acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33

Analysis

max time kernel
135s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe
Size

479KB
MD5

675d007618821882a450fcb69ec6b946
SHA1

0b26e3b1197fc5089cd08ceb25d512319cafca20
SHA256

acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33
SHA512

94a04cae98bd94ac50bec19e7140a6c84fd544a9f4e7e8ac317696c363af4c8739d2338eb344be2b797cf37b8b248d5a0e1e9df5ddc35e94ffbbc42c2df1ec01
SSDEEP

6144:uZDXBf1E+sycRJ6EQnT2leTLgNPx33fpu2leTLg:I7uRJ6EQ6Q2drQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mphamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phiekaql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljoboloa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmokpglb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgjdibf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkaip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mphamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmebblf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegnol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eangjkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgjdibf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqbohocd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eangjkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Femigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfqjhmhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiqkmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaofedkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcabhido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgbob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpfko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiqomj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phpklp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geflne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljoboloa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmebblf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capkim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eimelg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifphkbep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poagma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiqkmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bggnijof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eimelg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geflne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nahdapae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbhgjoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpfko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaofedkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqbohocd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckglc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noehac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noehac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifphkbep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpqap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhadgmge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeffgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmckmcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phpklp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhadgmge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poagma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmckmcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhmmieil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckglc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgbob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akopoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdnka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfod32.exe

Executes dropped EXE 40 IoCs

pid	Process
1628	Icgbob32.exe
1820	Lmgfod32.exe
1312	Lhadgmge.exe
1304	Nahdapae.exe
1420	Noehac32.exe
4476	Odgjdibf.exe
4956	Poagma32.exe
1504	Pdeffgff.exe
4908	Aiqkmd32.exe
4876	Bgkaip32.exe
2212	Clmckmcq.exe
3492	Mhmmieil.exe
4820	Mphamg32.exe
3336	Nmbhgjoi.exe
3532	Ohkijc32.exe
5008	Ogpfko32.exe
1408	Oiqomj32.exe
4428	Phiekaql.exe
1388	Phpklp32.exe
1784	Aaofedkl.exe
3932	Akopoi32.exe
3608	Bggnijof.exe
4988	Bqbohocd.exe
2392	Cnmebblf.exe
864	Cegnol32.exe
872	Capkim32.exe
5028	Eangjkkd.exe
1240	Eimelg32.exe
2056	Femigg32.exe
1344	Geflne32.exe
3720	Hifaic32.exe
3472	Hcabhido.exe
2404	Ijdnka32.exe
3264	Ifphkbep.exe
3316	Kfpqap32.exe
2744	Lckglc32.exe
452	Lfqjhmhk.exe
5024	Ljoboloa.exe
4244	Mmokpglb.exe
416	Mbldhn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Capkim32.exe	Cegnol32.exe
File created	C:\Windows\SysWOW64\Kfpqap32.exe	Ifphkbep.exe
File created	C:\Windows\SysWOW64\Hpqkcc32.dll	Poagma32.exe
File created	C:\Windows\SysWOW64\Aiqkmd32.exe	Pdeffgff.exe
File opened for modification	C:\Windows\SysWOW64\Nmbhgjoi.exe	Mphamg32.exe
File created	C:\Windows\SysWOW64\Oiqomj32.exe	Ogpfko32.exe
File created	C:\Windows\SysWOW64\Lkkgqn32.dll	Ogpfko32.exe
File created	C:\Windows\SysWOW64\Hifaic32.exe	Geflne32.exe
File created	C:\Windows\SysWOW64\Ckmacl32.dll	Hifaic32.exe
File created	C:\Windows\SysWOW64\Onighcgh.dll	Pdeffgff.exe
File created	C:\Windows\SysWOW64\Eiopdhnf.dll	Aiqkmd32.exe
File created	C:\Windows\SysWOW64\Jgkbak32.dll	Bgkaip32.exe
File created	C:\Windows\SysWOW64\Akopoi32.exe	Aaofedkl.exe
File created	C:\Windows\SysWOW64\Idqogkic.dll	Bqbohocd.exe
File opened for modification	C:\Windows\SysWOW64\Bggnijof.exe	Akopoi32.exe
File created	C:\Windows\SysWOW64\Ijdnka32.exe	Hcabhido.exe
File opened for modification	C:\Windows\SysWOW64\Ifphkbep.exe	Ijdnka32.exe
File created	C:\Windows\SysWOW64\Lmgfod32.exe	Icgbob32.exe
File opened for modification	C:\Windows\SysWOW64\Odgjdibf.exe	Noehac32.exe
File opened for modification	C:\Windows\SysWOW64\Aiqkmd32.exe	Pdeffgff.exe
File created	C:\Windows\SysWOW64\Clmckmcq.exe	Bgkaip32.exe
File opened for modification	C:\Windows\SysWOW64\Akopoi32.exe	Aaofedkl.exe
File created	C:\Windows\SysWOW64\Lfqjhmhk.exe	Lckglc32.exe
File created	C:\Windows\SysWOW64\Icgbob32.exe	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe
File created	C:\Windows\SysWOW64\Nahdapae.exe	Lhadgmge.exe
File created	C:\Windows\SysWOW64\Phpklp32.exe	Phiekaql.exe
File opened for modification	C:\Windows\SysWOW64\Ijdnka32.exe	Hcabhido.exe
File opened for modification	C:\Windows\SysWOW64\Mmokpglb.exe	Ljoboloa.exe
File created	C:\Windows\SysWOW64\Nheeabjo.dll	Lckglc32.exe
File opened for modification	C:\Windows\SysWOW64\Noehac32.exe	Nahdapae.exe
File created	C:\Windows\SysWOW64\Nmbhgjoi.exe	Mphamg32.exe
File created	C:\Windows\SysWOW64\Cnglpdin.dll	Phpklp32.exe
File opened for modification	C:\Windows\SysWOW64\Eimelg32.exe	Eangjkkd.exe
File created	C:\Windows\SysWOW64\Qjdhlc32.dll	Eangjkkd.exe
File created	C:\Windows\SysWOW64\Ejnphkkg.dll	Lmgfod32.exe
File created	C:\Windows\SysWOW64\Ijmjaqam.dll	Ohkijc32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmebblf.exe	Bqbohocd.exe
File opened for modification	C:\Windows\SysWOW64\Mphamg32.exe	Mhmmieil.exe
File opened for modification	C:\Windows\SysWOW64\Ohkijc32.exe	Nmbhgjoi.exe
File opened for modification	C:\Windows\SysWOW64\Ogpfko32.exe	Ohkijc32.exe
File created	C:\Windows\SysWOW64\Mkpeom32.dll	Lhadgmge.exe
File created	C:\Windows\SysWOW64\Cacjdgkj.dll	Clmckmcq.exe
File created	C:\Windows\SysWOW64\Femigg32.exe	Eimelg32.exe
File created	C:\Windows\SysWOW64\Oiohgjga.dll	Hcabhido.exe
File created	C:\Windows\SysWOW64\Glbqampo.dll	Noehac32.exe
File created	C:\Windows\SysWOW64\Mphamg32.exe	Mhmmieil.exe
File opened for modification	C:\Windows\SysWOW64\Phpklp32.exe	Phiekaql.exe
File created	C:\Windows\SysWOW64\Lhadgmge.exe	Lmgfod32.exe
File created	C:\Windows\SysWOW64\Ppehbl32.dll	Aaofedkl.exe
File created	C:\Windows\SysWOW64\Eimelg32.exe	Eangjkkd.exe
File opened for modification	C:\Windows\SysWOW64\Kfpqap32.exe	Ifphkbep.exe
File created	C:\Windows\SysWOW64\Pdeffgff.exe	Poagma32.exe
File created	C:\Windows\SysWOW64\Bgkaip32.exe	Aiqkmd32.exe
File created	C:\Windows\SysWOW64\Dpbmfghh.dll	Mhmmieil.exe
File created	C:\Windows\SysWOW64\Bggnijof.exe	Akopoi32.exe
File opened for modification	C:\Windows\SysWOW64\Lfqjhmhk.exe	Lckglc32.exe
File created	C:\Windows\SysWOW64\Dfjood32.dll	Nmbhgjoi.exe
File created	C:\Windows\SysWOW64\Phiekaql.exe	Oiqomj32.exe
File opened for modification	C:\Windows\SysWOW64\Eangjkkd.exe	Capkim32.exe
File created	C:\Windows\SysWOW64\Noehac32.exe	Nahdapae.exe
File created	C:\Windows\SysWOW64\Mhmmieil.exe	Clmckmcq.exe
File opened for modification	C:\Windows\SysWOW64\Mhmmieil.exe	Clmckmcq.exe
File created	C:\Windows\SysWOW64\Jepidp32.dll	Mphamg32.exe
File opened for modification	C:\Windows\SysWOW64\Lckglc32.exe	Kfpqap32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4440	416	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkbak32.dll"	Bgkaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbmfghh.dll"	Mhmmieil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmebblf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgfkq32.dll"	Ljoboloa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiopdhnf.dll"	Aiqkmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbqampo.dll"	Noehac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhmmieil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmokpglb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nahdapae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnphkkg.dll"	Lmgfod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiqomj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqbohocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgbob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mphamg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Femigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnonap32.dll"	Geflne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lckglc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljoboloa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akopoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigmon32.dll"	Mmokpglb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcblbn32.dll"	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbl32.dll"	Aaofedkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmckmcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlhomk32.dll"	Kfpqap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poagma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqbohocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdhlc32.dll"	Eangjkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegnol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geflne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcabhido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbikolk.dll"	Ifphkbep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nheeabjo.dll"	Lckglc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbhgjoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnglpdin.dll"	Phpklp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaofedkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdeffgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhadgmge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poagma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bggnijof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capkim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eimelg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcabhido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkgqn32.dll"	Ogpfko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaofedkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eangjkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Femigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgjdibf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bggnijof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqejedmp.dll"	Femigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmacl32.dll"	Hifaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phiekaql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepidp32.dll"	Mphamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmjaqam.dll"	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopfdc32.dll"	Phiekaql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eangjkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifphkbep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfpqap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiffij32.dll"	Icgbob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onighcgh.dll"	Pdeffgff.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 1628	5108	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe	91
PID 5108 wrote to memory of 1628	5108	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe	91
PID 5108 wrote to memory of 1628	5108	acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe	91
PID 1628 wrote to memory of 1820	1628	Icgbob32.exe	93
PID 1628 wrote to memory of 1820	1628	Icgbob32.exe	93
PID 1628 wrote to memory of 1820	1628	Icgbob32.exe	93
PID 1820 wrote to memory of 1312	1820	Lmgfod32.exe	94
PID 1820 wrote to memory of 1312	1820	Lmgfod32.exe	94
PID 1820 wrote to memory of 1312	1820	Lmgfod32.exe	94
PID 1312 wrote to memory of 1304	1312	Lhadgmge.exe	95
PID 1312 wrote to memory of 1304	1312	Lhadgmge.exe	95
PID 1312 wrote to memory of 1304	1312	Lhadgmge.exe	95
PID 1304 wrote to memory of 1420	1304	Nahdapae.exe	96
PID 1304 wrote to memory of 1420	1304	Nahdapae.exe	96
PID 1304 wrote to memory of 1420	1304	Nahdapae.exe	96
PID 1420 wrote to memory of 4476	1420	Noehac32.exe	97
PID 1420 wrote to memory of 4476	1420	Noehac32.exe	97
PID 1420 wrote to memory of 4476	1420	Noehac32.exe	97
PID 4476 wrote to memory of 4956	4476	Odgjdibf.exe	98
PID 4476 wrote to memory of 4956	4476	Odgjdibf.exe	98
PID 4476 wrote to memory of 4956	4476	Odgjdibf.exe	98
PID 4956 wrote to memory of 1504	4956	Poagma32.exe	99
PID 4956 wrote to memory of 1504	4956	Poagma32.exe	99
PID 4956 wrote to memory of 1504	4956	Poagma32.exe	99
PID 1504 wrote to memory of 4908	1504	Pdeffgff.exe	100
PID 1504 wrote to memory of 4908	1504	Pdeffgff.exe	100
PID 1504 wrote to memory of 4908	1504	Pdeffgff.exe	100
PID 4908 wrote to memory of 4876	4908	Aiqkmd32.exe	102
PID 4908 wrote to memory of 4876	4908	Aiqkmd32.exe	102
PID 4908 wrote to memory of 4876	4908	Aiqkmd32.exe	102
PID 4876 wrote to memory of 2212	4876	Bgkaip32.exe	103
PID 4876 wrote to memory of 2212	4876	Bgkaip32.exe	103
PID 4876 wrote to memory of 2212	4876	Bgkaip32.exe	103
PID 2212 wrote to memory of 3492	2212	Clmckmcq.exe	104
PID 2212 wrote to memory of 3492	2212	Clmckmcq.exe	104
PID 2212 wrote to memory of 3492	2212	Clmckmcq.exe	104
PID 3492 wrote to memory of 4820	3492	Mhmmieil.exe	105
PID 3492 wrote to memory of 4820	3492	Mhmmieil.exe	105
PID 3492 wrote to memory of 4820	3492	Mhmmieil.exe	105
PID 4820 wrote to memory of 3336	4820	Mphamg32.exe	106
PID 4820 wrote to memory of 3336	4820	Mphamg32.exe	106
PID 4820 wrote to memory of 3336	4820	Mphamg32.exe	106
PID 3336 wrote to memory of 3532	3336	Nmbhgjoi.exe	107
PID 3336 wrote to memory of 3532	3336	Nmbhgjoi.exe	107
PID 3336 wrote to memory of 3532	3336	Nmbhgjoi.exe	107
PID 3532 wrote to memory of 5008	3532	Ohkijc32.exe	108
PID 3532 wrote to memory of 5008	3532	Ohkijc32.exe	108
PID 3532 wrote to memory of 5008	3532	Ohkijc32.exe	108
PID 5008 wrote to memory of 1408	5008	Ogpfko32.exe	109
PID 5008 wrote to memory of 1408	5008	Ogpfko32.exe	109
PID 5008 wrote to memory of 1408	5008	Ogpfko32.exe	109
PID 1408 wrote to memory of 4428	1408	Oiqomj32.exe	110
PID 1408 wrote to memory of 4428	1408	Oiqomj32.exe	110
PID 1408 wrote to memory of 4428	1408	Oiqomj32.exe	110
PID 4428 wrote to memory of 1388	4428	Phiekaql.exe	111
PID 4428 wrote to memory of 1388	4428	Phiekaql.exe	111
PID 4428 wrote to memory of 1388	4428	Phiekaql.exe	111
PID 1388 wrote to memory of 1784	1388	Phpklp32.exe	112
PID 1388 wrote to memory of 1784	1388	Phpklp32.exe	112
PID 1388 wrote to memory of 1784	1388	Phpklp32.exe	112
PID 1784 wrote to memory of 3932	1784	Aaofedkl.exe	113
PID 1784 wrote to memory of 3932	1784	Aaofedkl.exe	113
PID 1784 wrote to memory of 3932	1784	Aaofedkl.exe	113
PID 3932 wrote to memory of 3608	3932	Akopoi32.exe	114

C:\Users\Admin\AppData\Local\Temp\acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe
"C:\Users\Admin\AppData\Local\Temp\acfa118f66a9c77d65862021c11aa52e0e620226124e8bd90b68ef5620468a33.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\Icgbob32.exe
  C:\Windows\system32\Icgbob32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\Lmgfod32.exe
    C:\Windows\system32\Lmgfod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\Lhadgmge.exe
      C:\Windows\system32\Lhadgmge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\Nahdapae.exe
        
        C:\Windows\system32\Nahdapae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\SysWOW64\Noehac32.exe
        
        C:\Windows\system32\Noehac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Odgjdibf.exe
        
        C:\Windows\system32\Odgjdibf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Poagma32.exe
        
        C:\Windows\system32\Poagma32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Pdeffgff.exe
        
        C:\Windows\system32\Pdeffgff.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Aiqkmd32.exe
        
        C:\Windows\system32\Aiqkmd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Bgkaip32.exe
        
        C:\Windows\system32\Bgkaip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Clmckmcq.exe
        
        C:\Windows\system32\Clmckmcq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Mphamg32.exe
        
        C:\Windows\system32\Mphamg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Nmbhgjoi.exe
        
        C:\Windows\system32\Nmbhgjoi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ogpfko32.exe
        
        C:\Windows\system32\Ogpfko32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Phpklp32.exe
        
        C:\Windows\system32\Phpklp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Cnmebblf.exe
        
        C:\Windows\system32\Cnmebblf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Capkim32.exe
        
        C:\Windows\system32\Capkim32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Eangjkkd.exe
        
        C:\Windows\system32\Eangjkkd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Eimelg32.exe
        
        C:\Windows\system32\Eimelg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Femigg32.exe
        
        C:\Windows\system32\Femigg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Hifaic32.exe
        
        C:\Windows\system32\Hifaic32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Hcabhido.exe
        
        C:\Windows\system32\Hcabhido.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Ijdnka32.exe
        
        C:\Windows\system32\Ijdnka32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ifphkbep.exe
        
        C:\Windows\system32\Ifphkbep.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Kfpqap32.exe
        
        C:\Windows\system32\Kfpqap32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Lckglc32.exe
        
        C:\Windows\system32\Lckglc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Lfqjhmhk.exe
        
        C:\Windows\system32\Lfqjhmhk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Ljoboloa.exe
        
        C:\Windows\system32\Ljoboloa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Mmokpglb.exe
        
        C:\Windows\system32\Mmokpglb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        41⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 224
        42⤵
        Program crash
        
        PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1048 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 416 -ip 416
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaofedkl.exe

Filesize
479KB

MD5
a9a53e230c5ce955cf6d9a1a429d1406

SHA1
3efbe9faad179a6df86737e0fc9b0572cdf67fc9

SHA256
992f02b600baca4edbdba5e03918eb2b2a912130d52eed2122725dba300ef6ed

SHA512
b93c903305a6982c2e518c73416d8aa5c3946b2ec8b917be82c9be7079d7d0ecc6a031ebcb46db4ab0a8564682e632d5c48611684dbf555f4a740ac3983788d1

Download Submit
C:\Windows\SysWOW64\Aiqkmd32.exe

Filesize
479KB

MD5
51c5011d175fb95f23d23cdf36cb234b

SHA1
e507d7a7de650b6c29497218606189412a8b605b

SHA256
467e27c4c3945f0b8ee1ab00851465aeedca770b2151a542de9d03b43163f074

SHA512
6089e77277dd5ff29c4d84c1ca94aa019bd82ce31bdfd9086ace81eb9b026be942eabfdd03920e42ca767750e941468e6e6ad9e5f2881a794260c2b2608a453d

Download Submit
C:\Windows\SysWOW64\Akopoi32.exe

Filesize
479KB

MD5
77048cb6d6512cf3eb93c024a011f3a3

SHA1
356312c84ff10b22f8270c621c57a3f40cb041d8

SHA256
53dc716a4682a409df7f38f81297015f5ad00a5132f9ed84f19adff6355416ff

SHA512
0c8bed07c982a8323bd94c95485491086409ae35a2a799c1e0f0869030ad716298d82198b872fd8c40798e84d1687f2f4188a90f116cc8331e7566d92e5a7867

Download Submit
C:\Windows\SysWOW64\Bggnijof.exe

Filesize
479KB

MD5
9aa29c7d92bc8a4ee4604889bb009608

SHA1
788dba0a3013b257c035f2bed3215033b5e6d6fb

SHA256
1457587a1f5d0ef4450ab5b6020a8fcafe353e88c994e7d163fe5773bcab172d

SHA512
638f7ebc4f962831a37a05686d6b116dfb8df9dc9ff979a40806c8d320fdd91721610533c2be12e752fe6acfeccef8aa1d819cf1b748b28f5c740931494abbb3

Download Submit
C:\Windows\SysWOW64\Bgkaip32.exe

Filesize
479KB

MD5
b1a3112e8321a543e2ae392b1509d896

SHA1
248893b7d9e4a96ec343f76ff195a373283ba9e2

SHA256
3843a458142bdf26f874fd59e4535d8a422ec46c739eb6a81d3ce9f803f93579

SHA512
02a625b8da5ddad667e23141889f312cb7282749e847719a72610a6be25f1383e25c125bef751f1a61cfe211b391442458c90c94a98815f13a6aebbc9affb2d1

Download Submit
C:\Windows\SysWOW64\Bqbohocd.exe

Filesize
479KB

MD5
78a391da210a1201c2403c45163cfad3

SHA1
68fbf4340a6008f2edb3832a57b8d288b47683f6

SHA256
95321d0ad31e07aee509b038c976f469cdb850feaceb10b17672e0840f81e91f

SHA512
d86d83d3f3c2919d3655a8861f60c011c4449e297ab80bef28c227bcb02eba45bd79c1b9d65c7247b7153d3efb20d9a36d8f2856c49cbced2b3d03317095f447

Download Submit
C:\Windows\SysWOW64\Capkim32.exe

Filesize
479KB

MD5
28c3a7775e7803422b38a3ee20eb6463

SHA1
2144b227b3d5056937c75527f2786f85735c1419

SHA256
ed37186a086da1a0cc1084b4ec44ede9a6a3b3e2834cbf8649a6ae8ccb61fade

SHA512
a600f47259c6fc6e7294433eeedf259fcc408e48577994114a1412ef9be41bd5ac7a39c6099d2b2036951ea1c04c2cf9e58ef690c52f491f65f842a1e4c33426

Download Submit
C:\Windows\SysWOW64\Cegnol32.exe

Filesize
479KB

MD5
13a97fe301a58631bd5f216e876ffd82

SHA1
54a6908ae145bb323dc9e97e2c63ba582f7a2177

SHA256
72ac87013759010a4667dff9ceb56b28d5bc642b5030e4f230c837824887c098

SHA512
e6a315492e25e1821ed7b1b45dd1e4e44233d96ae98dd3bfb0d465e0f12e23c8206ba2f4c2e4c8e9db86e8ffba897654d7fad37e81302d08669cc6110e5b56b6

Download Submit
C:\Windows\SysWOW64\Clmckmcq.exe

Filesize
479KB

MD5
3a51987de40604aade524b84a61d3279

SHA1
8a022387aec786d3ce8c9af8fe780aefb7dcd809

SHA256
731ffb3df76b56b81064fa7f1c47ff5169f2a05f58b3e1d32522946b44fbae69

SHA512
83ac07ab6a3dfb656e82dc7233973e63da4572aa4f7ba3c678fb08547ca2b4a433647ed38dd8698294cb12afcd0de18078398bb496694aada8ec2580db2ece7f

Download Submit
C:\Windows\SysWOW64\Cnmebblf.exe

Filesize
479KB

MD5
83049b9fabccc7378ce975d3fe2a10d6

SHA1
a6580dfa7b9d11853e6280556a6fcc4f267da72a

SHA256
621a18aac96d96a16f2603ef1376197a74a60e06ae219aaf57fe7c6a9ec1ce4b

SHA512
0f2e3a9c9daea3351715306085ff9cab7abfc7f719014ffcdab59c508122ab2a06a2cc901e4f861a92964c7adab3c3d7a7623ed5491600e3dd0c963854ca248f

Download Submit
C:\Windows\SysWOW64\Eangjkkd.exe

Filesize
479KB

MD5
d2855ee301d35f84f81d879e2d4f4fd4

SHA1
805e83d84765a403e0203640cef5879343636c17

SHA256
93e02778bc7386f067ead5462a22765bd3086f73180c558192a9460facff1bad

SHA512
69ffed508fc8715ee672d999edfaed80157c825fa4318075abc1f3db7e271088d4c5b47a862c5c042a57e3d5b87186c403df3d8d1d0d60e5f1865f6c5d89ba1f

Download Submit
C:\Windows\SysWOW64\Eimelg32.exe

Filesize
479KB

MD5
4081978e5c6c686c02324be95d6b9358

SHA1
5821e0dc682e96dd37cd5e24f683a9cab5e98387

SHA256
b8d60838bc6efe5a8910bb0a0342cfb31ad6b25f12177d35d3aa813813ce998b

SHA512
8de074bc548f3ece143c0d328e1581b6802944000381ecd6fa18554b2efbaf1d3985888ad51069e8a944ca03395ca8879aa0177fdd4ebd28107a15009910d8c0

Download Submit
C:\Windows\SysWOW64\Femigg32.exe

Filesize
479KB

MD5
f7e0126e65d316a124095ef96ce9c76d

SHA1
674b5b4f5df1435584b6ef6160644d7cb93d3937

SHA256
a97caa61115bd87bcbd8f23c7d0998ac8dfebf4a861b01a04674a08231e05a3a

SHA512
8007ccea1d824a662b4964b856f1ab05807c0834d878120ce3503bfe094adfc668f7b3e7d6ca008c687bff63aaa8dcd97b41a6aab6cffdb89f35cecf37f7bf89

Download Submit
C:\Windows\SysWOW64\Geflne32.exe

Filesize
479KB

MD5
3f17575644fc5e2c59c46e7ef2fcb80a

SHA1
f15faa686299cc652cd032766fb5c4c2678eb13a

SHA256
5c523b01778829a9c1e823c8b5704a0388c776ea01f3fc5fc900b99d3a63df90

SHA512
0dbe4b009b1f506e6960722cd3ffa110013f2f995e76b03702a998df89398277988c0150ce41fc32a005cccd6d0c216542f83850ae5b08ee79f9ecafc916d133

Download Submit
C:\Windows\SysWOW64\Hcabhido.exe

Filesize
479KB

MD5
07097d263a95e38b7f9d31f4e4f26ec0

SHA1
5627e05e5698e3018936e9c19d543338864b71b0

SHA256
b9b78905f4e77541ce6b29b3d1c5c5a841521b6a16e2aec39c2e809334b8d5cc

SHA512
04e9e1fe3a4f314aa783a7841aa92157eead5b6f3680abb77cd26fde391fd880cdbeeaf7fd2f74847451627e1128cd5353e5284446412b7e436ac4619f43ad16

Download Submit
C:\Windows\SysWOW64\Hifaic32.exe

Filesize
479KB

MD5
b42fa360f4f1b2f00e5e58eda0274613

SHA1
594ee473d274d2cc0608e36836a7e5af1da8b4b1

SHA256
b6620ab1335bbd61e6d08187da4d23d2a13a1ecd2a668a1b663f002341e637c9

SHA512
9fa294d9901724166442f16604c981f85b68064c17c930affbd54e1f2b59fb4615a816e8f32314f08466b2e0bc0ed909fab458e978ebeb9a72cd3aa59e8ab5d0

Download Submit
C:\Windows\SysWOW64\Icgbob32.exe

Filesize
479KB

MD5
38eca0245f6718555e845da7c4a27771

SHA1
53826efdfdccb0b37322b63a1229d44dff94c7b3

SHA256
c230002bfbbe76ff6dc5734e083a79bf9bf1fc22be17621f49de2a8143ad09dd

SHA512
972088e7f03e122a64dc86bb2b4d88cfb8b5e436a808bc3ab6a4e661fe2cecfe9e7e637dd9931aef3da42fdb1b02bbaa6a30a5da96b319adcc89faaa9cc0a7b9

Download Submit
C:\Windows\SysWOW64\Ifphkbep.exe

Filesize
479KB

MD5
a9816eb13ea88392f8fe6f1f6c47378e

SHA1
389b59169af850c5196381740f052ee4c46ad514

SHA256
6bd97681851d6c5805203cdbd444bf9317b4286b3183ffb4fa5c3dd9976d41db

SHA512
87912629998f25cc6a05c0681430ac1dfec3702002191477de7877f8866827b4a389583d76d503648ae7ce48bfe0ea96c45be398ab1d8b00d1d0eca8e059d134

Download Submit
C:\Windows\SysWOW64\Lhadgmge.exe

Filesize
479KB

MD5
2cf068038b5a37b1a660ed5558c036aa

SHA1
449af42519f9af888717a03b742009dd9eac7bf2

SHA256
5730a3b223273c0d083bb83c9b9affcbc1fb6aeed90bc62c3a1bbd262305d813

SHA512
55c151231e20ba4c69009e254f1b726c45ccf55671c3daa0e290b0bc25cce3742cb0068067613d10f229454acc10684a384e8b8c448381d301e2d1c1985b0090

Download Submit
C:\Windows\SysWOW64\Ljoboloa.exe

Filesize
479KB

MD5
ac481dd6d6a3adf4d6b029b600460b1d

SHA1
d2720cd909c2478d4de11ac4780587087e727249

SHA256
2089cf09d86a0efc3721edd34132b4bb4614d817804ee400ae210a689aa10db8

SHA512
85bb8425b32d24314842d28a5514d808bce0ca615ea6312fb56c0054b63deaad9c3f8056c1c03bbf00bb03bba72b890914f14cdae2fe3155b019c814bb2506cf

Download Submit
C:\Windows\SysWOW64\Lmgfod32.exe

Filesize
479KB

MD5
0d3014b78e8ba3bd299c69aa202e0916

SHA1
6e4a95a6d9db06c813ba0b22f17b8800a0c4fc2d

SHA256
98a5acfbfd036968904e3a5fb361d3e4322293c9783eaa118489fdbf3c5b9be0

SHA512
11ea62bb9a4d0099b273f8e67560639b4ca53f3edfc6ef572b097f3cd4ea1fdb777c5fac4caa1fb84305818c1dfd0340d20699b921c1a5deda89bf1caeb6ebb9

Download Submit
C:\Windows\SysWOW64\Mhmmieil.exe

Filesize
479KB

MD5
c7e100c72909aae15e6effe65a231540

SHA1
30808d097a9d295e341c36c698f016e07f540d87

SHA256
2baf9d012b0b60ad9f856779a23903b7ceb00d13539938f30ef5d0ee7caa9929

SHA512
e49f588e74278e894dad1fa4bc2c8a16ecec90010b46071e4a84e670093962a1ec955b251de458bb3b17bd73b25477eeca74810eadc0717ec38be99ed8e75f51

Download Submit
C:\Windows\SysWOW64\Mphamg32.exe

Filesize
479KB

MD5
fb4a3df5bae233a91124549d4acfd085

SHA1
684afc1cfc2add4c58389f9d441ce0f2d1ce0705

SHA256
2616819748872a23b4db66db1474abae0242f6cb466fae0d220ec8ad7febc0b2

SHA512
cd8e585c80d7d404ae733a0841b58ffd583196e17114f8dfa74330a34fe21ef20ee1d733f18dd0c0d489bb04dc16491eb89614fde389db13b5f78c00be6dd6dc

Download Submit
C:\Windows\SysWOW64\Nahdapae.exe

Filesize
479KB

MD5
be352ad87b92f707270db1afd0497196

SHA1
dbf1c4135d238b9b0e26943752522d18e66c0e40

SHA256
b1a509416ea5b76f41689c80d55311297a6a4f271c0c5f44fb2eae17728fc4b3

SHA512
e4437b844dea14a4da30a7620676bad2781f1ac970aaf832835921c80630fc0388a49be99e34e9f2e5a1779b1856bec38b7c5611b03441542a090ebace963c59

Download Submit
C:\Windows\SysWOW64\Nmbhgjoi.exe

Filesize
479KB

MD5
79733627233d093334eae8fb9e84444f

SHA1
04dfeb85d0685b6d6f3b8fc6abd22593d415f26c

SHA256
19551c7b394286ab8c775bfe77ee3536399db15d99150e7dfd944b69ecbeabc8

SHA512
5d4f7c479526c02705ef6a01fb67d2b0b9bf45d7bf5bee0fb06cd9d2cc160f0f0fdd6559eff58e946a5a4ca7fa4db56a7895faa078f80f1b0042c5514c452a90

Download Submit
C:\Windows\SysWOW64\Noehac32.exe

Filesize
479KB

MD5
5dcdd8626db4a87a918796f00238dfd9

SHA1
2ddbc1a6722174916ebe4af719eddfc1e125db39

SHA256
06bdd8ead4a66a983a874681bf64a4b406d38f32069359e1bdadfcb4ff43c6cc

SHA512
5f8d281282dc09bc24918922b50ea95c2bb1aab20881db056e38c7c570e9e14e0fed81a39d9c7605db6ae791769bf460b9d960ab3ca1a879fe3802c35acb3968

Download Submit
C:\Windows\SysWOW64\Odgjdibf.exe

Filesize
479KB

MD5
6277b66af907c31288dd01d62ce8b16e

SHA1
623934623114808b79535d0b7764b858639d60ea

SHA256
0c8c23129e741aeb3ba373934d1a396fb1769885902d066d81f75433772015ab

SHA512
f0f071b506d83106c2edbc68ec551c73f467fb60bd79f8b372ab1dfe8c1e4b37af84d7dd8b9ce685a9b7f2d26a7625b7521ae8acfc165e8b1ab6866b4157a8f5

Download Submit
C:\Windows\SysWOW64\Ogpfko32.exe

Filesize
479KB

MD5
3570fafa57344b264819dfc009906a25

SHA1
2936c991a0b89bfdce9d10efbeb567950b9f2f2a

SHA256
e0d2de4d38eea5ba3b98418311b788d480b43b42e8de1be096abae82b84b90bd

SHA512
c15618dde5a4687f1fb72941116302bc94d317676cd5274503916abbe491ba2aaac2e9e75663390cee39555c0766a9a965b722e8c92e344ffabfcbfad6e2dc81

Download Submit
C:\Windows\SysWOW64\Ohkijc32.exe

Filesize
479KB

MD5
3a7351fa26c71b24acf25ec3738df681

SHA1
255d6c68b6defb926da7a82fa484ef47b7c3600f

SHA256
80271bca3dc1114f30d4b2979b2c0f3078f107dc973803fc98ddad7fa5b756ea

SHA512
d22b0c65d15697ea4c5a93a92a04cf44fad87612ba335d451c868ccda596e8c352e4dfa46b1d9a1c1354f57651c206b980ababd1dd57af6006dcce6e381d832a

Download Submit
C:\Windows\SysWOW64\Oiqomj32.exe

Filesize
479KB

MD5
f4bf3973097404022ea51f5dc3d97262

SHA1
f9ab2d9de39241a1893026daa2dfbc1021d2ac34

SHA256
24bd1313f666543e5c04fd707f57a925a6ca1aee60bddc8be50489be5c5cef17

SHA512
08df2d842b4de85c8e8e7f5d1aafe44c09701ac9932d59192366bfb39572c76ecba03f653abb81e7fe1e432be610647950f029cf487a2514139bba4bb0595813

Download Submit
C:\Windows\SysWOW64\Pdeffgff.exe

Filesize
479KB

MD5
24725ecd715fe312b960fd03ef3aaa54

SHA1
64e6235e1bca77ff9555565686cfca47a1f135ac

SHA256
2190ef96b8b51c7e23a94b093da2d5d52cdfec02caa2e59a96fd67398352dce4

SHA512
5d0be13d64e9cb93f625d6a0e8f1e6aa4b4fb9b7abaeb1fa21440dd849e279ed5d7d108c74c112310eb5d7eb2b1e7b103fc5b941660328b128e9011592a75077

Download Submit
C:\Windows\SysWOW64\Phiekaql.exe

Filesize
479KB

MD5
aa92911b301bb17372291aa7538dd5a5

SHA1
e444930feff2718230eed617622f5b9e75612862

SHA256
5e9c5628cb0ea049185d55fba1a4eda19dfdb2a0cd673bd44736e15d0fe6e3e8

SHA512
25fc5ab35f03dc049d5ae13f390ff6619bd3fd84638bd98236b0f7905adf7431da510492042d698bc6c9107e433611790a634134b16b5b512632acdc7ed04e35

Download Submit
C:\Windows\SysWOW64\Phpklp32.exe

Filesize
479KB

MD5
6e9b097d17db2b53f0ade9adc9065991

SHA1
999c3af0a751ae846919d2482a8da5532cb63cec

SHA256
a178ddb2f8d3d6e6c4697bd501754c9bdfc2e5ebcea20e8e2e3e4681db531c1d

SHA512
73f76812bf6801cc7bcf0f43311d562a37bfa3f339d069e2dd0703a159b4896ab19daec5b57144035d7c90ea23c28dca88a0ef987591eddb7a4d5a0665512d83

Download Submit
C:\Windows\SysWOW64\Poagma32.exe

Filesize
479KB

MD5
45e2d5cd494f988403bbe2d52314e32c

SHA1
36685208128ecc9bd379364c0c2fa25f1ec17c34

SHA256
954d61d41a0a126485a145c1675b8ec0ac6844c89e15bdce2ae817c8c949ac27

SHA512
7c335fc97d149749a2c1bda06157bb390f123cbdbf95b91f2a40a26f0263730fc2b4ea6caffaffcb5c5d99b484b928a32c7ad9c2eb0bc6344de6a5697629fc53

Download Submit
memory/416-419-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/416-323-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/452-302-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/452-430-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/864-212-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/864-452-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/872-220-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/872-450-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1240-236-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1240-446-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1304-34-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1304-362-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1312-27-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1312-360-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1344-253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1344-441-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1388-464-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1388-161-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1408-145-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1408-470-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1420-42-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1420-364-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1504-66-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1504-383-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1628-15-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1628-352-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1784-462-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1784-170-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1820-358-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1820-19-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2056-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2056-444-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2212-409-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2212-93-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2392-454-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2392-205-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2404-275-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2404-439-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2744-296-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2744-432-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3264-436-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3264-282-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3316-434-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3316-290-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3336-120-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3336-474-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3472-269-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3472-438-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3492-107-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3492-414-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3532-132-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3532-472-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3608-458-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3608-187-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3720-260-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3720-477-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3932-460-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3932-179-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4244-425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4244-314-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4428-153-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4428-466-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4476-51-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4476-366-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4820-476-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4820-112-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4876-407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4876-83-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4908-74-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4908-386-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4956-58-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4956-384-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4988-456-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4988-196-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5008-468-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5024-427-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5024-308-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5028-448-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5028-228-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5108-350-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5108-2-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5108-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads