02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe
Size

276KB
MD5

167377ace6322d3fbb08a2015d8abdd3
SHA1

55b3348e48c19c2aed9f86c4a787ed2d22231a72
SHA256

02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3
SHA512

f4e739d64a3a9b585359684d41e38f5aa7d5c5e3796ff3d9cc1611d96db512039f240e65e9f3022cd7dc6bec0a9e4aac7155dc9082115431fa85b16c87955836
SSDEEP

6144:zXh9t2QwQuCJ3ldZMGXF5ahdt3rM8d7TtLa:7h9t2QwoVXFWtJ9O

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbeejp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jedccfqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlbcnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hefnkkkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckqbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcngpjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpelhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpfbjlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpelhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibaeen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmojkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klhnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe

Executes dropped EXE 54 IoCs

pid	Process
2812	Fmkqpkla.exe
4112	Gmojkj32.exe
2676	Gifkpknp.exe
4040	Gmdcfidg.exe
1080	Gpelhd32.exe
2016	Gbeejp32.exe
5152	Hefnkkkj.exe
5448	Hlbcnd32.exe
5768	Hoclopne.exe
5344	Ibaeen32.exe
1152	Iebngial.exe
3496	Ipjoja32.exe
2196	Ickglm32.exe
5924	Jekqmhia.exe
5956	Jmeede32.exe
5872	Jgpfbjlo.exe
5472	Jedccfqg.exe
3308	Kckqbj32.exe
5536	Kpoalo32.exe
1004	Klhnfo32.exe
4528	Lgpoihnl.exe
1016	Mjcngpjh.exe
1084	Nqpcjj32.exe
5812	Npiiffqe.exe
2120	Ocgbld32.exe
4888	Ogekbb32.exe
4612	Opclldhj.exe
888	Pfoann32.exe
1852	Pnifekmd.exe
5000	Paiogf32.exe
3900	Palklf32.exe
5088	Pmblagmf.exe
3744	Qdoacabq.exe
2776	Qdaniq32.exe
4764	Amjbbfgo.exe
3404	Apjkcadp.exe
4444	Amnlme32.exe
3532	Aggpfkjj.exe
2856	Aaldccip.exe
3816	Amcehdod.exe
784	Bdojjo32.exe
1704	Bmhocd32.exe
448	Bhmbqm32.exe
3132	Bhpofl32.exe
2324	Bgelgi32.exe
4376	Cdimqm32.exe
3984	Cponen32.exe
3540	Ckgohf32.exe
2220	Cpdgqmnb.exe
4596	Cacckp32.exe
4972	Cogddd32.exe
1868	Dgcihgaj.exe
4548	Dpkmal32.exe
1616	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Locfbi32.dll	Jgpfbjlo.exe
File created	C:\Windows\SysWOW64\Cajdjn32.dll	Kckqbj32.exe
File created	C:\Windows\SysWOW64\Mjcngpjh.exe	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Nqpcjj32.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Fmkqpkla.exe	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe
File created	C:\Windows\SysWOW64\Fogmlp32.dll	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Jekqmhia.exe	Ickglm32.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Ppihoe32.dll	Gpelhd32.exe
File opened for modification	C:\Windows\SysWOW64\Jmeede32.exe	Jekqmhia.exe
File opened for modification	C:\Windows\SysWOW64\Pnifekmd.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Obqhpfck.dll	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Ogekbb32.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Amjbbfgo.exe	Qdaniq32.exe
File opened for modification	C:\Windows\SysWOW64\Klhnfo32.exe	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Gmojkj32.exe	Fmkqpkla.exe
File created	C:\Windows\SysWOW64\Ipjoja32.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Ipjoja32.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Ekbmje32.dll	Amnlme32.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Hefnkkkj.exe	Gbeejp32.exe
File created	C:\Windows\SysWOW64\Jedccfqg.exe	Jgpfbjlo.exe
File opened for modification	C:\Windows\SysWOW64\Nqpcjj32.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Gpelhd32.exe	Gmdcfidg.exe
File created	C:\Windows\SysWOW64\Lciibdmj.dll	Hoclopne.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Nbgqin32.dll	Mjcngpjh.exe
File opened for modification	C:\Windows\SysWOW64\Npiiffqe.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Pnifekmd.exe
File opened for modification	C:\Windows\SysWOW64\Amjbbfgo.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Fpejkd32.dll	Gifkpknp.exe
File created	C:\Windows\SysWOW64\Gbeejp32.exe	Gpelhd32.exe
File created	C:\Windows\SysWOW64\Ickglm32.exe	Ipjoja32.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Palklf32.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Hefnkkkj.exe	Gbeejp32.exe
File opened for modification	C:\Windows\SysWOW64\Jgpfbjlo.exe	Jmeede32.exe
File opened for modification	C:\Windows\SysWOW64\Kpoalo32.exe	Kckqbj32.exe
File created	C:\Windows\SysWOW64\Hebqnm32.dll	Ibaeen32.exe
File created	C:\Windows\SysWOW64\Jgpfbjlo.exe	Jmeede32.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Gejain32.dll	Npiiffqe.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Klhnfo32.exe
File created	C:\Windows\SysWOW64\Palklf32.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Amjbbfgo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
628	1616	WerFault.exe	144

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgpfbjlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dibkjmof.dll"	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didmdo32.dll"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckqbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibaeen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll"	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpelhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hefnkkkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hoclopne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klhnfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll"	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajdjn32.dll"	Kckqbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migmpjdh.dll"	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appfnncn.dll"	Jedccfqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpejkd32.dll"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iebngial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Paiogf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cponen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmdlh32.dll"	Gbeejp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2812	2260	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe	91
PID 2260 wrote to memory of 2812	2260	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe	91
PID 2260 wrote to memory of 2812	2260	02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe	91
PID 2812 wrote to memory of 4112	2812	Fmkqpkla.exe	92
PID 2812 wrote to memory of 4112	2812	Fmkqpkla.exe	92
PID 2812 wrote to memory of 4112	2812	Fmkqpkla.exe	92
PID 4112 wrote to memory of 2676	4112	Gmojkj32.exe	93
PID 4112 wrote to memory of 2676	4112	Gmojkj32.exe	93
PID 4112 wrote to memory of 2676	4112	Gmojkj32.exe	93
PID 2676 wrote to memory of 4040	2676	Gifkpknp.exe	94
PID 2676 wrote to memory of 4040	2676	Gifkpknp.exe	94
PID 2676 wrote to memory of 4040	2676	Gifkpknp.exe	94
PID 4040 wrote to memory of 1080	4040	Gmdcfidg.exe	95
PID 4040 wrote to memory of 1080	4040	Gmdcfidg.exe	95
PID 4040 wrote to memory of 1080	4040	Gmdcfidg.exe	95
PID 1080 wrote to memory of 2016	1080	Gpelhd32.exe	96
PID 1080 wrote to memory of 2016	1080	Gpelhd32.exe	96
PID 1080 wrote to memory of 2016	1080	Gpelhd32.exe	96
PID 2016 wrote to memory of 5152	2016	Gbeejp32.exe	97
PID 2016 wrote to memory of 5152	2016	Gbeejp32.exe	97
PID 2016 wrote to memory of 5152	2016	Gbeejp32.exe	97
PID 5152 wrote to memory of 5448	5152	Hefnkkkj.exe	98
PID 5152 wrote to memory of 5448	5152	Hefnkkkj.exe	98
PID 5152 wrote to memory of 5448	5152	Hefnkkkj.exe	98
PID 5448 wrote to memory of 5768	5448	Hlbcnd32.exe	99
PID 5448 wrote to memory of 5768	5448	Hlbcnd32.exe	99
PID 5448 wrote to memory of 5768	5448	Hlbcnd32.exe	99
PID 5768 wrote to memory of 5344	5768	Hoclopne.exe	100
PID 5768 wrote to memory of 5344	5768	Hoclopne.exe	100
PID 5768 wrote to memory of 5344	5768	Hoclopne.exe	100
PID 5344 wrote to memory of 1152	5344	Ibaeen32.exe	101
PID 5344 wrote to memory of 1152	5344	Ibaeen32.exe	101
PID 5344 wrote to memory of 1152	5344	Ibaeen32.exe	101
PID 1152 wrote to memory of 3496	1152	Iebngial.exe	102
PID 1152 wrote to memory of 3496	1152	Iebngial.exe	102
PID 1152 wrote to memory of 3496	1152	Iebngial.exe	102
PID 3496 wrote to memory of 2196	3496	Ipjoja32.exe	103
PID 3496 wrote to memory of 2196	3496	Ipjoja32.exe	103
PID 3496 wrote to memory of 2196	3496	Ipjoja32.exe	103
PID 2196 wrote to memory of 5924	2196	Ickglm32.exe	104
PID 2196 wrote to memory of 5924	2196	Ickglm32.exe	104
PID 2196 wrote to memory of 5924	2196	Ickglm32.exe	104
PID 5924 wrote to memory of 5956	5924	Jekqmhia.exe	105
PID 5924 wrote to memory of 5956	5924	Jekqmhia.exe	105
PID 5924 wrote to memory of 5956	5924	Jekqmhia.exe	105
PID 5956 wrote to memory of 5872	5956	Jmeede32.exe	106
PID 5956 wrote to memory of 5872	5956	Jmeede32.exe	106
PID 5956 wrote to memory of 5872	5956	Jmeede32.exe	106
PID 5872 wrote to memory of 5472	5872	Jgpfbjlo.exe	107
PID 5872 wrote to memory of 5472	5872	Jgpfbjlo.exe	107
PID 5872 wrote to memory of 5472	5872	Jgpfbjlo.exe	107
PID 5472 wrote to memory of 3308	5472	Jedccfqg.exe	108
PID 5472 wrote to memory of 3308	5472	Jedccfqg.exe	108
PID 5472 wrote to memory of 3308	5472	Jedccfqg.exe	108
PID 3308 wrote to memory of 5536	3308	Kckqbj32.exe	109
PID 3308 wrote to memory of 5536	3308	Kckqbj32.exe	109
PID 3308 wrote to memory of 5536	3308	Kckqbj32.exe	109
PID 5536 wrote to memory of 1004	5536	Kpoalo32.exe	110
PID 5536 wrote to memory of 1004	5536	Kpoalo32.exe	110
PID 5536 wrote to memory of 1004	5536	Kpoalo32.exe	110
PID 1004 wrote to memory of 4528	1004	Klhnfo32.exe	111
PID 1004 wrote to memory of 4528	1004	Klhnfo32.exe	111
PID 1004 wrote to memory of 4528	1004	Klhnfo32.exe	111
PID 4528 wrote to memory of 1016	4528	Lgpoihnl.exe	112

C:\Users\Admin\AppData\Local\Temp\02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe
"C:\Users\Admin\AppData\Local\Temp\02855af7325cacfb8e11332abadfe337a86de3216e9eb45518cad7f56fde2ed3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\Fmkqpkla.exe
  C:\Windows\system32\Fmkqpkla.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\Gmojkj32.exe
    C:\Windows\system32\Gmojkj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\Gifkpknp.exe
      C:\Windows\system32\Gifkpknp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5152
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5448
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5768
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5344
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5924
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5956
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5872
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5472
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5536
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        55⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 412
        56⤵
        Program crash
        
        PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1616 -ip 1616
1⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3104 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amcehdod.exe

Filesize
276KB

MD5
f4e03333bb55fb9de337501fbccb3c43

SHA1
338989c12e35f9bcce0c0bf157e3472200b23e1b

SHA256
5b4b172c1269d97e3a2912282c68de7c1ae774625552102dbc2d935de762ee47

SHA512
28ac7ebd1e08f48abaf65207c0b89b09cc8c98925c5cc73906b9849226b4067221a0ab2a1cacd2eb98f37f0af38017b2a8f00aac6cd024c2b99fe7aaf3351168

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
276KB

MD5
1d69de060e1041d7e53c28b78207c748

SHA1
6274ce8ad83a2d22afbe50c84f4f65c5d5f21f67

SHA256
caca67de654ac77bd3c5796945e545eac42c0848c117803b7d1123e7f692c5cd

SHA512
87963aad34ab9cc650457b590ed953b678899609b9296eeb1abcf1269c2321877553aa6a18ed1914162bb081888ecb9132243c67fd97e8075aeb3c4f82e3c716

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
276KB

MD5
1b972d335225f002ade516268575d48b

SHA1
a9913a193647c9e57aef90d4b5b8575f4db6a28b

SHA256
97ab75d907ae4a24c2f16e2c38a69c052a57c0178b8ef16dd4778413a0e480be

SHA512
30b3f4db7fa64e90ea4ad80a0dd551fca695b5420e1e8e9a6f112789f0750835c341ffab0903dfc52f685c571693abf4245a05a74d3e9a91b45d82e4e6899cc6

Download Submit
C:\Windows\SysWOW64\Dibkjmof.dll

Filesize
7KB

MD5
4de0997d3769ebf18083eb08dc2f45e0

SHA1
bbfd0865cf33493e89ba857ba0146bbb416b4b45

SHA256
493a1b2efdda532091daf3b49ab9fbd9e3e5445e051cb49ea0932d3cd3da3097

SHA512
b633224bb58d5f6300161f3615d4cd13e6b95aef6768ae5633084a775294f9093cb5f86cf96863741074c88366deedf098395dfa9fe1035b42a5c2df4816665a

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
276KB

MD5
504161b5d884dea0bfa8b471ac096105

SHA1
ded4b2065d570bb513b309b1855d89d3ece68c47

SHA256
3e9ce4a0ee8ff31a3c006022b6007495e140426eb270b996f8639cd04ef18035

SHA512
2d9c3601204bbf58db5426d8a499aa44a24cca0915f71e8887dde93c859abe9de2f08c2d1110e32c6f74b4562a370fc30b72af6ea23188707ecb337ac736522a

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
276KB

MD5
d59be5ccdbf3b6a7117c433c5ee582de

SHA1
70a6f3e750b64d17f4aab10d10c1bbdbe25cbd54

SHA256
6916b58e4a5f5c7067a0d0f9490934557ae0e84f6a5ea4d4f98e6822671118ef

SHA512
22617ed697a69068bbceae74b6750d325d3eb439ac717f151c1b6194492bb22be8549c0575a59a7d5af267e7989349ccfdb42fdd655505e60e2c372c94f8d28d

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
276KB

MD5
b442104cc0a1d2fa3e2066724248d163

SHA1
9e31bf22ee1fcf08543160a59b59284f98a107ee

SHA256
3434042f1117d4cbcc5ef1e8eaad0f25eff8c93e92b0d2eda450c84e20a8c886

SHA512
4bc11be57ba6e1dcce80ed722f3b60bd4bc74177e5df4465dd5f6e531f89533aeb8c25c4025f6d586f2dae5f2cfb346fcb32fa486e85099596ab59bc6589f041

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
276KB

MD5
a135032f6a4c964bf4c3ee0f45c74507

SHA1
1b446b2a084f2fa35b38fe8b280cd236cd520e6d

SHA256
2e8b4b26fb4bfcf038b9e199830b4e10f7cfcd2acdb16ba87354e186cf2a4241

SHA512
4de5085697d3d815894391e69f1b8d158385927a219829ef4aa5c6f33a74f173905ab39635f975c4d0a06b94d55ff132e48956e2369da6331720168539eeafe1

Download Submit
C:\Windows\SysWOW64\Gmojkj32.exe

Filesize
276KB

MD5
7dab596758ff107fca32eeacecd3d10b

SHA1
17c564d80eb2f4f929e7c5e74adf47e1e65c536b

SHA256
e7de0e1b45094f1e70a91b83d448c17ee02574bba1380ea21445c944ba04ca20

SHA512
7f8f817aeed693a54c3ef8e29e180d92b213d8206b526f1ccd264262275c8f93da1f3a47f9029968a59b8d858877b5134f740e845ff3ef1f0b7bb937d9198bbb

Download Submit
C:\Windows\SysWOW64\Gpelhd32.exe

Filesize
276KB

MD5
2c34dc3e65906799e9d546aced36510c

SHA1
b4627c61144af5566c5570184753eed6da401b97

SHA256
847a3591ed9bb8dc07e664710c1b79fb40f2a6cb1acfeff357980f1587fec8ca

SHA512
66a98b48f4b9b3f2970c93bd09e2aac76f16ea7002fc68a27d42a572e1872bd4192796cbd235dd1e325062efbdc94ed0b880ad09060eb81d3d9acfaee4a928d1

Download Submit
C:\Windows\SysWOW64\Hefnkkkj.exe

Filesize
276KB

MD5
efa6de43447a7a439634de446fa2ab36

SHA1
73e67408a9684304943294b3b8aeb038ac786e06

SHA256
a07d71dbf7e1c7e5d780680356e74559a4116e080c9f8fe9364eff3f208d91e8

SHA512
484147bbb8f90f07d20a654e13d668b7a6189b9cca6428df004a9ff242045856fb4a8f54c215404cde501f180d2ba791fb897e90a8adf5c58e98ce39f1f0ffa5

Download Submit
C:\Windows\SysWOW64\Hlbcnd32.exe

Filesize
276KB

MD5
9f9f6b626b5c2f84dadc9a9ed3f3b885

SHA1
57e6e085856fe19a89f278b1b6d22916f9fc62e9

SHA256
487105ce0d77cefe529388f43dd6dfb5f94c0cbefabdb77aca8678be6aab744f

SHA512
3845b93627a2036966d4ac5ab51d3691a38d9c209335246f10b824f175330f074361e6dab63160d040cf818813e1ba5b38c0afcfe27c69ead6378d8d514c4cfe

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
276KB

MD5
e2e64645d6fd4580a08d09d280fe2367

SHA1
a39f56382f8b120f4d57180bc3476af26034ef34

SHA256
d8450089904b61eba715764d75d267ffc7e14215bd31c5bafb1bf693cb6219a3

SHA512
8f558de46514694cbbf0a6e4d835995ad0a2264e1df0c86636fed547d7be1c6fb7da655739c8f46b83586aca0741c8d517dc282b303c32d3565381ab7c44ebe3

Download Submit
C:\Windows\SysWOW64\Ibaeen32.exe

Filesize
276KB

MD5
8e9dd8ee03ea1a8ebf4950befbd02926

SHA1
c04a0f9ba252dba4eac47642ab5d88400a31c3e3

SHA256
ffdfe371fd34e53a5457a6df09a4540786a06c3505d36af209d99f6ad3cf842b

SHA512
a0390f3ae1d02dac50b1292075182f5bb8e3e9f4cb5886c0688c8a1b2841c500878b1ebdfa077c46158e3dca5643033729a9ba7f23ed8448d635e79a180cbf43

Download Submit
C:\Windows\SysWOW64\Ickglm32.exe

Filesize
276KB

MD5
d839668a76ccea8ddd6b96a0a268e2d5

SHA1
5812558ca71c013c168133fee2732a3011701440

SHA256
2ffbbbdb99d738ef30aaefe5b37044cf02400ac04dcd22ed55cb78eccf9222f9

SHA512
95fc1d10304c295b9f69a7b86132864f523d94d5c8b3ce68d805617534397284348dbed8f6fb0fbf2b4387d226496c6a0a261a0da8ff4c52ff7bd783cb74ff1b

Download Submit
C:\Windows\SysWOW64\Iebngial.exe

Filesize
276KB

MD5
10fac9eabcb6377eb081cf95cf6f0b0e

SHA1
3afdd60b94205e5b3bdfc72355a59dd9824006b1

SHA256
4802053e4ccad8e9dad0f52eb94c218b22faf8f5e98b8590fa1710c59e1e98c0

SHA512
ebb18df325425cf23193fc9ed2ce5a78d133219f26b2983f28fb5c00781bd13f422a37e5ab33c29b235af49409ee6a23d29e4a59b4d23a4c5ece100715c390c9

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
276KB

MD5
4dde60e1235a9f734b0fd9e56cf9d90d

SHA1
20e34b6fa209ead1565999726a06d6adcafd3b67

SHA256
e9d4f07cce8f4cd295410339c104a393cf4b09bf1b795782b07538aea0781dc4

SHA512
1645b5f6cb480572da31e486da07b2731873f4d2de1d247b3dcfca4e4b9ec477c9711ca003fd3ce360b50bdf41b3b2955cfeecab5df2f17385af73732609ecce

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
276KB

MD5
61c25a4b465030cea79ec1e091807c83

SHA1
aaddd5ece44e47efc7ff09662e7e00166fcdc151

SHA256
cef766f12f4f2dabb56f271ea0160290ddb3b5f01625b374f753b5bafe467931

SHA512
a4c1259d0e923f826e182382e1ec0cc86915ef32b834a59b3a867f163b70049aefe29d468c1221e13e50dd9695b55bd67f8a605eaf244b93102f9a6fa7350e05

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
276KB

MD5
8a5a83ed714ba8a1a87f8d8619ecf2fb

SHA1
a990d4f81ddc6300e978bb9fd57a4d9f3c73a972

SHA256
4e14271497ac7469ca2b6fb9081c5945d5abf18aec4de75f1a1a6b856fc3fc46

SHA512
a032d3f7ebb93719ae2f9f7c073e285e4a18a11fe698371ae93e52e259d141a27c580646326b63f3118e4a5c1c0c2dd8c14bc4256471cd102cd782212ec2c6c0

Download Submit
C:\Windows\SysWOW64\Jgpfbjlo.exe

Filesize
276KB

MD5
c1b56017974692810015a91d30a6b1a4

SHA1
5c9b3e54bedee297f762296304407ee4c070a915

SHA256
4c2f416f01a8c29618bc806c270cd5d108b13fa31a250221603c67d085f877bc

SHA512
645118fa050f501c5e7c2be01c08dd5c9b26c859f95ca4eefb0ca4f263f0bdd31c59fad3d44e6785b3155d424fb678f2a1b51e164e54c58564903c79439988a7

Download Submit
C:\Windows\SysWOW64\Jmeede32.exe

Filesize
276KB

MD5
d829c030487853e44a96a225b81bbabd

SHA1
60862fb71f6027f997ee55d993c12ab459bdddbc

SHA256
c7713787811815a88111c3ef401fa297273243751fb7aca3a8b249b67269bf80

SHA512
4280d91642ec59f1597beced81383711d1cc31b4ded8e3af5e4e48a37f83542a89eba34e342edcf61007eb39e7a3a0ad66e15676c214b57da22324617387e48a

Download Submit
C:\Windows\SysWOW64\Kckqbj32.exe

Filesize
276KB

MD5
8c18ab6688c8b0e9e9d66d151b040dfc

SHA1
11089af8df360cbb38a647fc80bfabe492bbdfe0

SHA256
9eca43a43625ac5f9c7bf917d30eaa69ccf6efdcf8a8ef336081ff35011e1a67

SHA512
3d27ad81197ad1413ed1e3b531c4ceb6edaa6eab61a9e3954be96a2a489bfb4f878fa044fa1d43fed97547a56f3ddfbfffc97b7616f2c93678faaeaac58d6338

Download Submit
C:\Windows\SysWOW64\Klhnfo32.exe

Filesize
276KB

MD5
b82e207b8292c982cede2a870df31f75

SHA1
dc1a65845533c0fefdea04a2e70c732497ed14a0

SHA256
91194e9ba9467e13536877a825a1f178053267282386d0910aedacbc15196123

SHA512
4727aaee7588c98e223ba743a3f8a055bec00765adfb295396006e1cad8c1fb17d19f7069960a2e0e54500143ed5d2566bf963595f8d9f9409c115d86c412dd9

Download Submit
C:\Windows\SysWOW64\Kpoalo32.exe

Filesize
276KB

MD5
e716e73464679a7c9fd5c08fa57bc787

SHA1
47a2495b9eba0a79edd16e2323cc73e68a1073e5

SHA256
20727e0bf569c88a09854a98886565527c4bd9b471d9a2928ad7721dbe7ef322

SHA512
e3519922542a1341455debff588a8436179b8f55896b2a415ba2eff0733d6204e117ddbb1520e9e01984c16dba7dcd4f4442979b53019482e68d2ed94ba7d841

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
276KB

MD5
1e015da248ee6ac005bd6519a637302e

SHA1
49bd2aba77801111b997e849e6fd54a77e1f40a0

SHA256
87ac4a10f7d211a581d5981dd5f881024a812f0c067cdec098e228ccc8d80155

SHA512
e34a150bf6fc19643b5960df1d712d95a65df90ab6cb3009bd43ec10729aa32ee2b75288f0130f832b5b6ef07a696f2ba29a75d9283db63a2988e2a08ce8bf39

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
276KB

MD5
e18a191bf5a68edc656b13ababc2f962

SHA1
1d1f5815705cb3df611ca26b9c05d8a49ae4ce51

SHA256
d2f9126bf01be735dcdaf0dd2a910143c830555e38e22d12d97aa066c0e8e1ec

SHA512
48e2956d341fc4b9f98e859ec50c2087de36db73db8a47348e102a68dfffaeea019b83b1f9e8845e06b62546d0afdb0c9801b85caf8818c3eb106003b33887c9

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
276KB

MD5
2ec610a4dfb2a28f4dda2e90a4380c71

SHA1
b8082fe437c048fc8db0d7ab74c5260eefff8135

SHA256
794ccfeefbe1be935d439447a4b0328ce7b52595db613a665188f1f42d19ce90

SHA512
3f3a3c2c365bc113dbbb5b0b99caf4c81c86808e7c98da9fab6641134510b060db9b76bec5bf5b64da81398287ae3deff12bc39a6432edad48debc616bf7dca0

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
276KB

MD5
7082ce242d95482f16701022f7ffc6e3

SHA1
ac43941ea66b2b8ee5a53dfc731743c27e92b88d

SHA256
5b48cb282e91eda00df48498d788876855566f221d8aa1ff7624db1ea72551bf

SHA512
55dce45c102c0d6cb2f9f104a9d4725aa6a6057bcf5113ce5c7c1e658c3db8cbbf4ed19ecce75d40b734d2f8d2e8369cc49bfcc43828440b13cd953647cd8020

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
276KB

MD5
52ecbdb9c1abfc7a6b5d5954972bfe15

SHA1
a1a3605bbd793f8a63d7b025dd987c40e36ec159

SHA256
11f7040f49aadaa7fe93370e2707a70c0eee01eea65b6f0aa2222823ee6d9489

SHA512
c780f2ce142db20d9d1b932da461e73e8e87fd110d131e7399a013611655460b946eb5beffc30b65968463035499d959b3d1bc5f404f8d8cb7b2446dc6361f29

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
276KB

MD5
8feb1ff252df87186e2639e80589da76

SHA1
5f932c85bca623a59bd300905edd31763f882c2d

SHA256
0e0966a33ca9251ebc8289d537a5033db82d461e11ee85baca2267cb78b747a8

SHA512
dedea429aecb41ff009d1f6b6a28aa7e9c55afa817f2c578008ce0d5d1593ce2ead138345ae1b6ee4e0924abac7c52a6a7a8a7ed90c9a1a930d06b51410c5472

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
276KB

MD5
c711027a2dd0b3905b14bb0f6a2ccbd4

SHA1
c29ede5bd09aa203f22eb83f06c0ba6b712bc299

SHA256
24ee327332429673aed0bf63ecb4de8dc6805d98aba09ad55142223f71c10443

SHA512
95321179355a5052244f5e780cd3eed02ff0be231a8c00098e9d4453fc0246323e7521afaef0d5487055eed05757877f8a3a10d4f62b70b06c52d93a3459287d

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
276KB

MD5
a9250f2bfa19d7f8b493e2b8dfdc74c1

SHA1
496e76471c4f9a6b929c0ea5e990d231f724bd2c

SHA256
af18feb5b9e9f6c8efb3d82f06ff10f81f16c6b0c083b1e1067ed9301810ade5

SHA512
36b417ab4178ee5926be0c4c77a28593ce54d0dfa7d14400e98bcca0db0f9404efe903507ffa669d8cb21324cce1709eb2e0aa1b36c3139b74c4b78cc0ca32b7

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
276KB

MD5
b254198e7b3472bf66e36416d071e5c4

SHA1
697b32e399fa64e406a0fd6f840d67727f65ac6f

SHA256
6da0086f24bef7a863e5c3fa3be8af2ec59bab7e8a93f653aa9ab5bdb052fc60

SHA512
6f137ad8026d74d8cdeea1f1f36708eab9a8ac59dc17cc0d6bb054b356f0543dd6724cc1658f1579b7ac1e74ef3a88ff48ca31134dae43081b743adad049f69f

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
276KB

MD5
1f7c494c5619acd38eb2be01709b2fc9

SHA1
6ab59d9ca1ed00851f271ab17e97a57c86537826

SHA256
dce7d092a07d2666bba218e42eab79da2cd03eadfd74cf76866a5cadb1c305d8

SHA512
25098d450cb8dacf7cf53815ce9dbc385244bcb11a7f4aae2e1e24a8f6a6fc785b6bd77b5be808c884c1b9e6846e4ab7bdf5823c9ea2d322cac0055f845287f2

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
276KB

MD5
e051fa7c3d8b85ab92a0fdaddd253b1e

SHA1
173d5fe233f3aeae860000e80f0a4826810c3fac

SHA256
4aab88e3ad78ac9b182a63b521a3aa2e00213d49ccdde4b50261e65da52e5eb8

SHA512
fd8c8ead31abe27b08d7f376a56b5d87db6653129ac6c2bf33c805282dfc484a830798342f9cb36f09f654fd80763202551111990a08a10bbfe878f933a372cf

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
276KB

MD5
4858520fb7fee3b6fb2a9f186c480746

SHA1
8481b74272d17b83bf749ed23389b842ac288c2d

SHA256
7b75a6a9bd79ebae88a8303a2572857c52e5a0106561009b1a92cbb227a3bbe5

SHA512
e510b189c322f8eb17e48fba3d85a323e481f16da542455799bd67813b5bc510110dc694ac523a05b9b5994e65c46be335c466f8aac42ee82159db939e8d6c19

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
276KB

MD5
91206c75af30f0a5fee30c7755e19ea0

SHA1
faaa5fcac3fde100cee9c921586165010df7811d

SHA256
720794971bd1bb3f6ad6617600a4702fea835df49e6b7519ff5ffd846cf110eb

SHA512
59ad666c846ebeb45ac039f67700ae213a9eef23c191854272fec3e947e583efb7cf62d231063c2c95a2e08d8351a080b81965a6de29ae860e793c0e8715fccd

Download Submit
memory/448-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5448-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5448-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5472-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5472-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5536-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5536-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5768-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5812-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5812-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5872-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5872-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5924-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5924-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5956-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5956-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads