4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2

Analysis

max time kernel
131s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe
Size

52KB
MD5

f00e4308b96b6f967db50a2ea67be244
SHA1

45e98442d4d9bb97ffa6ce64277e7a28185a13ca
SHA256

4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2
SHA512

4abb751dffb21e7b0fbcbf8299bc1e1c1e81185b04d4d5c7f8163b053957dab233fa4d702e7a0a59654be37d2ad526cd5ccf198351ebe8d7a510414bd0488b83
SSDEEP

1536:sDMUo8uFHX4GjiQGMLlKh9eaJFe2QCBMA0S:swCud+QGfnc26AL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heepfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Infhebbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkohchko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmlnimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kalcik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Indkpcdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icfmci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdokb32.exe

Executes dropped EXE 53 IoCs

pid	Process
3112	Hkmlnimb.exe
3964	Heepfn32.exe
4632	Hkohchko.exe
1552	Hnmeodjc.exe
2388	Hegmlnbp.exe
2204	Hkaeih32.exe
3876	Hnpaec32.exe
840	Hghfnioq.exe
3640	Hnbnjc32.exe
4176	Icogcjde.exe
1320	Indkpcdk.exe
4220	Icachjbb.exe
3008	Infhebbh.exe
4052	Iccpniqp.exe
2964	Ijmhkchl.exe
3020	Icfmci32.exe
2264	Inkaqb32.exe
1344	Iajmmm32.exe
4552	Jnnnfalp.exe
4684	Jdjfohjg.exe
3088	Jjdokb32.exe
5072	Jejbhk32.exe
4408	Jjgkab32.exe
2320	Jelonkph.exe
4056	Jhkljfok.exe
2876	Jacpcl32.exe
2824	Jjkdlall.exe
1448	Jaemilci.exe
4676	Jlkafdco.exe
4600	Koimbpbc.exe
4448	Keceoj32.exe
4436	Kkpnga32.exe
4620	Kajfdk32.exe
2624	Khdoqefq.exe
1772	Kalcik32.exe
1260	Kdkoef32.exe
1016	Klbgfc32.exe
2376	Kblpcndd.exe
3100	Kdmlkfjb.exe
1640	Kocphojh.exe
1476	Kemhei32.exe
2944	Khkdad32.exe
224	Lbqinm32.exe
4604	Lhmafcnf.exe
4516	Logicn32.exe
4964	Leabphmp.exe
960	Lhpnlclc.exe
4200	Lbebilli.exe
2368	Ledoegkm.exe
4536	Lhbkac32.exe
2404	Lolcnman.exe
3464	Lajokiaa.exe
1284	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hkohchko.exe	Heepfn32.exe
File created	C:\Windows\SysWOW64\Icachjbb.exe	Indkpcdk.exe
File opened for modification	C:\Windows\SysWOW64\Jjdokb32.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Lbqinm32.exe
File created	C:\Windows\SysWOW64\Bdelednc.dll	Hnpaec32.exe
File opened for modification	C:\Windows\SysWOW64\Iccpniqp.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Mkojhm32.dll	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Oedlic32.dll	Hkmlnimb.exe
File created	C:\Windows\SysWOW64\Celipg32.dll	Hnbnjc32.exe
File created	C:\Windows\SysWOW64\Dbneceac.dll	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe
File created	C:\Windows\SysWOW64\Infhebbh.exe	Icachjbb.exe
File created	C:\Windows\SysWOW64\Inkaqb32.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Bibokqno.dll	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Indkpcdk.exe	Icogcjde.exe
File created	C:\Windows\SysWOW64\Iccpniqp.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Aedfbe32.dll	Infhebbh.exe
File created	C:\Windows\SysWOW64\Hbhgkfkg.dll	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Lhmafcnf.exe	Lbqinm32.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Hghfnioq.exe	Hnpaec32.exe
File created	C:\Windows\SysWOW64\Eopbppjf.dll	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Fhkkfnao.dll	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Keceoj32.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Hkmlnimb.exe	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe
File created	C:\Windows\SysWOW64\Cpmheahf.dll	Hnmeodjc.exe
File created	C:\Windows\SysWOW64\Hkaeih32.exe	Hegmlnbp.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Ijmhkchl.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Jlbngnmk.dll	Jelonkph.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Fbkcnp32.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Qagfppeh.dll	Logicn32.exe
File created	C:\Windows\SysWOW64\Lajokiaa.exe	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Hkaeih32.exe	Hegmlnbp.exe
File opened for modification	C:\Windows\SysWOW64\Hnpaec32.exe	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jejbhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jacpcl32.exe	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Koimbpbc.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Inkaqb32.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Hnbnjc32.exe	Hghfnioq.exe
File opened for modification	C:\Windows\SysWOW64\Ijmhkchl.exe	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Ldnemdgd.dll	Jjdokb32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfdk32.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Hnmeodjc.exe	Hkohchko.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Logicn32.exe	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Jjkdkibk.dll	Heepfn32.exe
File created	C:\Windows\SysWOW64\Ciddcagg.dll	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Lgahlk32.dll	Icogcjde.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3392	1284	WerFault.exe	144

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hghfnioq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepbdodb.dll"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmheahf.dll"	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahlk32.dll"	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hegmlnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblnengb.dll"	Hghfnioq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkmlnimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamgof32.dll"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedfbe32.dll"	Infhebbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll"	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlmhj32.dll"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkohchko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnemdgd.dll"	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedlic32.dll"	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciddcagg.dll"	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icogcjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjdokb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 3112	100	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe	89
PID 100 wrote to memory of 3112	100	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe	89
PID 100 wrote to memory of 3112	100	4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe	89
PID 3112 wrote to memory of 3964	3112	Hkmlnimb.exe	90
PID 3112 wrote to memory of 3964	3112	Hkmlnimb.exe	90
PID 3112 wrote to memory of 3964	3112	Hkmlnimb.exe	90
PID 3964 wrote to memory of 4632	3964	Heepfn32.exe	91
PID 3964 wrote to memory of 4632	3964	Heepfn32.exe	91
PID 3964 wrote to memory of 4632	3964	Heepfn32.exe	91
PID 4632 wrote to memory of 1552	4632	Hkohchko.exe	92
PID 4632 wrote to memory of 1552	4632	Hkohchko.exe	92
PID 4632 wrote to memory of 1552	4632	Hkohchko.exe	92
PID 1552 wrote to memory of 2388	1552	Hnmeodjc.exe	93
PID 1552 wrote to memory of 2388	1552	Hnmeodjc.exe	93
PID 1552 wrote to memory of 2388	1552	Hnmeodjc.exe	93
PID 2388 wrote to memory of 2204	2388	Hegmlnbp.exe	94
PID 2388 wrote to memory of 2204	2388	Hegmlnbp.exe	94
PID 2388 wrote to memory of 2204	2388	Hegmlnbp.exe	94
PID 2204 wrote to memory of 3876	2204	Hkaeih32.exe	95
PID 2204 wrote to memory of 3876	2204	Hkaeih32.exe	95
PID 2204 wrote to memory of 3876	2204	Hkaeih32.exe	95
PID 3876 wrote to memory of 840	3876	Hnpaec32.exe	97
PID 3876 wrote to memory of 840	3876	Hnpaec32.exe	97
PID 3876 wrote to memory of 840	3876	Hnpaec32.exe	97
PID 840 wrote to memory of 3640	840	Hghfnioq.exe	98
PID 840 wrote to memory of 3640	840	Hghfnioq.exe	98
PID 840 wrote to memory of 3640	840	Hghfnioq.exe	98
PID 3640 wrote to memory of 4176	3640	Hnbnjc32.exe	99
PID 3640 wrote to memory of 4176	3640	Hnbnjc32.exe	99
PID 3640 wrote to memory of 4176	3640	Hnbnjc32.exe	99
PID 4176 wrote to memory of 1320	4176	Icogcjde.exe	100
PID 4176 wrote to memory of 1320	4176	Icogcjde.exe	100
PID 4176 wrote to memory of 1320	4176	Icogcjde.exe	100
PID 1320 wrote to memory of 4220	1320	Indkpcdk.exe	101
PID 1320 wrote to memory of 4220	1320	Indkpcdk.exe	101
PID 1320 wrote to memory of 4220	1320	Indkpcdk.exe	101
PID 4220 wrote to memory of 3008	4220	Icachjbb.exe	103
PID 4220 wrote to memory of 3008	4220	Icachjbb.exe	103
PID 4220 wrote to memory of 3008	4220	Icachjbb.exe	103
PID 3008 wrote to memory of 4052	3008	Infhebbh.exe	104
PID 3008 wrote to memory of 4052	3008	Infhebbh.exe	104
PID 3008 wrote to memory of 4052	3008	Infhebbh.exe	104
PID 4052 wrote to memory of 2964	4052	Iccpniqp.exe	105
PID 4052 wrote to memory of 2964	4052	Iccpniqp.exe	105
PID 4052 wrote to memory of 2964	4052	Iccpniqp.exe	105
PID 2964 wrote to memory of 3020	2964	Ijmhkchl.exe	106
PID 2964 wrote to memory of 3020	2964	Ijmhkchl.exe	106
PID 2964 wrote to memory of 3020	2964	Ijmhkchl.exe	106
PID 3020 wrote to memory of 2264	3020	Icfmci32.exe	108
PID 3020 wrote to memory of 2264	3020	Icfmci32.exe	108
PID 3020 wrote to memory of 2264	3020	Icfmci32.exe	108
PID 2264 wrote to memory of 1344	2264	Inkaqb32.exe	109
PID 2264 wrote to memory of 1344	2264	Inkaqb32.exe	109
PID 2264 wrote to memory of 1344	2264	Inkaqb32.exe	109
PID 1344 wrote to memory of 4552	1344	Iajmmm32.exe	110
PID 1344 wrote to memory of 4552	1344	Iajmmm32.exe	110
PID 1344 wrote to memory of 4552	1344	Iajmmm32.exe	110
PID 4552 wrote to memory of 4684	4552	Jnnnfalp.exe	111
PID 4552 wrote to memory of 4684	4552	Jnnnfalp.exe	111
PID 4552 wrote to memory of 4684	4552	Jnnnfalp.exe	111
PID 4684 wrote to memory of 3088	4684	Jdjfohjg.exe	112
PID 4684 wrote to memory of 3088	4684	Jdjfohjg.exe	112
PID 4684 wrote to memory of 3088	4684	Jdjfohjg.exe	112
PID 3088 wrote to memory of 5072	3088	Jjdokb32.exe	113

C:\Users\Admin\AppData\Local\Temp\4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe
"C:\Users\Admin\AppData\Local\Temp\4509921b23ef16b87baf2871ad0f0109090929b16f14f9774014023240e4bfa2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\SysWOW64\Hkmlnimb.exe
  C:\Windows\system32\Hkmlnimb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\Heepfn32.exe
    C:\Windows\system32\Heepfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\Hkohchko.exe
      C:\Windows\system32\Hkohchko.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        54⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 400
        55⤵
        Program crash
        
        PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1284 -ip 1284
1⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,7761714625659357865,10802238739796857379,262144 --variations-seed-version --mojo-platform-channel-handle=1272 /prefetch:8
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Heepfn32.exe

Filesize
52KB

MD5
ff970ffc07a30210a2f4b8a917f25550

SHA1
2bd51dced683246743d05b8bfac9f41b7f9939ca

SHA256
f6d36ee04e4b57f6611d7f5d16dd0f27d33dc01d33e8f37bfa954f5edb870e50

SHA512
90d2154e049e50975358055fc21e10369d61dbc378c6a71889f61f2691bbd76c37d2809ba31864d80340edfa84ecd71030fea8276fdda9656aadf88c8ac5c70a

Download Submit
C:\Windows\SysWOW64\Hegmlnbp.exe

Filesize
52KB

MD5
e27b7fef4538c61d5b05f1f8c716de69

SHA1
79f966208a232a264d89c5c30111004d33ac705f

SHA256
510674bf3cb55387c06ae1f5669413201727cc83403584bb82b2f0e70042b3a9

SHA512
482ad85ccd5eb40e9011d1dbaee1eeec7b0038ff214a57649c61ebfa24ab4c66d32536b41751571605505a46a98f5ae45e0b9c828650eb7f321040a27c97fec7

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
52KB

MD5
343ed88e95a84fbbb211e010c9bba649

SHA1
1d9937d4ff386358fa286ac5c5ed95d4441152b7

SHA256
352180322988e65692bbf1e3c29c8233360d2af8a99cd0d85be84c258c612926

SHA512
bfb0141e3b6732a5c45e109406b049e2990bb7c43c6a8e096c9f20d193583611dfeda8890ae203c091de1c5c9d26f60126b543195864be29e6a6dcc57b7a3f32

Download Submit
C:\Windows\SysWOW64\Hkaeih32.exe

Filesize
52KB

MD5
af2fb06276dd1826b6fab433649a2d8f

SHA1
bc94ca361c66c2fa8c54c518986b8bf1219aca17

SHA256
67296a5c4a246ce99fc5a46e6c73dc8de238bde2cbdc4531f3326749d8aa9b15

SHA512
64a6ec089ac790be4f1996076f54c75a49a85af4c92a1d9480ee745a433f20350511f3430827a44680bc4026eb2a944cda00f7c211b5afa0cd0daeeb1c0e6b15

Download Submit
C:\Windows\SysWOW64\Hkmlnimb.exe

Filesize
52KB

MD5
f61851a7b78965114c6bc65db9caca73

SHA1
5915b519735ca19c647000454a09a2dcbd54fd31

SHA256
e028acf204edea4884b280b848a8231df006face5b9bb824f10915ec1b4f4115

SHA512
7816bb3449c88d21abbfe1216c8d952b1cce82e28294d85d9fe63078e4b3a6eaab7cbb73743534c1ba7458d13a3475a90e9c377bc282823f786407bdc37495b6

Download Submit
C:\Windows\SysWOW64\Hkohchko.exe

Filesize
52KB

MD5
782a238c16360377569f58e7c4e6662f

SHA1
f6a311ace58b3a6b2706a44be4e18a0803355932

SHA256
e5fb2ce284ef1ec8b1717350f60fa3ddc6868ba31057d3ea8c9cedbe26c70eb7

SHA512
f84758448cef175dfac8424ed681b2e751dc5b5cf60d4a05e8a2377118c6c6b29d0dd42a636870d28ed7b145ef70b0c6439f667eaa059119f6f2fb2413af0d14

Download Submit
C:\Windows\SysWOW64\Hnbnjc32.exe

Filesize
52KB

MD5
f966d0c71f4e867fbd0982d2d2dbcca8

SHA1
bb2837f60017e418d2b50fa160d6a58293110fa5

SHA256
68e47b77cc978b76db7aa16bae279b401de23249d1f0fcd0ecde39123d92086e

SHA512
9f7e47bf7e6378e3e43ffcbcc16e892e6cc1597ddd241d9f1df399e4de5ad565fa3f089930c4551fd6592714ae083c1207d98591dbaf6a5dd2812b34d191a70f

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
52KB

MD5
f96c0adba38fadd31a4f9b2c48ffbdde

SHA1
740cd468d8b13fa0fc82bbc942c01c6ea130c12d

SHA256
7d093aabc44c08a81e1a7d71db072853c8032f1d64c0e585b8f85d61f7bad73d

SHA512
b4a33ff3f1663eaa743ce27e8219ef69b85f72a6559a9e7550ef4f9eefdac3dca02df61f77d5723467d747b908b894864f8ce174a7ef0616666c2159c8f4646f

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
52KB

MD5
727a4bb5ffed9abbce7ac64567f7b052

SHA1
8b381fb983faae7911c825ed0093878ba1e40786

SHA256
d386e203df0fb619bdc50ffcf9ca71b258da1e1bb8f0e8743fecc3c11f2b29ad

SHA512
330654e1f254a308a0e1e1d237b0ce27026ae1302fb22daf3cf3df254ee740889cf56def3e9a2db0b60800fd1ae96005765a9ec46e2736fdf20e11181daf28de

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
52KB

MD5
9f07664351fc31db9d615277cd7a3870

SHA1
65f99c698f3a87a095886cf52a2c9a957e1afcac

SHA256
074ea1386169d26abf497c985545bde1a57c3a4cdf748ad171d231da3b6b1a95

SHA512
2a15594b148400b013b99bdd313a2b24438d6842ad15230bb1df2271e35290e8a448a9c92296f8b599d2a43ffdf6714ddce508203d2ce780d85478d60c898268

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
52KB

MD5
398639b9953aca4e31b75e85dc889fd4

SHA1
b2138f6506626967fb817638dbaca4bd393a9757

SHA256
589b3df97e7033be439ffe5a942c53489c71e3d319b63acf2349c66501c544d7

SHA512
771182b0b56246ed3213f1ba94a69db99bda47494e7ce517c5128ff1ed22eff21a79c9cfe46337e47621559e2fb12c87cd0229945d37a58885eaf45e77ad5e67

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
52KB

MD5
aa5b36e88795ea308f881e8ed4c7ac72

SHA1
e1e73af4f513a98a430c18e7eeee974c8ab9d687

SHA256
c9efb6eca12e3c94a914c27323ebb0f2781cc7faf7775213e67a0cd170b80ea4

SHA512
b7336c684a2f46173b47a758ab58ccb5492d9135573b13be385df991c66b9aaacff5326794cc1aaa176536be4fb8c20980105016b405e4a2fe28df8346382653

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
52KB

MD5
ee54ea22e95b4dbb54ed972e74a93b39

SHA1
b12b6408ff9ac468f01e6e62a726e8011c304dea

SHA256
d44056702ba4376281a6de3d8313c2d6f6488ed246d0167c70a350330af23a97

SHA512
1e9bdfd5b3a082b852243e64d5299498e24546fe4e685f5558b9002e366ae88acb1e4974a2e1a0796a8b7facf28e90f26db92c47a8df40569d8f7e87482fb4aa

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
52KB

MD5
9027adfded16894a89605d6a5ea3bb64

SHA1
2fbdffc8e115c03fd360199d353cefe167316e92

SHA256
e7bc4487215748c63e90f30439760df565317d6842bb40be0e17f3a2054c099c

SHA512
a88e895c7346228a9ab85de9133fae91901b357672d18d1198bf8f6074fa8b8bc7f9048b8bffcad4783a31768f5222148e7ae192f5947a1e1d92f1554f0fe46d

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
52KB

MD5
b2262e21b60df720c17c766162b70cdb

SHA1
eaabf833c243a895251f43ee272abcc6bc80acfa

SHA256
63be0de64dbbff9de43d4c40bf0b166c16cff115988f3efb44fac6c072cc09c7

SHA512
04921abb62485f94f2949f6b21c9f808f134a0021ba73bb1dd5fa52adc06b5dcc9a0a4f7cd4443fcf375559517eaf0b0c7b59077feb9116ef07cd26ebf939435

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
52KB

MD5
34fc5c4d42e8ad6cb6054350bf45576e

SHA1
9eaab3e9198466de2f46e870d1e28448c42e4ff4

SHA256
e1846234eb00b52c7dae7510cd9b530d2e7b8f8b23825c5273e1dd99e51a706f

SHA512
6a5eb1a5b5569e60e9569b8eb6d34d01d304583e7e7ac29a028c830192fd100e79cb76b2a812b8c32b953edbea351d3226dd20ee2148b5ca151c9da7ae41f530

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
52KB

MD5
4837cc14f29e3574bb481b3f24e4f804

SHA1
0c8f8b93a45ebd8b2f114a1c855ef78c71f6b68a

SHA256
7f890d79541c90f1dcc3ad5721caa619045a457f0b3c4ab9116c24a80147cafd

SHA512
49e65e2e1bdd702bbc83901f26ff61837691fd8bc66eb0ff13bafae0ae4ad52e25e545f5c35bbddb36eb415a1d2920fb8291e0e49af72421e6b0de13c71da637

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
52KB

MD5
dbb1ebc955f5c2d67ae43a73c4f18cb4

SHA1
84ccecdc6abda687858764de9b92d0ce3b844c67

SHA256
a3750a43f5e259a4e876bbd9825024a2465c8be68cfe20657462521d16d24c2c

SHA512
29e034064c90131aac82a9bbe44ecb507af43e7eeefa0d6655a3fca3b04266b2c417cfac0819a7fd61a6acaa38ebf7383af336019e2834846de4321c092154a8

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
52KB

MD5
6f6f3bf3ef3b5cbf16bc9e8eda6d8796

SHA1
638b4ca0bbbe8f845682909e14ac8584b057a106

SHA256
9c5939b684acb1e38c4ae9e64898184c84a9b786942149830c1e05630b68f291

SHA512
6a1e01e54794e717cee0dfb704179884252d573021c5770c42a21cbfa5ec6ce4c00a8470c68b48bc63272187ac65a1dfe3c4706f13e287f8698b61f5498d1dbc

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
52KB

MD5
90afe0e913f1a61d7e74b410e0a17d45

SHA1
45e1de1db953a30a7b98f690b42f6c626b14fccd

SHA256
03f1aa68a03d539bd3afebf00ac5df0dbd42341ee6abd466a4b835ba4f166387

SHA512
a87f2ec549f7f343cb6e06b47017ca5d434a3c4a5ac8ef78af473ee125dc000ced7ea18f637a09668ba2726875b9470d25c72b1f3d1c4ef601f4e051baffee58

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
52KB

MD5
e8ee9b9a0a9f2dc3496a0755b7466a9a

SHA1
496db1f631ea589340533bb584fd9c656ae7bae0

SHA256
ce99ba9bcb19e780586ff007f1b9f0ccf3cf6a072f505edc7ea2a652704d5d06

SHA512
894ff2267d197f1e28d053af8e8e20b64f0e208b983c3e486e2a91df58319c06f9192eb255a08bfef9ef116679da5113b45220cad950a0fe5319fa463cf5a0a1

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
52KB

MD5
b3d676504f13c948ecfe4ed84833e6c4

SHA1
f48bc24a8eb295e6a274eabb9f2733fa7e2f7d95

SHA256
aecd5e0fb4dd296081ed3deb24863f69f4a5b14ac75ac20d3477301596024a58

SHA512
fa3d1609ce9d239a8bc27d1d8a54e5e6e24f573ee279e4e849fad539e4cf537f1fba37c60586cbd2d41e562eda341571b3ff20e77b834845b3db217a934b3e2a

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
52KB

MD5
a706b25a2c99b29893e76c42a127e7c5

SHA1
aeb7f243398360b6917959492b13efbe36baedb5

SHA256
ff68b1f79159083bca6bfcc1567feac325cbe62a4a4b68981022e77032715399

SHA512
695d7a0bf90e36bee36677606e6817afd241336a45bf0eae058b7f023e83bf3582176ea80b99dc18c7aa034be47b0b3e11ccc6c7a713f2011b4c5b9acc07cf17

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
52KB

MD5
f2e2ed3588c48932760ae2d7686f912c

SHA1
69a68c5789722414f7fe7ec74b7514652951bcaa

SHA256
8b3b483f0248b95ddad71e1e7ebe8ea995f323c2c2559d165f2f4bcd4fee2c63

SHA512
98d1d93e35fad2672d0d0ec921e4676699ffd16b90e816369954f7270a53d37dafdcd31a24035e341f1037cb1ba6a2f4d50e8a07e9101fcf2ab499433e900975

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
52KB

MD5
2aed8df0c1385f721440d9f1b8ad514a

SHA1
f6d5996768123e5e010d0b2336be1d2de491850e

SHA256
16347f37a969e7da76f766339c4af8b1b0acf31dab180bfcc2fe1eecd95a14ff

SHA512
a687b270a402dbdc2da39f252debe7cd1d3aa8b7a02218e57879617b6429e7c25ed73d2d593d82224ae82c86ea00116913d5dd364dce25d5331adce9f9691deb

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
52KB

MD5
670051f74f03ca62c6c2e8386ec8a01c

SHA1
791c07347f8fc2b61e2c368e89f6b78bf524aa9a

SHA256
f1b36e93bac52ead7379c3087ff19ae6caf67498c7d8d7c110587a53f327d44c

SHA512
57f16b9b1229ee39bc067d9eb35b1b9b8e6447973536b2a114b371b4e4f4207c64919c8f1d16143b639da3bfd4b00b28443b3d44534d59e326d750159bf91e6a

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
52KB

MD5
fdfeb3b2e69c26e632c0ef04dbefff4b

SHA1
ca980bf9215bdda59f3d2ce4623c624221b7b9c6

SHA256
dfa19a0c9a4462998d739659a5f00ccf91c13b413992a21a9e375f95a6a481fc

SHA512
716b1b9ecc31ce700175c7844e1e8a9a689bc4516341794a810aacc80eadf93660ee7021c39b0a1c6250b1165a46982c525604cae22821e9ab58975fc1e17303

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
52KB

MD5
79e601e9957b4d8f9413eee199fa6f43

SHA1
c74ec14276ca7d1abedb5eb52f1ab8499b2c2968

SHA256
c9d076b06c42a2dcd80430d0144cec873839e1b56857034c4dc4db930b6d4f11

SHA512
42e46664d721f019861a2011623d052463192c66b71979485f12519112358c89e06d7f1c47b6b339f3f04bf18ffcbd4c029d2c7dcada3f2c9c37aaf06124b06d

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
52KB

MD5
65e9faa88fe950eb421c160230b68b7f

SHA1
1fdd353665583d219f6a5ccbc6561a6eed86ef14

SHA256
735dd471bbbd8e42f01883af7b56214e7ac293b6ad6a6182477b983462afe46c

SHA512
15d173032c6c9679178526e79b6deaa1832db42e95e59492c2d4dcfa9b5b0aec6cee1e5e955ee6c6f640b63c61d9a08eb4d25aad6755993894a424be058e869f

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
52KB

MD5
0365624658f4ab118e3de33ba2768ea9

SHA1
13765b5556e457fc8ef6b26c28199bc2aedf04fe

SHA256
0290d6edb336e43984903d9d581bbe53ad91eb70b0602215f8aeccc1fd1472fe

SHA512
f500ec71d14618185919ef84937ce34338093fc1b8ff74a37d3842a5ee3c4f159434a32464207f167f4dcf3ec5f8fe00d5a06f7b17f40ee33f1add250df02cfa

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
52KB

MD5
0bd8f97fa3a546a35cc55b4e9fb127bc

SHA1
14aa3bac8b40b46363db7aab3dda989d9eb0d0cd

SHA256
705f2a1117758453c1a78ec455b2f9b7bdac857226e8263d1f68d31a6bda3248

SHA512
df96a8ce5d476e1f96929b3b4195bb903e31cdcf630b8eda2de8ba90ea5c37124b4303acb147a1774717ea5bba3ef534aa698c4df727a426749f36f137b671b2

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
52KB

MD5
78ff14764d45b3c4f271290cd04ea4ae

SHA1
3a7150f7887020b234590f944f15194b24f50126

SHA256
fae40623652cce487a1f3f79c1207b6a495c41209ac812a5d7768c35400f7659

SHA512
f4ee5b6dc532753626223754412f5b70b132e08987d1a2a70b7fa17e9051ffb47aff6036c2bb3ba0cd8de60453544e123ed637055f58ce64a56b075d90cb29c7

Download Submit
memory/100-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/224-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/224-404-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/840-63-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/960-346-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/960-396-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1016-415-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1016-286-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1260-280-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1260-417-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1284-385-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1284-382-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-88-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-466-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1344-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1344-453-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-433-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-224-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1476-314-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1552-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1640-304-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1640-409-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-419-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2204-48-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2264-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2320-196-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2320-441-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-392-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-358-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2376-292-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2376-413-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2388-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2404-370-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2404-387-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-421-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2824-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2824-435-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2876-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2876-437-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2944-406-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2944-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2964-458-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2964-119-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3008-462-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3008-104-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-456-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-128-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3088-447-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3088-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3100-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3100-411-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3112-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3464-388-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3464-376-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3640-71-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4052-460-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4052-112-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4056-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4056-439-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4176-468-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4176-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4200-352-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4200-394-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4220-464-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4220-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-443-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4436-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4436-425-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4448-427-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4448-248-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4516-400-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4516-334-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4536-364-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4536-390-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4552-451-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4552-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4600-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4600-429-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4604-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4604-402-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4620-423-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4620-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4632-24-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4676-431-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4676-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4684-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4684-449-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4964-398-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4964-344-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5072-445-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5072-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads