19b24c087d6325250b123e856c0dd0e8660b533bcaf9e42c2ec0f5e14bb6aabd

Analysis

max time kernel
41s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39a2c952338610920d48bcf4966924a0N.exe
Size

91KB
MD5

39a2c952338610920d48bcf4966924a0
SHA1

85bbaa447106def78b11be7a1cc60a08c2f20f4f
SHA256

19b24c087d6325250b123e856c0dd0e8660b533bcaf9e42c2ec0f5e14bb6aabd
SHA512

57b192d68f4690a14a4b05da1b7f51960ea8ebf680068cf711faa382d7d4af77f1928aabcf736180a09f8bd45a31871ce4be2fd4a0555e17f3c7d695e1cea0b1
SSDEEP

1536:LwnU+GlCUShtVtFEpjQUKJP0Fm9CJPU1+f5xKz1oI/RSVX+Yr/viVMi:L+fGnShZDgm9CVE1Ncuo/vOMi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majdkifd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noighakn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjndca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elpnmhgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffcbce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpkll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogjbbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmlfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Diklpn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efolib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmknko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amfcfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkpakla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmlfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eeffpn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbibjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdbibjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fblpnepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqiakm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpedmhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fimedaoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goemhfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gddbfm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbhco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nogjbbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfhfjgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chfffk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbiggof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeffpn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidkep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghlell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noighakn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfffk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djcbib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fblpnepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlfaag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpbgghhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elpnmhgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjndca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfcfk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkpakla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elbkbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fimedaoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmknko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flpkll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfhfjgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enjand32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elbkbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffcbce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqiakm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbiggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djcbib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efllcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efllcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goemhfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdbeqmag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbhco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majdkifd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlfaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpedmhfi.exe

Executes dropped EXE 39 IoCs

pid	Process
968	Majdkifd.exe
2492	Mkbhco32.exe
2772	Nlfaag32.exe
2780	Nogjbbma.exe
2112	Noighakn.exe
2640	Pjndca32.exe
2304	Amfcfk32.exe
552	Bpfhfjgq.exe
588	Chfffk32.exe
1736	Chkpakla.exe
2328	Chmlfj32.exe
2516	Dqiakm32.exe
1844	Dgbiggof.exe
1372	Djcbib32.exe
2272	Dopkai32.exe
2468	Dpbgghhl.exe
2524	Diklpn32.exe
1496	Dpedmhfi.exe
860	Efolib32.exe
752	Enjand32.exe
624	Eipekmjg.exe
1824	Eeffpn32.exe
2140	Elpnmhgh.exe
1284	Elbkbh32.exe
1508	Efllcf32.exe
1648	Fabppo32.exe
1700	Fimedaoe.exe
1636	Fdbibjok.exe
2732	Fmknko32.exe
3020	Ffcbce32.exe
2872	Flpkll32.exe
2816	Fidkep32.exe
2124	Fblpnepn.exe
2612	Ghihfl32.exe
2220	Ghlell32.exe
1684	Goemhfco.exe
2056	Gdbeqmag.exe
800	Gddbfm32.exe
1792	Gmmgobfd.exe

Loads dropped DLL 64 IoCs

pid	Process
688	39a2c952338610920d48bcf4966924a0N.exe
688	39a2c952338610920d48bcf4966924a0N.exe
968	Majdkifd.exe
968	Majdkifd.exe
2492	Mkbhco32.exe
2492	Mkbhco32.exe
2772	Nlfaag32.exe
2772	Nlfaag32.exe
2780	Nogjbbma.exe
2780	Nogjbbma.exe
2112	Noighakn.exe
2112	Noighakn.exe
2640	Pjndca32.exe
2640	Pjndca32.exe
2304	Amfcfk32.exe
2304	Amfcfk32.exe
552	Bpfhfjgq.exe
552	Bpfhfjgq.exe
588	Chfffk32.exe
588	Chfffk32.exe
1736	Chkpakla.exe
1736	Chkpakla.exe
2328	Chmlfj32.exe
2328	Chmlfj32.exe
2516	Dqiakm32.exe
2516	Dqiakm32.exe
1844	Dgbiggof.exe
1844	Dgbiggof.exe
1372	Djcbib32.exe
1372	Djcbib32.exe
2272	Dopkai32.exe
2272	Dopkai32.exe
2468	Dpbgghhl.exe
2468	Dpbgghhl.exe
2524	Diklpn32.exe
2524	Diklpn32.exe
1496	Dpedmhfi.exe
1496	Dpedmhfi.exe
860	Efolib32.exe
860	Efolib32.exe
752	Enjand32.exe
752	Enjand32.exe
624	Eipekmjg.exe
624	Eipekmjg.exe
1824	Eeffpn32.exe
1824	Eeffpn32.exe
2140	Elpnmhgh.exe
2140	Elpnmhgh.exe
1284	Elbkbh32.exe
1284	Elbkbh32.exe
1508	Efllcf32.exe
1508	Efllcf32.exe
1648	Fabppo32.exe
1648	Fabppo32.exe
1700	Fimedaoe.exe
1700	Fimedaoe.exe
1636	Fdbibjok.exe
1636	Fdbibjok.exe
2732	Fmknko32.exe
2732	Fmknko32.exe
3020	Ffcbce32.exe
3020	Ffcbce32.exe
2872	Flpkll32.exe
2872	Flpkll32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ffcbce32.exe	Fmknko32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbhco32.exe	Majdkifd.exe
File created	C:\Windows\SysWOW64\Ghlell32.exe	Ghihfl32.exe
File created	C:\Windows\SysWOW64\Aeannooi.dll	Ghlell32.exe
File opened for modification	C:\Windows\SysWOW64\Gdbeqmag.exe	Goemhfco.exe
File created	C:\Windows\SysWOW64\Hhcbdmon.dll	Nlfaag32.exe
File created	C:\Windows\SysWOW64\Noighakn.exe	Nogjbbma.exe
File created	C:\Windows\SysWOW64\Elpnmhgh.exe	Eeffpn32.exe
File created	C:\Windows\SysWOW64\Fimedaoe.exe	Fabppo32.exe
File opened for modification	C:\Windows\SysWOW64\Fabppo32.exe	Efllcf32.exe
File created	C:\Windows\SysWOW64\Jjhecdda.dll	Fidkep32.exe
File created	C:\Windows\SysWOW64\Nogjbbma.exe	Nlfaag32.exe
File opened for modification	C:\Windows\SysWOW64\Dpedmhfi.exe	Diklpn32.exe
File opened for modification	C:\Windows\SysWOW64\Ghihfl32.exe	Fblpnepn.exe
File created	C:\Windows\SysWOW64\Pjiiggfq.dll	Dpedmhfi.exe
File opened for modification	C:\Windows\SysWOW64\Flpkll32.exe	Ffcbce32.exe
File opened for modification	C:\Windows\SysWOW64\Majdkifd.exe	39a2c952338610920d48bcf4966924a0N.exe
File created	C:\Windows\SysWOW64\Plongokk.dll	39a2c952338610920d48bcf4966924a0N.exe
File opened for modification	C:\Windows\SysWOW64\Eipekmjg.exe	Enjand32.exe
File opened for modification	C:\Windows\SysWOW64\Efllcf32.exe	Elbkbh32.exe
File created	C:\Windows\SysWOW64\Fidkep32.exe	Flpkll32.exe
File opened for modification	C:\Windows\SysWOW64\Pjndca32.exe	Noighakn.exe
File opened for modification	C:\Windows\SysWOW64\Djcbib32.exe	Dgbiggof.exe
File created	C:\Windows\SysWOW64\Ffcbce32.exe	Fmknko32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbiggof.exe	Dqiakm32.exe
File created	C:\Windows\SysWOW64\Nemoffml.dll	Eipekmjg.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Gddbfm32.exe
File created	C:\Windows\SysWOW64\Mkbhco32.exe	Majdkifd.exe
File created	C:\Windows\SysWOW64\Dpelnopf.dll	Noighakn.exe
File created	C:\Windows\SysWOW64\Iliehb32.dll	Chkpakla.exe
File created	C:\Windows\SysWOW64\Dceehbdo.dll	Chmlfj32.exe
File created	C:\Windows\SysWOW64\Dpbgghhl.exe	Dopkai32.exe
File created	C:\Windows\SysWOW64\Lelnjj32.dll	Efolib32.exe
File created	C:\Windows\SysWOW64\Ebineoap.dll	Flpkll32.exe
File created	C:\Windows\SysWOW64\Pjndca32.exe	Noighakn.exe
File opened for modification	C:\Windows\SysWOW64\Amfcfk32.exe	Pjndca32.exe
File opened for modification	C:\Windows\SysWOW64\Chkpakla.exe	Chfffk32.exe
File created	C:\Windows\SysWOW64\Neikfk32.dll	Elpnmhgh.exe
File created	C:\Windows\SysWOW64\Beoanjep.dll	Fblpnepn.exe
File created	C:\Windows\SysWOW64\Keedfp32.dll	Gdbeqmag.exe
File created	C:\Windows\SysWOW64\Ibfbna32.dll	Chfffk32.exe
File created	C:\Windows\SysWOW64\Enjand32.exe	Efolib32.exe
File created	C:\Windows\SysWOW64\Elbkbh32.exe	Elpnmhgh.exe
File created	C:\Windows\SysWOW64\Bpnmhiij.dll	Fmknko32.exe
File opened for modification	C:\Windows\SysWOW64\Ghlell32.exe	Ghihfl32.exe
File created	C:\Windows\SysWOW64\Jgmclcjo.dll	Goemhfco.exe
File created	C:\Windows\SysWOW64\Dgbiggof.exe	Dqiakm32.exe
File created	C:\Windows\SysWOW64\Oqmfaebe.dll	Djcbib32.exe
File opened for modification	C:\Windows\SysWOW64\Gddbfm32.exe	Gdbeqmag.exe
File opened for modification	C:\Windows\SysWOW64\Nlfaag32.exe	Mkbhco32.exe
File created	C:\Windows\SysWOW64\Chmlfj32.exe	Chkpakla.exe
File opened for modification	C:\Windows\SysWOW64\Fblpnepn.exe	Fidkep32.exe
File opened for modification	C:\Windows\SysWOW64\Fmknko32.exe	Fdbibjok.exe
File created	C:\Windows\SysWOW64\Aklgck32.dll	Majdkifd.exe
File created	C:\Windows\SysWOW64\Chfffk32.exe	Bpfhfjgq.exe
File opened for modification	C:\Windows\SysWOW64\Chmlfj32.exe	Chkpakla.exe
File created	C:\Windows\SysWOW64\Dopkai32.exe	Djcbib32.exe
File created	C:\Windows\SysWOW64\Mcdqeq32.dll	Eeffpn32.exe
File created	C:\Windows\SysWOW64\Eecipl32.dll	Elbkbh32.exe
File created	C:\Windows\SysWOW64\Fdbibjok.exe	Fimedaoe.exe
File created	C:\Windows\SysWOW64\Gddbfm32.exe	Gdbeqmag.exe
File opened for modification	C:\Windows\SysWOW64\Dopkai32.exe	Djcbib32.exe
File created	C:\Windows\SysWOW64\Eeffpn32.exe	Eipekmjg.exe
File created	C:\Windows\SysWOW64\Fmknko32.exe	Fdbibjok.exe

Program crash 1 IoCs

pid	pid_target	Process
2448	1792	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmlfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqmfaebe.dll"	Djcbib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcqj32.dll"	Fdbibjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fblpnepn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkpakla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beoanjep.dll"	Fblpnepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghlell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpaaa32.dll"	Diklpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdbibjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdmjfi32.dll"	Amfcfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkpakla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmlfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbiggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lindbn32.dll"	Enjand32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eipekmjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeannooi.dll"	Ghlell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfbna32.dll"	Chfffk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migbkglj.dll"	Fimedaoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffcbce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gddbfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fabppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keedfp32.dll"	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelnopf.dll"	Noighakn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopkai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fimedaoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fidkep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djcbib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkjca32.dll"	Dpbgghhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enjand32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fabppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chfffk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbiggof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efllcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	39a2c952338610920d48bcf4966924a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqiakm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfjbkng.dll"	Ghihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdbeqmag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majdkifd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nibmdpam.dll"	Dqiakm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjiiggfq.dll"	Dpedmhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plongokk.dll"	39a2c952338610920d48bcf4966924a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eipekmjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdbibjok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fidkep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklgck32.dll"	Majdkifd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfhfjgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noighakn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclbgadl.dll"	Nogjbbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafklb32.dll"	Fabppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majdkifd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfhfjgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efolib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpnmhiij.dll"	Fmknko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjndca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eeffpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noighakn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aefipolf.dll"	Dopkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elbkbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efllcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goemhfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Gddbfm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 968	688	39a2c952338610920d48bcf4966924a0N.exe	29
PID 688 wrote to memory of 968	688	39a2c952338610920d48bcf4966924a0N.exe	29
PID 688 wrote to memory of 968	688	39a2c952338610920d48bcf4966924a0N.exe	29
PID 688 wrote to memory of 968	688	39a2c952338610920d48bcf4966924a0N.exe	29
PID 968 wrote to memory of 2492	968	Majdkifd.exe	30
PID 968 wrote to memory of 2492	968	Majdkifd.exe	30
PID 968 wrote to memory of 2492	968	Majdkifd.exe	30
PID 968 wrote to memory of 2492	968	Majdkifd.exe	30
PID 2492 wrote to memory of 2772	2492	Mkbhco32.exe	31
PID 2492 wrote to memory of 2772	2492	Mkbhco32.exe	31
PID 2492 wrote to memory of 2772	2492	Mkbhco32.exe	31
PID 2492 wrote to memory of 2772	2492	Mkbhco32.exe	31
PID 2772 wrote to memory of 2780	2772	Nlfaag32.exe	32
PID 2772 wrote to memory of 2780	2772	Nlfaag32.exe	32
PID 2772 wrote to memory of 2780	2772	Nlfaag32.exe	32
PID 2772 wrote to memory of 2780	2772	Nlfaag32.exe	32
PID 2780 wrote to memory of 2112	2780	Nogjbbma.exe	33
PID 2780 wrote to memory of 2112	2780	Nogjbbma.exe	33
PID 2780 wrote to memory of 2112	2780	Nogjbbma.exe	33
PID 2780 wrote to memory of 2112	2780	Nogjbbma.exe	33
PID 2112 wrote to memory of 2640	2112	Noighakn.exe	34
PID 2112 wrote to memory of 2640	2112	Noighakn.exe	34
PID 2112 wrote to memory of 2640	2112	Noighakn.exe	34
PID 2112 wrote to memory of 2640	2112	Noighakn.exe	34
PID 2640 wrote to memory of 2304	2640	Pjndca32.exe	35
PID 2640 wrote to memory of 2304	2640	Pjndca32.exe	35
PID 2640 wrote to memory of 2304	2640	Pjndca32.exe	35
PID 2640 wrote to memory of 2304	2640	Pjndca32.exe	35
PID 2304 wrote to memory of 552	2304	Amfcfk32.exe	36
PID 2304 wrote to memory of 552	2304	Amfcfk32.exe	36
PID 2304 wrote to memory of 552	2304	Amfcfk32.exe	36
PID 2304 wrote to memory of 552	2304	Amfcfk32.exe	36
PID 552 wrote to memory of 588	552	Bpfhfjgq.exe	37
PID 552 wrote to memory of 588	552	Bpfhfjgq.exe	37
PID 552 wrote to memory of 588	552	Bpfhfjgq.exe	37
PID 552 wrote to memory of 588	552	Bpfhfjgq.exe	37
PID 588 wrote to memory of 1736	588	Chfffk32.exe	38
PID 588 wrote to memory of 1736	588	Chfffk32.exe	38
PID 588 wrote to memory of 1736	588	Chfffk32.exe	38
PID 588 wrote to memory of 1736	588	Chfffk32.exe	38
PID 1736 wrote to memory of 2328	1736	Chkpakla.exe	39
PID 1736 wrote to memory of 2328	1736	Chkpakla.exe	39
PID 1736 wrote to memory of 2328	1736	Chkpakla.exe	39
PID 1736 wrote to memory of 2328	1736	Chkpakla.exe	39
PID 2328 wrote to memory of 2516	2328	Chmlfj32.exe	40
PID 2328 wrote to memory of 2516	2328	Chmlfj32.exe	40
PID 2328 wrote to memory of 2516	2328	Chmlfj32.exe	40
PID 2328 wrote to memory of 2516	2328	Chmlfj32.exe	40
PID 2516 wrote to memory of 1844	2516	Dqiakm32.exe	41
PID 2516 wrote to memory of 1844	2516	Dqiakm32.exe	41
PID 2516 wrote to memory of 1844	2516	Dqiakm32.exe	41
PID 2516 wrote to memory of 1844	2516	Dqiakm32.exe	41
PID 1844 wrote to memory of 1372	1844	Dgbiggof.exe	42
PID 1844 wrote to memory of 1372	1844	Dgbiggof.exe	42
PID 1844 wrote to memory of 1372	1844	Dgbiggof.exe	42
PID 1844 wrote to memory of 1372	1844	Dgbiggof.exe	42
PID 1372 wrote to memory of 2272	1372	Djcbib32.exe	43
PID 1372 wrote to memory of 2272	1372	Djcbib32.exe	43
PID 1372 wrote to memory of 2272	1372	Djcbib32.exe	43
PID 1372 wrote to memory of 2272	1372	Djcbib32.exe	43
PID 2272 wrote to memory of 2468	2272	Dopkai32.exe	44
PID 2272 wrote to memory of 2468	2272	Dopkai32.exe	44
PID 2272 wrote to memory of 2468	2272	Dopkai32.exe	44
PID 2272 wrote to memory of 2468	2272	Dopkai32.exe	44

C:\Users\Admin\AppData\Local\Temp\39a2c952338610920d48bcf4966924a0N.exe
"C:\Users\Admin\AppData\Local\Temp\39a2c952338610920d48bcf4966924a0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\Majdkifd.exe
  C:\Windows\system32\Majdkifd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\Mkbhco32.exe
    C:\Windows\system32\Mkbhco32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\Nlfaag32.exe
      C:\Windows\system32\Nlfaag32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Nogjbbma.exe
        
        C:\Windows\system32\Nogjbbma.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\Noighakn.exe
        
        C:\Windows\system32\Noighakn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Pjndca32.exe
        
        C:\Windows\system32\Pjndca32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Amfcfk32.exe
        
        C:\Windows\system32\Amfcfk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Bpfhfjgq.exe
        
        C:\Windows\system32\Bpfhfjgq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Chfffk32.exe
        
        C:\Windows\system32\Chfffk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Chkpakla.exe
        
        C:\Windows\system32\Chkpakla.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Chmlfj32.exe
        
        C:\Windows\system32\Chmlfj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Dqiakm32.exe
        
        C:\Windows\system32\Dqiakm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Dgbiggof.exe
        
        C:\Windows\system32\Dgbiggof.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Djcbib32.exe
        
        C:\Windows\system32\Djcbib32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Dopkai32.exe
        
        C:\Windows\system32\Dopkai32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Dpbgghhl.exe
        
        C:\Windows\system32\Dpbgghhl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Diklpn32.exe
        
        C:\Windows\system32\Diklpn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dpedmhfi.exe
        
        C:\Windows\system32\Dpedmhfi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Efolib32.exe
        
        C:\Windows\system32\Efolib32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Enjand32.exe
        
        C:\Windows\system32\Enjand32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Eipekmjg.exe
        
        C:\Windows\system32\Eipekmjg.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Eeffpn32.exe
        
        C:\Windows\system32\Eeffpn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Elpnmhgh.exe
        
        C:\Windows\system32\Elpnmhgh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Elbkbh32.exe
        
        C:\Windows\system32\Elbkbh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Efllcf32.exe
        
        C:\Windows\system32\Efllcf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Fabppo32.exe
        
        C:\Windows\system32\Fabppo32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Fimedaoe.exe
        
        C:\Windows\system32\Fimedaoe.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Fdbibjok.exe
        
        C:\Windows\system32\Fdbibjok.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Fmknko32.exe
        
        C:\Windows\system32\Fmknko32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ffcbce32.exe
        
        C:\Windows\system32\Ffcbce32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Flpkll32.exe
        
        C:\Windows\system32\Flpkll32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Fidkep32.exe
        
        C:\Windows\system32\Fidkep32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Fblpnepn.exe
        
        C:\Windows\system32\Fblpnepn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Ghihfl32.exe
        
        C:\Windows\system32\Ghihfl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ghlell32.exe
        
        C:\Windows\system32\Ghlell32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Goemhfco.exe
        
        C:\Windows\system32\Goemhfco.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Gdbeqmag.exe
        
        C:\Windows\system32\Gdbeqmag.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Gddbfm32.exe
        
        C:\Windows\system32\Gddbfm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        40⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 140
        41⤵
        Program crash
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dclbgadl.dll

Filesize
7KB

MD5
1ee114f55e58cc956b8b9f8d1b9f4b24

SHA1
93060204c4297d66a1c96a788205c62a8a30380e

SHA256
31add9d9c37b016ebf622b504da94566fe38bb8a4a674e09878671ab7e83c04b

SHA512
123e38cb09a8c99d4ed3ea3669c4d7b4de2b834315288d8aca4b58323f3e7fec8e946d8da9de93724611c0862676e2e8b84efab87849525b52cd933684ba6d47

Download Submit
C:\Windows\SysWOW64\Diklpn32.exe

Filesize
91KB

MD5
fe554cff64ce3c502c3f294b1af7a0cc

SHA1
fcb62492e12f9bf061e6fa2b24786830e046595f

SHA256
5cc6e6d143e95699cbb8700f4f59f7c62d4efff58111e60075a0dea218eb2395

SHA512
c2a9db299ff0d48e4a4f1b374f17df6443380dae87c3e898ba18a802919fd7eaafcd626e04aa713956e214e13b23988dc455171b4b1c2da042f5be19331ddba3

Download Submit
C:\Windows\SysWOW64\Dpedmhfi.exe

Filesize
91KB

MD5
c978f1fd0e5cf18696e0127da988c056

SHA1
2586af663acbc48b5993b986d013a4c7189576d5

SHA256
51cb06b11ccf0d7bd4d4a39e533bbc6beaf14bc1bfd93665bc5a459f445f0800

SHA512
3534407730cac0104a66d33b814beae7994d1055b695d3ce7748ea691ae7c751aae7610277e98e6db299d5f44666d750dca04f0fd2695a1080a667ea15959dbd

Download Submit
C:\Windows\SysWOW64\Eeffpn32.exe

Filesize
91KB

MD5
76af04eb1972ee60cdb46e418ed9e603

SHA1
1f4f0b116dd7688ccfae9ecaab45a41794370656

SHA256
553f836165b846b0e1588d7715441e9ce48ecb5c235bd6beefbccc93512977dd

SHA512
5d16e67f05a7065329abc51d966220a7a025f8f26d37ae126b76f339b6cb42c878d3b32bfcb971590d7069f6ae14e5f3c89f0f0ff95e9ad8884464c179c99020

Download Submit
C:\Windows\SysWOW64\Efllcf32.exe

Filesize
91KB

MD5
13d5ae382a330e8d61189f7451b93678

SHA1
8447912168fd46789caee15d9709e193030572b9

SHA256
feb70ac52e8f08388784854898951ba7e348aec717d507cdf729434b2e4106f8

SHA512
51707f8ee88e790f0f516dadefcf6cf328cbe3bf64c776e236f4a8be55c86e9eb4666f6fe7cd2a53fbfe909438464bc2a36277c62b50649d8c653a4c65f41c63

Download Submit
C:\Windows\SysWOW64\Efolib32.exe

Filesize
91KB

MD5
039877b2bfc256ac112b89aea895dbcb

SHA1
21c489735c75c28a24e50c8e7c9b69c588306059

SHA256
fb15f9a04a0e875e8d64af24fabb028005a8d5e6a8faecc44f925ce91db33d86

SHA512
75786f0a2f36af0a4d0a44a075f4e594cc25602f093cea120987e8a82e78c7d5235bc26e0291fe355fe76528439c524774cbf7dd03ee159c1de392e1ad397a79

Download Submit
C:\Windows\SysWOW64\Eipekmjg.exe

Filesize
91KB

MD5
385fa5ba633a609985581e281dcf52db

SHA1
bc8781af02c62ac92e2a9c2356652050c43f32c8

SHA256
44b4a9a4c2d0315fb3528a8c07e21c571b037df7712520ad17d6424fa8c072ca

SHA512
df42c13c19d6d443f0f6f46c9033e5aa396ac8e2f0620924bab041a6dc548efe89f67776fc086fb27aaf4f1dcd11adc054718a0412ab4068c630a74df5aa941d

Download Submit
C:\Windows\SysWOW64\Elbkbh32.exe

Filesize
91KB

MD5
72be71a4c68b545fe54d7c57fdba1cf7

SHA1
782e5b9b116af7c004702442e3d5812cdfa3e3c9

SHA256
84fa8b8a932b27d3a562fde5c7604731d7532356cbd517e3d39e5e0485ef9827

SHA512
62133cfe780f0546457a1269dd89e2ad1eccd840bae1b07ea4450a43a162bf5166dd4d7c515796ba6e0b1bf5f48149f82c44f9cdd57048144d5ba77bf4fe0664

Download Submit
C:\Windows\SysWOW64\Elpnmhgh.exe

Filesize
91KB

MD5
a152e64b73dc9e38712032d266c1e77e

SHA1
015185c99c881c32f6c184887308149fc09b4d0c

SHA256
2019bd64514bb92e7a17acf54fa1ba6f959fffac3c61bea6db3470f2a1c86f6e

SHA512
49baad2d77ef102a691bb178bdb50059dcf9fc36ee9ff084096fc044527250d4452a1bfb79fb7d8257ec548b1f10a28916594d0a43ab31cbb4184d825d759872

Download Submit
C:\Windows\SysWOW64\Enjand32.exe

Filesize
91KB

MD5
de25b62d72cae3452fbc4b023b47fdeb

SHA1
b5dbce47f2b6600dda2619707192c3f1e56f73d8

SHA256
1306196985cd3e6ca662788884197b1af9bdef0e2e1a4f66b3e716fb1c9fd1cb

SHA512
5cca18d1e06e144e66ac9a4de5211818a3f5f5598a434d802fd6e831ba7ef08bd4717620ff656f46b56d6a0f32ad78113ce896a0b478849320bb9a6c358bce6c

Download Submit
C:\Windows\SysWOW64\Fabppo32.exe

Filesize
91KB

MD5
772c44f06558a02bb63edf40cf7a34be

SHA1
49f557fe248a5d6b9445f9d137b4d6dfdd927f67

SHA256
e1da85bfc1843259f010e0e9993ca150bebf4befb99d876d2b335ea918115a34

SHA512
88a6db919042176b98ca42408d088e50b6418a3820d4a94470a62b54ff4ef4c445438002ead695c6742c84fa3fb144dc219526b39d207ac9d27a0840020cccd3

Download Submit
C:\Windows\SysWOW64\Fblpnepn.exe

Filesize
91KB

MD5
623085670d2542e81b7601143b25d04c

SHA1
434bcd06a6f1ebe320dde99f7b1f4e0bb4975f74

SHA256
53b7c1de4820e0c54960d987339ad95c97eca5d0ca6b8a79eda572530251218a

SHA512
4d9ddafe95bb5fe6c551725eb5014943356be0dccad06f53cb42781a114c916e87d320725f8e0b7784907ba1e6f58795b1294070b6a109171686e067b359154e

Download Submit
C:\Windows\SysWOW64\Fdbibjok.exe

Filesize
91KB

MD5
90ab2a55b0d36c11f5d0b66f88aedec5

SHA1
1d45a8cb06fa1487a4cbf253188d369c2b0a7efd

SHA256
8b60391675dcd70ae89cc29767696826d795f72668322a3ca8db8f5076d0a2c7

SHA512
4bb99e78ac226a584e3b503b4635edda274d6bcb42a0e1c5931e77d8bd347f04f8b293961a5f88417d5cf2e81f57521b11dd79c1c53ccbdcb3bf25d9b35952ce

Download Submit
C:\Windows\SysWOW64\Ffcbce32.exe

Filesize
91KB

MD5
2a91f7fa79c3853880c1a120ce072d63

SHA1
1c67a4b45f9bbbbaede98c6aa0e986f76e9181f5

SHA256
acf6ea724adc137da5b93028f92356efe4a51dd0cbeeb20560ac67bf02bd42e4

SHA512
81fe75bfc2c4a48201f0bf9bd38d78fb400241b6dea2609474347139bdff163bd40e8ea79422b90b443368efcc238e8689febe9ec84d05ff828b3b3a387eeab2

Download Submit
C:\Windows\SysWOW64\Fidkep32.exe

Filesize
91KB

MD5
87b6c5c9f419b6bee037b1dd34ff5031

SHA1
abf4ae4aaaa5a3f24473165635d3ead7836b6958

SHA256
9f9a74d4e29659fdbe03abc9a01b605198e837a34773e45491d33ba0c621f067

SHA512
e235f436c5e8865e1fa0204f0aca85af4a32e95b967e40b2b6ba0c768f5416f178fd0deef7e9a507de7f582134656ecd54967b14adc8bac487df95c02cbd969c

Download Submit
C:\Windows\SysWOW64\Fimedaoe.exe

Filesize
91KB

MD5
f95148383881698f81ab58f59e7a326d

SHA1
4bcc46d3a35669eb32321af09010e0be9bdeee3a

SHA256
67ecec0c1e35403fb88704ccdff499abdad32f3128b03a5f0f271be2065b5e42

SHA512
7a86d19499fc122662668556e9928d63316d3937fb008dcff23a860506df608a5f130c9316f4f804553eed84f81b64f383c41a8cb46c2c6169e692710e058583

Download Submit
C:\Windows\SysWOW64\Flpkll32.exe

Filesize
91KB

MD5
82d0f91476830a493ee1f4c22694a4e3

SHA1
1332203a421008707c7a1a0a192e532f664e411b

SHA256
8c7c61e68c496d296ba7f6aee4a7349db30c27cdf17dfe82fb66c9f3518dda84

SHA512
28c953023f6f7c0f43f953d8cd63173cd7e1af35e145f131df7bd03ffb96349c29ef3a674a45b96d8b38b37248b41b4527dfdf1dd7148e3710797a822bccdaa7

Download Submit
C:\Windows\SysWOW64\Fmknko32.exe

Filesize
91KB

MD5
c60ffb1dadbaf599b3f62051c929bee9

SHA1
046f8403efab66ae911f3d053842972e032bd0bc

SHA256
6b8e425d57b62f763dddedee259b2d4c3e57903603b2542c2d6b26380e182c55

SHA512
649c2b85b66d4a076d8672a788134622277adb3959d9b150fcb70a2ba906f309cb5da0ce8be48b8b2d7f98901336060a36c78ddd388998e3723df0af174dcd01

Download Submit
C:\Windows\SysWOW64\Gdbeqmag.exe

Filesize
91KB

MD5
8794ef29d1528c9b68e3312c96a97b10

SHA1
c86ec346cae68c5587e36e63d4793da3f7aa691a

SHA256
972e3451ffb32fddc0aa2fb90279c7c064b551580b61c6dd74f84773e93b6fe2

SHA512
b645179af3d2817ed274726d442b3c0e71ee502d07be1b96ccd89c72ee2648b148aa216c662e80beb70d1c6f65d4abcddcea8daff630832451015d45664d8f35

Download Submit
C:\Windows\SysWOW64\Gddbfm32.exe

Filesize
91KB

MD5
fa05d9615b8ac769570cde94970a3aea

SHA1
80095fd9e37920ce92dc3d8581b224fed1bfa872

SHA256
a1da208b93b4272bed9aca67a411c2e61aead7bcab6b5dc88fb97c56e3627b94

SHA512
e32cd19cf3353a79e3526f6153ee9467023a66ec4f22155f7917fe5ee5721216b0f5523ebeaeb0ca1aa4dc6e6d6a5cd150fd004dc10e7e558bcce64d8778f37a

Download Submit
C:\Windows\SysWOW64\Ghihfl32.exe

Filesize
91KB

MD5
03e074609c4c7c94d07ca74396526f5f

SHA1
25d2cfb71707b4ef15296ca9ac81c46de581741f

SHA256
c53905f7bc8b070e67e4f685cd1d108a0b38e6e62595d7019fe67c37c4941c0f

SHA512
b337211d8f4a3422b2233aea6a0ad11211ff03419823401eecdfe7bac8265e2d65b203f70f16fa85be5e316b1ccc37c2c6bbe1c1ff6a6fae0917f8165868bdc6

Download Submit
C:\Windows\SysWOW64\Ghlell32.exe

Filesize
91KB

MD5
bc9fea100fcaa9aa259e934dbac64164

SHA1
e7e0f04b4e29b246b1188ebe1494299e86f9aec3

SHA256
db818adc08b215fdb72044aa90556a04b2a1b33e0b2522abf36ee6d1ce2cd7f5

SHA512
c2483526002d5578d916fb19c363326181bb3bf470d72a3838f1593d27a2e270bd2119823f775c24cad0c81f3889496128e65499142d74364273d813e76028ad

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
91KB

MD5
47466fa451c84f7bf9d4a679e46a752b

SHA1
5b9ddd6262b65e4e35acfc22f1d86b919f0e4a21

SHA256
94cc6836ef961276b266e6d960861ba59dedc56807b1a951b9cb7cb41af21662

SHA512
fb4c1ac8541a4cf0badd4c3afd52b11f6aa80c8a46a5acb5ad381642932c1ffc78ed108c1defbb7e1c3c5940cf300840b00fa0400db1efc26169d5685596fa47

Download Submit
C:\Windows\SysWOW64\Goemhfco.exe

Filesize
91KB

MD5
4f4c872bdae55cab386406b74055826f

SHA1
1ca2b32e0ba9823687cc4b6a1ee407b2923ed61c

SHA256
0455a64fb140efdc56e463d4381eec3fd765ecc9ead9c02587342763ec7dd72c

SHA512
9aac3180d2e8f4b52d9247389ae9b788bf0089017a2b897273c0738c9e31eb9f4b9579d2f1e9562ec4509152792343fb4908ceae316105123944952357c789f5

Download Submit
\Windows\SysWOW64\Amfcfk32.exe

Filesize
91KB

MD5
d38d27de38af4187c0198c12a3a0a441

SHA1
ff1a67835cf0b9a36975fbcf72ca60d132a162ce

SHA256
464a02b4f2a20ee2c89b1bb5f4feee831ce69dfd8b73b9aeef4fba6a4435b97f

SHA512
dcb906686a8c0086e628cf1041c11ca3cf5370cb00781c4d2f29d015723d386ef4d9d8c652a62174749766a4697a7cf7c38c1d0119e9be628cc2cb81847325b4

Download Submit
\Windows\SysWOW64\Bpfhfjgq.exe

Filesize
91KB

MD5
99817a7d52fb302f7f7b66f1b896598e

SHA1
8e63330e282c8617521175c24f0ed0bf8785f771

SHA256
ded52ab32d2f15111d1dfa8900c425068e016f7f371a8c7f580059bc86d41c2c

SHA512
8d656561709a183f90adb6c26c4d9267a9312c6c03409e0f7091391909d4254363a3c1751d9a3eb48057e737aaf7ce591d69a02a372fd2236363da84e596406b

Download Submit
\Windows\SysWOW64\Chfffk32.exe

Filesize
91KB

MD5
12110bbd661ed50f7e07affa87aad640

SHA1
9474ef5844f8cd4cf762250bbb262c40f9c94555

SHA256
3e6261958a344117394c7bccccc7b990251d6e7647becda9bc9a4a73c64f4ecf

SHA512
2037ec6f4e812050a90d1b9f61a709173c36194176e2a08adcca3528c1e00cf609801d0982e5aba01fa94825ce600dd93134e2f0c72bb25110476a71a8947b9e

Download Submit
\Windows\SysWOW64\Chkpakla.exe

Filesize
91KB

MD5
d6035a14404eeaa1c0588a0922ef9ae8

SHA1
58b9ebfac3162805e6ca83635aa637d9f2a2b1ab

SHA256
2b3643e1ada358d327fe5e8240dacf20d1b0c661b8d12a30c5b47f6fece56b49

SHA512
38fc3f48ab021a1f42bfdeacd75afc6135a3597e853bcbf39cfd3481219a8987ae5513c95a5294b30bccf7f3dff2b8dc9758967d490a7e637cc2c15e4057dcb7

Download Submit
\Windows\SysWOW64\Chmlfj32.exe

Filesize
91KB

MD5
882dd7112a27cd445dd5d6eb380cbb11

SHA1
43379a63eeb8032b5c8dfc3c5ec5e457a6f5baea

SHA256
99e855bad1cdbe476c1c879e600272b0c1821ebd7a976243e209dfc3d35c9f0d

SHA512
edef8cd41ee02cb3880484dbd15c209f3a1bd7c3177c5c15a577d78b9c3e1f55519ab68db047b377a6155afbba0399a4daddd6df3e63c68ba63ebcf86a59512f

Download Submit
\Windows\SysWOW64\Dgbiggof.exe

Filesize
91KB

MD5
bdf72afeb79e914b9cf5f5687589f501

SHA1
f84329b5903b8124502fe446375aff1c9ef296ee

SHA256
94ba6dddae037514765cf852d3e3b0ae1992646519160c42b451ba5ccbaaca47

SHA512
2e8da575eaba439714dd022d3306276e15e925c8ec417d0a52cb6cfc11a68bb9b7096f699ff16f7b53ee3d57f4e97ae0d4a9cfc7c509bec3a29928c03546c183

Download Submit
\Windows\SysWOW64\Djcbib32.exe

Filesize
91KB

MD5
5a9449fc471793a6a8891e1eebea3ca4

SHA1
1b70350b10ec6ccfe51ae81d476dcefdb7764151

SHA256
025a512865bb0af9467023f2c4591a0f9cee6f12c8a1c596c2dc384ff1d5b334

SHA512
c12320fee88cd6adcd807274adb07b088525f3ee1cae533b7cbb5f58bdd1df7867d0170ebec58f0f6dc43b0a90afa5ce85956ad0955d81d47fdf9afb3ea1188d

Download Submit
\Windows\SysWOW64\Dopkai32.exe

Filesize
91KB

MD5
dc49c2229722f1c397c700b43b780614

SHA1
44c17e9a96f95e9047ab2561277c0aecf121fbda

SHA256
a7b0cacb79667ef6b47b370e8559971de10acbbd1e9cdf73d76be23f173816fa

SHA512
aa2bb642e5194a65b89a859f0ce7782af6558e8b6d3914852066584036ae0db15161ba656867f597c130e0994aae72d05be95d26fb525a1cb4dcec5de04958d5

Download Submit
\Windows\SysWOW64\Dpbgghhl.exe

Filesize
91KB

MD5
450362e402925d3c576d528a8da1c5ad

SHA1
884ca2fa010b9a7f25fa9665706720422af85a3c

SHA256
be3d5b3d9bb37005dec4bdf5d5ec15095efc1a9f8f3931d37618bb6bb20470ad

SHA512
870e1e2ac5e46819a0c5751af00ed18950e8044fede2e4f3914b5a4e46a1a5b8fe55204348957668b23c155466893bae012fba3ccc1fd79f9958d476d30b014a

Download Submit
\Windows\SysWOW64\Dqiakm32.exe

Filesize
91KB

MD5
a56984a8b859a791ad55493a037167fe

SHA1
52b257aa4bede71a4c39fb4910a1901412103a8b

SHA256
b0d63267afb01eb5571e5bd1e17e3f00c1be5d455e019780b72efdad1ae97044

SHA512
8b3dfd042a751adc5a36b4f818bdf37432a07a904d00ce3f0a59517ee68a2652467ba224f78ff4095a7ea4d73ff3695f5384781e2b9e26e129d2be2670b12ef4

Download Submit
\Windows\SysWOW64\Majdkifd.exe

Filesize
91KB

MD5
bd329d78862f7cc5c22b409605041aa3

SHA1
19cb416d26aa57ac7727e5e6373500f20d95a755

SHA256
2cf5434cb1ce452d442618201783c5fa66607a46f8d2401c88d142ae8b45bd17

SHA512
7ea774b6b9be00ea2d3715ee9d4f18354716d7415e6fe6f3e943f93b3f742d46bc5b8aa471004b3504abed6e383b94bd0ca16b354cb71cef0e9d239cfe9a50d7

Download Submit
\Windows\SysWOW64\Mkbhco32.exe

Filesize
91KB

MD5
44709c4b0dc900ec93bc43737e5d7624

SHA1
0069e9c0523eb16d789d729c0599df78c4cb0177

SHA256
1c84f9a2ecc1f0e799acdfaab5abb9692ae8f6ef88470c9abfada7528eb946e1

SHA512
e6cb4a7b51dacc696c5164a95eabe657442de0d1400201b17f8a8d1663fdda19a70497398297d22eb4053546b81a4c1f997e3f8b0aeeb5fe343164050030d415

Download Submit
\Windows\SysWOW64\Nlfaag32.exe

Filesize
91KB

MD5
504a2c3ab17bc02ca9a7c4d263390dd9

SHA1
e6fa03aed0848276f7a014853f5dda3b93e49994

SHA256
ac56babb6e884d127015fa0aa480f6dc4cafa0bdf74fccc8deea67267e9d5ee6

SHA512
783548d530cd0eed61c771045dd015c97ee297a78c3a30ac3cac317df1c82fe6ada25a17a0a528499d7c1faf2bea71c259dda2dc884515beb7651ad194051173

Download Submit
\Windows\SysWOW64\Nogjbbma.exe

Filesize
91KB

MD5
f654ed965fde8ba8d0761d91a6cf9e9f

SHA1
1a49ea87c66d5ef47d13dd69d4913ac9904a045a

SHA256
f02aa1e9992559558b123a08771472fb96a2c719f5d8a82243df388747c513a6

SHA512
8318689a66700c7df21b456d3acab465e3beaafa53f0379f58680daa0278f16a92a4e62f7e61a9c5fae7618782e58362e8e75ddfb1bd4778a7932dc42c8c9a88

Download Submit
\Windows\SysWOW64\Noighakn.exe

Filesize
91KB

MD5
8d2b74de595e9f9acec8f6999ff2a8a8

SHA1
6d12599a198897eae1be6a5a3d6e9a3fb47852a2

SHA256
3913cc32d51dbf29f4477b2b4f3b37d354c8c96b75dbdd508f5334f8f9f67add

SHA512
e30b7aa78b78b2906a636a32336771810a8ff6a8917120d9f1cc40a330fa8278f2fc57cf7a1e28d6096684f999be3c9549e92d85c4da0b635844eca75fa398ab

Download Submit
\Windows\SysWOW64\Pjndca32.exe

Filesize
91KB

MD5
0a52797a71aafa8c04c4099a4a83a023

SHA1
85d5378247a82ffaa04504252c9947b37a1b2a27

SHA256
c6eabfa188aa03cd82052360a15bab53bba8a1cec9168ecd2fa03ac0aa6d0aa8

SHA512
44111dbe535264af02c7ee1847c693dd8747ddd1df48aa3e9ef0d9cfd6208e32565ca1bdea6b19e5e95f10d7f73ff277359e0f592a7dab0afaefd207d86a4c64

Download Submit
memory/552-467-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/552-468-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/552-116-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/552-108-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/588-469-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/624-273-0x0000000000610000-0x000000000064D000-memory.dmp

Filesize
244KB

Download
memory/624-274-0x0000000000610000-0x000000000064D000-memory.dmp

Filesize
244KB

Download
memory/624-264-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/688-403-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/688-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/688-7-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/688-422-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/752-253-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/752-263-0x00000000003A0000-0x00000000003DD000-memory.dmp

Filesize
244KB

Download
memory/752-262-0x00000000003A0000-0x00000000003DD000-memory.dmp

Filesize
244KB

Download
memory/800-455-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/800-460-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/800-461-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/860-252-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/860-244-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/968-25-0x00000000003A0000-0x00000000003DD000-memory.dmp

Filesize
244KB

Download
memory/968-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/968-428-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-297-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-306-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1284-307-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1372-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1496-238-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1508-317-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1508-308-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1508-318-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1636-341-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1636-355-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1636-350-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1648-319-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1648-328-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1648-329-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1684-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1700-340-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1700-339-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1700-330-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1736-470-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1736-134-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1792-462-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1824-277-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1824-285-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1824-281-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1844-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2056-449-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2056-444-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2112-74-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2124-408-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2124-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2124-407-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2140-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2140-295-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2140-296-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2220-429-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2220-427-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2272-208-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2272-201-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2304-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2328-160-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2328-161-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2328-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2328-471-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2468-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2492-439-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2492-36-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2492-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2492-37-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2516-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2524-225-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2612-404-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2612-417-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2640-82-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2640-465-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/2640-89-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/2640-464-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2732-356-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2732-362-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/2732-361-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/2772-450-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2772-48-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2780-463-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2780-63-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/2780-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2816-385-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2816-399-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2816-405-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2872-374-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2872-383-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/2872-384-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/3020-363-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3020-372-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/3020-373-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads