9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe
Size

94KB
MD5

f00e11dc498b089ada6e70cd71ef5488
SHA1

e91ebad9fa4c25cb8b0152957ab586432ff7d58f
SHA256

9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf
SHA512

d541fc8417e02a5a52248e0c4b3daa100e18b658c5d94af17fb81433d4e6e96a81f3a6badabb9f6cfbc0e71c5e974a2dc026d24e493299663e0db57ff34c05c8
SSDEEP

1536:FtL9XhVtkDmI+D3pinl3MXxqEZ4yFOuPktaBUfC1tBF0/DR9ifhSZ7BR9L4DT2Eb:HlSa4nmX4iJFOkktaBUfClil9ifUZ6+4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doojec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebkbbmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gejhef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edgbii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbbajjlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filapfbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnbcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Filapfbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enkmfolf.exe

Executes dropped EXE 51 IoCs

pid	Process
4984	Ofkgcobj.exe
5096	Opeiadfg.exe
2256	Pfandnla.exe
2024	Phajna32.exe
1888	Pffgom32.exe
4696	Pdjgha32.exe
2916	Aajhndkb.exe
5104	Apodoq32.exe
1688	Aaoaic32.exe
1684	Bgnffj32.exe
4960	Bogkmgba.exe
5108	Cdimqm32.exe
3968	Caageq32.exe
4368	Chnlgjlb.exe
3180	Dhphmj32.exe
3016	Ddgibkpc.exe
3332	Doojec32.exe
3668	Dgjoif32.exe
5100	Dhikci32.exe
968	Eqgmmk32.exe
3768	Enkmfolf.exe
2248	Edgbii32.exe
4632	Ebkbbmqj.exe
4132	Fnbcgn32.exe
4800	Fbplml32.exe
4640	Filapfbo.exe
4708	Fnkfmm32.exe
1076	Gegkpf32.exe
4056	Gejhef32.exe
208	Gpaihooo.exe
1012	Gbbajjlp.exe
4028	Ipdndloi.exe
776	Kcjjhdjb.exe
1868	Laiipofp.exe
4212	Mfkkqmiq.exe
2168	Njbgmjgl.exe
996	Pfagighf.exe
1624	Pfccogfc.exe
964	Pcgdhkem.exe
2428	Qmdblp32.exe
2352	Ajjokd32.exe
4496	Afcmfe32.exe
3128	Abmjqe32.exe
2756	Bpcgpihi.exe
392	Bbfmgd32.exe
2272	Bagmdllg.exe
4716	Cdhffg32.exe
212	Cdjblf32.exe
4928	Cpacqg32.exe
4816	Cacmpj32.exe
3812	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngckdnpn.dll	Gegkpf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Chnlgjlb.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Ghehjh32.dll	Ebkbbmqj.exe
File created	C:\Windows\SysWOW64\Eglfjicq.dll	Filapfbo.exe
File created	C:\Windows\SysWOW64\Nffaen32.dll	Njbgmjgl.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Pfccogfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Pdjgha32.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Apodoq32.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Ghfqhkbn.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Aaoaic32.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Njbgmjgl.exe	Mfkkqmiq.exe
File opened for modification	C:\Windows\SysWOW64\Enkmfolf.exe	Eqgmmk32.exe
File created	C:\Windows\SysWOW64\Clmmco32.dll	Gbbajjlp.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Ipdndloi.exe
File opened for modification	C:\Windows\SysWOW64\Bbfmgd32.exe	Bpcgpihi.exe
File opened for modification	C:\Windows\SysWOW64\Doojec32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Dgjoif32.exe	Doojec32.exe
File created	C:\Windows\SysWOW64\Ppadalgj.dll	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Mkiongah.dll	Fbplml32.exe
File created	C:\Windows\SysWOW64\Fnbcgn32.exe	Ebkbbmqj.exe
File opened for modification	C:\Windows\SysWOW64\Fbplml32.exe	Fnbcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Mfkkqmiq.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Afjpan32.dll	Bpcgpihi.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Bdepoj32.dll	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Gegkpf32.exe	Fnkfmm32.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Abmjqe32.exe	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Aoibcl32.dll	Dgjoif32.exe
File opened for modification	C:\Windows\SysWOW64\Ebkbbmqj.exe	Edgbii32.exe
File opened for modification	C:\Windows\SysWOW64\Fnbcgn32.exe	Ebkbbmqj.exe
File created	C:\Windows\SysWOW64\Gebekb32.dll	Fnkfmm32.exe
File created	C:\Windows\SysWOW64\Pfccogfc.exe	Pfagighf.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Elekoe32.dll	Abmjqe32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Mjhjimfo.dll	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bbfmgd32.exe
File created	C:\Windows\SysWOW64\Ebkbbmqj.exe	Edgbii32.exe
File created	C:\Windows\SysWOW64\Fbplml32.exe	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Filapfbo.exe	Fbplml32.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Dgjoif32.exe	Doojec32.exe
File created	C:\Windows\SysWOW64\Dhikci32.exe	Dgjoif32.exe
File opened for modification	C:\Windows\SysWOW64\Gejhef32.exe	Gegkpf32.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Pfandnla.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ajjokd32.exe	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Cdhffg32.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Dhikci32.exe	Dgjoif32.exe
File created	C:\Windows\SysWOW64\Eqgmmk32.exe	Dhikci32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
688	3812	WerFault.exe	142

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoibcl32.dll"	Dgjoif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgjoif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll"	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnjancb.dll"	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadalgj.dll"	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnbcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmmco32.dll"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alapqh32.dll"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gejhef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajjokd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngckdnpn.dll"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haclqq32.dll"	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgjoif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Filapfbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpmdqpl.dll"	Doojec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edgbii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbplml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipdndloi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4984	2384	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe	92
PID 2384 wrote to memory of 4984	2384	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe	92
PID 2384 wrote to memory of 4984	2384	9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe	92
PID 4984 wrote to memory of 5096	4984	Ofkgcobj.exe	93
PID 4984 wrote to memory of 5096	4984	Ofkgcobj.exe	93
PID 4984 wrote to memory of 5096	4984	Ofkgcobj.exe	93
PID 5096 wrote to memory of 2256	5096	Opeiadfg.exe	94
PID 5096 wrote to memory of 2256	5096	Opeiadfg.exe	94
PID 5096 wrote to memory of 2256	5096	Opeiadfg.exe	94
PID 2256 wrote to memory of 2024	2256	Pfandnla.exe	95
PID 2256 wrote to memory of 2024	2256	Pfandnla.exe	95
PID 2256 wrote to memory of 2024	2256	Pfandnla.exe	95
PID 2024 wrote to memory of 1888	2024	Phajna32.exe	96
PID 2024 wrote to memory of 1888	2024	Phajna32.exe	96
PID 2024 wrote to memory of 1888	2024	Phajna32.exe	96
PID 1888 wrote to memory of 4696	1888	Pffgom32.exe	97
PID 1888 wrote to memory of 4696	1888	Pffgom32.exe	97
PID 1888 wrote to memory of 4696	1888	Pffgom32.exe	97
PID 4696 wrote to memory of 2916	4696	Pdjgha32.exe	98
PID 4696 wrote to memory of 2916	4696	Pdjgha32.exe	98
PID 4696 wrote to memory of 2916	4696	Pdjgha32.exe	98
PID 2916 wrote to memory of 5104	2916	Aajhndkb.exe	99
PID 2916 wrote to memory of 5104	2916	Aajhndkb.exe	99
PID 2916 wrote to memory of 5104	2916	Aajhndkb.exe	99
PID 5104 wrote to memory of 1688	5104	Apodoq32.exe	100
PID 5104 wrote to memory of 1688	5104	Apodoq32.exe	100
PID 5104 wrote to memory of 1688	5104	Apodoq32.exe	100
PID 1688 wrote to memory of 1684	1688	Aaoaic32.exe	101
PID 1688 wrote to memory of 1684	1688	Aaoaic32.exe	101
PID 1688 wrote to memory of 1684	1688	Aaoaic32.exe	101
PID 1684 wrote to memory of 4960	1684	Bgnffj32.exe	102
PID 1684 wrote to memory of 4960	1684	Bgnffj32.exe	102
PID 1684 wrote to memory of 4960	1684	Bgnffj32.exe	102
PID 4960 wrote to memory of 5108	4960	Bogkmgba.exe	103
PID 4960 wrote to memory of 5108	4960	Bogkmgba.exe	103
PID 4960 wrote to memory of 5108	4960	Bogkmgba.exe	103
PID 5108 wrote to memory of 3968	5108	Cdimqm32.exe	104
PID 5108 wrote to memory of 3968	5108	Cdimqm32.exe	104
PID 5108 wrote to memory of 3968	5108	Cdimqm32.exe	104
PID 3968 wrote to memory of 4368	3968	Caageq32.exe	105
PID 3968 wrote to memory of 4368	3968	Caageq32.exe	105
PID 3968 wrote to memory of 4368	3968	Caageq32.exe	105
PID 4368 wrote to memory of 3180	4368	Chnlgjlb.exe	106
PID 4368 wrote to memory of 3180	4368	Chnlgjlb.exe	106
PID 4368 wrote to memory of 3180	4368	Chnlgjlb.exe	106
PID 3180 wrote to memory of 3016	3180	Dhphmj32.exe	107
PID 3180 wrote to memory of 3016	3180	Dhphmj32.exe	107
PID 3180 wrote to memory of 3016	3180	Dhphmj32.exe	107
PID 3016 wrote to memory of 3332	3016	Ddgibkpc.exe	108
PID 3016 wrote to memory of 3332	3016	Ddgibkpc.exe	108
PID 3016 wrote to memory of 3332	3016	Ddgibkpc.exe	108
PID 3332 wrote to memory of 3668	3332	Doojec32.exe	109
PID 3332 wrote to memory of 3668	3332	Doojec32.exe	109
PID 3332 wrote to memory of 3668	3332	Doojec32.exe	109
PID 3668 wrote to memory of 5100	3668	Dgjoif32.exe	110
PID 3668 wrote to memory of 5100	3668	Dgjoif32.exe	110
PID 3668 wrote to memory of 5100	3668	Dgjoif32.exe	110
PID 5100 wrote to memory of 968	5100	Dhikci32.exe	111
PID 5100 wrote to memory of 968	5100	Dhikci32.exe	111
PID 5100 wrote to memory of 968	5100	Dhikci32.exe	111
PID 968 wrote to memory of 3768	968	Eqgmmk32.exe	112
PID 968 wrote to memory of 3768	968	Eqgmmk32.exe	112
PID 968 wrote to memory of 3768	968	Eqgmmk32.exe	112
PID 3768 wrote to memory of 2248	3768	Enkmfolf.exe	113

C:\Users\Admin\AppData\Local\Temp\9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe
"C:\Users\Admin\AppData\Local\Temp\9526127bf6e4380641c0adf83e64c4245c3b39abdbf034a21ee4abd3b577efdf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\Ofkgcobj.exe
  C:\Windows\system32\Ofkgcobj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\Opeiadfg.exe
    C:\Windows\system32\Opeiadfg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\Pfandnla.exe
      C:\Windows\system32\Pfandnla.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        52⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 412
        53⤵
        Program crash
        
        PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3812 -ip 3812
1⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
94KB

MD5
becd88f8b22c4ce85e31b82e10e96bb3

SHA1
70d21770b5a001c09f582bb7e84d28b4ebde6b3f

SHA256
2a0fb3693e2c23ea88dc895c1aef0858cd80a65fd6465e40a0829195930ef8ea

SHA512
586add30d2770a2ccf1cb435af7d3ffe35ef3dfc795f0e792a624acae7d61546ad2470aa8c0ef649dc8e5b6cbbd401824ffc59e324282d4c245235a4fbbc0c1d

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
94KB

MD5
3e2cb9e45d8e54953d1307f993d20be3

SHA1
e28bef0e06759b05511512eccc3d47a3e11212ae

SHA256
d402b39cd2dcdbd78e83b6051b3830ff1db1e1ab31d48e3adc919accf6df167b

SHA512
5c5d0d867980958731d961527bbd5eac56c265e3df96ca7c55594c8529c83002fbf7ea7777ba4857b6d9ff27c1240841fcf8cb5a6f62c548f0382b5d3eb3dccb

Download Submit
C:\Windows\SysWOW64\Afcmfe32.exe

Filesize
94KB

MD5
19dab28aa7c9b22b990e0f4555d62f33

SHA1
6e0382832b738cd8dac8fccf09da226b5160e63a

SHA256
05bedaae3967485918df4c5326389ac9eb0908687d8b224a9ea9d64ac3c2e3d8

SHA512
f204b1493df7d06cca3e93b055816f02aac182943ca1039209fcdf8e55c20904186fa1426bc64a90ef6af3f428669a7340d13d99bfc5c5c7adf161f6897ddfc7

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
94KB

MD5
177c9e2ae0943b60f4973a71fd9058e2

SHA1
33ae2974e04b1212a03676ad615ea001960c7360

SHA256
966fd315043927ac744b74d8cc28c76a7eed554e15524de7926e71cb303d6344

SHA512
e0ab9c7e4bd5623a4c649c2221bc49d0fb513054b572f3d715985819a1a123c1acc09066e7a480d2e8a3e9c77693c81d04f30be2d8069a20edaf66d6a3246244

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
94KB

MD5
157af17c673d23b0ee52dac8a7c15792

SHA1
1ef233ff1b285b7327ae3f44963630c3f0f28a80

SHA256
60033e70233a9a8255d2b7d32ef471b7c714d9d0db2f40a7272b1eff9616500d

SHA512
4d73d6ded06bbbdd1d930a987ec79250ddbf5edea0984520e4203cba3117f7ca327f6481da7990ce08c53059004cd22835e2ffaf981ed066bec0e08f919ffe70

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
94KB

MD5
1bbb0eb450546b0c7dd8a7ce3b84ce0a

SHA1
be0c849eac72422404a95f71c68db572c9574ca5

SHA256
d9401443042c6e62a551da35d79f8beb18cdef9a8c4701c9b98348fa81600eca

SHA512
b0d9d7f1ce02d51eb8d9998b01ab7e44599bfc11f4719038a35ae25b1d71a0d726de535c85a32742e02f076bbfc4daef24a4772e7623c6d3c3c8368654511134

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
94KB

MD5
d108768356e77d0c9bd13aa52bf2a223

SHA1
f685938a3d01656c39173539380a3e72c171004a

SHA256
87f242b318a409f7872ddacf9e70914a32caffee941fc9900482bc1501585d76

SHA512
850e123fc957006cbcc7ff92cb9e4b8be8fbfc6b00f235a56661bf77e25ab507b9143e01e39d72117e490931cd23d1f2a82b66b98eaa459f051e8bdc99d17b58

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
94KB

MD5
24025197b8a4f0706cd912fab6b245c3

SHA1
810ae7d4cacabd4c8a11d34780659c7b8a853927

SHA256
0b001838dbe054252b7889df5a0a570c289a9c45516da3ed2f5fea037cec8f0b

SHA512
f2a3500c68c88e8dd30cc47dea7a9cffb7dd47101dd21cc1ef494bfb65178806dc354a1645787ccb67b58b23339ac5322985965449c953f4d17701b6ae94c99a

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
94KB

MD5
a6408095eee0726d4728a7e1d950a19f

SHA1
6ab47d00bfa0308760efcf2682d1c7ef70f1541c

SHA256
b0db095e2436252b16a2ff1b78f01ab835cfdae905c7d212da2eb887bf61d5e0

SHA512
5562e694d2c4eba27dd0d937a84d9fdc6d01124206bd261336f8b22d9d72710e3080db8d9211b0c780cc06007bddd93a42ab41487f9d0a240858b52bbf617402

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
94KB

MD5
f2ffe9e41d1e0a4e4a13ed25b16fa58a

SHA1
2e35b62c67e7ebe22a12e58705dab9eb5ea25348

SHA256
081eb1810dc9aae84c4ad1e2533838456e59bc8c4b54eb2f08aecf5a98eb783a

SHA512
dcc77f6c5900a30b04261d4cd6f180eadebbe037f619f9d04785fd4701bedb97e8fba7e6529d5a9b8dc0eb09efcdc50037666ef3551d7c90963b8c6baadc30f6

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
94KB

MD5
8f25dabf6a65a36c8a5f9393b85ed187

SHA1
18b1b948fdb475ed0daa3ad38c84e74a4e175a5c

SHA256
79bdcbf40d1ad5b3fbf44711f3d7b21ceb6478cc51ecb47bf3fc26a8cb4f77f2

SHA512
49e975141c45f6e25d1b9da4d5aeb949336cc0ea9c741706ac3ad697fe9662fbbb2b443560b4bf5de2cf6a8c8d4b8cc787922180e886ec9109f31aa8be2fa1f1

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
94KB

MD5
520a0adc2021e786b6be6bcddec12bb7

SHA1
e362879004670e03071f63f584a331f23956317d

SHA256
8c0aeb62198686b7acb92c18ebe1f97bacaeeee768d3b662bf38ec4f49e19a42

SHA512
44b736fd5f0622fa319954bae4198d04f5dc9c7484c2f8d198be696bb25849e3fca3dddaa745094730441199ebb60f2ee1a1b55b958e05c515e2074e29ceabda

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe

Filesize
94KB

MD5
a4280b834ede1f616c441c070774f58b

SHA1
d6d7d700f11b8b7334ca1284db776e87f7750a24

SHA256
508e1d1d87700d359aa5e1a58524bfa8643408985de5104d9ef4c79d49879d85

SHA512
e4ed9f481eca7a2fc545881be2fe92562874089462d2b6818f510272ec271e88bad407a34ff57ef9551282339c1ca8433b36baa08e66b3fb7721c5c8fe25bf19

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
94KB

MD5
b9817b0d7ec3fd021cb115c7ddc5664e

SHA1
05414b29f5d90c0eff0a757320cd3346d6f3547b

SHA256
a97fc9a772b80180ccace291672f159cdba8c90ee9fbdad2b0187af36956c4d7

SHA512
e8d05376a20db77cd182a016170d597277b7edceed89a4a083d6cac2a1ce3aa285d9c6455f18c9fa7bb9154170223e9cd364493f70083ffbf4c6c55c3f9ec1bc

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
94KB

MD5
54981f4b29878b8de7f8dd5f086429c7

SHA1
a42eb9f6ccfbb6e84c45263ad23c7213b91e9590

SHA256
a7860c439d2563f69349d223ae7353292ca23f2100420ff61dc8f30c8122a501

SHA512
4bc649158a65649c0c769a16f5425069a7aa39dcd40cba51cad68f10b19637152aec53acc0d401c391c2d066ea6cf9334e5a03819e937947526e859fdbbf0a9a

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
94KB

MD5
13c74e1cef4054b9151c7a2dc18a8ba2

SHA1
b6301c36f9a6167e01e37eec316a6142663fa0c0

SHA256
4c40f846d97bdca7692a9e01885de8002fab54664aff02e1303ed79d865abc89

SHA512
5a9da59e450ab6c936e5e24cad0354d0efa80e102209ff890d8bf0dc45d3688e3b1f6db8be0dd19f80a0c5d8104dab01ed16112c3e1a7b4604964c75347bec5d

Download Submit
C:\Windows\SysWOW64\Ebkbbmqj.exe

Filesize
94KB

MD5
19c8b9fa5fcdc3efcfd42c8d3ec4efae

SHA1
a280cd942662521e2fe913c63073827a5aa9b8c7

SHA256
0a89a6d468e27a28cda1fafa47ddf4d6e1762c00d80e3083a03d6dbeafd8c44a

SHA512
2a95d715c139b956235db53a2d54d1f2e3bce36850f60351832467a52234b44d349766dad1200bfdbe00ff8268de8b2a190e3781009847ed0adede5c2f7b71f3

Download Submit
C:\Windows\SysWOW64\Edgbii32.exe

Filesize
94KB

MD5
83aad6ce8ef2dc6af161163ca61eab28

SHA1
3d77cf24afb64f7afb2902e243b2047dd802e3d7

SHA256
1532b3982b3dc3d593d186f8ece0a49e0ca84daadecdc15659cb89101a6857f1

SHA512
9430a4b741fa581bc0d234204e87aac46f490ddbf4c960192cf9380c188e807b470ea630ebf93b96628f6e1109e07f32ff1df10426b57f6a2a2a030da53fa1d7

Download Submit
C:\Windows\SysWOW64\Enkmfolf.exe

Filesize
94KB

MD5
769baddc74fdecefd3b2a278b852c522

SHA1
113e6bb4b109f907e3c524e53ce008457547f5c8

SHA256
16d08a25d7298c417b52b472ff1a753ace3b1370f84a331aad37a3a59b51d372

SHA512
7ae1aa450ad731aa4053bfa560db9aa8161e3049c25ee829e66f925c558e8e031c9c5d2661e88d1dbb8c98e9c611f8eeb980f24beaed560045fa6991f47fa5fc

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe

Filesize
94KB

MD5
c133fa4d09c85aea6d8222c14f00429a

SHA1
52945a9c71a23e9d723ca179965385d0ca525e2e

SHA256
d60cd640b74ed07e2da98f9f1dcea3881e0810b0dda01ad9686a61cbad3bef65

SHA512
abb52ecdd3bc93c817a07a435787b3372cd81fe69b6d2e3be194e875012706a2633f070e5f788fa22b88510372fcf7a0cee075a50e6beb4109c4b4184b085f05

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
94KB

MD5
c8854176d9834495838f3aad388aebfd

SHA1
5542d9ca900e93193627412950641a1a47878c58

SHA256
d9aa0841e7704d70acc4d9e5a80dd2419d417df236cd39aad3264854379e3f38

SHA512
1a8b01c9064950cef2acea166dba7cbc03933d88c488be8700fa3f5a7071e40663d885ff056c3c3b99a172f8635875c955565e8a80a80e8188aa97f6544db967

Download Submit
C:\Windows\SysWOW64\Filapfbo.exe

Filesize
94KB

MD5
91ca989fb90eec4d61149a58075d9e5c

SHA1
b1e637160e75894c444c33aea4489a352187c07e

SHA256
5751f1ba2dba937205d6ae2a39cbb3db024ca098cc839f531e96d065dac895b5

SHA512
f862fff889fb2d608f7ff002b14b8a282e5da10d23d3e1729c69eccb51da64bed7e052fef9851182230a87a0322599ecd85fc1aa26c0331e2e33fc6e7dc0ad79

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
94KB

MD5
b56ccf1562530d18d3610d58eb7eec41

SHA1
96877f9886ce69fe34906773e1b9de68c7c73386

SHA256
275c47d6c8ab8321eeaa07a73392e3d43076add99aaf6931112d12971a847ec6

SHA512
b0c067466a85c11f20ee072a5d2821880d0c411a965e2176ad457413d9baff6cbe8c3d19c5fd356961406e12f751b06fe99d8cc8a5ad5e1dc1413e09d2db33a8

Download Submit
C:\Windows\SysWOW64\Fnkfmm32.exe

Filesize
94KB

MD5
f14f3c011cc3d2e751ee9ced9dcf7d1b

SHA1
e9765a19bb223fa7ed9573408e22538237a31b1f

SHA256
799a51b064ed6dd2e8ec28947e08e0b5027951fcc69d862f276619ae2092eb54

SHA512
95856098d427ee6d355ebf8539dab3d77f30ef16d8adc110ad3ac66b30c48fa11fd0b454c967e7a9f8d4c2b2f7354674ff8b4ddbad2badba1fb2622aef59c930

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe

Filesize
94KB

MD5
bf141994de591ea8e99d07bc7566c115

SHA1
4f9fa2921287012d63b592297a4b410cccd0025f

SHA256
8d2ad96d1394933f92c72919a86c38d17695fc4927d9df178f343f1e38ababc3

SHA512
7b46b4ef53ebedffeac7e50dcc20bceae0f99f37a6d75af16d1c36edb43f4eded1cb8217f8f8d317fffab173565624fc6390a3f3e883b55cbcebccff8459af6d

Download Submit
C:\Windows\SysWOW64\Gegkpf32.exe

Filesize
94KB

MD5
032cb6bc2bc4cc256dc066412967dc6f

SHA1
8e845920a7746a3797b5340a493815a860b0c5a4

SHA256
3fc3a315a19cdf94bb24fb3ddb46d4d963f8aad32de9798c5300acc9e5f362cd

SHA512
925588585a60a583278e60cba97e4d00a6ffd1d8ea1957946fc0f678a70ec68aefc4e593031e2f987d1cc8c5e479c0954ea02d926f9329e1e472a777cbcab597

Download Submit
C:\Windows\SysWOW64\Gejhef32.exe

Filesize
94KB

MD5
518008f67e13fab85b9a978216a12074

SHA1
ed65ac2c4277653f8fe7439dec73889107ee2261

SHA256
23db7eab75d213b5be75ed2eb59bf2eab14f297604e9dcc72874875b76a19c57

SHA512
dd0220dea9a93f79e9d4031d32f3ca5bb427fd952d9f28f2a70c699b7e3106ed52961c3ee8526341bfb7ca3a4d0683aff1ea0783e9d83bb4b467dfbe957f79e9

Download Submit
C:\Windows\SysWOW64\Gpaihooo.exe

Filesize
94KB

MD5
46365da25aaa863a76ad2267d5541c1d

SHA1
132d73fe339cfe77d2fb4329a729de97b3787ae3

SHA256
2261f0eb5748a7d952261899701f9a3b84fe8ea7ee47ac8ee3b0fd2c232f60e6

SHA512
6ac6eb59e52a2cfd334eec19735ce71034871231153b402822d2e3ad3f5ee3f3baa77956cba52b8918e8f16cae884991f37a0e14ceb30f4627190f4784744dd4

Download Submit
C:\Windows\SysWOW64\Ipdndloi.exe

Filesize
94KB

MD5
834414d156a78844db10008b89c42370

SHA1
bda2c751396201e9d59c64c7e743e0b96d085d44

SHA256
715bf5d99b8db66cefc1ef2d2e8a953d8cf1cfdfdb7892ba93c1aab38c56b528

SHA512
e6c430637c021a4e9d50784dafd51def9958f482fa50f28ef80bb1730ce334344d9d4a4b61d8975399f6cb9d6bd1d2b696f7d74ae0c05630a4785cc3cb26ece1

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
94KB

MD5
c5362fe2c0ad4456991d9d50c230e1af

SHA1
a858e864cb9356208e3b3a3eba0891b1181dd489

SHA256
9c6feb7190563801cee820c23098521ed52b1f13b892a5c41d8b44f34bc6874d

SHA512
b9495596ff26ce76f20c6961ee0e68434f79e1d7183e4aa142b95ffd2bd2fc9dd04aa090b250fc9bc0eb3a32c0c86b46dd0c14ad62097bc4f68fb342dea4a833

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
94KB

MD5
18d169e3635733082ba5300a79b47315

SHA1
644f6f4769db98e1e40c25ef15ca69a11ba1b4fb

SHA256
8f6ea8903d077b3453eb6d19eb19f4340c5358d5a7efc90a05d8e5139a949a3f

SHA512
29c4b2653f59bdb9884538d2fd137e631fcf7a0d9f38e45a7c0325e3bcd49db02d3867525c46e7a40ef6d2fa9d28d7ad1a10ac6871e80d977cf12a0fb15bdacc

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
94KB

MD5
b5de6b05c7c6da5e66ed4b6764f5d28d

SHA1
13797ac271a1ef29ff638d2e64b1c545b239b342

SHA256
443c4b27190e020b9d8069e14d7d9ebd6af5a30e710fa70601aa35e65cabdf35

SHA512
7629e0845a361a90f638bdfb1f37fc8d57ca107e5415e993bcf73567d5dc447d0c7c14175806bdc39a23bb828ed4bcbdf7dd88bba0002b66262c63ef6480adf2

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
94KB

MD5
bbab07354dbde67a2feedff21dde0f0e

SHA1
2e3ba86adf1877449897073a86fbeabc42fd1df2

SHA256
70f03189fbc1208d29483794ba85480b7c3d9c99bbfc59d0fb0de4752b82c00a

SHA512
761bdd466a7dd935205a6abf0efe46340265f3a1b31b9b7c46ecea3a961d057fc2fe188cd906de1600b6176523bcc3ecd6b6f2347595ea234598eb1cd0fc58f1

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
94KB

MD5
0a602b33b0a4c1928746e14e80334029

SHA1
255621b4aa672350c1072004715277f600672df3

SHA256
afb4b5aeb5144153d9b52790d01cb538706eeca04013a96c2459159a84fbd014

SHA512
741eef655df158012dbdea1ab69cd7dd08e16c287c4ebf5f759ac311b1e2ec8b0647c8e45d34d3731d30a2bfef7020022d6b1f7568038e1604dab557afa157e0

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
94KB

MD5
b68a72e2e088f5d823c97789dace8673

SHA1
e12f071d6470fb9c89ce83bcce4aae7407565844

SHA256
d06b47c459525e7e28ea2f8a4452b5112402e60a88c24dfd5d37265d2c848c75

SHA512
51142019679e14ace4928aae6a2e2118470546a92beb3e3bfd418452c312fde7e14f4ad83c781dce57f8db4e8b152c8ce7b2782348be6f36a2ce8d73d8021666

Download Submit
C:\Windows\SysWOW64\Pjehnm32.dll

Filesize
7KB

MD5
3c9a48f276eaaff67531c4a23d395b4d

SHA1
f6f68fe45c2cb458805e4f34f2394778a3a52627

SHA256
e2a03eba30bc061a2061c6934ca138b616aa4aedf6713e0c503660d189d64d9f

SHA512
0bddb68451e6c0894baea2e431af61ae934962b1ee8fae65b742062fb954f2e465b52f3374a36f080f380b0191d21b603fe24dcd60f72b80a5973e5e68051ad4

Download Submit
memory/208-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/964-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/964-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1012-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1012-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3668-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3668-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4496-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4496-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5096-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads