7286ec92e48e07d5145f81046e467c5278139afb66b9e30a5242e4fa73af9b49

Analysis

max time kernel
171s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2036ebeb7a0050485df7a94604428f0.exe
Size

107KB
MD5

a2036ebeb7a0050485df7a94604428f0
SHA1

c3a8e5f8f0664a5c8e5a2db424e7fc50a64133b3
SHA256

7286ec92e48e07d5145f81046e467c5278139afb66b9e30a5242e4fa73af9b49
SHA512

5674c3fac48f42d125e2528826282d9ad2d3372544a740a8e189d577366cba7534b5e47e9257042ba15a6477c1018c3f95f1f0f440c4253a0cfbb638e20f8fdf
SSDEEP

1536:8gtxCYHkqtdAyd83mH+8wjfOB4VWul2LkaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:KYEu6Y7+80OB4WuWkaMU7uihJ5233y

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hofmaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljffccjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljffccjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmghdpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdlgmgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onqdhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpkhjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpkhjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mikepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjpoio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagajlal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjpoio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eimlgnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofmaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhbmnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljephmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnocakfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mejnlpai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghbkdald.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mikepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnocakfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foqdem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfgace32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfeoijbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onqdhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebdcmhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgafqla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbdmdlie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnppkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foqdem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Decdeama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dagajlal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Decdeama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eimlgnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggapj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jggapj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oggllnkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhbmnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ankgpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijigfaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igkadlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndmpddfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a2036ebeb7a0050485df7a94604428f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ankgpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaglf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfmghdpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdlgmgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciefek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deejpjgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgagjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgagjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deejpjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbdmdlie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjlnhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eihlahjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gooqfkan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijigfaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a2036ebeb7a0050485df7a94604428f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgmllpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oggllnkl.exe

Malware Dropper & Backdoor - Berbew 35 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000300000001e7e2-8.dat	family_berbew
behavioral2/files/0x000300000001e7e4-16.dat	family_berbew
behavioral2/files/0x000400000001e7e9-24.dat	family_berbew
behavioral2/files/0x000200000001e7eb-27.dat	family_berbew
behavioral2/files/0x000200000001e7ed-40.dat	family_berbew
behavioral2/files/0x000200000001e7f0-48.dat	family_berbew
behavioral2/files/0x000200000001e7f2-56.dat	family_berbew
behavioral2/files/0x000200000001e7f4-64.dat	family_berbew
behavioral2/files/0x000200000001e7f6-72.dat	family_berbew
behavioral2/files/0x000200000001e7f9-80.dat	family_berbew
behavioral2/files/0x000200000001e7fb-89.dat	family_berbew
behavioral2/files/0x000200000001e7fd-98.dat	family_berbew
behavioral2/files/0x000300000001e800-107.dat	family_berbew
behavioral2/files/0x000200000001e802-116.dat	family_berbew
behavioral2/files/0x000200000001e804-125.dat	family_berbew
behavioral2/files/0x000200000001e806-134.dat	family_berbew
behavioral2/files/0x000200000001e809-145.dat	family_berbew
behavioral2/files/0x000200000001e80b-152.dat	family_berbew
behavioral2/files/0x000300000002276d-161.dat	family_berbew
behavioral2/files/0x000a00000002303e-171.dat	family_berbew
behavioral2/files/0x000600000002314f-180.dat	family_berbew
behavioral2/files/0x0006000000023152-187.dat	family_berbew
behavioral2/files/0x0006000000023155-196.dat	family_berbew
behavioral2/files/0x0006000000023157-205.dat	family_berbew
behavioral2/files/0x0006000000023159-212.dat	family_berbew
behavioral2/files/0x000600000002315b-221.dat	family_berbew
behavioral2/files/0x0006000000023162-224.dat	family_berbew
behavioral2/files/0x0006000000023164-238.dat	family_berbew
behavioral2/files/0x000700000002314a-247.dat	family_berbew
behavioral2/files/0x000700000002314c-256.dat	family_berbew
behavioral2/files/0x0006000000023166-264.dat	family_berbew
behavioral2/files/0x0006000000023168-273.dat	family_berbew
behavioral2/files/0x0006000000023174-310.dat	family_berbew
behavioral2/files/0x0006000000023179-322.dat	family_berbew
behavioral2/files/0x000600000002317e-336.dat	family_berbew

Executes dropped EXE 45 IoCs

pid	Process
4908	Jnocakfb.exe
696	Lfpkhjae.exe
1212	Mejnlpai.exe
800	Nhbmnj32.exe
1256	Pbdmdlie.exe
2212	Akhaipei.exe
2288	Ankgpk32.exe
2032	Bnppkj32.exe
5092	Belemd32.exe
2128	Cgagjo32.exe
3060	Cfgace32.exe
1784	Decdeama.exe
5060	Eimlgnij.exe
4632	Fpnkdfko.exe
4224	Fgmllpng.exe
1656	Hofmaq32.exe
2560	Hfeoijbi.exe
4284	Igkadlcd.exe
4352	Jggapj32.exe
2152	Kfaglf32.exe
2664	Ljffccjh.exe
2376	Lfmghdpl.exe
2928	Mdlgmgdh.exe
3304	Ndmpddfe.exe
4952	Oggllnkl.exe
3596	Onqdhh32.exe
5072	Pjlnhi32.exe
396	Bgeadjai.exe
3096	Bgodjiio.exe
4528	Cebdcmhh.exe
1880	Ciefek32.exe
116	Dagajlal.exe
1680	Deejpjgc.exe
3420	Eihlahjd.exe
3148	Fjpoio32.exe
3108	Foqdem32.exe
4692	Ghbkdald.exe
3196	Gooqfkan.exe
2328	Ijigfaol.exe
4604	Kbgafqla.exe
4768	Ljephmgl.exe
1272	Lcdjba32.exe
1764	Mikepg32.exe
1660	Nmpdgdmp.exe
5040	Nleaha32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cgagjo32.exe	Belemd32.exe
File created	C:\Windows\SysWOW64\Kfaglf32.exe	Jggapj32.exe
File created	C:\Windows\SysWOW64\Gooqfkan.exe	Ghbkdald.exe
File created	C:\Windows\SysWOW64\Oggllnkl.exe	Ndmpddfe.exe
File created	C:\Windows\SysWOW64\Deejpjgc.exe	Dagajlal.exe
File opened for modification	C:\Windows\SysWOW64\Gooqfkan.exe	Ghbkdald.exe
File created	C:\Windows\SysWOW64\Niaekl32.dll	Nmpdgdmp.exe
File created	C:\Windows\SysWOW64\Pbdmdlie.exe	Nhbmnj32.exe
File opened for modification	C:\Windows\SysWOW64\Hfeoijbi.exe	Hofmaq32.exe
File created	C:\Windows\SysWOW64\Foqdem32.exe	Fjpoio32.exe
File opened for modification	C:\Windows\SysWOW64\Foqdem32.exe	Fjpoio32.exe
File created	C:\Windows\SysWOW64\Egfghn32.dll	Ljffccjh.exe
File opened for modification	C:\Windows\SysWOW64\Bgeadjai.exe	Pjlnhi32.exe
File created	C:\Windows\SysWOW64\Ijigfaol.exe	Gooqfkan.exe
File created	C:\Windows\SysWOW64\Onbiicqa.dll	Oggllnkl.exe
File created	C:\Windows\SysWOW64\Lmlihj32.dll	Eihlahjd.exe
File created	C:\Windows\SysWOW64\Ejjakmcg.dll	Ijigfaol.exe
File created	C:\Windows\SysWOW64\Mejnlpai.exe	Lfpkhjae.exe
File opened for modification	C:\Windows\SysWOW64\Pbdmdlie.exe	Nhbmnj32.exe
File created	C:\Windows\SysWOW64\Hnkhdmeh.dll	Onqdhh32.exe
File created	C:\Windows\SysWOW64\Ciefek32.exe	Cebdcmhh.exe
File opened for modification	C:\Windows\SysWOW64\Pjlnhi32.exe	Onqdhh32.exe
File opened for modification	C:\Windows\SysWOW64\Dagajlal.exe	Ciefek32.exe
File created	C:\Windows\SysWOW64\Onccdj32.dll	Dagajlal.exe
File created	C:\Windows\SysWOW64\Nleaha32.exe	Nmpdgdmp.exe
File created	C:\Windows\SysWOW64\Jkkdccim.dll	Mejnlpai.exe
File created	C:\Windows\SysWOW64\Dcgpmj32.dll	Cgagjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ljffccjh.exe	Kfaglf32.exe
File created	C:\Windows\SysWOW64\Lkehlmll.dll	Gooqfkan.exe
File created	C:\Windows\SysWOW64\Fbjcmpdk.dll	Bnppkj32.exe
File created	C:\Windows\SysWOW64\Fgmllpng.exe	Fpnkdfko.exe
File created	C:\Windows\SysWOW64\Ndmpddfe.exe	Mdlgmgdh.exe
File created	C:\Windows\SysWOW64\Hinklh32.dll	Bgeadjai.exe
File created	C:\Windows\SysWOW64\Lcdjba32.exe	Ljephmgl.exe
File created	C:\Windows\SysWOW64\Pagebpan.dll	Hofmaq32.exe
File created	C:\Windows\SysWOW64\Bgodjiio.exe	Bgeadjai.exe
File opened for modification	C:\Windows\SysWOW64\Eihlahjd.exe	Deejpjgc.exe
File created	C:\Windows\SysWOW64\Lfpiamoj.dll	Deejpjgc.exe
File opened for modification	C:\Windows\SysWOW64\Igkadlcd.exe	Hfeoijbi.exe
File created	C:\Windows\SysWOW64\Bdhiofpj.dll	Cebdcmhh.exe
File opened for modification	C:\Windows\SysWOW64\Mikepg32.exe	Lcdjba32.exe
File opened for modification	C:\Windows\SysWOW64\Belemd32.exe	Bnppkj32.exe
File opened for modification	C:\Windows\SysWOW64\Cfgace32.exe	Cgagjo32.exe
File opened for modification	C:\Windows\SysWOW64\Fpnkdfko.exe	Eimlgnij.exe
File created	C:\Windows\SysWOW64\Igkadlcd.exe	Hfeoijbi.exe
File created	C:\Windows\SysWOW64\Onqdhh32.exe	Oggllnkl.exe
File opened for modification	C:\Windows\SysWOW64\Fjpoio32.exe	Eihlahjd.exe
File created	C:\Windows\SysWOW64\Jnefdf32.dll	Lcdjba32.exe
File created	C:\Windows\SysWOW64\Lfpkhjae.exe	Jnocakfb.exe
File opened for modification	C:\Windows\SysWOW64\Nhbmnj32.exe	Mejnlpai.exe
File created	C:\Windows\SysWOW64\Idfedoei.dll	Jggapj32.exe
File created	C:\Windows\SysWOW64\Afdmjk32.dll	Kfaglf32.exe
File created	C:\Windows\SysWOW64\Dagajlal.exe	Ciefek32.exe
File opened for modification	C:\Windows\SysWOW64\Ijigfaol.exe	Gooqfkan.exe
File created	C:\Windows\SysWOW64\Ankgpk32.exe	Akhaipei.exe
File opened for modification	C:\Windows\SysWOW64\Decdeama.exe	Cfgace32.exe
File opened for modification	C:\Windows\SysWOW64\Lfmghdpl.exe	Ljffccjh.exe
File created	C:\Windows\SysWOW64\Pjlnhi32.exe	Onqdhh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbgafqla.exe	Ijigfaol.exe
File created	C:\Windows\SysWOW64\Decdeama.exe	Cfgace32.exe
File created	C:\Windows\SysWOW64\Amfemoei.dll	Decdeama.exe
File created	C:\Windows\SysWOW64\Jggapj32.exe	Igkadlcd.exe
File created	C:\Windows\SysWOW64\Bgeadjai.exe	Pjlnhi32.exe
File created	C:\Windows\SysWOW64\Igadaq32.dll	Akhaipei.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4920	5040	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdlgmgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkdccim.dll"	Mejnlpai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfgace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggnnqmk.dll"	Eimlgnij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eihlahjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmajnph.dll"	Ghbkdald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mikepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deejpjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eihlahjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpdgdmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhbmnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Decdeama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfaglf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfmghdpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndmpddfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dagajlal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjakmcg.dll"	Ijigfaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hofmaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfeoijbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljffccjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjlnhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhbmnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcijglg.dll"	a2036ebeb7a0050485df7a94604428f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjcmpdk.dll"	Bnppkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfomiaim.dll"	Pjlnhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlibnkcm.dll"	Kbgafqla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akhaipei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfmghdpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghbkdald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdjba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igkadlcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jggapj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfedoei.dll"	Jggapj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkhdmeh.dll"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdkgi32.dll"	Mikepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfghn32.dll"	Ljffccjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deejpjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a2036ebeb7a0050485df7a94604428f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ankgpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfgace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpnkdfko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnkig32.dll"	Hfeoijbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gooqfkan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfpkhjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngjpgqp.dll"	Belemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagebpan.dll"	Hofmaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbiicqa.dll"	Oggllnkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkmck32.dll"	Fjpoio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biadee32.dll"	Jnocakfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgagjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfnab32.dll"	Ljephmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niaekl32.dll"	Nmpdgdmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a2036ebeb7a0050485df7a94604428f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfpkhjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll"	Decdeama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebdcmhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnocakfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbggp32.dll"	Cfgace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpppcge.dll"	Fgmllpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inopfb32.dll"	Lfmghdpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppgmlhk.dll"	Bgodjiio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4908	3492	a2036ebeb7a0050485df7a94604428f0.exe	92
PID 3492 wrote to memory of 4908	3492	a2036ebeb7a0050485df7a94604428f0.exe	92
PID 3492 wrote to memory of 4908	3492	a2036ebeb7a0050485df7a94604428f0.exe	92
PID 4908 wrote to memory of 696	4908	Jnocakfb.exe	94
PID 4908 wrote to memory of 696	4908	Jnocakfb.exe	94
PID 4908 wrote to memory of 696	4908	Jnocakfb.exe	94
PID 696 wrote to memory of 1212	696	Lfpkhjae.exe	95
PID 696 wrote to memory of 1212	696	Lfpkhjae.exe	95
PID 696 wrote to memory of 1212	696	Lfpkhjae.exe	95
PID 1212 wrote to memory of 800	1212	Mejnlpai.exe	97
PID 1212 wrote to memory of 800	1212	Mejnlpai.exe	97
PID 1212 wrote to memory of 800	1212	Mejnlpai.exe	97
PID 800 wrote to memory of 1256	800	Nhbmnj32.exe	98
PID 800 wrote to memory of 1256	800	Nhbmnj32.exe	98
PID 800 wrote to memory of 1256	800	Nhbmnj32.exe	98
PID 1256 wrote to memory of 2212	1256	Pbdmdlie.exe	99
PID 1256 wrote to memory of 2212	1256	Pbdmdlie.exe	99
PID 1256 wrote to memory of 2212	1256	Pbdmdlie.exe	99
PID 2212 wrote to memory of 2288	2212	Akhaipei.exe	100
PID 2212 wrote to memory of 2288	2212	Akhaipei.exe	100
PID 2212 wrote to memory of 2288	2212	Akhaipei.exe	100
PID 2288 wrote to memory of 2032	2288	Ankgpk32.exe	101
PID 2288 wrote to memory of 2032	2288	Ankgpk32.exe	101
PID 2288 wrote to memory of 2032	2288	Ankgpk32.exe	101
PID 2032 wrote to memory of 5092	2032	Bnppkj32.exe	102
PID 2032 wrote to memory of 5092	2032	Bnppkj32.exe	102
PID 2032 wrote to memory of 5092	2032	Bnppkj32.exe	102
PID 5092 wrote to memory of 2128	5092	Belemd32.exe	103
PID 5092 wrote to memory of 2128	5092	Belemd32.exe	103
PID 5092 wrote to memory of 2128	5092	Belemd32.exe	103
PID 2128 wrote to memory of 3060	2128	Cgagjo32.exe	104
PID 2128 wrote to memory of 3060	2128	Cgagjo32.exe	104
PID 2128 wrote to memory of 3060	2128	Cgagjo32.exe	104
PID 3060 wrote to memory of 1784	3060	Cfgace32.exe	105
PID 3060 wrote to memory of 1784	3060	Cfgace32.exe	105
PID 3060 wrote to memory of 1784	3060	Cfgace32.exe	105
PID 1784 wrote to memory of 5060	1784	Decdeama.exe	106
PID 1784 wrote to memory of 5060	1784	Decdeama.exe	106
PID 1784 wrote to memory of 5060	1784	Decdeama.exe	106
PID 5060 wrote to memory of 4632	5060	Eimlgnij.exe	107
PID 5060 wrote to memory of 4632	5060	Eimlgnij.exe	107
PID 5060 wrote to memory of 4632	5060	Eimlgnij.exe	107
PID 4632 wrote to memory of 4224	4632	Fpnkdfko.exe	108
PID 4632 wrote to memory of 4224	4632	Fpnkdfko.exe	108
PID 4632 wrote to memory of 4224	4632	Fpnkdfko.exe	108
PID 4224 wrote to memory of 1656	4224	Fgmllpng.exe	109
PID 4224 wrote to memory of 1656	4224	Fgmllpng.exe	109
PID 4224 wrote to memory of 1656	4224	Fgmllpng.exe	109
PID 1656 wrote to memory of 2560	1656	Hofmaq32.exe	110
PID 1656 wrote to memory of 2560	1656	Hofmaq32.exe	110
PID 1656 wrote to memory of 2560	1656	Hofmaq32.exe	110
PID 2560 wrote to memory of 4284	2560	Hfeoijbi.exe	111
PID 2560 wrote to memory of 4284	2560	Hfeoijbi.exe	111
PID 2560 wrote to memory of 4284	2560	Hfeoijbi.exe	111
PID 4284 wrote to memory of 4352	4284	Igkadlcd.exe	112
PID 4284 wrote to memory of 4352	4284	Igkadlcd.exe	112
PID 4284 wrote to memory of 4352	4284	Igkadlcd.exe	112
PID 4352 wrote to memory of 2152	4352	Jggapj32.exe	113
PID 4352 wrote to memory of 2152	4352	Jggapj32.exe	113
PID 4352 wrote to memory of 2152	4352	Jggapj32.exe	113
PID 2152 wrote to memory of 2664	2152	Kfaglf32.exe	114
PID 2152 wrote to memory of 2664	2152	Kfaglf32.exe	114
PID 2152 wrote to memory of 2664	2152	Kfaglf32.exe	114
PID 2664 wrote to memory of 2376	2664	Ljffccjh.exe	115

C:\Users\Admin\AppData\Local\Temp\a2036ebeb7a0050485df7a94604428f0.exe
"C:\Users\Admin\AppData\Local\Temp\a2036ebeb7a0050485df7a94604428f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\Jnocakfb.exe
  C:\Windows\system32\Jnocakfb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Lfpkhjae.exe
    C:\Windows\system32\Lfpkhjae.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\Mejnlpai.exe
      C:\Windows\system32\Mejnlpai.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\SysWOW64\Nhbmnj32.exe
        
        C:\Windows\system32\Nhbmnj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
      - C:\Windows\SysWOW64\Pbdmdlie.exe
        
        C:\Windows\system32\Pbdmdlie.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Akhaipei.exe
        
        C:\Windows\system32\Akhaipei.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ankgpk32.exe
        
        C:\Windows\system32\Ankgpk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Bnppkj32.exe
        
        C:\Windows\system32\Bnppkj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Belemd32.exe
        
        C:\Windows\system32\Belemd32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Cgagjo32.exe
        
        C:\Windows\system32\Cgagjo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Cfgace32.exe
        
        C:\Windows\system32\Cfgace32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Decdeama.exe
        
        C:\Windows\system32\Decdeama.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Eimlgnij.exe
        
        C:\Windows\system32\Eimlgnij.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Fpnkdfko.exe
        
        C:\Windows\system32\Fpnkdfko.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Fgmllpng.exe
        
        C:\Windows\system32\Fgmllpng.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Hofmaq32.exe
        
        C:\Windows\system32\Hofmaq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Hfeoijbi.exe
        
        C:\Windows\system32\Hfeoijbi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Igkadlcd.exe
        
        C:\Windows\system32\Igkadlcd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Jggapj32.exe
        
        C:\Windows\system32\Jggapj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Kfaglf32.exe
        
        C:\Windows\system32\Kfaglf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Ljffccjh.exe
        
        C:\Windows\system32\Ljffccjh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Lfmghdpl.exe
        
        C:\Windows\system32\Lfmghdpl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Mdlgmgdh.exe
        
        C:\Windows\system32\Mdlgmgdh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Ndmpddfe.exe
        
        C:\Windows\system32\Ndmpddfe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Oggllnkl.exe
        
        C:\Windows\system32\Oggllnkl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Bgeadjai.exe
        
        C:\Windows\system32\Bgeadjai.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Deejpjgc.exe
        
        C:\Windows\system32\Deejpjgc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Eihlahjd.exe
        
        C:\Windows\system32\Eihlahjd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Foqdem32.exe
        
        C:\Windows\system32\Foqdem32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Ghbkdald.exe
        
        C:\Windows\system32\Ghbkdald.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Gooqfkan.exe
        
        C:\Windows\system32\Gooqfkan.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Ijigfaol.exe
        
        C:\Windows\system32\Ijigfaol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Kbgafqla.exe
        
        C:\Windows\system32\Kbgafqla.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Ljephmgl.exe
        
        C:\Windows\system32\Ljephmgl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Lcdjba32.exe
        
        C:\Windows\system32\Lcdjba32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Mikepg32.exe
        
        C:\Windows\system32\Mikepg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Nmpdgdmp.exe
        
        C:\Windows\system32\Nmpdgdmp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Nleaha32.exe
        
        C:\Windows\system32\Nleaha32.exe
        46⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 400
        47⤵
        Program crash
        
        PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5040 -ip 5040
1⤵
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akhaipei.exe

Filesize
107KB

MD5
c92f2908f33562705f9b4381f0226a2b

SHA1
c6397cd7213bd61589ceef29f88fbe1f3f213885

SHA256
92b4b0018b48e107a8c931a924283e09ccf015bd819ebbdf20be9d81a524fcca

SHA512
3257255fcff115de80e916939be270abf14e1f5d95ae55e293419769934b565add1a26c676fb270c775e24b791abdd01568a6d5c66d0dea190b799d84d2ebe70

Download Submit
C:\Windows\SysWOW64\Ankgpk32.exe

Filesize
107KB

MD5
3ccb258acc5bd7cf14e3fdcc5b538d45

SHA1
5f8e6ed169dc1664b445d46c428b79e96995a633

SHA256
8a061a80052dee0d93939ea249e943f1cb21165013fdb366b02ffec7755cce01

SHA512
3e06d874f683adb754a9e8024710135be015b9b019d12114529fb2699b52b2b8019223b028ca4e843a4e1545a56d4fc38f13063af43a9eb93813f50b003a8bfe

Download Submit
C:\Windows\SysWOW64\Belemd32.exe

Filesize
107KB

MD5
8ce53dc298b42691bccff0a206935977

SHA1
c6d5c6f16608149d9e95903d21718fbe5594af1c

SHA256
2f8b04f5d3d575c80f2e66756748b2f1ee638dc11222583668e5ce0bd0e48291

SHA512
fb038e130a05ee7cc7844e24b2134ad400d4d740548d1eb66e8d74cbfb09c94b793a08368909a8a778950a62e29ee58176b8c9cbf337f068e936c2a178ab29ab

Download Submit
C:\Windows\SysWOW64\Bgeadjai.exe

Filesize
107KB

MD5
f341e1e6ddb3c77b651434626f88d406

SHA1
92c7031b09d6ea600eec3287034b36b8220225b7

SHA256
f1ae4a2302e9f231859d46a8edb759f857ce0466d558866edf8c6e731f899dcf

SHA512
61886879c43bc5616ace20d624ac81164bca3db540c0cb6148bb37c2791f804754e9866a9d8ae4fb135d5bd756756f11989cc0c2d278b6235c5a7a7c1a1502ac

Download Submit
C:\Windows\SysWOW64\Bgodjiio.exe

Filesize
107KB

MD5
70e6ccbd405844bf4cfc6f33551ed3b8

SHA1
38c2a134ca2c959d6d30633b8616289b331ead72

SHA256
0898ebd898ee7ae94aaf675fbf55c49a08a9992392bcef3620db862547df7376

SHA512
a582cfde451dc0d991b6713e2fcedc41262bdb81ff3a5a5e832683805d1f82489ec2d98a0922f94391b708c551372509903554fb8da8585bc65aff03e51ca1eb

Download Submit
C:\Windows\SysWOW64\Bnppkj32.exe

Filesize
107KB

MD5
7e158c48c82c017d8342844861f899da

SHA1
b172c62a3c3ce7b37183e387e03374d3ad5a0c35

SHA256
838b8de710eaea0b34951cde1697f94e73093c0b319687619bbfb5709e532b7e

SHA512
cc988a98a427d72d8ee3f7164349a665b8f303477f2ad4e2a5eabd06075a7a3cd0aa8ecd2f337424ecdf9086a90ffd2df3add0c3be5c28af9b1f450f7e7ab3c5

Download Submit
C:\Windows\SysWOW64\Cebdcmhh.exe

Filesize
107KB

MD5
30afdcd17abf048a4b132c12924fd43d

SHA1
4f7245f235bd5acdb98aff7d8c250244a4058b2d

SHA256
0dbf252391c64b0613b68bb34568f38a46f2a19255e72536275533dc82c15fde

SHA512
eb7ede0469bd34e1c4e96adef1e9bdf7780e3c98b7f23d9b7077a1bb723923d422fb9b312bbedea6febef2c3a85dcbd925b1ea9f46d87f0c35c809f2cb5e2373

Download Submit
C:\Windows\SysWOW64\Cfgace32.exe

Filesize
107KB

MD5
593d0566600866c4b893f043a7d44f85

SHA1
a57ea7afd5a17d5622f2ee5789d6023075932121

SHA256
e7aa8c592fcdf34df5d1fab415357547cb01fdd1bd32fa5a151d91c4dec11147

SHA512
0a0720dfaea7e02960c949e04f1c342b72a4f2faa3e30682a1e05aa0a07ff6755249ce7ec7d08626480f30c8a2fc09b0ed774f04ec57bbc51dec38d531c46243

Download Submit
C:\Windows\SysWOW64\Cgagjo32.exe

Filesize
107KB

MD5
dce0466e0e27f8c21e784296ba1ab58f

SHA1
e0d7032c17eaff87d4e8777e7eeeb7a0f0b1159f

SHA256
a40b3afdc72768c05bb8e1b5df1bbd669772d71be987a2c6314a587f818f8b14

SHA512
6e8f7b713d6f9b6da96a978c1e41f80ca1910b5d82f161e95fe22c6449880bc86478ec32bc9469b2203039536b19547d02f993ff3a162dcecc208edf0b85c076

Download Submit
C:\Windows\SysWOW64\Ciefek32.exe

Filesize
107KB

MD5
4ff3bfad3d35f529df205ee683bf537b

SHA1
71992fae443eedc3d9af4b56125afc30248742ff

SHA256
712675299d76f8617ae7a5c2a4d5e80aa171d3db91bc95d35ad0cc835e6608c8

SHA512
c269683303c54e4441f6e90123a522eaf0bcbf55e78fb58b6b0a9ea518637725fcf15c195238f52e7d26a122e07eaaba781eaec7e171952e693f5c79fd9fdd8d

Download Submit
C:\Windows\SysWOW64\Dagajlal.exe

Filesize
107KB

MD5
d0fcd63f596dddd705423ee6bf3dcc49

SHA1
ae310a1a1e38f28ec7df7ad33ce697a7c8ddcf8b

SHA256
4425d8e3fe33fa573c069610deea82cc5ebbcedba729a600096e5305cc2ab42b

SHA512
d45cbfe9c3d8c658f32ed0b8b74a936a06f5a7d01deff9c9d4fe3b9a2ebaa817fd8c73a349e696290eda98570bb61c14a838236df3f4d452cba6cd06ef19607a

Download Submit
C:\Windows\SysWOW64\Decdeama.exe

Filesize
107KB

MD5
c19687932eb6875691d051ae0595e3d1

SHA1
51aecb95400a1acbb3f94a312061bbb3c0259940

SHA256
626dde8237674ecad5edeeb6de5784bd7dfd5a7c78c49929accddec59e5b0e44

SHA512
f9116f34538854b8d407a0f7291287b168f6ac982c3a4375674a23c147c137f71abe643c61b553df65cfaa33c3decd58ce23690f6f8f8114a169d098299d335a

Download Submit
C:\Windows\SysWOW64\Eimlgnij.exe

Filesize
107KB

MD5
d29e5c46df983686a980bf920e2afa13

SHA1
e9632bf7fdcecf31668cc28bb5680391ac3ebba3

SHA256
e8140ec7053896fb2151734cc97bc8bab8698a6d0130a5011db5338ffa6c6255

SHA512
738cbfa874f5f2b736a265293ad2a266baa000430c2577d64c18719e91b96c6660f140462debcda7de1ec6079af3568aef9212f0f96eec972c6be44b7fa0cd7d

Download Submit
C:\Windows\SysWOW64\Fgmllpng.exe

Filesize
107KB

MD5
651aebaca13d724363b991d7cd0167c5

SHA1
8407ab7b645886772f7bb84adbfec0fb9b811e91

SHA256
bff46336091929d21a275bec9378afe2591b82b395e962246855bf121b760b6b

SHA512
d1a426efe62a0f99257f58bad14351836835c0b6adb3f013536f4b8d79b7db2f6151045e29e3a69e636df952bed8f7a71ce7fd59d1a471556fab8e49763fe55a

Download Submit
C:\Windows\SysWOW64\Fpnkdfko.exe

Filesize
107KB

MD5
658c05d52b25bdb23a64d5ac9207a6b1

SHA1
9194353d42455e5fbec6fede5d075a27932b1257

SHA256
544eda598ab23238c07587f398c269166426691bcb896b9f8cedbe70f4f9c4d0

SHA512
3d29ff224f0cf8e58b1f355fecbc149592794ad2885417459ad58d72c8e539851f0f76b1567d6aded35ce58b01495fc85fda3e021169083bde36d11ab798b7e8

Download Submit
C:\Windows\SysWOW64\Gooqfkan.exe

Filesize
107KB

MD5
12e512558dd020a02c0449282815c593

SHA1
220fd81231949363858f50843b954bd7eda9b0e8

SHA256
277631dfae5f728683f3e6e594890df97bbde6a924777961c2e3332859601444

SHA512
aee104f5a98b30a3d906e3ada11999886d539ecc5005ee267e3f614946d392025f2f1a256bd95257fb6042960830e50d243c947477f923506134b998f3996276

Download Submit
C:\Windows\SysWOW64\Hfeoijbi.exe

Filesize
107KB

MD5
b4b4ac3f7ce06c61fb21740ef3561d22

SHA1
17a87fcda885367342538699423a4b57cb9ad625

SHA256
2a51e86b918516a77b8f0ddacc199d8cbefe859fea8a3c9b05a4628653c417af

SHA512
1e0cd819e4f0e797ba145479f184a0591aabaa9adbad26ff54577971c4b9c842bbe53b2140af1ca0c51e8cc43530ed0f406696b9cc896b2d96ea088cde2ae640

Download Submit
C:\Windows\SysWOW64\Hofmaq32.exe

Filesize
107KB

MD5
8fe93173e0a4ddd5796829e4fd2e312c

SHA1
55cc99ad73f92f4eac41e2741e285792638e2448

SHA256
cb3f0fe401cc45f15948dd1180529c66d78e105854f59b59fd59c97b6bd87554

SHA512
cbd371849c79f411a05b34b3c681a0bc70fb08e1300adc06f109cfda56d43dccc7a7fac0817aadd2acb04fd8532d15f79825b72ef5ef4709ab9fa34f0d015cf7

Download Submit
C:\Windows\SysWOW64\Igkadlcd.exe

Filesize
107KB

MD5
60f7a7f0761154d9bcc82db3b38ac6fb

SHA1
e64861b801defcb0d3520f13dfbc802dfe8ddcb8

SHA256
d9755a56c48da7775bae6fcd7bed112647f6f5e93d28965c25a9e81766ef7cdd

SHA512
0049c00218a25da2014d0dfdad1333db3f401928419fe19708bb12f850eefaee95dd75bb13b9245a4baae9e88f313d8cfb7b4bf5883fc7ae2b726fbd3a33edbf

Download Submit
C:\Windows\SysWOW64\Jggapj32.exe

Filesize
107KB

MD5
593b3faaeec8444f6b8d79f4b4ae5eb9

SHA1
2fffc657bc4a0c34ad828a67d9a174fbfffba8e7

SHA256
51e80ca84171d47c0a2ba30709a707b0692a25ff8170b013c2a05d3e0a030218

SHA512
fd43026d2ab7afd52cc858bb940fa0a80a576831ec8f4b908fc942ecb24066fab954ad4e3337eb290c878afbe01e1ef210d7d6b1bbbf95128d58e60744471f0e

Download Submit
C:\Windows\SysWOW64\Jnocakfb.exe

Filesize
107KB

MD5
0599d2d39d2bcc9898490f242e03c003

SHA1
869b15b74f319736a44b98a892ae2e1f6c440ee3

SHA256
8ced6e1439213305b873a833379968164a4e6a8296f1c65cbc47586fe7dc1b21

SHA512
05027c5e07168900e94f120ab966488f9f682fb821a4dd24dfdaab5f57a57329a625d2c88a15d735ad29066793482c653da8e73358f2b00bcd08cd00eec0fc39

Download Submit
C:\Windows\SysWOW64\Kbgafqla.exe

Filesize
107KB

MD5
43608a3b8bfc4e1080277004431da621

SHA1
9296e3a8a6d660079fe379338ae9f994713a014d

SHA256
945182cad348b72f920dc534264b5bd8dcafe5c6c6334b20330bdd010c95edc3

SHA512
8f0df0fd5002666ed42a3829a55396b1cbc985e45bd08cef467f56b93334149b77f77ddaedd1975d8eeade423d4308e77532070a24afceaf624a5ae0abf33b42

Download Submit
C:\Windows\SysWOW64\Kfaglf32.exe

Filesize
107KB

MD5
a5e86015c72019b6ce55214ac71e1db1

SHA1
fca149178206841b2a89c688f591591a97544b25

SHA256
7172d991fdc3850641bfc132e50f9c5be5f295c9ab7482c3a5e89e42689a7bda

SHA512
642c4ee1e226be07e6e7f8059bc95f73c5afef146bd1b5da1187e9aaab6bbdd8fc3271adb462a9a2efc8a4a9c7b0393577d3a6b9c02a9434ca37cc1acfb3092b

Download Submit
C:\Windows\SysWOW64\Lcdjba32.exe

Filesize
107KB

MD5
49d5351edee06f82c35f0fa3cd50ff99

SHA1
9b436d416376de4872088cc02957ca98c246b8a8

SHA256
0333f568d40ea791a56d555d6fa48be0d330b742b0f0bfca857fafb67a0fa22b

SHA512
5751ec2b54e89495df699b8e3cc687187d7fe6b5e0534ce0fe11645ab565e3ec29511126db366e66f3be8bcead18208d652ec882a78459a9d8e94a73c71e4d04

Download Submit
C:\Windows\SysWOW64\Lfmghdpl.exe

Filesize
107KB

MD5
19b8a3a7130b795a9c317dadea749588

SHA1
2bcdcc25effef779d348c5b73b1f8fcdfe936c85

SHA256
3c3ca5326b4c88f1b2a1831f0e6df8222e2f46067d81f7bfa06efa4cf9534445

SHA512
2c1b040a0ddb1c5bec464d1f2034fe22f639754af8fed388a348765bb61fb7579b0d1ace9b7622668c6f8bc78265ce5c657c38902eb4445771394a89eeccf6a1

Download Submit
C:\Windows\SysWOW64\Lfpkhjae.exe

Filesize
107KB

MD5
1fae2dfec2bce9cec1bbb1c916be4829

SHA1
dff514132e9b2fbba3f49a2e7105ccd5cb3b14a7

SHA256
7b41504eb61b813a1dc2dab85c2e1ca59eda12fee6d1c9962105a85ffe6b9c1a

SHA512
18778e64251ac44d600c6093aa6a94bd6f6dc1b47976ad08cb900c99b350cf476161435b32f10d528a8ef6d3fe39a79ef1fd680810ce06f875c76b6bb5498bf3

Download Submit
C:\Windows\SysWOW64\Ljffccjh.exe

Filesize
107KB

MD5
0c6edf33b71d337c48468752f101a686

SHA1
3a444e4fd1a0db0c6a2a8b9a14be29ad0358c417

SHA256
56a19b67b86096d4d5be4c45fff0d355840720c6a15b28f2248675cc2c33dbc9

SHA512
a84b1fb1540518f275448688d5c78ef7e53e642039e8353ffe737b2ce68b98244801e9a1957a318cd2aff09645589ed24ce6922cd521659055398ad5a80da2c5

Download Submit
C:\Windows\SysWOW64\Mdlgmgdh.exe

Filesize
107KB

MD5
358d71d59437ccbaf643201e4e2ce0c3

SHA1
ba4efb4768a0188964de3ba05969001c3db0e9e9

SHA256
2f75ccbd56acf4f47dd0e70818e3750ab98ef248c1a08333c219e1119d8f410e

SHA512
77ab1f90a827bad33985cdeb01f7cd7e88a62ee6b013c11179b2fe6247d8e9e082ff662d9ca17adf8440970ec628894f4fcd311743a84dfd0015fd0aaec3afb3

Download Submit
C:\Windows\SysWOW64\Mejnlpai.exe

Filesize
107KB

MD5
fbd1bd90e94c707174ccc0a92cc699ea

SHA1
da9f22ed817ab5e56d853cdba5a104bc4a93c197

SHA256
caa63fa9a925a683ad66136e0276344d1bf33561ca1589c171a26b71a32f4904

SHA512
6623bcfc1135ca1bfdad7ee933a9719ac57c4a78bb34f96e12b93f23841cc4f2f7f3e2582fbcb8b8852a97fa02b7cc0f81fbb96c5db979fe9b1bdeee6642ab24

Download Submit
C:\Windows\SysWOW64\Ndmpddfe.exe

Filesize
107KB

MD5
997adbf4effe5fc699b024292ddac1ef

SHA1
dc73e18884ee3c3ff0d079dfc63a78a60c0f016f

SHA256
a685c47716d8108c56cf4ca871123cb419332fd65302b6b2a4c2632e9dc66364

SHA512
c3c3654e0bb11a462f6830dd4f6d7743c1bac51209ede1eed7cca74390e0f1b81fa0e9d2f7770e4b07695f8d40db79a9876d7ae25ace28688777552b80efc02a

Download Submit
C:\Windows\SysWOW64\Nhbmnj32.exe

Filesize
107KB

MD5
99cda7f08f53413b7507cd4985790369

SHA1
03995670e0cbdf0c0f99e5f378b1e82ba255787d

SHA256
a2b8a84ad5e35084801e74590eed034966a4d24b59a651146b12dd68cc5f6f8d

SHA512
e6e68ab854845538b1fa705ee1e5d37188722f520a5026f70eef1fecc6a6760689d745bf9206761bca05cd35a36b4aaa2b073555054cad4253d74db9849bc0e4

Download Submit
C:\Windows\SysWOW64\Oggllnkl.exe

Filesize
107KB

MD5
71b43aaad9b30b5de8fc8c60ab81c57c

SHA1
bfcdf3ab8c6fc051d7daf0300e5f5378951c09d0

SHA256
84986a5e39ad40b4da9ff41b3df1380f242bb80d781e4163c083710492670c13

SHA512
45a06b26f7cfbb81dc22a0d5e08fab72881b610800b6256b65a4fae0286efd276ba58232866a7bbd1f640e51630d024c22c4f84218f6e6e04276284d6cffc7b6

Download Submit
C:\Windows\SysWOW64\Onqdhh32.exe

Filesize
107KB

MD5
9dcea903ac74a0fef1bfb8a930434d7c

SHA1
b01ceee224120f575f82f08ee18c6078caff9cc2

SHA256
860bd27c22b48a13d6b3f336d63b88452022c3fd22f9629932841a62320eb990

SHA512
441b256a33d0a4b62a3b8ba1c384e78947a414a66a2ad66e6a66630d56dfde12dec92db41dd735e99cc2fc45bb2df6e4d96884f9cf8e161169b5c87b6b5a0c25

Download Submit
C:\Windows\SysWOW64\Pbdmdlie.exe

Filesize
107KB

MD5
4616b1c410908343b37dde2fe640fe42

SHA1
82f32d3b9f759fcf3d6f880bc85140a44103cdca

SHA256
4a2b7ae27d9b30f79ccbc2b08c8326ddbee8015b4662201794a1679fd4c56ca8

SHA512
d859f3ea8e8b4bb54ddbad8202b81a9f993243b86be5687dd25328644e1efb2a60c5ce16f8d43693ac0f5fa2ce59fc536b372ebc34c66c30017afccb40b19313

Download Submit
C:\Windows\SysWOW64\Pjlnhi32.exe

Filesize
107KB

MD5
bca745b0086043b0e48d9fdf3cf30ae8

SHA1
14c093f2466e45d2252ddfdee96ad4f8ed2c2af9

SHA256
541095950a5f757e24d6895caee36cb2935e30389fe48cf19eb639c1b1ae651e

SHA512
64e5544cc0d53ebdd79ffe8712f572b3f3f1e03514cfa78266759015087c7291257f0cf989decd2b89e880e4015767b017ae227a8a73e0a0a6e39f4c34930930

Download Submit
memory/116-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/396-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/696-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/696-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/800-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/800-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1880-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-83-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2376-194-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2664-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2664-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3060-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3096-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3108-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3148-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3196-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3304-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3304-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-155-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4528-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4528-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4692-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4908-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4908-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4952-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4952-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-110-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads