8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe
Size

280KB
MD5

6d15cb9b9d6d50c6ddb69121ecbdbf75
SHA1

21df5aa20ec1cbb3080b0330ab3170b0845d04b9
SHA256

8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31
SHA512

2340cf9664be8c8bc86bc99e22e8e1623663df0111e3ef29215feab1c6dfe2c2b2b2b64aee2b846cf5a869b39424f8bf6397490f2cea75360622e0d25102550f
SSDEEP

6144:ZRGbl3vr/YD3vfPi/GOORjMmRUoooooooooooooooooooooooooy/G3:ZcBTq3vXi//OVLCoooooooooooooooom

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgihaji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcgiefen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgihaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqdcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmfplibd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmfplibd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hemdlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hemdlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekqmhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpgind32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe

Executes dropped EXE 43 IoCs

pid	Process
1208	Fbgihaji.exe
2100	Gidnkkpc.exe
5008	Gejopl32.exe
2172	Gihgfk32.exe
3428	Gmfplibd.exe
4988	Gpgind32.exe
2496	Holfoqcm.exe
4064	Hffken32.exe
1320	Hekgfj32.exe
3248	Hemdlj32.exe
1012	Iohejo32.exe
4392	Iojbpo32.exe
3552	Ioolkncg.exe
1700	Jekqmhia.exe
3516	Johnamkm.exe
3508	Klahfp32.exe
3472	Klfaapbl.exe
4560	Lgpoihnl.exe
4640	Lfjfecno.exe
1096	Mqdcnl32.exe
2988	Mcgiefen.exe
4648	Nclbpf32.exe
4396	Nfohgqlg.exe
3620	Nfaemp32.exe
316	Offnhpfo.exe
4568	Ojfcdnjc.exe
4408	Phonha32.exe
4464	Paiogf32.exe
2528	Pmblagmf.exe
3968	Qobhkjdi.exe
4740	Qdaniq32.exe
5044	Ahofoogd.exe
3252	Amnlme32.exe
4312	Aopemh32.exe
3916	Baannc32.exe
1508	Bhmbqm32.exe
5084	Bhpofl32.exe
260	Bdfpkm32.exe
2980	Cdimqm32.exe
1996	Caojpaij.exe
4468	Caageq32.exe
2596	Dpiplm32.exe
3592	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbklgfdh.dll	Hemdlj32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Aknhkd32.dll	Fbgihaji.exe
File created	C:\Windows\SysWOW64\Gmfplibd.exe	Gihgfk32.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Phonha32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bhpofl32.exe
File opened for modification	C:\Windows\SysWOW64\Gejopl32.exe	Gidnkkpc.exe
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Bjokon32.dll	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Johnamkm.exe	Jekqmhia.exe
File created	C:\Windows\SysWOW64\Mfcjqc32.dll	Johnamkm.exe
File created	C:\Windows\SysWOW64\Lihcbd32.dll	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgihaji.exe	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe
File opened for modification	C:\Windows\SysWOW64\Iohejo32.exe	Hemdlj32.exe
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Aopemh32.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Klahfp32.exe	Johnamkm.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Offnhpfo.exe
File created	C:\Windows\SysWOW64\Nphihiif.dll	Offnhpfo.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Gihgfk32.exe	Gejopl32.exe
File created	C:\Windows\SysWOW64\Enjgeopm.dll	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Gihgfk32.exe	Gejopl32.exe
File created	C:\Windows\SysWOW64\Klkfenfk.dll	Gmfplibd.exe
File created	C:\Windows\SysWOW64\Gejopl32.exe	Gidnkkpc.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Klfaapbl.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Aopemh32.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Hekgfj32.exe	Hffken32.exe
File created	C:\Windows\SysWOW64\Ejhdfi32.dll	Iohejo32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Hffken32.exe	Holfoqcm.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Aooold32.dll	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Bdmlme32.dll	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Caojpaij.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Dgmchiim.dll	Gidnkkpc.exe
File created	C:\Windows\SysWOW64\Kmhjapnj.dll	Holfoqcm.exe
File created	C:\Windows\SysWOW64\Mcgiefen.exe	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Ckkpjkai.dll	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Klfaapbl.exe	Klahfp32.exe
File created	C:\Windows\SysWOW64\Lfjfecno.exe	Lgpoihnl.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Phonha32.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Hhjhdagb.dll	Hffken32.exe
File opened for modification	C:\Windows\SysWOW64\Mcgiefen.exe	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Lgpoihnl.exe	Klfaapbl.exe
File opened for modification	C:\Windows\SysWOW64\Lgpoihnl.exe	Klfaapbl.exe
File created	C:\Windows\SysWOW64\Nfohgqlg.exe	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Ojfcdnjc.exe	Offnhpfo.exe
File opened for modification	C:\Windows\SysWOW64\Phonha32.exe	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Qobhkjdi.exe	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Klahfp32.exe	Johnamkm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3460	3592	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gejopl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkfenfk.dll"	Gmfplibd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll"	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll"	Gidnkkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hemdlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll"	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll"	Hekgfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll"	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migmpjdh.dll"	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcgiefen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhjapnj.dll"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjhdagb.dll"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hekgfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll"	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 1208	3104	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe	90
PID 3104 wrote to memory of 1208	3104	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe	90
PID 3104 wrote to memory of 1208	3104	8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe	90
PID 1208 wrote to memory of 2100	1208	Fbgihaji.exe	91
PID 1208 wrote to memory of 2100	1208	Fbgihaji.exe	91
PID 1208 wrote to memory of 2100	1208	Fbgihaji.exe	91
PID 2100 wrote to memory of 5008	2100	Gidnkkpc.exe	92
PID 2100 wrote to memory of 5008	2100	Gidnkkpc.exe	92
PID 2100 wrote to memory of 5008	2100	Gidnkkpc.exe	92
PID 5008 wrote to memory of 2172	5008	Gejopl32.exe	93
PID 5008 wrote to memory of 2172	5008	Gejopl32.exe	93
PID 5008 wrote to memory of 2172	5008	Gejopl32.exe	93
PID 2172 wrote to memory of 3428	2172	Gihgfk32.exe	94
PID 2172 wrote to memory of 3428	2172	Gihgfk32.exe	94
PID 2172 wrote to memory of 3428	2172	Gihgfk32.exe	94
PID 3428 wrote to memory of 4988	3428	Gmfplibd.exe	95
PID 3428 wrote to memory of 4988	3428	Gmfplibd.exe	95
PID 3428 wrote to memory of 4988	3428	Gmfplibd.exe	95
PID 4988 wrote to memory of 2496	4988	Gpgind32.exe	96
PID 4988 wrote to memory of 2496	4988	Gpgind32.exe	96
PID 4988 wrote to memory of 2496	4988	Gpgind32.exe	96
PID 2496 wrote to memory of 4064	2496	Holfoqcm.exe	97
PID 2496 wrote to memory of 4064	2496	Holfoqcm.exe	97
PID 2496 wrote to memory of 4064	2496	Holfoqcm.exe	97
PID 4064 wrote to memory of 1320	4064	Hffken32.exe	98
PID 4064 wrote to memory of 1320	4064	Hffken32.exe	98
PID 4064 wrote to memory of 1320	4064	Hffken32.exe	98
PID 1320 wrote to memory of 3248	1320	Hekgfj32.exe	99
PID 1320 wrote to memory of 3248	1320	Hekgfj32.exe	99
PID 1320 wrote to memory of 3248	1320	Hekgfj32.exe	99
PID 3248 wrote to memory of 1012	3248	Hemdlj32.exe	100
PID 3248 wrote to memory of 1012	3248	Hemdlj32.exe	100
PID 3248 wrote to memory of 1012	3248	Hemdlj32.exe	100
PID 1012 wrote to memory of 4392	1012	Iohejo32.exe	101
PID 1012 wrote to memory of 4392	1012	Iohejo32.exe	101
PID 1012 wrote to memory of 4392	1012	Iohejo32.exe	101
PID 4392 wrote to memory of 3552	4392	Iojbpo32.exe	102
PID 4392 wrote to memory of 3552	4392	Iojbpo32.exe	102
PID 4392 wrote to memory of 3552	4392	Iojbpo32.exe	102
PID 3552 wrote to memory of 1700	3552	Ioolkncg.exe	103
PID 3552 wrote to memory of 1700	3552	Ioolkncg.exe	103
PID 3552 wrote to memory of 1700	3552	Ioolkncg.exe	103
PID 1700 wrote to memory of 3516	1700	Jekqmhia.exe	104
PID 1700 wrote to memory of 3516	1700	Jekqmhia.exe	104
PID 1700 wrote to memory of 3516	1700	Jekqmhia.exe	104
PID 3516 wrote to memory of 3508	3516	Johnamkm.exe	105
PID 3516 wrote to memory of 3508	3516	Johnamkm.exe	105
PID 3516 wrote to memory of 3508	3516	Johnamkm.exe	105
PID 3508 wrote to memory of 3472	3508	Klahfp32.exe	106
PID 3508 wrote to memory of 3472	3508	Klahfp32.exe	106
PID 3508 wrote to memory of 3472	3508	Klahfp32.exe	106
PID 3472 wrote to memory of 4560	3472	Klfaapbl.exe	107
PID 3472 wrote to memory of 4560	3472	Klfaapbl.exe	107
PID 3472 wrote to memory of 4560	3472	Klfaapbl.exe	107
PID 4560 wrote to memory of 4640	4560	Lgpoihnl.exe	108
PID 4560 wrote to memory of 4640	4560	Lgpoihnl.exe	108
PID 4560 wrote to memory of 4640	4560	Lgpoihnl.exe	108
PID 4640 wrote to memory of 1096	4640	Lfjfecno.exe	109
PID 4640 wrote to memory of 1096	4640	Lfjfecno.exe	109
PID 4640 wrote to memory of 1096	4640	Lfjfecno.exe	109
PID 1096 wrote to memory of 2988	1096	Mqdcnl32.exe	110
PID 1096 wrote to memory of 2988	1096	Mqdcnl32.exe	110
PID 1096 wrote to memory of 2988	1096	Mqdcnl32.exe	110
PID 2988 wrote to memory of 4648	2988	Mcgiefen.exe	111

C:\Users\Admin\AppData\Local\Temp\8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe
"C:\Users\Admin\AppData\Local\Temp\8fccc867a7e8c0c801b833d5d61ce0730f99c619c0e60c32e23333fce07cfa31.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\Fbgihaji.exe
  C:\Windows\system32\Fbgihaji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\Gidnkkpc.exe
    C:\Windows\system32\Gidnkkpc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\Gejopl32.exe
      C:\Windows\system32\Gejopl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:260
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        44⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 412
        45⤵
        Program crash
        
        PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3592 -ip 3592
1⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adfokn32.dll

Filesize
7KB

MD5
e04e316d070cd29ffa1e0073599e7725

SHA1
7870aa7554c2d5157c6e653c87265984bd1e2d89

SHA256
5648f7341eaacb71dea24087a17d81460ba9e47b75fcf7123f0f8de512ba4209

SHA512
c1bda7b6a1e94d64e9578c9884812f3fe675589736b300e09b5442e1fc49475823baca883825f2e487976d649dce65bf494b789416d3a0d4ac1d83f6b24badc2

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
280KB

MD5
a937a4879bb4434aca072d2ec706fbb7

SHA1
ec2c7a12abfea7b6c31e4b6f53ec0487178940b9

SHA256
7da4089b7ef67e2f291a2bcd0dabf6803eef39fef70d0a84cd02c9f71db663c6

SHA512
4c81a02398ced533f6f4e830780b7f189fba062f9d0c3866db6b1c10e8a774a31a64f5aab89d82dcff6b5df22d8229079865636fc13a3efdc3e63679c5ea78d9

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
280KB

MD5
edc6aaef2ce50fa13380d7d20f0641c4

SHA1
4f6436f2493795bb615243bd39ee31ba7b8787c3

SHA256
3e0ca93136d6c9d48101c7a162ae0d87ad084b6120080c64745c4792fce1ad8d

SHA512
50b590e67cb9612e82fef68258274e414b6cb33c3cb50188edee0048aeb6c08e293eca4ef6fdb8ae9d0b20465e64fb031ada3b00e5ff7758577b297d1036f1b9

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
280KB

MD5
05b4ede0de8848a2235974e1ad0eb2b1

SHA1
d7665ca69844c0142311328106ccd7e918d2289b

SHA256
cdac8eb9172d903866ed7d2db1a12b40254905ef8b69859539e79e4f900ba775

SHA512
42711a0aad3b498a42484081d307234c9620df9126ced78ef28cb57db4af9fc3b16bb96ae786fc1a5064ec577791bebedd0ac4c7399ab5d50e5b37d5a44ab9dd

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
280KB

MD5
d833ae192721bcfe5871475d7c9c03de

SHA1
ba2e95c08d160f6aaa6ab0097a3b64cf2e3cc751

SHA256
3e51b4d8bd306f3571c4e55f5346bf1f03533fe5362b56f795b9fb0581270f58

SHA512
f1aac2108e00f1164e31f2fc3fac1f8a3d063dbac032004486cf82fb5c5b9c8242c4ffd2716dc29969e2dbcad7562af44e042ce8df1d87c9d0a74c72345ac1d9

Download Submit
C:\Windows\SysWOW64\Gejopl32.exe

Filesize
280KB

MD5
e6a6168a88892140f129ad95d572daed

SHA1
b64cff8310037240c55cc3fc0cbf3431eef7d9d6

SHA256
6acfc58e40584433b19d1615f6ef6cc1e9b29791ac98a4bdbc83a6e0ff9053a5

SHA512
6753dec7fcdf3f6f6ef6d087ed31d1816a2b0f56073f23fa25d22ab83b411d12c3662d46a4e5fffbfc40641a65ce9650269c627bad0a5b2150d3d6711dbc21e5

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
280KB

MD5
d2a01ecbfa4a477982839406acb1b520

SHA1
3709df2071a6ebc9b000dda54e42cc3fdd479296

SHA256
a83e74b0a634ea37d5f4b4c0eedfadbe54efea6a25f6937eeb1c9313ee516c44

SHA512
f1c4689379c52526a463b788b7e2b17bfda7fc44543ecdceb28300cd88eb454d9e0686d8223daf29b5944f79715cba440d7f0d84f32fd817b4c6e1dd91c3639e

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
280KB

MD5
4782335c12a1d72310e198ee497b92d6

SHA1
0171d64f3e061725ac41b1f9e0747f05dd26f92b

SHA256
da755a2354ce6b5cb7dbe864048ff4e65d7e5aadb378354bd920f2ebda59a443

SHA512
6c1d08ed21b5ed4954ece62974f9455b783b7a4dde3a5765bddca64f3a4eb097442e57b3b389dc1c9ca461bbde23624c1805722b7052c5bba38c85f6eacd61d6

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
280KB

MD5
08dc30dbc7a81f0d28c59f54b2da25f6

SHA1
e8ddad658f7cc794c39dc43156f57f6ad938b621

SHA256
77d11c231ffa5564f393eda168903e0c647ef18675c3906c2b6f2917d0c18d42

SHA512
c53608b2d07044c90a4adf98e69e7be782f4004d148cfe57b75d75e9c19219b82e5e394591c96102296e55a5816423c9449f8c56db4e7528d054f2e43c78855f

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
280KB

MD5
dad401f0e6eba089b43fddacfe035014

SHA1
62858e3359dc47b7a71271a57c09e6368c227b47

SHA256
b2b30a0524c76fe8b80b34c809d262ccb104c7a1fd1d71bc38c7e54c1be7257c

SHA512
e31653ec246b282ca8562db6607203180254cb01c54d709721327263ae313d22cf8240daa79887e02ebe8e7b976055627726b02e989d427439bd9e431d7c25f6

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
280KB

MD5
10aa01e784341f034cc9c69e88272759

SHA1
8407eab207103b8fae739dc89ba78d4bce5f6251

SHA256
db4d36b7723fc1d29c58292aa9e752cd9767fffa35f2b9fa716e40e77f2e38f1

SHA512
dc4fcbf12374ce8a370afeca69443936d2f27a5e4186230cf93499adc67d77c80dfc3ce0b43d2da287bbc4dd9d363b7aaac7374323102f0ab1eb3dde54e1bb3f

Download Submit
C:\Windows\SysWOW64\Hemdlj32.exe

Filesize
280KB

MD5
2030bbcc8f92f0d38aef6ecc48598014

SHA1
15e0ce0f9609e05b493c35c79625301c2fb5fe02

SHA256
0faab65034b27091333f3daa1730cbc1e788bacd83399ef15c6cf89bde9ef6c2

SHA512
58d785ff71cd3ac4e03c3fbcc01dad1cca956edbf92ef0fbb29de14d262ebeabc2bbe3e7aaa926f4cf2ba69ec7b44c470dfffb6fabeb82c76e43fa1fabc8fa2c

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
280KB

MD5
eb453428190633386c9f9b0234070b81

SHA1
b98ad7e50fcc3ebf9403256bfb9a04be15e79fba

SHA256
dab2b0ff4786fb88d8fefa1b27a2e649fc5d21b1da9ffbad4d1521daadc08715

SHA512
e593afb77022de8a37466fe1a32d8b6ff857f118d53ebe56ad0e1e7d33aa8d50c4c1e00c8361076e173ecf1d01d99b1020df4a7ba99af4b0799a421374310009

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
280KB

MD5
e880a307ded77b32f652c37f9819fb66

SHA1
fd5f44c07a4dfa52d6182a36b2280dbb768564a4

SHA256
82b345cb6738b07c10253ed4c321ff58d477473c5fa1edd649a05657ab2bcbbf

SHA512
209d078c637866ed08178d31b2dfab6f030bbefb5ce9e2e4558917983f102855dfdbd16a4a7c845b06ab9fa04a8d00bc32b4baad45993c67d2cc05cb71f18ef5

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
280KB

MD5
70b0ffbefda51658d287ecb504b081c6

SHA1
23df64b4b3d8481e72c10ba648aa6644a147a954

SHA256
3e64d311f52cabc6141b290aeac3dea3edd146a233646b0f0095bd818fc18992

SHA512
f0df54e4a639057636e0d2a39a386262c7ebfd340f9b1cd5ad90e2490624b4d3c61745e7b922568f371b3fd5e13890f9fe11cc66be62485b57118aea9e306be4

Download Submit
C:\Windows\SysWOW64\Iojbpo32.exe

Filesize
280KB

MD5
1b246c3f5418286eba54e52829f97698

SHA1
74b32e7c66cea00f099a793d2aec7ec8f9cf469d

SHA256
56833a9bcfa3e4e58b2d5c556afbb1b739980f77e624e2f65ddc0d64058630bd

SHA512
7b1cd8630c37a6f189b2dd51259422fbb9310033c0c03a985ca7f122eb68ee80d0c4370409b51f23a84d09e0624f6c2ad097aeff21a5677a2fa3821bb80705d8

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
280KB

MD5
cad0d32636179fed39083164c754d8b4

SHA1
9f6cfba7f0cd4557e4a7e3797b9020589d13e286

SHA256
bcd31593cdbd896280da85d33e2c76755132b5a9373ee6d85d1ee0ec60475c68

SHA512
ce988c3914dbbda10f82469177974c3ddb58ce35be48c4e43a9887b5ca43160c2e0be4b438832709f7062f3b17d4a99d0b4640eef4bb4155bf786b873e5600e7

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
280KB

MD5
e8cd497f4ba5bb5274e30cda70eb801a

SHA1
65e90de241d648d318ec62867779240e78e317db

SHA256
fe68804fb235192c586927d36d6036d6fa1dabf1f56c22fe581bc140d8205751

SHA512
c069db8f1303ccee8d55c635013ee74c60706af21beb48e50ebc92e11fd6bce16a7f8d085cd59845e95f9bbb959490b40f03654c0f2705fc8d107d282b3aac7f

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
280KB

MD5
0908cdccba4691ff26a15b3541bb259d

SHA1
715eaa452a6fb15596fc68a385e2fc8442a1fba0

SHA256
ef337bedfa2b124588f870db815058ecf348663c07c63674e1dd758a5478796f

SHA512
c166ff3005b390593fd74abd788bc865e9b53b32ec6c93cf2408cc9b102193ec52d2eeadb278a397312cb4c5d743e1396339ae987c7e0f18f490350e9aef8f60

Download Submit
C:\Windows\SysWOW64\Klahfp32.exe

Filesize
280KB

MD5
73e7c4da20e00bfbb9b638ed3021479d

SHA1
d80518d160732881a3f4fcfc54dfd1fbc7a6a75d

SHA256
bb3816f345b8d6170837ff4a05be582da84300df3518fb2d0acce2617b97500f

SHA512
09d4d0498980a28a029c35435a9aedfe444e9dd99f1a24721517e248da2439088eb3397c79d89faf5a07285ab90fcb42e142bd0fb301d90ab97128eda908be68

Download Submit
C:\Windows\SysWOW64\Klfaapbl.exe

Filesize
280KB

MD5
2c0fe24f21d291b2225fd6da5b65b1b2

SHA1
9fb773a29330706b42089441a6cc34f9a3abf6d0

SHA256
07909e1299ead253565a8f7018348dbc7a6392c73d8bc76890f86db6b310102b

SHA512
8fd7a26fa020e530a6813a28582d36b9a58b113eaed09fac4be16b1c8cd1c8eeedb4110b1c48238d8f000a34a134020d049d27dcbb9998e5656ab356bceca790

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
280KB

MD5
d368075e256712b88f0751ae83ff9ec4

SHA1
883e59589b74a6c76f42bfdc755b66fb84e20eb3

SHA256
9ebe16d27348bedb3a4f0c1301b039f81a608aca08dca0fb6457f23c4695456e

SHA512
9aec5bd3ce0631ba1b0b274d0805dbcdfa7eac256b6d5442d190ca60f20fb59d171c7e86beb2c5121911976b9c5be5007587bc0c5274e6ef290e6351f3c15c95

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
280KB

MD5
61e9ca2c820cc48b3efc371b32646145

SHA1
eebc412ce252be7c37ac190cd3208d7e58358e46

SHA256
bb618d5a383da15ffee45d42acbe18f6f988d7165baa4e5ca954ec8ece5cb902

SHA512
eada292d80ea16b558e602fb47209d0767104a3f79aef809858256079974cc170f558b3245df2e6a2c4b6ae4d8a6966a1984b04fc79bfc129e37cc3d6cf8cb72

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
280KB

MD5
0ed3d1a80488736b44bccb671294d3e9

SHA1
aa9ce5668cd4a9f1ba9596f701b0625e8cb7f39b

SHA256
a3c44ad61045edda1026c3e0589559d4158b5b36b11a0625865417350c9557d4

SHA512
e135b95df5904010c204e1137710c823c1e936919486bc910dd513035c32f319b8bb11955819e7b37ff52dd599e3fc97dca677e5620a6d75bbf41674f2950926

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
280KB

MD5
e70ab4b0bb1befe80a431c59bdc282dc

SHA1
273bb1df976486c74be11638ebcc219fecdae2c1

SHA256
99ff8a5e47bbf22e925dc85ab3769ef8571b5251551658363ac9e5e9021b8a38

SHA512
4ee0abfa1abaf1863ee9ba0cdb9ec0ec68bc8724523b0f6b32543da01e56c8f741272fff97222ed3aa04c0388a36d285f35ea323ff8a15fdc9175f055665b55d

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
280KB

MD5
cf854b2a34098c7b968d72219e5862f8

SHA1
9236be30f1df5a7aaa3587e5d65ae6e554626b53

SHA256
cee82cd20af6d6cdc703e963e14ab3876693a26cf095a2b6c09075419c85f573

SHA512
cce4b3e607f11655446c235ef7ab461b480bd96b8a261b33e67fb7d3ad863fb022457d45d947ced364972bbe87f121f538ca1ee049c558de24a02366508a3242

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
280KB

MD5
805e25552f088af99bc871b5393ece67

SHA1
939071e27d06d4f73f35c50de013249413b69089

SHA256
e5596d52793fe130bc0be723a7cc892b2b50cbf831cedec81948033e5135be47

SHA512
9d2b281e6a1c94d1d9473e600bf8180458ed047c276fe119b035972f06c8bfe98a6027d20728d738e2e7fcae24a3aca37739306052dca3c5b6c468b835722103

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
280KB

MD5
792d7b9df598a5b761811fd997146aea

SHA1
bc1e0c5e522244f68aec0c98cee10d89466c6687

SHA256
598facd6032643328b16f2c38f56c9e1541f5c8e93b2556765fbf8935b2f7f75

SHA512
5e6f3a51c5d0132876c4727d458d3e53ca40aec981c498803636d6bdb61d760ed11028b5ca5256aeaf822faa57120adfb6cd5449dd18631daf56541aea7202f4

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
280KB

MD5
ea34694830f4f0dcc2caacfc2c6f72ba

SHA1
379608fba60df46ec21baf7348fd51a79c22ab66

SHA256
12b2e0175a578dcc23e4f8587b6792f2e0fbe373732a9925c5c7fc82d0c58a5c

SHA512
a63ec9eda09d0064e0ec4771021200c7a08b2d17efdaa2b9b12a1aa06dbcd808f155d4df6d21e3aacea1717fe65e5d957939afb928965dc74c3bd6985ac05cc0

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
280KB

MD5
e0977b57f1b06598365689e428705912

SHA1
0d254132dbe411fafbd39557aed0093571835b22

SHA256
10f1dd5909274004bf08bc867c4d33f9ab7e2b1a168738b41566efa079c0d071

SHA512
83eb0ec6ef354b2846ddeb4918520d5174e1dc5485a598ca29bf1459bb1ba8cd45009f2c7e94b2d22cd0ca20e02bff62ee3cd6be4688d6e1cc20d6cb97aa30f2

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
280KB

MD5
f2fad1dbc97a713ebd73b8e21ea5090e

SHA1
d04a6fa838d5e69ff93242605d19180754b42ccd

SHA256
b2641338b35daba2162a86af807515b5e51b8f0722e7970d5b57a05e3aa67a56

SHA512
dab70214e62ef9683365b0a4e0713c44b8bdb6836dd40c10a78445125caf08a121d703d38c9133434eef0d9c99c8f80a448f9be3f2202eb302c7845b4963bf61

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
280KB

MD5
4f902671079ecd4c80b67354bb60cfc8

SHA1
8c8107b9490fde7c8b2d78d85d709955e2c3f66b

SHA256
1df4cb30252ae8ad51a977e02d2a1daf1346ca71b6475d5ace5486625f0703d7

SHA512
95a56bf7263a3912ed7bce5beea9cd3d34f303f8467806c8cc4d87a7ce6a46f092b5e631fe14070b4a0ce96b4901145903d2a3c708acea92254f72d85ada13a7

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
280KB

MD5
058e87c11449a7c935449169c56c1c72

SHA1
a511b0f986ff5f0543b5e04b4d647c1f88ef6d97

SHA256
ee4151f242c416c7db399db06646bda44f5217e19f79eeca2b7fee56d75fe809

SHA512
9de8715b38e716fdcc865d0eac0a8be8c12b8f21c5f3635d5d62a156677bf9f41ec0ec23f32c45f1fd9c813eb3ef48ff0920a3723d37b7d08fee50e0294ecc9e

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
280KB

MD5
e01cb08c2e1840fd8bd4fba944dc3767

SHA1
6ce3114c0ac340a1578d066f68aa5eeb2e60c67e

SHA256
fbebdc972bf2d52976dabab71c9bbaacf2faf7f2eed72c6a9f9771d2920c2203

SHA512
e5298650f1b3ab988b162b1507fb91abe807e3d395d939c6c08f18899bfa9cfb332d3a3544f8abbe7da3ee298d7c8c104df7404e0ac895e67150502df9b07389

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
280KB

MD5
d784aeca5b38bb95eda77dcb2e8c7237

SHA1
113fc88d8a7c24390ac3cd310f42b09683c68c6f

SHA256
a20c03c30096d56f1ce05a5e0b1d0d0346af6cc386b8e3053c3f2990c353a711

SHA512
cc5fb72528e74e21536c346b3e3f7ebbe098fde9bcb0fe7fae36248f7a40dcc25d6c6964f367c613e3e8bb2a0f3d08c66c1a1fa628034cd371796c051e992c63

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
280KB

MD5
0c078f224673353fc43ee8007c834ba8

SHA1
8a6fd785a92ee71ba95f48b40382cec2d235dc63

SHA256
ae6b9e8f47b40bf6e2904dc98d2761b3adf20b1cd5e359acdc76fc3a267bdecb

SHA512
191c20d962b368fd1759a5952203ea42de5d3e201b62e281e9945c4cb3bc749ebe9c5cfd9188ba53b625def4f0d20511f6935a27386f0796a598c2447ecb1759

Download Submit
memory/260-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/260-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads