2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
Size

207KB
MD5

957b9947a99b5e76b813b97ba724ec80
SHA1

4f6b393c4eeefb924db93e4c068f916562ff446d
SHA256

2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d
SHA512

55db1ada9ae3682702787f2767a0e5ffbb9a732fdad57cadfd63f87285f6c21554c27da7d10052dabc8b1a341be9d0ff6e9ca71567d4ba84a6dcf0aa4223389c
SSDEEP

3072:KR69Eel415kYENTVjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:oTnENTVjj+VPj92d62ASOwj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjojo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjojo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhehek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapicp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikhjki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhngjmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdmmdnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hapicp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhngjmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjdmmdnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghjel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikhjki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igonafba.exe

Executes dropped EXE 39 IoCs

pid	Process
2524	Hhehek32.exe
2584	Hapicp32.exe
2592	Igonafba.exe
2860	Iedkbc32.exe
2580	Ieidmbcc.exe
2488	Ikhjki32.exe
264	Jhngjmlo.exe
2968	Jjdmmdnh.exe
2780	Kfmjgeaj.exe
1668	Kmjojo32.exe
1588	Kgemplap.exe
880	Lghjel32.exe
2840	Lpekon32.exe
1376	Lfbpag32.exe
2028	Lbiqfied.exe
2228	Migbnb32.exe
2080	Mlhkpm32.exe
1204	Nckjkl32.exe
2704	Nmpnhdfc.exe
1452	Nodgel32.exe
980	Nilhhdga.exe
1616	Ohaeia32.exe
2240	Onpjghhn.exe
1744	Pfgngh32.exe
1580	Pmccjbaf.exe
2924	Qngmgjeb.exe
1728	Aniimjbo.exe
2844	Ackkppma.exe
2640	Afiglkle.exe
2672	Aijpnfif.exe
2624	Bpfeppop.exe
2728	Bhajdblk.exe
2556	Biafnecn.exe
2464	Balkchpi.exe
472	Bhhpeafc.exe
2828	Cdoajb32.exe
2688	Cpfaocal.exe
2692	Cmjbhh32.exe
2432	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2012	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
2012	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
2524	Hhehek32.exe
2524	Hhehek32.exe
2584	Hapicp32.exe
2584	Hapicp32.exe
2592	Igonafba.exe
2592	Igonafba.exe
2860	Iedkbc32.exe
2860	Iedkbc32.exe
2580	Ieidmbcc.exe
2580	Ieidmbcc.exe
2488	Ikhjki32.exe
2488	Ikhjki32.exe
264	Jhngjmlo.exe
264	Jhngjmlo.exe
2968	Jjdmmdnh.exe
2968	Jjdmmdnh.exe
2780	Kfmjgeaj.exe
2780	Kfmjgeaj.exe
1668	Kmjojo32.exe
1668	Kmjojo32.exe
1588	Kgemplap.exe
1588	Kgemplap.exe
880	Lghjel32.exe
880	Lghjel32.exe
2840	Lpekon32.exe
2840	Lpekon32.exe
1376	Lfbpag32.exe
1376	Lfbpag32.exe
2028	Lbiqfied.exe
2028	Lbiqfied.exe
2228	Migbnb32.exe
2228	Migbnb32.exe
2080	Mlhkpm32.exe
2080	Mlhkpm32.exe
1204	Nckjkl32.exe
1204	Nckjkl32.exe
2704	Nmpnhdfc.exe
2704	Nmpnhdfc.exe
1452	Nodgel32.exe
1452	Nodgel32.exe
980	Nilhhdga.exe
980	Nilhhdga.exe
1616	Ohaeia32.exe
1616	Ohaeia32.exe
2240	Onpjghhn.exe
2240	Onpjghhn.exe
1744	Pfgngh32.exe
1744	Pfgngh32.exe
1580	Pmccjbaf.exe
1580	Pmccjbaf.exe
2924	Qngmgjeb.exe
2924	Qngmgjeb.exe
2376	Agdjkogm.exe
2376	Agdjkogm.exe
2844	Ackkppma.exe
2844	Ackkppma.exe
2640	Afiglkle.exe
2640	Afiglkle.exe
2672	Aijpnfif.exe
2672	Aijpnfif.exe
2624	Bpfeppop.exe
2624	Bpfeppop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmeelpbm.dll	Ikhjki32.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Igonafba.exe	Hapicp32.exe
File created	C:\Windows\SysWOW64\Jhngjmlo.exe	Ikhjki32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Fffdil32.dll	Igonafba.exe
File opened for modification	C:\Windows\SysWOW64\Lghjel32.exe	Kgemplap.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Hhehek32.exe	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
File created	C:\Windows\SysWOW64\Biddmpnf.dll	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
File created	C:\Windows\SysWOW64\Kgemplap.exe	Kmjojo32.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Onpjghhn.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Lpekon32.exe	Lghjel32.exe
File created	C:\Windows\SysWOW64\Poceplpj.dll	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Onpjghhn.exe	Ohaeia32.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Kmjojo32.exe	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Ihfhdp32.dll	Hapicp32.exe
File created	C:\Windows\SysWOW64\Mpcnkg32.dll	Kgemplap.exe
File created	C:\Windows\SysWOW64\Lgenio32.dll	Ohaeia32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Kgemplap.exe	Kmjojo32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Iedkbc32.exe	Igonafba.exe
File created	C:\Windows\SysWOW64\Jjdmmdnh.exe	Jhngjmlo.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Lpekon32.exe
File created	C:\Windows\SysWOW64\Onpjghhn.exe	Ohaeia32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Daiohhgh.dll	Iedkbc32.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Onpjghhn.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Hqalfl32.dll	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Ieidmbcc.exe	Iedkbc32.exe
File opened for modification	C:\Windows\SysWOW64\Ikhjki32.exe	Ieidmbcc.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Iedkbc32.exe	Igonafba.exe
File opened for modification	C:\Windows\SysWOW64\Ohaeia32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Hhehek32.exe	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1468	2432	WerFault.exe	67

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igonafba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikhjki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhngjmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll"	Ohaeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhehek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjdmmdnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabqfggi.dll"	Lghjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hapicp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll"	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecjiaic.dll"	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieidmbcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikhjki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hapicp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqalfl32.dll"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll"	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giegfm32.dll"	Jjdmmdnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeelpbm.dll"	Ikhjki32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2524	2012	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe	28
PID 2012 wrote to memory of 2524	2012	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe	28
PID 2012 wrote to memory of 2524	2012	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe	28
PID 2012 wrote to memory of 2524	2012	2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe	28
PID 2524 wrote to memory of 2584	2524	Hhehek32.exe	29
PID 2524 wrote to memory of 2584	2524	Hhehek32.exe	29
PID 2524 wrote to memory of 2584	2524	Hhehek32.exe	29
PID 2524 wrote to memory of 2584	2524	Hhehek32.exe	29
PID 2584 wrote to memory of 2592	2584	Hapicp32.exe	30
PID 2584 wrote to memory of 2592	2584	Hapicp32.exe	30
PID 2584 wrote to memory of 2592	2584	Hapicp32.exe	30
PID 2584 wrote to memory of 2592	2584	Hapicp32.exe	30
PID 2592 wrote to memory of 2860	2592	Igonafba.exe	31
PID 2592 wrote to memory of 2860	2592	Igonafba.exe	31
PID 2592 wrote to memory of 2860	2592	Igonafba.exe	31
PID 2592 wrote to memory of 2860	2592	Igonafba.exe	31
PID 2860 wrote to memory of 2580	2860	Iedkbc32.exe	32
PID 2860 wrote to memory of 2580	2860	Iedkbc32.exe	32
PID 2860 wrote to memory of 2580	2860	Iedkbc32.exe	32
PID 2860 wrote to memory of 2580	2860	Iedkbc32.exe	32
PID 2580 wrote to memory of 2488	2580	Ieidmbcc.exe	33
PID 2580 wrote to memory of 2488	2580	Ieidmbcc.exe	33
PID 2580 wrote to memory of 2488	2580	Ieidmbcc.exe	33
PID 2580 wrote to memory of 2488	2580	Ieidmbcc.exe	33
PID 2488 wrote to memory of 264	2488	Ikhjki32.exe	34
PID 2488 wrote to memory of 264	2488	Ikhjki32.exe	34
PID 2488 wrote to memory of 264	2488	Ikhjki32.exe	34
PID 2488 wrote to memory of 264	2488	Ikhjki32.exe	34
PID 264 wrote to memory of 2968	264	Jhngjmlo.exe	35
PID 264 wrote to memory of 2968	264	Jhngjmlo.exe	35
PID 264 wrote to memory of 2968	264	Jhngjmlo.exe	35
PID 264 wrote to memory of 2968	264	Jhngjmlo.exe	35
PID 2968 wrote to memory of 2780	2968	Jjdmmdnh.exe	36
PID 2968 wrote to memory of 2780	2968	Jjdmmdnh.exe	36
PID 2968 wrote to memory of 2780	2968	Jjdmmdnh.exe	36
PID 2968 wrote to memory of 2780	2968	Jjdmmdnh.exe	36
PID 2780 wrote to memory of 1668	2780	Kfmjgeaj.exe	37
PID 2780 wrote to memory of 1668	2780	Kfmjgeaj.exe	37
PID 2780 wrote to memory of 1668	2780	Kfmjgeaj.exe	37
PID 2780 wrote to memory of 1668	2780	Kfmjgeaj.exe	37
PID 1668 wrote to memory of 1588	1668	Kmjojo32.exe	38
PID 1668 wrote to memory of 1588	1668	Kmjojo32.exe	38
PID 1668 wrote to memory of 1588	1668	Kmjojo32.exe	38
PID 1668 wrote to memory of 1588	1668	Kmjojo32.exe	38
PID 1588 wrote to memory of 880	1588	Kgemplap.exe	39
PID 1588 wrote to memory of 880	1588	Kgemplap.exe	39
PID 1588 wrote to memory of 880	1588	Kgemplap.exe	39
PID 1588 wrote to memory of 880	1588	Kgemplap.exe	39
PID 880 wrote to memory of 2840	880	Lghjel32.exe	40
PID 880 wrote to memory of 2840	880	Lghjel32.exe	40
PID 880 wrote to memory of 2840	880	Lghjel32.exe	40
PID 880 wrote to memory of 2840	880	Lghjel32.exe	40
PID 2840 wrote to memory of 1376	2840	Lpekon32.exe	41
PID 2840 wrote to memory of 1376	2840	Lpekon32.exe	41
PID 2840 wrote to memory of 1376	2840	Lpekon32.exe	41
PID 2840 wrote to memory of 1376	2840	Lpekon32.exe	41
PID 1376 wrote to memory of 2028	1376	Lfbpag32.exe	42
PID 1376 wrote to memory of 2028	1376	Lfbpag32.exe	42
PID 1376 wrote to memory of 2028	1376	Lfbpag32.exe	42
PID 1376 wrote to memory of 2028	1376	Lfbpag32.exe	42
PID 2028 wrote to memory of 2228	2028	Lbiqfied.exe	43
PID 2028 wrote to memory of 2228	2028	Lbiqfied.exe	43
PID 2028 wrote to memory of 2228	2028	Lbiqfied.exe	43
PID 2028 wrote to memory of 2228	2028	Lbiqfied.exe	43

C:\Users\Admin\AppData\Local\Temp\2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe
"C:\Users\Admin\AppData\Local\Temp\2dee30d44a56feb68515d6b6c1ff092019450f0916f363daa39e4deaff769f8d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\Hhehek32.exe
  C:\Windows\system32\Hhehek32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Hapicp32.exe
    C:\Windows\system32\Hapicp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\Igonafba.exe
      C:\Windows\system32\Igonafba.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Iedkbc32.exe
        
        C:\Windows\system32\Iedkbc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\Ieidmbcc.exe
        
        C:\Windows\system32\Ieidmbcc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Ikhjki32.exe
        
        C:\Windows\system32\Ikhjki32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Jhngjmlo.exe
        
        C:\Windows\system32\Jhngjmlo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Jjdmmdnh.exe
        
        C:\Windows\system32\Jjdmmdnh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Kfmjgeaj.exe
        
        C:\Windows\system32\Kfmjgeaj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Kmjojo32.exe
        
        C:\Windows\system32\Kmjojo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Lbiqfied.exe
        
        C:\Windows\system32\Lbiqfied.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Nilhhdga.exe
        
        C:\Windows\system32\Nilhhdga.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Ohaeia32.exe
        
        C:\Windows\system32\Ohaeia32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        41⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 140
        42⤵
        Program crash
        
        PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ackkppma.exe

Filesize
207KB

MD5
bb629b63e14a35715c6575291089afbc

SHA1
7b972afb7f0978ae4f6c79f6fc954c1f858a1ca2

SHA256
0f1d510125a22b4333df629efc38da59f8ca71ce74ed8ad4823eb5c5326ccde7

SHA512
72ea6fa0e963455a65b2b083b5b2fb15066395888df144ac3d7d9fd0052f348e93ccfd90c15fecd0f691735661bdf794c20838f19d7d88ae78c17f6ddb2deb50

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
207KB

MD5
5fd4bf18c7427ed80fa62f156ef46280

SHA1
d0f2debe4a2cdbb3300caf7a79433006248e4a4b

SHA256
20646e806002f8df72896f0b3c978bb0e8017235f427f58a6de88971d7b2aedc

SHA512
7972d800c549e817633103342041d6343045ee7a3b5a065dbbeaedde8f05ab943a41a8551eb260782b327486ae458edcdc17c32f0385877783f228d9f7b308ae

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
207KB

MD5
e72a69fb44bb322bf24510104d7823a7

SHA1
77237c96f768f88fdb255b1b7cc32ed7de850180

SHA256
bfd3ea508423a9e37448d78e7bd3e3396c385ccd0b4d8123db5510d6725b41f2

SHA512
fc0eafbf6bcdf9a790a0693c3a150fa70975c63a57a273d5d560a0287cb94b2ef5ae3b75cfc7002591a29cb7a4babcc9caaa00f39ffbbf4e65a803c7ec245e63

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
207KB

MD5
7741c359500a415490d48952b111d296

SHA1
7dc786543d34f3c45f8a56ae282641a9d4631be4

SHA256
86a3c38f526ef19b4a9e21d768db196301bf2352c9020a76847310635f990bd3

SHA512
238fe078d79bbc50cb0f84df04b261bfc9e8f170c59e1c619486c562e3668f91819a1846d3ea38f14e4f2f532129f44e4fcf52f9b369cb85d3d5d903a1327d9d

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
207KB

MD5
67350ec3cba3d11699362fb02bb70d08

SHA1
796a477d38d711b44a914e0c7b62b4edc391002b

SHA256
639b1f06603bcde64ce73fe032aee1ea9471c189761b41cfdb64317897fc5d2d

SHA512
ffe2e0c86a6a85fdd26d7b5b55d3a28fa8fcffdbb6b294ecb9c48a487488daf72ba8761b51acedd6b8041ce6aae36f5397107fc5feba7cbbfb871195b2b0532a

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
207KB

MD5
c5d5a39d94fca70e9ba6a9ef76d91aa4

SHA1
ef10998d0986d7f3f85fcee3efbbe6337dc95324

SHA256
02954def982ab227b2c087f27e398d87c9d9ab015994b488fe8821b14a45aada

SHA512
bb6e8d9096654b1f697f29cd43c57c1c27cc013c5a992e8b22a0f1ab8b1e7a6752231ca3b1a550e2b4640d3caf5ea18720dad9de221b33e9a120d3357e8094c4

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
207KB

MD5
ef110b1b79e5f1a9e03a85a9d9861df5

SHA1
8d9559faa6395caa9b65d921667c4f997819687f

SHA256
e4e2369b3ca749cdbadd7ad620106504086cb8e4e87bc5d228dd85dd695d1729

SHA512
3da93cf2dee9dd6eb9c0e02e64438feabecaa6949fa2e3e24131234fc2140655c7f4746b739508989b26102f60eff32e145408b5632433ce8f067b77e8717742

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
207KB

MD5
2647efba1e85a9d5aa014fb7dc78d313

SHA1
f814b411e226a2eecb03e2a1d99fea70b68cd8ee

SHA256
d19fa6f9a1dea6094d7df4fb71d19b30dac3c961e0a79710dcf64f49e9d7a031

SHA512
9e15b05a7aecfd32b582406c2ac200cc39783be5682ea87c7141834cc6f1bae5ba12db690a7d2592828502321bb4364df5e367764a9c4c8ef4ff7bf5e0872561

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
207KB

MD5
46756dfc8cf91739e09829e10cac1bf6

SHA1
234d8b4173713efa8393186c2572b1c12d563c5e

SHA256
0be917a58c4ab5d27a201499e1589ba9fe4d54341a8f5c76287ae3b5687f0284

SHA512
089390c9c59ade5738aad1b548c0dfa60a9f71c56e3df0f90f5f5060d8491117c316c2cddce038d0593fb826a2bfd119a7bc5547c9676a0229071dece4d2b74b

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
207KB

MD5
f8bbfbc5bf1c906e5c26a26e6d11eb31

SHA1
d87c055b38b04f719ca587ee166a7790e1435d3b

SHA256
c9a1f0fac24303eed99d48ea429c95e8d6e1ee9c5a6004124e2584e69c139d19

SHA512
02cf473c9d542d9d6a37e691d7f59c81b206a7dcde2a7a8b057d5d8b220027c6e3329030cbac7a8840e6754e97b405d65eb394078fe20064d275c248bbec56d0

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
207KB

MD5
2eef1eb9bc07fee5d2eeafdfa3d4aa60

SHA1
91aa2d7607931f414599be60bfdba707234c90ab

SHA256
80efa0b695b1129048d71242a5066ce194d996a8d14318b8ab6043680bd9e0bb

SHA512
cec0a369e8cbfcc86eae4e77a2401dbd5a322127091ede6d4684d9420a9ba004ece9d0772ee44409dd029c78296c1e67ef49a094aa2da6d170ac3467ca32956a

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
207KB

MD5
70f2bae287d211d5102ae5fc685d7bef

SHA1
485fedd3b12588866ea140a34823b070e0eb3f69

SHA256
ed6403bed24fe7012f6dfbb5a60eae432a011b99ff3db3b25e6e9123d5c17b4d

SHA512
648d6318746750bb9683960d39ab2950ea61f29c0d24cbd7018b68da8f4396ad62323a4b8e1327265386b4c79234c0e3016e25049b7a3af7d1ac51248603874e

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
207KB

MD5
9349d09d8116c2060a999009f58ecb38

SHA1
d65fe0411f093afdc22d83329f5d81f859eddf70

SHA256
d84b90de15102be64aafc2ea064131195faeebbc42d462713cd70ab5676270ec

SHA512
a92ecd1a7555bdd784021efe56341d5beb225813e02f8017681785c42131e7a7ca81acc76c23065ef2ce67f3746deb3284a2c24e40b78c2cc90dd837c85c888d

Download Submit
C:\Windows\SysWOW64\Daiohhgh.dll

Filesize
7KB

MD5
f4045b400fbdfb1e1a581cc5debd84bb

SHA1
d9bdca36f760b95391e3d1394ad4e7793f2c1344

SHA256
cdc65839e2b1141e1f5a15e5f61fe437679f9b147d999894d3214100bd89d859

SHA512
9595d333fbacf54a825af7420bbf4d588d4a5cd037287dee529254e10b148846659633178c5644d08b747327fb49cf0e08b8c510fd59d346f03b3abbbaa632aa

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
207KB

MD5
bd9ab31484da8886037c7fda24b9521a

SHA1
0b33a8068f1188fd7a647b3baedb3291b0b2b120

SHA256
1a29f84e0db3872e1deaffc6c2174402dd0a59aaf0229f35fa7de76947ce505d

SHA512
289c1c5e5476d5e63ec3bef3040887cbb310e2a3e8e455bbb9948773ff8800d72881db7da6938e86b0954924aef884f5d05dc4ab581fc2046e427801c1a8c463

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
207KB

MD5
509a801c872f5360279469ef66965d89

SHA1
2391d031ae0a7496d51b261b441d65ac0e77287f

SHA256
d3c92e4c696cc02da499709199ff13a30700fbda52ba29b485082e340a090c36

SHA512
7f9f41b37d36adac16bb2c69bfb49ff52ec367b3adf3044395a4e886f6aeca095b1ac46cb1aa2bbf891b79491b71022ab6058e707b62dbd0551ee23bb30b7899

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
207KB

MD5
51b881e22948380faac9c52ab73e2b0a

SHA1
9d3082cd74dd2616663a60bc8c944a68c853c65f

SHA256
2af53b7a992326a86109444b3fbf4f387626c8b5fe0c58a112b9401372cc3552

SHA512
3824a54cd7735501603cdd23cab414949ff155e0387e61d9da371045e1b633fb5f1d7197abb1662bb9fb57119df361bf669ec301dde4c462f97158f8201ac8fa

Download Submit
C:\Windows\SysWOW64\Nilhhdga.exe

Filesize
207KB

MD5
3bffc587045c0b1b6a7478bbac677e09

SHA1
0ec8671772e1c176a251e3f2269b7a054b22e851

SHA256
7f3becc602d679709a086bb584349382e16c82bd988b3b34da4e1fd443147678

SHA512
2df8c797981c2e1f65d66cf3a447d4803feaae3af505fa5f6f23fc9d20420b0a0bbc3937c54437e0ab8d53fcb1584c73d67482565e834073eff779214b69635f

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
207KB

MD5
7337e64615bfb6f13a3e531a9e4faff2

SHA1
1f1cb2af3543f71102649dbe66f88d0eec5983e1

SHA256
9a6bc45eb2ae718b49400bc2782abaa95f3ddb2e83434b08553c17f7ff258c14

SHA512
21dabe036d8dee256dab2c4c3f323f4b0e4590b34dc1bb36a83b536151acb0f424d6a89f697b6dac3826d65f450185ff8acdb1ba77450b7ce74dcdb45442e848

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
207KB

MD5
ca6d610e7449a2fc6636cbb265667f5b

SHA1
d547da35bff02ec5f52eac9a9760efe7948c6703

SHA256
3a59f4195d08e958f247feacc967882c13cd18c07887ef52d8954d9483d72c00

SHA512
dd5c5313f35f46f0d2aff2ebc21e3998a87de3dbb456693d1b04af82e2adfb32bddccc63c98417347422a70099c02d07bb701af89f8cbcd5e5d03571bcf3fde1

Download Submit
C:\Windows\SysWOW64\Ohaeia32.exe

Filesize
207KB

MD5
cf84f799ae5d41248797e262a751a732

SHA1
fb8970adff3278a41895f9cde9518b0f9f3687a2

SHA256
42eb2b514a938f7c4dd920ba8bb92b82b065d94bc661292d848058f513310f3d

SHA512
08d94d19b7047f9fb6c54ad2f0ebac87b696fbaaea430d8f38fa02b4e6d7337d1e0c8dcf49c30f632c079317ce0318873c0f871250256e630e0c23fe6059f5f6

Download Submit
C:\Windows\SysWOW64\Onpjghhn.exe

Filesize
207KB

MD5
2ad6dfca2a09593e2b8ba7fc93c52ad9

SHA1
ef048e86046674f49fdc918980882a431a50fb33

SHA256
eb2956a897a0de4cbd46ff9a13dabc6b951c7cb7805a64b19a7aa02b109acc0e

SHA512
d49e5b54d7e8cdfd54b1d7c1c15d97c9939b246d79db076f1908cfa6f19ae813ec793733c393103de5baaa214a3cdf0c60e0c706787c869ac9f15292c17de86d

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
207KB

MD5
a46b0a21926217bd455662c39d33d970

SHA1
06c657b429086ab89df4b32973ce929dae15ebd2

SHA256
d7c4721b7995fd7409bacffeccbab8528e5e4c30682823792c9cabdacb4b973a

SHA512
bf87392be781a461a73d7767b8baf0bef31c3af7368ad38e63e105f81ff9383f77fab8c3f96d373879561b90759f4a78907910fc2523be2dc978870bd23dab97

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
207KB

MD5
6d35af338e1242d57e9767429b1eac20

SHA1
649d24994c4e8b50341adbfb6a88138be2092ef0

SHA256
83b25fc5d342bc7573a49276befc60d185b739b74e006523bc7ca6b66f728766

SHA512
24a240c0da68c26e6913eb4b8a7e5af253b40d91a200339e1493748992d40e6c8f374bc84642424cc56ddd21c5876da6f02e240bf2ee54664f9fd6700d33d910

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
207KB

MD5
382888213c930995d5eed8a92e005446

SHA1
74e1d7e0b0c6be4ab2ac57b5758af100804e512e

SHA256
1388f2ecbaf4381f2abd4da5f98f54b24a1410973bbddaa2658f50e4e48c925e

SHA512
215ba63d4238445a17c9da0b5f2e53a34b37123a127cf9410eaaa7209af254031f2dbc595626756e008c32025fbb34bc214f863cc8dffe71b23442c1f9d4567e

Download Submit
\Windows\SysWOW64\Hapicp32.exe

Filesize
207KB

MD5
a72c5becd03877ae1fdd0766be8700bc

SHA1
c4eb0122ace5abdbf5ff63203beb0cdc5fd69ebe

SHA256
7aa6b469d9daae753a088b127a37068856dc2e86f863cd11eb10cbf08e2a8f03

SHA512
111d4bed8cde1f602d82f612e3811de581a2ef57d21ad97fbbe91b986fc7f1d823964b24fe9f77ae6592936933c5e4a7a16b71db745c936d3105007299ef1771

Download Submit
\Windows\SysWOW64\Hhehek32.exe

Filesize
207KB

MD5
2632b78343d174573e54a334a7a2a70a

SHA1
10365f86f64a2dff5cf51dfc9983fa8cf31cbf4a

SHA256
7dd518530f268cf668947a13c32e5fd8e7e145dbb847f6c8e69ebcdd63883e20

SHA512
c20726953dc1b7676f4c4f41b02a390a91c1f67d911f39245c028d3a3229d9cbdd33e54f07e2db54d2c4fb60f8befe6d2c03528731ed2fa0c68fa9fdf64dd4fb

Download Submit
\Windows\SysWOW64\Iedkbc32.exe

Filesize
207KB

MD5
7163ff2df1f6a041ceb64b1f487b2700

SHA1
2cfd0c200bbc95b279162010c649edf4704bf1c8

SHA256
de9d8a7212f21f32303f37f19c03a388ed28d5256a5075c0cd850af7045eb142

SHA512
4139ae32bfb66a32e7ea7d6a243b3aba23efd76b2a5fdef0028be009f27a400d71a3bd0750f661e8b18e7be6d5bfb8144f3594dac9f9565406647c34394f771c

Download Submit
\Windows\SysWOW64\Ieidmbcc.exe

Filesize
207KB

MD5
23bb55a92b2a844deaea36946682a85d

SHA1
03fc7a8c15ca121fe72c888bf672af304955aa9a

SHA256
963a90d9ff961a38a35e8f1d06ba4d41ae563e7bfa8b38cc858e131c782bc6cc

SHA512
4dcc10c6d7d02f6b6db458d1cdcf61e367c7280ba3fafd7b5aedc493023089efa356d064547358ad275033e3a64f9c0c760f005310e5f38a63c41125f545d67f

Download Submit
\Windows\SysWOW64\Igonafba.exe

Filesize
207KB

MD5
ce4456413a331439f86bdb2c09cbede8

SHA1
bd68814ccddb586f55f2dbf19b16202e2c8e25b3

SHA256
9197ec479d2e82583d0cb7a6785b10877ceb9b39b1c4ccc42b01752d9f444090

SHA512
b9c669a07e59985f19dda3d714f36c10db4db3a997814fe8f1594665eecad4e2d409c4407f6da00853a744bd50f3d4c0d4c87eb39447951cf5e22bf032645a76

Download Submit
\Windows\SysWOW64\Ikhjki32.exe

Filesize
207KB

MD5
43b019082e0a3431c6f973f9075993b3

SHA1
62fddc14a3f1ffbed58600a8703f93a8c079a152

SHA256
38741c809997049dd023eec76c29d8200ed165d45ed5a92cd1f4997167b69c99

SHA512
91142c8bc99af890b3238b0249dd35a09f0ccfdad3234df3f2914baf773243ee80e768c17e8f383fde2078a81dff2847ad97a6c60134e69d74838fc3befae87c

Download Submit
\Windows\SysWOW64\Jhngjmlo.exe

Filesize
207KB

MD5
cf1dba7fa1465285ee65c3dc223f9b85

SHA1
79a02af8da4ed1ba5e33169289bcde1079eb22aa

SHA256
575167c2e7f465a682f0aeefc14cb4087a8782e282cbbf570e2df6b6f34d9158

SHA512
0bd73c32384b710c8119be68f406f7e133dd0eb7251763b835a7546f399b1a8f2377cf8b377f77533ff8b6f42098866c9f5d9c6177d289dc9a67752a15e5fb50

Download Submit
\Windows\SysWOW64\Jjdmmdnh.exe

Filesize
207KB

MD5
41cb891397dd4c529e51063073bb596e

SHA1
6e364727135d78a18d30bae66f3412bc21933154

SHA256
0d4f0401fc1f31060f289692967e6b845a408f8a80bfa4147e034c2853dd47a9

SHA512
9251ca4a06a5a5c5d162b4cc657a55cb8d85852c81cac4be839e90c44398e0580baf94277453be287702bf01acb46b6303ad6957f9cd01ab58d15eb32827ea18

Download Submit
\Windows\SysWOW64\Kfmjgeaj.exe

Filesize
207KB

MD5
f2d2a932dac69adea04f83decb6d1d2a

SHA1
c967929471e61448613e83cabc7d1c6b6fe4dc9e

SHA256
59b1126ca34f73d01e6bf3f680b3648b41599e919b706a4a44dacaba5d8e9931

SHA512
f78b0ea2da84ee66743f51fe0eadd574407f381fcada3032ba72c01ded053ab6a25145c684f4d4c5e2570ec46803ebb5e32aaf0f1c477812232ba2eba8842bd5

Download Submit
\Windows\SysWOW64\Kgemplap.exe

Filesize
207KB

MD5
66a59c560ded5013a17c550c23b6d2b7

SHA1
ff08505373253543171e8686d860ac2d6263777f

SHA256
b76d68b180dec8cbc77df4fc83dfb7ccbab5512d0bf00584ea702e43734d23d5

SHA512
4f7c9e55d514df0e9a56c1d2a21366b65c3638d2c402a0323b41935f2d94da92cd114b48c94126c253f26beea8128e573e432b1636df7856f776f1c30dc23d73

Download Submit
\Windows\SysWOW64\Kmjojo32.exe

Filesize
207KB

MD5
76a795ffa4ad0f554cdbb405d5a6d3fe

SHA1
a822b36176bfc807de10de09da32e07a74949a22

SHA256
4260f28ad27b0a94578681bf75577ae617c63041be8f05741382061acd3314f8

SHA512
9195dcc299c9f6e752cf52229e769411df49ba82e88c5dcea0621a855dd3de372b5097b9e166bf7d8d293e25d2bd55107fae5c15963a9d2feba4820f8c0d4ffd

Download Submit
\Windows\SysWOW64\Lbiqfied.exe

Filesize
207KB

MD5
74aabb4d4516cf3415269a58f8fcddcf

SHA1
08c2b31d3d433dbd60bfd0a5d61a6942e54589af

SHA256
2812181804b9a32893310060d7bf5af1a3b46a31744804d82447a35de511342f

SHA512
cfa792c3a279b61606b4334621727e6ce56d52fc6814085435a8ede290e29de1a5cd20a5acd6d53558d76ec8c085a1103b59cc903dfd78459f4d2f5c96496fc3

Download Submit
\Windows\SysWOW64\Lfbpag32.exe

Filesize
207KB

MD5
2246f29902af1478dc2e93b21936fb59

SHA1
86216f182a081eaff021a05df4a1e53b4d41d6c9

SHA256
a450a35426e9260f3455211e0a792e2f090f780dae06e2cf44000d5458667f08

SHA512
a83e60e949808301d44044027513c4eb06403fb74c9a1018ac11186cddc37e022da2cf0bb64c8f880c7702bfab87647b114120ff0904560a4eaf620678d45091

Download Submit
\Windows\SysWOW64\Lghjel32.exe

Filesize
207KB

MD5
47acbb3cc95521d222d43933e4d2d434

SHA1
36d6f1648bc5847b88801b0f44c2c59e0465479f

SHA256
2369794ecb45e957f75cabc7a44a8efe4a02de09b15f92bd9645a6e5a4075cb0

SHA512
d095582fdff195bc392eeed838a0591e220d8e2f240fe742da5b0320f13e07ef681e06be477d0572cb04955b5be2a4531e991fa3c4e5ae8585e74c708685a7ef

Download Submit
\Windows\SysWOW64\Lpekon32.exe

Filesize
207KB

MD5
8d20fcd982393813a405c04dd52d9bf4

SHA1
9d336e302a2891a64b675f706091b9f4439e08aa

SHA256
b4ecc2958ce5c1df5d33fcf0ebf3bf5c6cdd3ce2b1550d4efbaf57270880b282

SHA512
3d36e8806b3d7d60fc73a2c9b90a7b8ccd44962e9f24078d5d036485bc47b3c1723bd9e30515a725a4b76ad1ef59ef9181b6b13fa1c80d285e0252645a370444

Download Submit
memory/264-95-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/264-548-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/472-423-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/472-424-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/880-558-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/880-160-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/980-274-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/980-279-0x00000000002C0000-0x000000000031B000-memory.dmp

Filesize
364KB

Download
memory/1204-252-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/1204-243-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1376-200-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/1376-201-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/1376-188-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1376-579-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1452-259-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1452-269-0x00000000002A0000-0x00000000002FB000-memory.dmp

Filesize
364KB

Download
memory/1452-268-0x00000000002A0000-0x00000000002FB000-memory.dmp

Filesize
364KB

Download
memory/1580-320-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/1580-326-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/1588-556-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1588-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1616-280-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1616-290-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/1616-289-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/1668-134-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1668-554-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1728-342-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/1744-311-0x00000000002C0000-0x000000000031B000-memory.dmp

Filesize
364KB

Download
memory/1744-310-0x00000000002C0000-0x000000000031B000-memory.dmp

Filesize
364KB

Download
memory/2012-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-526-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-440-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-6-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2028-208-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2028-215-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2028-216-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2080-237-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2080-238-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2228-219-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2228-232-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2240-295-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2240-300-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2240-301-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2376-348-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/2376-352-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/2376-337-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2432-456-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2464-413-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2464-418-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2464-404-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2488-88-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/2488-81-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2488-546-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2524-25-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2524-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2524-528-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2556-403-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2556-402-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2556-397-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2580-544-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2584-35-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2584-538-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2584-455-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2584-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2592-49-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2592-540-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2592-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-387-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2624-374-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2640-369-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2640-355-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2672-373-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2692-454-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2692-453-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2704-258-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2704-254-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2728-392-0x00000000004D0000-0x000000000052B000-memory.dmp

Filesize
364KB

Download
memory/2780-552-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2828-434-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2828-435-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2828-433-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-173-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-187-0x0000000000340000-0x000000000039B000-memory.dmp

Filesize
364KB

Download
memory/2840-186-0x0000000000340000-0x000000000039B000-memory.dmp

Filesize
364KB

Download
memory/2840-560-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2844-353-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2844-354-0x00000000004D0000-0x000000000052B000-memory.dmp

Filesize
364KB

Download
memory/2860-62-0x00000000002C0000-0x000000000031B000-memory.dmp

Filesize
364KB

Download
memory/2860-542-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2860-73-0x00000000002C0000-0x000000000031B000-memory.dmp

Filesize
364KB

Download
memory/2924-331-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2924-321-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2924-332-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2968-550-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2968-108-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2968-120-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads