18229036a043f9b1d400ff8c43963d9501becea78914cc26a5b35b396ac826c847992703b3e4a90c4a332ec43261a6e427cb

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
3.7MB

MD5
5438dc8ece33716a656c090a4f3ea570

SHA1
cb7b35d2b4300a5bc82d5ac71ff59658f74e7b77

SHA256
8f5770a88e52fbece0a52a83dee8536452f770ca9620bec1129ce5468ad589e4

SHA512
a83847562c8dcaef56b32439ef2d84eabe73e73796870a41704d4c131da4a507275f3317541358a2a13d9e9e5aca822dc2420e793a28c9e79b04836875b19fac

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
3.7MB

MD5
89e061f11cf415ff1ccf408f485af304

SHA1
dd8feae1f2cbddd27b23b830ada083bbba743027

SHA256
e3812e9f9be30dda0a15bef84a36edd93d003ffcc4c4f53d9110a3f9280bb745

SHA512
a5fb5999ba9c434ac9b2309367e3fb801c9c22e9b43b3a31ab8907cb73ce3832579eb9e608fc1d1c823530833bfed78791f6c847435b843f031a9f8f6b6b10a1

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
3.7MB

MD5
15101b8cfb93587926b4e4ec83bb06a4

SHA1
3f11ec5783a17ace4cacc4cc1ac1c0a78725d780

SHA256
eebc05ddcb3a928c90432eff5f6d6cebe8bf7bc0b704a734e6e370d5adacab81

SHA512
0b69a5cc44e85d7ccbf74509bd8a43549fc6215d18a6352b34d679f6939522ced67f8df63992a4366b2fe628f7de6d2546f3de0d83a9e6f848b3fa08eeaf1022

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
3.7MB

MD5
9a90310ce471af443c9971ec872eb714

SHA1
895285556c211194b774f7d5723836e6ecb5d9cb

SHA256
dd0e4c665f65b8489e0416988cddadd1bee90a3d32fe58fbc2d6ddad25b947dc

SHA512
526231a744dbffb407b036f58f8daea31977ce93d0a94fdde1339c7c03ffe18316fe4e2ca21366c9066cbb63cc59b61cca22653964882afaa9ad7d3db0bb86ad

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
3.7MB

MD5
328cc32d980dc6a74ecaa48d3eb81df9

SHA1
7ee6d7988a1d4db320726222146a07af7b63e608

SHA256
21f8136ffb66ba4eaced04360cf1dd5f51cdff22462288304eb1f877995996d4

SHA512
91d8b4aea0bf5fa11f68f8e8d5b752a34fe8cae8ff4823368ca633244297bfb4b627254be01d53b4eebdaab1b8d484fea96e6c67bb6d71ee0b3ea236aca5294e

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
3.7MB

MD5
eaa7aacbf56196f4b74785ce339e927e

SHA1
fe7833bd15f485839a4939786683121ebccdb165

SHA256
ae7a1ccef62c32af8e108e6015f03eaed950fd56d1867edc2b9fc2576bb25c92

SHA512
f10265ef6db746cb9773ecfc58665adc349cc805704aeb3b4fb6a132c45b384adefeb94043c31fb68960581317ea8ada50f22a810b9b5d897542d6581b98154a

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
3.7MB

MD5
a2215682950f26902107b27fa8277551

SHA1
97d68c5d50d05b7d6c491b61e5553a40cb2ef00f

SHA256
aff7d02649a951cc596ae0ece0017e0969b139544c4836da00ecdd1c0faf68f9

SHA512
583d23081b1d1db796eb9e96ae004f0fc7d732be697f03bff55b9be78a626d686961681a6eb09ac673244e6d9a22eb20468afa724cd98b4920795d63b8db2a00

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
3.7MB

MD5
aeb2bb543b72f961b4858a67c8256b02

SHA1
32d30c1ca6a36bfb51eb5ccc2b7f981dacee70c1

SHA256
e1d6bea832fd8ffad04dcc8c6709e3ff49a483f33fe74187ea7cfae0eb506a8c

SHA512
d699a2b7136a0f2210e05853c593f92ac5bea8dfe013e64eb4975142ffe76b5c4b515333a9d326abb3116acccbb75e6868bdd1aec99ebe73653fc1ecc086baf8

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
3.7MB

MD5
73aaa293f0c5368cb08498b86c590140

SHA1
aa3d7849c22d55aca54e13939160b334fbbf63ef

SHA256
2c78bac7c5facf109450d37c2783b8c6ab1a17fd2383b0fbb08e9eeaf14ccc99

SHA512
78e86499ebd94ddb4e54fd92bb670c0ba23c37bfcac6d7647070e8a0dd85cd7eba352ffb4d680a4a23fa953526f9554bbbd35ab890b5ec6c2664802156820920

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
3.7MB

MD5
0e8e0087f443296a86167a41db5e6499

SHA1
f980a33c3e2ed2ea5c45d64fabbf7e73cde8cab2

SHA256
1278ac9ac31b7cbc8f75b5abe680f34df5fc1cc89f01c37f278f47bd85b73833

SHA512
4cc3fbe159c5117519c6150282e41319287977be211ebc17b2a8a1a91ffb18c1a954d478dd947cec860d5034eef730c1dbea63249599dfa0f3d53f758a024069

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
3.7MB

MD5
2a6adc0fafa5d939362e32c3d955125a

SHA1
dbe6960f47c6033f45ff9bf6d3aacbeee1afdd6f

SHA256
4194e1a2920d646e59f5e69f93438598a7212fcfab900c7004f875b74b7d6622

SHA512
9926f40eb8308025ab59170acf0c9e0b8b486cdbd9afd36f6700656e8da1a548b6dd455a1c2e02ab6172ce7219fb4cb8bea57761c6c725e8f33aeedbca3dd0fe

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
3.7MB

MD5
165a22ec9489a393987e8bf754c3c32e

SHA1
f386f75456806967f0056e91983480d80d230c48

SHA256
86dd031566a63621aefdbd6de6bb2eecc84e7a0a95fca5328936cf13cdb540f4

SHA512
1505699b61742e4e5e964099c89a153cc85efab434bd0d1f76a18c8f18eefc64160210bd1a8281d6202c8b4fbfc16126a2edb77ceabec5c8789f67860c52f31c

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
3.7MB

MD5
2442486dd5e2481c5fe3de371e04f157

SHA1
d96055d01b1d555dc55f7e21643c7cfac81619bd

SHA256
b2d9bf7a169277dd1513c2bc87f205e4761e7b9e55eff5a64e30cd9d8fb42556

SHA512
f12c09739c1d63652390a14549c35a89004566470e9bd05c9d5a59efc153757669b6037e3bada15d684029ee9268bb862f62d40076f7cfdb10d07251205cd972

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
3.7MB

MD5
0e9f45e1a9c69b0618403c24fec28e50

SHA1
45ddcac1ae59314b00b6e6432ed236c1f482c40f

SHA256
3eaa762c0bf829ac411d762ae43d422dc950a9154f5b78cfd91bbc2f066e2a25

SHA512
3d11138aa9956484ac4d5b16bf073b473fec8b8e6f7ef63b8b04d8338ec769f1d2fa7569930008f41e38e263e5af30bf8d9693edbdadbc3df775a8ada6857be5

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
3.7MB

MD5
66b2c74cd60b2cd48a10c4ea553c337b

SHA1
229574d347dae745af1485e096e0dd001867e2e2

SHA256
69a0a573f1faf873af45d8c5dae3741e4fafe2ba7046c0f93cd1162c995d812f

SHA512
c98bebd556d805440e263c9cd2b43a4c6797ff8bb66b7e371e4a149a96efebd492ef5cffc19fa9dd706653b23da1cc69cbe826be8378fea21cd3fda6ff09f2b7

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
3.7MB

MD5
9e8ce1ff2c0750f8b6f642181afa8176

SHA1
95ea567ba2f2fdd44ceb3e70c0bd88d37494d2f2

SHA256
048aaeba67361ca141b824dcd6006f8ce180c34a4fcce3926cdbe903d8ec5f4e

SHA512
ef16eefd7e353d6f44d5f2ff72a3d5627e5c72b255b7e53e74f2f31b4c7c65d8b0179e0b65f5ebb0edcc8ef232edeaf4e3f1a195294317c0e46efa2c2ad7ec89

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
3.7MB

MD5
def6fa2cf46e033c821dde81d0439eb2

SHA1
a2aef7e639256ad26a706e6e685f3ebf76bb071b

SHA256
2ab5ba83bc5014cea2275588eb672da0e8560c320463529c97814b18af9ad703

SHA512
b311d3afba5550462a433bf6469f2aab547dead3a9c0d49102a98951c92284d91f8e9a6fba8ad5499dbd9ccf5fec37d1b5434c49c8d9afa0e7074a398a3856ea

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
3.7MB

MD5
634990a1d02df33561624fce8532e303

SHA1
17b4a7054e9161f5fe3eaeabf0d1b36911710d25

SHA256
7d81f458598c15b11d24bcc78d262e78bbfa35bb3adfb173e49a1446f8251e43

SHA512
277f829b07d479ef7a2b3dae46547a533d75225633789119fd74968b5d5ba4eb16dc8e39801e791564d645dfe5425115812ad5b5c7f41fe8a3db4f7201806b28

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
3.7MB

MD5
3a67b6db636d1e5864d55396db06b627

SHA1
8542753740445a0f2cf573c768908dd543cb90ee

SHA256
ab149cb89b72f5d1282b1facebe318ac4a0a789a24050b277495a7a4bb11c6b4

SHA512
fe14e8c61df39735d893dd0603f78a4bbbffd9c9690b20d76cf57ccb5952f5978ec42dbb60a2a2638c3434f7a46f4c6e407be5b0f1bb87a5275e311180abab67

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
3.7MB

MD5
f4e8aea36ead1c1503bd2e5fc89cb598

SHA1
2dcb480838eda5a6de98c0063a045c893ca4dc94

SHA256
fb185bcaefc8e8e183f87c226bd71f174401b473e5805c919a1c2b7029a3b004

SHA512
cf18651b36581216af7505128412ed9fb9efe49d2eb94b9dea621a101d0f2d295e0ab006b07c351b4b8ed6c1be126a3301954d0ceed244a9373feb5c32e199d9

Download Submit
memory/372-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-3-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1544-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads