894733ba2516ec1bcda998d3ec08a1f5affdb2151733fbff35c6e83ed3774d42

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb70fed22565e18ce7f8e69049fe7180_JC.exe
Size

430KB
MD5

bb70fed22565e18ce7f8e69049fe7180
SHA1

b73bea67b06200084d08bc5144c1d71b82a350f3
SHA256

894733ba2516ec1bcda998d3ec08a1f5affdb2151733fbff35c6e83ed3774d42
SHA512

9582678f127ec7f3015ef1176dd32e9a76ce0242ed98d478e67eb3f16bf1feeb3d8bb87c83af3c1cbe60093cf2f7aa0844b90102e838d1a5bc075ffc207bba14
SSDEEP

6144:V+aF5SRhH0LVO9iERs+HLlD0rN2ZwVht740Psz:8JrH0LVO5Hpoxso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bb70fed22565e18ce7f8e69049fe7180_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npbceggm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bb70fed22565e18ce7f8e69049fe7180_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmfdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe

Executes dropped EXE 28 IoCs

pid	Process
2184	Kngkqbgl.exe
4732	Lnjgfb32.exe
3284	Lnldla32.exe
824	Lnoaaaad.exe
4168	Ljeafb32.exe
3840	Mqafhl32.exe
4768	Mqdcnl32.exe
1008	Mcelpggq.exe
4676	Mmmqhl32.exe
3848	Mnmmboed.exe
1004	Nqmfdj32.exe
3260	Npbceggm.exe
3988	Ncqlkemc.exe
3960	Npgmpf32.exe
2204	Nnhmnn32.exe
2116	Ojomcopk.exe
3084	Ocjoadei.exe
2484	Opqofe32.exe
3372	Ogjdmbil.exe
1100	Bkphhgfc.exe
1644	Cdimqm32.exe
4460	Cponen32.exe
4124	Chiblk32.exe
2656	Cgnomg32.exe
992	Cgqlcg32.exe
3312	Dpiplm32.exe
2276	Dnmaea32.exe
3884	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gpkpbaea.dll	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Mmmqhl32.exe	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Binlfp32.dll	Npbceggm.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Mqafhl32.exe	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Mcelpggq.exe	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Lnldla32.exe	Lnjgfb32.exe
File created	C:\Windows\SysWOW64\Bhgbbckh.dll	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Ogjdmbil.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmfdj32.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Lpghll32.dll	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncqlkemc.exe	Npbceggm.exe
File created	C:\Windows\SysWOW64\Nnhmnn32.exe	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Opqofe32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Mqdcnl32.exe	Mqafhl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhmnn32.exe	Npgmpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Nnhmnn32.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Ogjdmbil.exe
File opened for modification	C:\Windows\SysWOW64\Dpiplm32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Chiblk32.exe
File created	C:\Windows\SysWOW64\Kngkqbgl.exe	bb70fed22565e18ce7f8e69049fe7180_JC.exe
File opened for modification	C:\Windows\SysWOW64\Mqdcnl32.exe	Mqafhl32.exe
File created	C:\Windows\SysWOW64\Iknmmg32.dll	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Mnmmboed.exe	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Figfoijn.dll	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Ojomcopk.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Kngkqbgl.exe	bb70fed22565e18ce7f8e69049fe7180_JC.exe
File created	C:\Windows\SysWOW64\Fmplqd32.dll	Lnjgfb32.exe
File opened for modification	C:\Windows\SysWOW64\Lnoaaaad.exe	Lnldla32.exe
File created	C:\Windows\SysWOW64\Bjokon32.dll	Mqafhl32.exe
File created	C:\Windows\SysWOW64\Pmikmcgp.dll	Ocjoadei.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Ljeafb32.exe	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Mqafhl32.exe	Ljeafb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcelpggq.exe	Mqdcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnmmboed.exe	Mmmqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Npbceggm.exe	Nqmfdj32.exe
File created	C:\Windows\SysWOW64\Dannpknl.dll	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Hemikcpm.dll	bb70fed22565e18ce7f8e69049fe7180_JC.exe
File created	C:\Windows\SysWOW64\Jlllhigk.dll	Ljeafb32.exe
File opened for modification	C:\Windows\SysWOW64\Npgmpf32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Aepjgm32.dll	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Opqofe32.exe
File created	C:\Windows\SysWOW64\Nqmfdj32.exe	Mnmmboed.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Opqofe32.exe	Ocjoadei.exe
File opened for modification	C:\Windows\SysWOW64\Lnjgfb32.exe	Kngkqbgl.exe
File created	C:\Windows\SysWOW64\Lnoaaaad.exe	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Mmmqhl32.exe	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Folnlh32.dll	Mnmmboed.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3188	3884	WerFault.exe	106

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpjljph.dll"	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmfdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll"	Npbceggm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bb70fed22565e18ce7f8e69049fe7180_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npbceggm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bb70fed22565e18ce7f8e69049fe7180_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll"	bb70fed22565e18ce7f8e69049fe7180_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bb70fed22565e18ce7f8e69049fe7180_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqdcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdlf32.dll"	Lnldla32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2184	2088	bb70fed22565e18ce7f8e69049fe7180_JC.exe	81
PID 2088 wrote to memory of 2184	2088	bb70fed22565e18ce7f8e69049fe7180_JC.exe	81
PID 2088 wrote to memory of 2184	2088	bb70fed22565e18ce7f8e69049fe7180_JC.exe	81
PID 2184 wrote to memory of 4732	2184	Kngkqbgl.exe	82
PID 2184 wrote to memory of 4732	2184	Kngkqbgl.exe	82
PID 2184 wrote to memory of 4732	2184	Kngkqbgl.exe	82
PID 4732 wrote to memory of 3284	4732	Lnjgfb32.exe	84
PID 4732 wrote to memory of 3284	4732	Lnjgfb32.exe	84
PID 4732 wrote to memory of 3284	4732	Lnjgfb32.exe	84
PID 3284 wrote to memory of 824	3284	Lnldla32.exe	85
PID 3284 wrote to memory of 824	3284	Lnldla32.exe	85
PID 3284 wrote to memory of 824	3284	Lnldla32.exe	85
PID 824 wrote to memory of 4168	824	Lnoaaaad.exe	86
PID 824 wrote to memory of 4168	824	Lnoaaaad.exe	86
PID 824 wrote to memory of 4168	824	Lnoaaaad.exe	86
PID 4168 wrote to memory of 3840	4168	Ljeafb32.exe	87
PID 4168 wrote to memory of 3840	4168	Ljeafb32.exe	87
PID 4168 wrote to memory of 3840	4168	Ljeafb32.exe	87
PID 3840 wrote to memory of 4768	3840	Mqafhl32.exe	88
PID 3840 wrote to memory of 4768	3840	Mqafhl32.exe	88
PID 3840 wrote to memory of 4768	3840	Mqafhl32.exe	88
PID 4768 wrote to memory of 1008	4768	Mqdcnl32.exe	101
PID 4768 wrote to memory of 1008	4768	Mqdcnl32.exe	101
PID 4768 wrote to memory of 1008	4768	Mqdcnl32.exe	101
PID 1008 wrote to memory of 4676	1008	Mcelpggq.exe	89
PID 1008 wrote to memory of 4676	1008	Mcelpggq.exe	89
PID 1008 wrote to memory of 4676	1008	Mcelpggq.exe	89
PID 4676 wrote to memory of 3848	4676	Mmmqhl32.exe	90
PID 4676 wrote to memory of 3848	4676	Mmmqhl32.exe	90
PID 4676 wrote to memory of 3848	4676	Mmmqhl32.exe	90
PID 3848 wrote to memory of 1004	3848	Mnmmboed.exe	93
PID 3848 wrote to memory of 1004	3848	Mnmmboed.exe	93
PID 3848 wrote to memory of 1004	3848	Mnmmboed.exe	93
PID 1004 wrote to memory of 3260	1004	Nqmfdj32.exe	91
PID 1004 wrote to memory of 3260	1004	Nqmfdj32.exe	91
PID 1004 wrote to memory of 3260	1004	Nqmfdj32.exe	91
PID 3260 wrote to memory of 3988	3260	Npbceggm.exe	92
PID 3260 wrote to memory of 3988	3260	Npbceggm.exe	92
PID 3260 wrote to memory of 3988	3260	Npbceggm.exe	92
PID 3988 wrote to memory of 3960	3988	Ncqlkemc.exe	100
PID 3988 wrote to memory of 3960	3988	Ncqlkemc.exe	100
PID 3988 wrote to memory of 3960	3988	Ncqlkemc.exe	100
PID 3960 wrote to memory of 2204	3960	Npgmpf32.exe	99
PID 3960 wrote to memory of 2204	3960	Npgmpf32.exe	99
PID 3960 wrote to memory of 2204	3960	Npgmpf32.exe	99
PID 2204 wrote to memory of 2116	2204	Nnhmnn32.exe	98
PID 2204 wrote to memory of 2116	2204	Nnhmnn32.exe	98
PID 2204 wrote to memory of 2116	2204	Nnhmnn32.exe	98
PID 2116 wrote to memory of 3084	2116	Ojomcopk.exe	97
PID 2116 wrote to memory of 3084	2116	Ojomcopk.exe	97
PID 2116 wrote to memory of 3084	2116	Ojomcopk.exe	97
PID 3084 wrote to memory of 2484	3084	Ocjoadei.exe	95
PID 3084 wrote to memory of 2484	3084	Ocjoadei.exe	95
PID 3084 wrote to memory of 2484	3084	Ocjoadei.exe	95
PID 2484 wrote to memory of 3372	2484	Opqofe32.exe	96
PID 2484 wrote to memory of 3372	2484	Opqofe32.exe	96
PID 2484 wrote to memory of 3372	2484	Opqofe32.exe	96
PID 3372 wrote to memory of 1100	3372	Ogjdmbil.exe	113
PID 3372 wrote to memory of 1100	3372	Ogjdmbil.exe	113
PID 3372 wrote to memory of 1100	3372	Ogjdmbil.exe	113
PID 1100 wrote to memory of 1644	1100	Bkphhgfc.exe	111
PID 1100 wrote to memory of 1644	1100	Bkphhgfc.exe	111
PID 1100 wrote to memory of 1644	1100	Bkphhgfc.exe	111
PID 1644 wrote to memory of 4460	1644	Cdimqm32.exe	102

C:\Users\Admin\AppData\Local\Temp\bb70fed22565e18ce7f8e69049fe7180_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bb70fed22565e18ce7f8e69049fe7180_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Kngkqbgl.exe
  C:\Windows\system32\Kngkqbgl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\Lnjgfb32.exe
    C:\Windows\system32\Lnjgfb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\Lnldla32.exe
      C:\Windows\system32\Lnldla32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
      - C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008

C:\Windows\SysWOW64\Mmmqhl32.exe
C:\Windows\system32\Mmmqhl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\Mnmmboed.exe
  C:\Windows\system32\Mnmmboed.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SysWOW64\Nqmfdj32.exe
    C:\Windows\system32\Nqmfdj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1004

C:\Windows\SysWOW64\Npbceggm.exe
C:\Windows\system32\Npbceggm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\Ncqlkemc.exe
  C:\Windows\system32\Ncqlkemc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\Npgmpf32.exe
    C:\Windows\system32\Npgmpf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3960

C:\Windows\SysWOW64\Opqofe32.exe
C:\Windows\system32\Opqofe32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\Ogjdmbil.exe
  C:\Windows\system32\Ogjdmbil.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\Bkphhgfc.exe
    C:\Windows\system32\Bkphhgfc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1100

C:\Windows\SysWOW64\Ocjoadei.exe
C:\Windows\system32\Ocjoadei.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\Ojomcopk.exe
C:\Windows\system32\Ojomcopk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\Nnhmnn32.exe
C:\Windows\system32\Nnhmnn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\Cponen32.exe
C:\Windows\system32\Cponen32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4460
- C:\Windows\SysWOW64\Chiblk32.exe
  C:\Windows\system32\Chiblk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4124

C:\Windows\SysWOW64\Cgnomg32.exe
C:\Windows\system32\Cgnomg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2656
- C:\Windows\SysWOW64\Cgqlcg32.exe
  C:\Windows\system32\Cgqlcg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:992
- - C:\Windows\SysWOW64\Dpiplm32.exe
    C:\Windows\system32\Dpiplm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:3312

C:\Windows\SysWOW64\Dnmaea32.exe
C:\Windows\system32\Dnmaea32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2276
- C:\Windows\SysWOW64\Dkqaoe32.exe
  C:\Windows\system32\Dkqaoe32.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 400
    3⤵
    - Program crash
    PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884
1⤵
PID:1536

C:\Windows\SysWOW64\Cdimqm32.exe
C:\Windows\system32\Cdimqm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
430KB

MD5
85ea9d2a7c7ff446371216b73d4289dc

SHA1
6bda862dbf045366f382ba8cdc6e1a6a65192329

SHA256
26d6b96deb49a27edd058a487b4f5ff3e369b8cb16137bfd3f03e6910e64c1ae

SHA512
e855df90540b799b82ddf734dc836c5f0579e7b631f81404568e0bada6024a9797bec478bcbc6a440f14478bb3ad3422b0d265fbf260dd94961366ee2f2096d0

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
430KB

MD5
85ea9d2a7c7ff446371216b73d4289dc

SHA1
6bda862dbf045366f382ba8cdc6e1a6a65192329

SHA256
26d6b96deb49a27edd058a487b4f5ff3e369b8cb16137bfd3f03e6910e64c1ae

SHA512
e855df90540b799b82ddf734dc836c5f0579e7b631f81404568e0bada6024a9797bec478bcbc6a440f14478bb3ad3422b0d265fbf260dd94961366ee2f2096d0

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
430KB

MD5
d1140bf669843224ce1f9aee57a69c57

SHA1
98016e0ce0e36ca85d0e9761359cfd094c8dc88e

SHA256
3cfb14a12ffbe8d98a544863c2d540fae309462369672f55aa543a68089624ac

SHA512
6a5e4ad6d268e6527ef62175293c253d10af34e9ddfe5d7c94e7bf326b5e23c97add06b5a2348c0b1451dcaa081bf37230e3bf5c6dcd8efea80d6bb9605d0db4

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
430KB

MD5
d1140bf669843224ce1f9aee57a69c57

SHA1
98016e0ce0e36ca85d0e9761359cfd094c8dc88e

SHA256
3cfb14a12ffbe8d98a544863c2d540fae309462369672f55aa543a68089624ac

SHA512
6a5e4ad6d268e6527ef62175293c253d10af34e9ddfe5d7c94e7bf326b5e23c97add06b5a2348c0b1451dcaa081bf37230e3bf5c6dcd8efea80d6bb9605d0db4

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
430KB

MD5
e2cdba06d60d12235393f8a2561d9aeb

SHA1
d6f529302fe8e8ac7da9c2355c22f59c8196808b

SHA256
cdab97bcbcb4d56d17f74450b291a90d53c04ba4a5267b10bd02c88ac7021c6c

SHA512
6f8765fe0bc8541e408bae59509af4b7e10bf2065aa24c853f3a9250e07a7663f13f9e0e357dc07577c485618a87b99008a468e78f81b9f4a2cd6efdc0f82b60

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
430KB

MD5
e2cdba06d60d12235393f8a2561d9aeb

SHA1
d6f529302fe8e8ac7da9c2355c22f59c8196808b

SHA256
cdab97bcbcb4d56d17f74450b291a90d53c04ba4a5267b10bd02c88ac7021c6c

SHA512
6f8765fe0bc8541e408bae59509af4b7e10bf2065aa24c853f3a9250e07a7663f13f9e0e357dc07577c485618a87b99008a468e78f81b9f4a2cd6efdc0f82b60

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
430KB

MD5
bf2da5765996253a55b99ec60e267b08

SHA1
851c221b9e333e92415e5d5a3ca181ccf919d2c8

SHA256
90a185d303d936a409d58b2d1dbe2fded62ef4bc647bd2034e1c3bfa122fecae

SHA512
c0028c2b998239694718c9617dcadb86f1a5436b64094f49f263b5af75439f117f0ff3583127793b9525d2a216201cc725e95e9179de35eeb33865621160bd44

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
430KB

MD5
bf2da5765996253a55b99ec60e267b08

SHA1
851c221b9e333e92415e5d5a3ca181ccf919d2c8

SHA256
90a185d303d936a409d58b2d1dbe2fded62ef4bc647bd2034e1c3bfa122fecae

SHA512
c0028c2b998239694718c9617dcadb86f1a5436b64094f49f263b5af75439f117f0ff3583127793b9525d2a216201cc725e95e9179de35eeb33865621160bd44

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
430KB

MD5
5f2b1659a89bd75c5e813c0946149c3a

SHA1
e0e72c65a08ba7b9c796e53ffb4ec42c49eb2932

SHA256
18a12651e60a42d6002d07890aa6fef79162c443ff4257cda54a1e023478d840

SHA512
1aa3232c8bb2485fc8e7d944bea8f769fb70ca86e281cb7fd23da8728f00ccbf7ff73dace876c1fc7f043ab11735dcf1a27ede591ac1286c4456a14943fa33ad

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
430KB

MD5
5f2b1659a89bd75c5e813c0946149c3a

SHA1
e0e72c65a08ba7b9c796e53ffb4ec42c49eb2932

SHA256
18a12651e60a42d6002d07890aa6fef79162c443ff4257cda54a1e023478d840

SHA512
1aa3232c8bb2485fc8e7d944bea8f769fb70ca86e281cb7fd23da8728f00ccbf7ff73dace876c1fc7f043ab11735dcf1a27ede591ac1286c4456a14943fa33ad

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
430KB

MD5
33e1af93a3133d3d175085f87ce6ec39

SHA1
50fb5c45dd79285c8ad99b77f061da143b5b3fe5

SHA256
4a11cbc2867771c06bbd4df3f46b51441b5219f6c0f6c0b4bdab3156a0fdc25e

SHA512
c156d200b21eed2b7fb6f9508674067b3f305f6476a4c442eced5450b4d975241731c122dbbcaeff7afb9effac87ad4e66e02b88f5a787a935851345613522ad

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
430KB

MD5
33e1af93a3133d3d175085f87ce6ec39

SHA1
50fb5c45dd79285c8ad99b77f061da143b5b3fe5

SHA256
4a11cbc2867771c06bbd4df3f46b51441b5219f6c0f6c0b4bdab3156a0fdc25e

SHA512
c156d200b21eed2b7fb6f9508674067b3f305f6476a4c442eced5450b4d975241731c122dbbcaeff7afb9effac87ad4e66e02b88f5a787a935851345613522ad

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
430KB

MD5
580b8eb97ff7f36bfa6ceead3110a7f4

SHA1
1fd919f95d3f6835088f156c05cd3d2fbcaa1a89

SHA256
337b8d5d97e4ce57b5206354d8fb4a4c36fe612973283e7cbed5ee57b65bb080

SHA512
2e6faa3cfe81b17ead872ef259f3c136ee7cd52d131cce3ae049ae77e9b4d543e01c01c25db8feefe554683a5282440223aadee2f7baf262856ba2b38c1ab77c

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
430KB

MD5
580b8eb97ff7f36bfa6ceead3110a7f4

SHA1
1fd919f95d3f6835088f156c05cd3d2fbcaa1a89

SHA256
337b8d5d97e4ce57b5206354d8fb4a4c36fe612973283e7cbed5ee57b65bb080

SHA512
2e6faa3cfe81b17ead872ef259f3c136ee7cd52d131cce3ae049ae77e9b4d543e01c01c25db8feefe554683a5282440223aadee2f7baf262856ba2b38c1ab77c

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
430KB

MD5
08ecf92a873d8a1bef6d9ccde12f3231

SHA1
2add0a71bd80f0247360158558389ffaca29003a

SHA256
f7d3d05a0e0390764be1a4a1534c4bb3c775c273fc19da034519ce091eaf4a94

SHA512
e446ab85f6fd9b7afec65aed5f5a870cb75dd93bed99d536769cbc8c3052c0fd89673b5910822fd526d1e220968eb4733d54e6725ee97fab0254613fb546166e

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
430KB

MD5
08ecf92a873d8a1bef6d9ccde12f3231

SHA1
2add0a71bd80f0247360158558389ffaca29003a

SHA256
f7d3d05a0e0390764be1a4a1534c4bb3c775c273fc19da034519ce091eaf4a94

SHA512
e446ab85f6fd9b7afec65aed5f5a870cb75dd93bed99d536769cbc8c3052c0fd89673b5910822fd526d1e220968eb4733d54e6725ee97fab0254613fb546166e

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
430KB

MD5
f24db26832cbacc4b2614e725ae3c5ed

SHA1
2cbe9af5718c0c22420df5b3a25e827e1ef269aa

SHA256
c701b876ed29a337cf7a273131d2dc80724d2d5290e281e0534fbf5132ee1fa9

SHA512
d2ee2f547a65211aa36fa7958a181294efce70e2a8751a5cdf28b4f4f4195bda37e0e7c76d0dfb436086d77b8f730431d5def88a53dbcb0eaafad5dceb1b6d1b

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
430KB

MD5
f24db26832cbacc4b2614e725ae3c5ed

SHA1
2cbe9af5718c0c22420df5b3a25e827e1ef269aa

SHA256
c701b876ed29a337cf7a273131d2dc80724d2d5290e281e0534fbf5132ee1fa9

SHA512
d2ee2f547a65211aa36fa7958a181294efce70e2a8751a5cdf28b4f4f4195bda37e0e7c76d0dfb436086d77b8f730431d5def88a53dbcb0eaafad5dceb1b6d1b

Download Submit
C:\Windows\SysWOW64\Kngkqbgl.exe

Filesize
430KB

MD5
6d137eb1909182494eec65efc95bb478

SHA1
32b190909c583bb9df0989c4e665ce47a210f324

SHA256
fadfe12ee91ae9fd9b241392753d57f89e41b81fa08b76c201a0a2d3d79a72c4

SHA512
aead90bd16c2757e70ba83e647c8623e6e21eb802a096a794ed547deb468df0bede4fc2e39231ebf5a6d64d31822d8e6ce42a85947f81d51d84202705535abc4

Download Submit
C:\Windows\SysWOW64\Kngkqbgl.exe

Filesize
430KB

MD5
6d137eb1909182494eec65efc95bb478

SHA1
32b190909c583bb9df0989c4e665ce47a210f324

SHA256
fadfe12ee91ae9fd9b241392753d57f89e41b81fa08b76c201a0a2d3d79a72c4

SHA512
aead90bd16c2757e70ba83e647c8623e6e21eb802a096a794ed547deb468df0bede4fc2e39231ebf5a6d64d31822d8e6ce42a85947f81d51d84202705535abc4

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
430KB

MD5
6b459ade61ae355db2207e8111c70e58

SHA1
9ee1f4ce159c2a942651f1c506c3eae44dd8eb4b

SHA256
c97c87529b3fa05e616107019e9954a6f5b07a9a6d6459a40e0ee372080202af

SHA512
140b336c17b43cc2d5ee330c4c94f77d4fe22c02c163e4122ebefcb90975755af21586f2ec3d57e23944d32696a8b49e44fac8a2466ceb0dd640233a0ac74a76

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
430KB

MD5
ca46324bcae2d97eb77646a0c92740ff

SHA1
df5c3d8325be71e92faaf06aefc3c3ae9c5a5ad7

SHA256
573f0cea91022f171286c78f440c2556c5c564f3fc51df7f439cd58c7b8479a5

SHA512
1124df8f1c0250945297ddc23a0509c3eef9c4c7071d6270f2d755cd9f3eab65b8d3abdd3f78b382ac45980ccb3b890e36d364dc1bbab6abd31e872e124dd3b6

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
430KB

MD5
ca46324bcae2d97eb77646a0c92740ff

SHA1
df5c3d8325be71e92faaf06aefc3c3ae9c5a5ad7

SHA256
573f0cea91022f171286c78f440c2556c5c564f3fc51df7f439cd58c7b8479a5

SHA512
1124df8f1c0250945297ddc23a0509c3eef9c4c7071d6270f2d755cd9f3eab65b8d3abdd3f78b382ac45980ccb3b890e36d364dc1bbab6abd31e872e124dd3b6

Download Submit
C:\Windows\SysWOW64\Lnjgfb32.exe

Filesize
430KB

MD5
fa018b3ed37eb49db2a6ed73d7308fa0

SHA1
205dad2eb0bc9fc4283d278e0919185a88248de4

SHA256
dc174f5293e8426b1cb951175fbe69912de2cc19a8692abf287e1179a893ed1c

SHA512
78b3339d3c342370028e471ff32d79002128dffbb64efe0729e5c5210ba0fbd3e8e2a8d7f7f775891a72160f7d7d378d5cd21939a8b41453d01d2154f6a9ab19

Download Submit
C:\Windows\SysWOW64\Lnjgfb32.exe

Filesize
430KB

MD5
fa018b3ed37eb49db2a6ed73d7308fa0

SHA1
205dad2eb0bc9fc4283d278e0919185a88248de4

SHA256
dc174f5293e8426b1cb951175fbe69912de2cc19a8692abf287e1179a893ed1c

SHA512
78b3339d3c342370028e471ff32d79002128dffbb64efe0729e5c5210ba0fbd3e8e2a8d7f7f775891a72160f7d7d378d5cd21939a8b41453d01d2154f6a9ab19

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
430KB

MD5
cc16f9934f2ff40d87bdc3ecb7a4545c

SHA1
b70e3328000fddae48cfd66dc8dec3dc749d90b8

SHA256
a28d8ddf0cceb1f48248c703b85a70c306bd2c77afe59e491bf41c06d7400aa1

SHA512
96a2f2a850685c06abc9380f67b6c314e381cf2cc5616326d840644c7cb93df9201d1c0837754fcd6f12cbd3731cea7338c46319834f4cebfadb1cece984e751

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
430KB

MD5
cc16f9934f2ff40d87bdc3ecb7a4545c

SHA1
b70e3328000fddae48cfd66dc8dec3dc749d90b8

SHA256
a28d8ddf0cceb1f48248c703b85a70c306bd2c77afe59e491bf41c06d7400aa1

SHA512
96a2f2a850685c06abc9380f67b6c314e381cf2cc5616326d840644c7cb93df9201d1c0837754fcd6f12cbd3731cea7338c46319834f4cebfadb1cece984e751

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
430KB

MD5
6b459ade61ae355db2207e8111c70e58

SHA1
9ee1f4ce159c2a942651f1c506c3eae44dd8eb4b

SHA256
c97c87529b3fa05e616107019e9954a6f5b07a9a6d6459a40e0ee372080202af

SHA512
140b336c17b43cc2d5ee330c4c94f77d4fe22c02c163e4122ebefcb90975755af21586f2ec3d57e23944d32696a8b49e44fac8a2466ceb0dd640233a0ac74a76

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
430KB

MD5
6b459ade61ae355db2207e8111c70e58

SHA1
9ee1f4ce159c2a942651f1c506c3eae44dd8eb4b

SHA256
c97c87529b3fa05e616107019e9954a6f5b07a9a6d6459a40e0ee372080202af

SHA512
140b336c17b43cc2d5ee330c4c94f77d4fe22c02c163e4122ebefcb90975755af21586f2ec3d57e23944d32696a8b49e44fac8a2466ceb0dd640233a0ac74a76

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
430KB

MD5
7c06e0c2efad4d4f578a85a2edd646f2

SHA1
acc318fa46ca972f97682fc17fdae71bb8afb0fb

SHA256
50056898652501fb7ed65b0ef938312abc087f878080a3b38c764231012f3d69

SHA512
bd79badc19f4e2c91d9b1cc62113df7781a8f641c103a6b4b08ada2888e79894cd4c7c70ee106e4603b4235819b0ac1d7e36d92aff273bb9b528b5f0f1a42fb7

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
430KB

MD5
7c06e0c2efad4d4f578a85a2edd646f2

SHA1
acc318fa46ca972f97682fc17fdae71bb8afb0fb

SHA256
50056898652501fb7ed65b0ef938312abc087f878080a3b38c764231012f3d69

SHA512
bd79badc19f4e2c91d9b1cc62113df7781a8f641c103a6b4b08ada2888e79894cd4c7c70ee106e4603b4235819b0ac1d7e36d92aff273bb9b528b5f0f1a42fb7

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
430KB

MD5
23a9b04fde7611d360c3f97b311e5783

SHA1
1b07d6125f4c4c8fbddd0c0b3045bdd4f3201cf6

SHA256
2cf4fe7b214e1aaa7e8858f048ab3e590db25fa560e6b35ea86b30f3c6655bd2

SHA512
971d346c65cd7e2ee34480027276f6eaeb4cfafb578fa0ba45ead654b3cc4520de4a34cd6eeacee24a30c620130f7ec3861af7e32f6f7d5c4b4900de3f4b480c

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
430KB

MD5
23a9b04fde7611d360c3f97b311e5783

SHA1
1b07d6125f4c4c8fbddd0c0b3045bdd4f3201cf6

SHA256
2cf4fe7b214e1aaa7e8858f048ab3e590db25fa560e6b35ea86b30f3c6655bd2

SHA512
971d346c65cd7e2ee34480027276f6eaeb4cfafb578fa0ba45ead654b3cc4520de4a34cd6eeacee24a30c620130f7ec3861af7e32f6f7d5c4b4900de3f4b480c

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
430KB

MD5
ca99cc69a2f48d73ab4f04a6c0b04da9

SHA1
621c26ef5d435128d6363c24fb319aa778b2e613

SHA256
5b706241b78315a225b5c1bdd2c8b793b3f3807f7d2bb1aff5828cded737893f

SHA512
7b320b6345f6f2f29f3ab9f3a3626f5ac055cb69aa845a2afc9c1c3bcf3ae210ae28eabdc7d98b424458d446357b330641b6ca78366d8a9240fdcf492a659a3a

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
430KB

MD5
ca99cc69a2f48d73ab4f04a6c0b04da9

SHA1
621c26ef5d435128d6363c24fb319aa778b2e613

SHA256
5b706241b78315a225b5c1bdd2c8b793b3f3807f7d2bb1aff5828cded737893f

SHA512
7b320b6345f6f2f29f3ab9f3a3626f5ac055cb69aa845a2afc9c1c3bcf3ae210ae28eabdc7d98b424458d446357b330641b6ca78366d8a9240fdcf492a659a3a

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
430KB

MD5
8f964a04692a611a92dcaf58548d2860

SHA1
7ddd8e7f91e0de859f9b5a2899fae0b5adc850f9

SHA256
3dbaad02e807d88d652d8ae240d1774dcb2501a8260117051287ae8f6779ea7f

SHA512
72ca6feb3c63236ef431fd60244fec3be2fe8084ba533a1959a3e170aaf5704d8bd8ace7d697e2530e3f33fe1d0eea09bf7f409339c9a30b548525acb42bd372

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
430KB

MD5
8f964a04692a611a92dcaf58548d2860

SHA1
7ddd8e7f91e0de859f9b5a2899fae0b5adc850f9

SHA256
3dbaad02e807d88d652d8ae240d1774dcb2501a8260117051287ae8f6779ea7f

SHA512
72ca6feb3c63236ef431fd60244fec3be2fe8084ba533a1959a3e170aaf5704d8bd8ace7d697e2530e3f33fe1d0eea09bf7f409339c9a30b548525acb42bd372

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
430KB

MD5
75fde1be9d2105af9a25f9355a5094f9

SHA1
d66192c51364ab3e6f90a9374a96860f2ad13ffb

SHA256
9260e2752d8e77875d4125203479c6b9ad5cb5fbc14fe85c0bafd7cbc8582be9

SHA512
e0bdcec9d868fcee1d8dec56aaa917df1892be99b1b73a927d066c86b4021da6a7b1c0ee94d6a1c51350ddda6e6db40b591fd0039feb7a936a658aa881632b67

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
430KB

MD5
75fde1be9d2105af9a25f9355a5094f9

SHA1
d66192c51364ab3e6f90a9374a96860f2ad13ffb

SHA256
9260e2752d8e77875d4125203479c6b9ad5cb5fbc14fe85c0bafd7cbc8582be9

SHA512
e0bdcec9d868fcee1d8dec56aaa917df1892be99b1b73a927d066c86b4021da6a7b1c0ee94d6a1c51350ddda6e6db40b591fd0039feb7a936a658aa881632b67

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
430KB

MD5
aeb95c7bb90d3f358762802f5e552039

SHA1
3a512c9cd6f0093b2744a4115b5e9ab941ce1dbd

SHA256
f07c8dda90d72ef0981300073fc0eccc76523da60693fb1acb39b1a19637877b

SHA512
b6cfaeff9add8b22e5d44648126e8dfb2e658d66f855d2a8c79232905b2d3ebbc3d774b861e3455df03e12acbaefe6db788083d0ebfb733c2a36e7799098dd9a

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
430KB

MD5
aeb95c7bb90d3f358762802f5e552039

SHA1
3a512c9cd6f0093b2744a4115b5e9ab941ce1dbd

SHA256
f07c8dda90d72ef0981300073fc0eccc76523da60693fb1acb39b1a19637877b

SHA512
b6cfaeff9add8b22e5d44648126e8dfb2e658d66f855d2a8c79232905b2d3ebbc3d774b861e3455df03e12acbaefe6db788083d0ebfb733c2a36e7799098dd9a

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
430KB

MD5
85904c7fda4b74fbd40fafb20d75fd5c

SHA1
e10eef25cbd4711ce0467e45dfd0bf9429628325

SHA256
00cd21c9945568c1af9e29f2230d300a71a72618078062708c618d9ce742f9fe

SHA512
99f0379afc95c94fac47c39d108ff99e4bf11bc1121f1de43c696849436d44d7d62699a97c0c27c45fe28433e87aa54a9cd0f3800f9a3e11776cfb18df8ae21c

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
430KB

MD5
85904c7fda4b74fbd40fafb20d75fd5c

SHA1
e10eef25cbd4711ce0467e45dfd0bf9429628325

SHA256
00cd21c9945568c1af9e29f2230d300a71a72618078062708c618d9ce742f9fe

SHA512
99f0379afc95c94fac47c39d108ff99e4bf11bc1121f1de43c696849436d44d7d62699a97c0c27c45fe28433e87aa54a9cd0f3800f9a3e11776cfb18df8ae21c

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
430KB

MD5
a509934e0813a8971e3d14ce7b185b77

SHA1
e7c3376896acf39fcb53539813e4e0a7552d75b3

SHA256
39f4523547d4141e52999f32b4641adeedc59c394a884503f4ce94c1bd168dc5

SHA512
afe2a9a58b82dde9ead736eacd6d710260c88e34118bb78f7fc82646d69a78b97537da7fdc5f25d0117cd230a0a730c38fb917521bb956c38df901249fec0768

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
430KB

MD5
a509934e0813a8971e3d14ce7b185b77

SHA1
e7c3376896acf39fcb53539813e4e0a7552d75b3

SHA256
39f4523547d4141e52999f32b4641adeedc59c394a884503f4ce94c1bd168dc5

SHA512
afe2a9a58b82dde9ead736eacd6d710260c88e34118bb78f7fc82646d69a78b97537da7fdc5f25d0117cd230a0a730c38fb917521bb956c38df901249fec0768

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
430KB

MD5
d8a64262ec22c0a475633b9edc3b3fa1

SHA1
799392dee3a09e849a757e57553c4ad677fafffb

SHA256
d67c9f0fa8a7c3cd087f04d913d9fcb139d31d548e8d0f1bfeb2be354992e795

SHA512
041a5cdaf8371f09a73930e36f1e0cc3be6c1cd2f8bf82437e827e2a714e7578cd5d18a408acd61f6b0878a72fd16e47a4129c6dc5cb0e0f2792d610b89d0f8e

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
430KB

MD5
d8a64262ec22c0a475633b9edc3b3fa1

SHA1
799392dee3a09e849a757e57553c4ad677fafffb

SHA256
d67c9f0fa8a7c3cd087f04d913d9fcb139d31d548e8d0f1bfeb2be354992e795

SHA512
041a5cdaf8371f09a73930e36f1e0cc3be6c1cd2f8bf82437e827e2a714e7578cd5d18a408acd61f6b0878a72fd16e47a4129c6dc5cb0e0f2792d610b89d0f8e

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
430KB

MD5
a5e7eb2a9ba679c9967152b1c9529e41

SHA1
7212fdb85b3083d9e3aef17103c4d1d1074b489a

SHA256
39e32e19ea212677188d7e5216cc8ce8468127fc4fc0975fbfc197677e785ca9

SHA512
3835b8ec7b6c406907de1d202b789049bfa0a39b8e68b76558befa3e9e8d9260a6baa8c26e88339eaa6f4c49c51f628b36deda1d6217ba075c9c99c89cd56090

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
430KB

MD5
a5e7eb2a9ba679c9967152b1c9529e41

SHA1
7212fdb85b3083d9e3aef17103c4d1d1074b489a

SHA256
39e32e19ea212677188d7e5216cc8ce8468127fc4fc0975fbfc197677e785ca9

SHA512
3835b8ec7b6c406907de1d202b789049bfa0a39b8e68b76558befa3e9e8d9260a6baa8c26e88339eaa6f4c49c51f628b36deda1d6217ba075c9c99c89cd56090

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
430KB

MD5
540b4d34822139cad622b52033959ce0

SHA1
999c3511f86db5b455986a87deead9d6264b02f9

SHA256
b2a441e381f9bd936aa7b7017353ebd5583b4d3e5aaf39c749825832a16145f8

SHA512
0e9cdf2164820129071131d47ef8c2e680735d850674f37e0c3228ed650205c18790f480ebb9d589d0f6e47088eae0f64cf6c4473623d04c9ff360f4352f5747

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
430KB

MD5
540b4d34822139cad622b52033959ce0

SHA1
999c3511f86db5b455986a87deead9d6264b02f9

SHA256
b2a441e381f9bd936aa7b7017353ebd5583b4d3e5aaf39c749825832a16145f8

SHA512
0e9cdf2164820129071131d47ef8c2e680735d850674f37e0c3228ed650205c18790f480ebb9d589d0f6e47088eae0f64cf6c4473623d04c9ff360f4352f5747

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
430KB

MD5
c14da7092df4d9cd14c1346b45fd2ae8

SHA1
f1c7f4e87be4520f90cd3cb2902cf9805f99e701

SHA256
ecf0cade0897c2f7eea47a16aa292d0c84125886f9144fb84a7f956f259855a8

SHA512
a65a4110529da8e28d4e47d7c4a06177fc8a915a8faa9e06dc7e233d97276fdf7b8aa4be6dfaae5f3e6e129a573a50e2797906f92bd692e994655a24b35e0bab

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
430KB

MD5
c14da7092df4d9cd14c1346b45fd2ae8

SHA1
f1c7f4e87be4520f90cd3cb2902cf9805f99e701

SHA256
ecf0cade0897c2f7eea47a16aa292d0c84125886f9144fb84a7f956f259855a8

SHA512
a65a4110529da8e28d4e47d7c4a06177fc8a915a8faa9e06dc7e233d97276fdf7b8aa4be6dfaae5f3e6e129a573a50e2797906f92bd692e994655a24b35e0bab

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
430KB

MD5
71a464cabf177c7b45109ba3bf06063a

SHA1
00538744cecd623b1b0c97985d0417ec8c688191

SHA256
feb2fae91c33fd15d9aef8062ff19ebfa39e93812f11f7bfd5f3dadb8d08ae48

SHA512
8d6982287b7e4dac94be5622f4a8e28ee6b7db6bf2560608b13c35facfd38564bad86a32eb5e5afb26d9cd2c9693c8f8c3c27f8f02d775f401a791360e871458

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
430KB

MD5
71a464cabf177c7b45109ba3bf06063a

SHA1
00538744cecd623b1b0c97985d0417ec8c688191

SHA256
feb2fae91c33fd15d9aef8062ff19ebfa39e93812f11f7bfd5f3dadb8d08ae48

SHA512
8d6982287b7e4dac94be5622f4a8e28ee6b7db6bf2560608b13c35facfd38564bad86a32eb5e5afb26d9cd2c9693c8f8c3c27f8f02d775f401a791360e871458

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
430KB

MD5
c2853a2af9988f3d0b278562bc9c438c

SHA1
92dd0135b393768df80659ddf61683fb3719586a

SHA256
b3a5b9760b6a9165126d3e62429ed3fa5b367e1001d697c2600731167b6cb96d

SHA512
d80ac1434df6eb4628204dad9b6ec5651cc110f8f1708b666f40091c861dca55dd879c158b30fef8fca62f8e80b9bd20b5f01a306aa21cad1bc57ae8c0563c37

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
430KB

MD5
c2853a2af9988f3d0b278562bc9c438c

SHA1
92dd0135b393768df80659ddf61683fb3719586a

SHA256
b3a5b9760b6a9165126d3e62429ed3fa5b367e1001d697c2600731167b6cb96d

SHA512
d80ac1434df6eb4628204dad9b6ec5651cc110f8f1708b666f40091c861dca55dd879c158b30fef8fca62f8e80b9bd20b5f01a306aa21cad1bc57ae8c0563c37

Download Submit
memory/824-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads