5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe
Size

96KB
MD5

eb09cc31e4793c6ac1f30594f90c28ef
SHA1

4f0619b17451a51b41a1a65cb3b2442f90046d7c
SHA256

5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4
SHA512

e32ab5b388323b4745a373269f8891361a4a37b1cbd33c7f2f166b89dfb9fd2127328a8bec4d95a2c71a2f0295c081ef3920729d8423c392be6d51c8b2779abd
SSDEEP

1536:yNFd5ln+R4AmEw0QYQHseoFBar03tH7GOCtPEJcEeeg0E4BS/BOmvCMy0QiLiizd:yNbDnK9jQNrqHSREgb4BS5OmvCMyELiY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpimlfke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlnjbedi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpchib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpfbjlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eehicoel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imnocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jleijb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofgpikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipeeobbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imnocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgpfbjlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gblbca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcidmkpq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jleijb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jofalmmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlnjbedi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoideh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoideh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblbca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iidphgcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jofalmmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmfcok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckeimm32.exe

Executes dropped EXE 43 IoCs

pid	Process
1960	Ckeimm32.exe
1720	Dijbno32.exe
4516	Eofgpikj.exe
980	Eoideh32.exe
488	Eehicoel.exe
4832	Fmcjpl32.exe
5040	Fpdcag32.exe
2980	Fpimlfke.exe
3256	Gfeaopqo.exe
464	Gblbca32.exe
1796	Gihgfk32.exe
3828	Hlnjbedi.exe
2220	Hpchib32.exe
3276	Ipeeobbe.exe
436	Iojbpo32.exe
2816	Imnocf32.exe
4488	Iidphgcn.exe
2616	Jleijb32.exe
2480	Jofalmmp.exe
5044	Jgpfbjlo.exe
2868	Jllokajf.exe
640	Kcidmkpq.exe
4196	Kpoalo32.exe
1140	Kfnfjehl.exe
4480	Lcdciiec.exe
4732	Ljqhkckn.exe
4648	Mfchlbfd.exe
1748	Nmfcok32.exe
2324	Ngndaccj.exe
2644	Ppgegd32.exe
2972	Pjpfjl32.exe
3928	Qhhpop32.exe
2560	Qdaniq32.exe
2800	Adcjop32.exe
4024	Ahdpjn32.exe
5012	Bkibgh32.exe
2236	Bdfpkm32.exe
1384	Cgifbhid.exe
3404	Cglbhhga.exe
3336	Cdpcal32.exe
1380	Cdbpgl32.exe
2212	Dhphmj32.exe
4420	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hpchib32.exe	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Chflphjh.dll	Iojbpo32.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Pipeabep.dll	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Kpoalo32.exe	Kcidmkpq.exe
File opened for modification	C:\Windows\SysWOW64\Gihgfk32.exe	Gblbca32.exe
File created	C:\Windows\SysWOW64\Iojbpo32.exe	Ipeeobbe.exe
File created	C:\Windows\SysWOW64\Anhejhfp.dll	Jleijb32.exe
File created	C:\Windows\SysWOW64\Kcidmkpq.exe	Jllokajf.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Kqqpck32.dll	Fpimlfke.exe
File opened for modification	C:\Windows\SysWOW64\Jllokajf.exe	Jgpfbjlo.exe
File opened for modification	C:\Windows\SysWOW64\Ljqhkckn.exe	Lcdciiec.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bkibgh32.exe
File opened for modification	C:\Windows\SysWOW64\Ppgegd32.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Eofgpikj.exe	Dijbno32.exe
File created	C:\Windows\SysWOW64\Fmcjpl32.exe	Eehicoel.exe
File created	C:\Windows\SysWOW64\Gfeaopqo.exe	Fpimlfke.exe
File created	C:\Windows\SysWOW64\Hlnjbedi.exe	Gihgfk32.exe
File created	C:\Windows\SysWOW64\Ldldehjm.dll	Gihgfk32.exe
File created	C:\Windows\SysWOW64\Hpchib32.exe	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Hpidaqmj.dll	Jgpfbjlo.exe
File opened for modification	C:\Windows\SysWOW64\Pjpfjl32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Pjpfjl32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Njgigo32.dll	Jllokajf.exe
File created	C:\Windows\SysWOW64\Kpoalo32.exe	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Eelche32.dll	Kpoalo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdciiec.exe	Kfnfjehl.exe
File created	C:\Windows\SysWOW64\Bpmhce32.dll	Eofgpikj.exe
File created	C:\Windows\SysWOW64\Jdgccn32.dll	Eoideh32.exe
File created	C:\Windows\SysWOW64\Gihgfk32.exe	Gblbca32.exe
File created	C:\Windows\SysWOW64\Pqhfnd32.dll	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Ggpenegb.dll	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Adcjop32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Dfjehbcf.dll	Hpchib32.exe
File opened for modification	C:\Windows\SysWOW64\Jofalmmp.exe	Jleijb32.exe
File created	C:\Windows\SysWOW64\Ofkhpmpa.dll	Mfchlbfd.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Eoideh32.exe	Eofgpikj.exe
File created	C:\Windows\SysWOW64\Ocoaob32.dll	Gfeaopqo.exe
File created	C:\Windows\SysWOW64\Idefqiag.dll	Lcdciiec.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bkibgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fpimlfke.exe	Fpdcag32.exe
File opened for modification	C:\Windows\SysWOW64\Gblbca32.exe	Gfeaopqo.exe
File opened for modification	C:\Windows\SysWOW64\Iojbpo32.exe	Ipeeobbe.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Cajdjn32.dll	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Bjqlnnkp.dll	Dijbno32.exe
File created	C:\Windows\SysWOW64\Imnocf32.exe	Iojbpo32.exe
File opened for modification	C:\Windows\SysWOW64\Iidphgcn.exe	Imnocf32.exe
File created	C:\Windows\SysWOW64\Pfabjq32.dll	Gblbca32.exe
File created	C:\Windows\SysWOW64\Ofkhal32.dll	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Ipeeobbe.exe	Hpchib32.exe
File created	C:\Windows\SysWOW64\Ngndaccj.exe	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Adfnba32.dll	Nmfcok32.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Bdfpkm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1888	4420	WerFault.exe	133

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll"	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jllokajf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoaob32.dll"	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgpfbjlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfnfjehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idefqiag.dll"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipeeobbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpdcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhce32.dll"	Eofgpikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajdjn32.dll"	Kcidmkpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckeimm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll"	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmfcok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jleijb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gblbca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll"	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll"	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll"	Eehicoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqlnnkp.dll"	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dijbno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eehicoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidphgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll"	Kfnfjehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll"	Ckeimm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckeimm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldldehjm.dll"	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgccn32.dll"	Eoideh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpoalo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpchib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll"	Ipeeobbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhphmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1960	956	5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe	91
PID 956 wrote to memory of 1960	956	5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe	91
PID 956 wrote to memory of 1960	956	5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe	91
PID 1960 wrote to memory of 1720	1960	Ckeimm32.exe	92
PID 1960 wrote to memory of 1720	1960	Ckeimm32.exe	92
PID 1960 wrote to memory of 1720	1960	Ckeimm32.exe	92
PID 1720 wrote to memory of 4516	1720	Dijbno32.exe	93
PID 1720 wrote to memory of 4516	1720	Dijbno32.exe	93
PID 1720 wrote to memory of 4516	1720	Dijbno32.exe	93
PID 4516 wrote to memory of 980	4516	Eofgpikj.exe	94
PID 4516 wrote to memory of 980	4516	Eofgpikj.exe	94
PID 4516 wrote to memory of 980	4516	Eofgpikj.exe	94
PID 980 wrote to memory of 488	980	Eoideh32.exe	95
PID 980 wrote to memory of 488	980	Eoideh32.exe	95
PID 980 wrote to memory of 488	980	Eoideh32.exe	95
PID 488 wrote to memory of 4832	488	Eehicoel.exe	96
PID 488 wrote to memory of 4832	488	Eehicoel.exe	96
PID 488 wrote to memory of 4832	488	Eehicoel.exe	96
PID 4832 wrote to memory of 5040	4832	Fmcjpl32.exe	97
PID 4832 wrote to memory of 5040	4832	Fmcjpl32.exe	97
PID 4832 wrote to memory of 5040	4832	Fmcjpl32.exe	97
PID 5040 wrote to memory of 2980	5040	Fpdcag32.exe	98
PID 5040 wrote to memory of 2980	5040	Fpdcag32.exe	98
PID 5040 wrote to memory of 2980	5040	Fpdcag32.exe	98
PID 2980 wrote to memory of 3256	2980	Fpimlfke.exe	99
PID 2980 wrote to memory of 3256	2980	Fpimlfke.exe	99
PID 2980 wrote to memory of 3256	2980	Fpimlfke.exe	99
PID 3256 wrote to memory of 464	3256	Gfeaopqo.exe	100
PID 3256 wrote to memory of 464	3256	Gfeaopqo.exe	100
PID 3256 wrote to memory of 464	3256	Gfeaopqo.exe	100
PID 464 wrote to memory of 1796	464	Gblbca32.exe	101
PID 464 wrote to memory of 1796	464	Gblbca32.exe	101
PID 464 wrote to memory of 1796	464	Gblbca32.exe	101
PID 1796 wrote to memory of 3828	1796	Gihgfk32.exe	102
PID 1796 wrote to memory of 3828	1796	Gihgfk32.exe	102
PID 1796 wrote to memory of 3828	1796	Gihgfk32.exe	102
PID 3828 wrote to memory of 2220	3828	Hlnjbedi.exe	103
PID 3828 wrote to memory of 2220	3828	Hlnjbedi.exe	103
PID 3828 wrote to memory of 2220	3828	Hlnjbedi.exe	103
PID 2220 wrote to memory of 3276	2220	Hpchib32.exe	104
PID 2220 wrote to memory of 3276	2220	Hpchib32.exe	104
PID 2220 wrote to memory of 3276	2220	Hpchib32.exe	104
PID 3276 wrote to memory of 436	3276	Ipeeobbe.exe	105
PID 3276 wrote to memory of 436	3276	Ipeeobbe.exe	105
PID 3276 wrote to memory of 436	3276	Ipeeobbe.exe	105
PID 436 wrote to memory of 2816	436	Iojbpo32.exe	106
PID 436 wrote to memory of 2816	436	Iojbpo32.exe	106
PID 436 wrote to memory of 2816	436	Iojbpo32.exe	106
PID 2816 wrote to memory of 4488	2816	Imnocf32.exe	107
PID 2816 wrote to memory of 4488	2816	Imnocf32.exe	107
PID 2816 wrote to memory of 4488	2816	Imnocf32.exe	107
PID 4488 wrote to memory of 2616	4488	Iidphgcn.exe	108
PID 4488 wrote to memory of 2616	4488	Iidphgcn.exe	108
PID 4488 wrote to memory of 2616	4488	Iidphgcn.exe	108
PID 2616 wrote to memory of 2480	2616	Jleijb32.exe	109
PID 2616 wrote to memory of 2480	2616	Jleijb32.exe	109
PID 2616 wrote to memory of 2480	2616	Jleijb32.exe	109
PID 2480 wrote to memory of 5044	2480	Jofalmmp.exe	110
PID 2480 wrote to memory of 5044	2480	Jofalmmp.exe	110
PID 2480 wrote to memory of 5044	2480	Jofalmmp.exe	110
PID 5044 wrote to memory of 2868	5044	Jgpfbjlo.exe	111
PID 5044 wrote to memory of 2868	5044	Jgpfbjlo.exe	111
PID 5044 wrote to memory of 2868	5044	Jgpfbjlo.exe	111
PID 2868 wrote to memory of 640	2868	Jllokajf.exe	112

C:\Users\Admin\AppData\Local\Temp\5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe
"C:\Users\Admin\AppData\Local\Temp\5f36396e25e141f739473e5d07f42792b64ab5e318a0d7261ea7044debac9cc4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\Ckeimm32.exe
  C:\Windows\system32\Ckeimm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\Dijbno32.exe
    C:\Windows\system32\Dijbno32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\Eofgpikj.exe
      C:\Windows\system32\Eofgpikj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:980
      - C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        27⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        44⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 232
        45⤵
        Program crash
        
        PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4420 -ip 4420
1⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
96KB

MD5
b6924b59ccc2963a3d78eaf02a3f8459

SHA1
68ef585ad03b254724f06f5c6b63e2f219232975

SHA256
615764c1e872f91afc2b32096efa2ad7e43ed34b05f215ddc97895df7d33fbae

SHA512
5271ab3982e3d0651d8eda9efa003951a3bb93e78d28f1e4c16d61a352f4eda6d683f7280f71e6acbd7a000a22a7ba553e4a2c21bbe3e694ca0e1cacd8cc6d43

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
96KB

MD5
71ac1ba7bbdfdeeda6e54ef47df93589

SHA1
15a8bd7f00309065e88191e7637d2279c820f5a8

SHA256
08c41f90e4a326849996923eadd197cd6d257e5bbf2d0300477a465356b3ba27

SHA512
0ede2c0025427a3502d75b66769421f63ece3dae534f9782f53a621ff2e1da7e890e3201634bcf064025b93da4bc73f0fb844c01df6ee60d0be3b129dc2ec394

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
96KB

MD5
edd2b2cfccad8fca71bb551c5efebade

SHA1
6802ce136e664577840eecb034292e813542801c

SHA256
df4e65d1b7805de2567adfc62285a608c4150eec3fa6eccb9c8728d96f4a9e7b

SHA512
78a2da5813a315bc12639fc3c9c349ecdba6aa47a113628cf40a6b66f6153c0db7b35ef1eabef1c96511d9a46335d0b1c1cfe71f5acd2013b2186a1a25ef6f20

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
96KB

MD5
e3639a3770509b87aa062a860ec79bdc

SHA1
6eb5bbc7d879623e70cf6732557969fc46ac3287

SHA256
c76c8f6854671fe9fbd0108050f984805ca2e933301c1822c1890d0df77cf515

SHA512
9aaa7e5b44ca5421c9ad1b645f00748520350a5a6bb7f3471e891f3ef739e1a90f947d969cf48509e59fbbdb0450087dc501706dae6ccaae074b5d83934eaea8

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
96KB

MD5
b1ad785a9a79c372f6fa1c3dfa1b3730

SHA1
f4f6ba1ac92d54ddb2b795e69157a8e8957d177c

SHA256
aca80892b92dfb62df6c4ef97c92eeff47eda6a74a5105d7e6615d83c8c72ac0

SHA512
348653849bf39e204ee9c6d8759856070e1dd717f5a0e7cea9336194e8338f2e897946072cb49da41bfec1ae94cae18d07b87d2beeccca6749676ea5dd05a184

Download Submit
C:\Windows\SysWOW64\Eofgpikj.exe

Filesize
96KB

MD5
42b69b39873dd8ee9b5606ae135a6c88

SHA1
76913a930341767a232394f6196c1805ddb7f6f7

SHA256
a6774063ff96f3e93589b84788c1e6d2a5dd51234bc69c1ece3ee98e0c344869

SHA512
dd6c545a474518a08dd7bce11cd5bfc737ed66c5fe3b88c70478605183cb502cd2cc00cd62341155fae53940bfc43deb82b5da1d7cbe0d547d62d060c24177cf

Download Submit
C:\Windows\SysWOW64\Eoideh32.exe

Filesize
96KB

MD5
08b435e2ab9edf02078a13acc3a7f309

SHA1
ce3e15ca1482863c92441aed22b9877dd914c6ed

SHA256
79ed49b8253be7c50ee75f6ac791ef7615a67baf0e84adf00a50039ddb1f7523

SHA512
2c6a24cc0c3b4c4356144d1cdf653e1325d8be1e2e91f52d1b5fed32d1c159d6ecf36d94e7a9e95764bd9e3222ee8ee20cb830ea29ac9338b472aed6942c561c

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
96KB

MD5
1bee79b020aa670ed6199b06cd6dd447

SHA1
470d4abf6d43fce0f894a10f6f9823d94f9903ce

SHA256
041adcc30b0543d6b492de530bf6699daf9aa5a3041846ee13048a439188a0ad

SHA512
3b9aff4e556c2780e73bf7f66e3fae4dc284ab524f53962acd55c25c565f2e6ca2a74f8d9c620e09275b3b2a1d6ae628523c6a4edc030253421e9b4177c55fd4

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
96KB

MD5
c5576f234025e30aebd541f8c9a7ebd5

SHA1
d074eda039f8c85046232fc5f18a78b751331ad0

SHA256
de2d54dd08f867998f0275fa8bdfaed01c0b680faa55a29e0d26b7343f69549f

SHA512
2f0e42fa90363c90809cb5ded63843c19ef3c1c5f2be22c8026940dee0ee098d8957589fbbcdaa4eadff36cb63e64b6ce32dae3d924fae29b5fd4abbacdbc78c

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
96KB

MD5
88a4fb6fc20d670bc829bcf24ad677ae

SHA1
de8aa49b806ef203a9f13f822f822088d239ed71

SHA256
23dc007828eed542b87111e19f0b350094729ab9b9273b3f7c7067d5f8b20f93

SHA512
1be63f8793ec470bb02bf668d5c9e4b5bdef83a20bb2b31433ce252d8a1702210650988fdefcad115d75ddee7c8dfc7f00763d06d89f73b4f3cb92d6d4fcb184

Download Submit
C:\Windows\SysWOW64\Gblbca32.exe

Filesize
96KB

MD5
8862e5c2e2d638c0d63b858853ce9974

SHA1
b00080a3f11a003fdaf8786d1917484c7b97a817

SHA256
6050467fd6edbce233e5f4ba6e37cfa6836ce78a05204a8531344e79da66f06a

SHA512
d1a3971edd238ad0d76d27df9f493aafd3468a67be39285dc5ad8d95ec8e8b731214702677c40bd57afb7c2a5f97ac64ce397cfa9015dfa5451276caeb8653aa

Download Submit
C:\Windows\SysWOW64\Gfeaopqo.exe

Filesize
96KB

MD5
ca18d6205b83dc1ebe56fddc6f29e512

SHA1
0798d016947f159952f3c0bc66ec73ffaf419e60

SHA256
0d1f56403060aaa512557f00084079aeb50655739cc6f5da87a0fa169b62023a

SHA512
d826924a146011a6cc52a244ce39407fc6e27c915d77d88299219569a4b3407c385c29376a59aa2f39cb12229fe009ab9b2c6eb81936583627f095fcb981864c

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
96KB

MD5
9a51ad585810bf9442cebfc65b42cebe

SHA1
d15db7d2c6d9df2697a6e9646f45961dc26bc21d

SHA256
5f14f1ba80295fa29831fe84695c8626e83fc22ae59b146fed0b1c434336cf1c

SHA512
3295c25ab42dcdbb3ee4e5b42a26019aad78baf9c7444f12d81c6be4d88242d408fe2bc58624a3c6242623d48e658ed84374f465501f6cca55ac1363722d80f0

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
96KB

MD5
cd64660165664cb622fae35aae215076

SHA1
4d7bf6ef1cdf68067fc3a24cc4aa0831b5820846

SHA256
515d4068077fba7e78a403ae05f8d9d105f317982f92b8228da6fe646c37ce1d

SHA512
8c43fb76da099acd180764d4f20f5c00eaf8c072c912cabceb921b44215ddbe65c9c5b385f46d6ef4ec95db355f6bc1d7d5dd0f64f5ea1e405855e4240ae02ba

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
96KB

MD5
be1c80e70ee21b0f88e2146de7a357c0

SHA1
f7528f320099f03b5149a237cba6d8d6664ca2e9

SHA256
950bce7730a46a3395b7937c0b049c41998f4723a40602ee342c3b4f4a3051d7

SHA512
d4227a8f19ad2d65ec9a25bb70c6b0f1020b28ba82fe6e9965cdd24ed51468a988dc239868b82ba4120b0b4a9fe847c278c54016b66914640614686b1a0c0e41

Download Submit
C:\Windows\SysWOW64\Iidphgcn.exe

Filesize
96KB

MD5
30c8531095937bc867f111a561e92a0c

SHA1
a76e8b2c35f1535633de9a2ac1580e1815291e4d

SHA256
afcabc1f943230bea5db33d96384d76ece775b549c7a9c0a8c3476438e04f706

SHA512
9e8dc4f25de00dd283926f4bf36403c502ffadfd374ab55e76fe693611bbc27b143eafeeb6b1b7d02e4058045b1e90958ec97c398edceb5f90baea634701aa07

Download Submit
C:\Windows\SysWOW64\Imnocf32.exe

Filesize
96KB

MD5
a644f4a8a5f6b7a21430e9134d457ca8

SHA1
f89cfc26ae4daba6d27ebc2307d5843121bb6139

SHA256
dc8698277eba6bc89b61b18a45059bf7f94f6215b32cf44f5f7f519b688437c4

SHA512
f67cf69806a19708ca4223820924fe76401c95dc96460755ba0ae54edc16f2aa81ceae29c5331c0faaf1de3408fba420d453f8bfa17e675ba5f427500152e4e5

Download Submit
C:\Windows\SysWOW64\Iojbpo32.exe

Filesize
96KB

MD5
26d7df8123a28f9bee4e46869b42976f

SHA1
dbe33cece20b47098914458136463c68167bdc35

SHA256
e5bcf0e635c804455b22d8571c72ace1aca74c0cc6a1e81fc18c49b84d140ace

SHA512
02307457f1f1028e622bf2747e6764da41a9b4169ceae144b8bc9f5d3d139e010dc8851340257273bbe5e6963b31f3f27f7aae013247df517afcc3918049944e

Download Submit
C:\Windows\SysWOW64\Ipeeobbe.exe

Filesize
96KB

MD5
f75e7d1909d776a0969b28a1e182972f

SHA1
be9f862dd8a68422a41103bc8585f369ca4493f2

SHA256
5e9d1d92cdc54e91029254b89cffdd9ef932d7fd8345d50ffeaba71843284400

SHA512
7632efb4bcaafccdf0915579dd65a11075b1f5744b472e107e92ca3628c31e6825b301a7e0e32e0de57cd9db9ba4d2633515f3cead757f2c48e5149d310fd515

Download Submit
C:\Windows\SysWOW64\Jdgccn32.dll

Filesize
7KB

MD5
4e3bd7f2da9772babdbfa37ace34a652

SHA1
623a2524b6b3553e96c36f313094e849a644dbda

SHA256
3031aba99663db82f2ea7221d5f10dd8b5bf4a2a7209a66642f755a57a36bfbf

SHA512
9f7f579654474b73c900cbb446a7170f4214a553cc2e65ff9355ec5a89c4298f445f0f1ebf310a30c2c3b1615f9e27bc70005380b7ba9f343e0ea27b37b0b93b

Download Submit
C:\Windows\SysWOW64\Jgpfbjlo.exe

Filesize
96KB

MD5
0ffbb21cba0c5d5b9b1c2949a1a4d8f7

SHA1
d0eaa4487419cb2edcbca278f575ea2e892b2575

SHA256
364e3951651f2e3a58624b415a3f6def35e41e28eb7aeaeb1799ac2012fcfc14

SHA512
6e738ba155c0acabc0cd039432389c321d935c9f2375f34a07f474d4a14356d17e7f7b76bf67efc9d3ce4e8e9c7b4cd8f52cf28460bbb06c87f3f877e3fe1d8b

Download Submit
C:\Windows\SysWOW64\Jleijb32.exe

Filesize
96KB

MD5
aac3f3706a2eba516de757c05c30ec02

SHA1
014e7d389be3ed3749bb8ae0d5a60f0234a004d6

SHA256
cce9eb6bfe0bbb2e37f47aa221048a14e802c7b85011dacd3dd0debb51481bc9

SHA512
78381a714cce2e4d1007241f3c817523f0b00455c4e4d24c2aae34f3998013262bbf1d511850ca02801b2bf66c133a4f24951a51a42d5d70b2ec4149a72247bb

Download Submit
C:\Windows\SysWOW64\Jllokajf.exe

Filesize
96KB

MD5
5bfd7b7fc16419b4cb481590aeed3619

SHA1
d5da7ee7e8f551a6e494a4894873d906d61e5cfe

SHA256
d509d2bc283492c95f098153ff6e3caa1194ccabba1a58f359fb645385b24f07

SHA512
f0ba209e975bc7a16c505aac89691d7a53cc61e4182de3ec5a8e032fd03d8d851bb429f25782303d1078bc66732b0cd89e31f293e25a4d611c5b4749e96c1595

Download Submit
C:\Windows\SysWOW64\Jofalmmp.exe

Filesize
96KB

MD5
2f606b8352b527919e30e50548c5e411

SHA1
0b2c5784bdfc0fd7a1fa45d4c4791169de70bf77

SHA256
e0fe9758e44575e6a91ee95f28a49d14a3e6327c51355a3c7159efba0315e587

SHA512
e959ac6f169e36f761f3365d4e9ed58a89d8a75cb55e0613765e335ab31e5313deaad7dee1e06034892e36fe556aa0abbe2543867f631c82d168a76a9e0ebf0c

Download Submit
C:\Windows\SysWOW64\Kcidmkpq.exe

Filesize
96KB

MD5
190b9089e1f068d42d1731264c4eebb4

SHA1
58c7ff18014e81308a84a92f299537cf025c0064

SHA256
194d06412c5f99ff6fbfb907f4343d5c2c3fda9687886ce53a58c77cd234d0a7

SHA512
b37856f7d352f27061220a7f30b3c0a886aaf8dd54f9ac90d358cfb8fc61f2363388d348de3c965a5b0a55be0b3cf0d228af34eac502e82a0b2dbbea6ace603a

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
96KB

MD5
1b9002ca9df86a927ee289e966224daa

SHA1
cbd663e06bedf496f28c9eb79fa8f9645b76a81d

SHA256
fb39cf1752ad44dc52083c8287483a4d862bb598889ef9c991e1f8d64874cd5a

SHA512
a1ea2418c1ec96addfd4ad990ead1cd92eb9879141952a13c46c10ce6cb63dd3fd682a39ea7fe9165c938e27290b84d2d52deb7390d5ccf636d97019d16cb373

Download Submit
C:\Windows\SysWOW64\Kpoalo32.exe

Filesize
96KB

MD5
02d1bdf2c7916f4290a03c03be8f3c5f

SHA1
c009d7e0e016d31eb4ccdcdc398b2b51a9263bc2

SHA256
1e9b88092731f0b4b61ca61a6359d0591926258f5914dad3b9d2b0c10d1b56d2

SHA512
2970ea4ef5f2fc147bfa91e0b586ec60efc55ef9da40fce4be76b66a2e0ac64cd8350f4bb253d98054f50a13ba1e150ad888105cbd239491844e97d58083cbda

Download Submit
C:\Windows\SysWOW64\Lcdciiec.exe

Filesize
96KB

MD5
32a26d6d742eb2ced197cd0beaae4521

SHA1
eacf1ac4f0d8f079c25b5950fc246159eedcea67

SHA256
a0261d335344b1599c013b9d14f4bd5aa28226b9f61c73bb545366188711f307

SHA512
3822758f198023f391924f02387f9a99e97cd5f1b3ef17eb03d81b85051f08597b88d17f56be1f556487de6d551d7c4469440f4e76068c9c114d2277bc3b10dc

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
96KB

MD5
28e5138139bed442595c858d5956ab76

SHA1
d7ae5a790d384d9834b57cf404826e9bfccfd1a6

SHA256
5c8c8448b31999592bd5e7e6677aa406f3b5bcc885c2f7ea20a8a9f7ee47813b

SHA512
67436e67c6497b1f4299c3a5548ea1ed068009673e060f62a82c064c841e58d354b4ac5da1502dd62e78b2934a017db8d60c66071466a7ac9b0b159cb085f8bc

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
96KB

MD5
8ddb99e473fe81f47b4f9c6770f96be7

SHA1
3ec89d6b06c13fb8bdd46e8a8a500ddc0076f43a

SHA256
919805b39c9578957b9eda66f002cf9714474ff972f8e733fbdcf0d40ffb26e9

SHA512
23c5ad4f74d8ba082cd491a2680eeff9727873240d77709b0d1d77d3097fa75669b6d6ca6e7bfa475ea6719fe335b6b89cec05e1e8714e0bcff0643c89e146d5

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
96KB

MD5
4729ef18174734c0772f208db1cd4b8c

SHA1
6d197e32e050be4a9111affc0b240bb818322270

SHA256
6b9cf59acb02ade16c2bb41d44aa8676959ee15d5389e70c2c3efdc07bada547

SHA512
daa1423eaaf9af9cbd49fdeb862145cd9c4046fdb384272692d47b82f5953977b1a153182b0ef7a70ea83cce415780f82001595ef611b61f7993d65050170013

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
96KB

MD5
6e747a01562dcb2b8c3d82b87fcccd39

SHA1
9125f926754660af20e18664cf48532a8ce40fbf

SHA256
73364071ea608fdd6d025e97b3c2f29d67a6798919eff6c9785a2def558a6652

SHA512
bf0ca62a76d8e96a0f530556c25c32cf8cd941b905097083887ba7b9f8739bc511a93a7e87dc165d6541fbde659597f3527b5306b67ca6d20b82bd6ddfeec298

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
96KB

MD5
130ccad71a7301938b4d81a252919882

SHA1
5789b1686aaa84b2e8682436f39c7541f8fec84f

SHA256
6d627b7baff1d06496d5132d8a7497415d74c062fb329e308baea08b44256929

SHA512
c1d057279601f6abe863b1fbc1fe3c91ee33d499cb4315e4026ed04b2bfe5dff7a43d03e69284744c25b4712f459ebab5282422d3d972bbdab8c5126bf5c1b88

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
96KB

MD5
336562c574f45e241c84103e1170ecdc

SHA1
c6f432bf356d06f53503dc505ba656f4d97538ad

SHA256
b8430d5a2db8a81a525d7e4fce6b25abd706c7ee49aedfb8fb57bb6a964e2de2

SHA512
8ac6ba4f98380661447cd68fc9a8dfaa8f9645fc8d431cf0d84fe90eaf764a1578ffb5023802b33c7fcd0883d585a390384636e83830f0dfa7987c65eb3f4131

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
96KB

MD5
602a6f40ad151c0a0e6c8a7c9bee810d

SHA1
f13f70c6d9655b62d2055dc91cc2dabc53b6dc95

SHA256
77cc53d5a2c6da7f749420127105c7d6d42513e8e00474444a7426c3fe0ac81b

SHA512
d07941ecf09403b139128ede78f99122b2625bdd4db98726b81a77fbf4bd0c0d13028de5d14ecb9971b2d2ee8fbc9d11375e71c827a7a127bb822a604d0aa2ef

Download Submit
memory/436-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/436-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/464-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/464-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/488-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/488-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/640-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/640-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/956-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/956-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-114-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1140-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1140-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1796-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1796-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1960-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1960-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2480-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2480-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3256-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3256-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3276-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3276-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3828-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3828-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3928-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3928-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4648-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4648-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-57-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads