ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Size

256KB
MD5

74db5c7530fd91c3e7dc0e0a96f67ed6
SHA1

2210bb842f819a57d073dc9a66308ff74addfa48
SHA256

ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2
SHA512

55d8ff60e2ad0f241a71e17cfe1f38d38364784108221953de3446cbe55985f3bd943d408ca6bb2080d58b5d9d1641065205279ae5280594e0d73e968911e7a9
SSDEEP

6144:26hp+omRoPC9C81NByvZ6Mxv5Rar3O6B9fZSLhZmzbBy9:fr+oOo69C8HByvNv54B9f01ZmHBy9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbeknj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnopfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonafa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgeefbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bemgilhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhkcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odobjg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pklhlael.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pggbla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bidjnkdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdnkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oonafa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgeefbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoepcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojfaijcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aplifb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bidjnkdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mimbdhhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oklkmnbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aamfnkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boqbfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noqamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkclhl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Najdnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oklkmnbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfaijcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aamfnkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckafbbph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lliflp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mimbdhhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pklhlael.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkeimlfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lliflp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qabcjgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbeknj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoepcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgjclbdi.exe

Executes dropped EXE 46 IoCs

pid	Process
2508	Lliflp32.exe
2704	Lbeknj32.exe
2668	Mkclhl32.exe
2888	Mkeimlfm.exe
2416	Mpdnkb32.exe
2400	Mimbdhhb.exe
2908	Najdnj32.exe
2800	Noqamn32.exe
2644	Nnhkcj32.exe
2760	Oklkmnbp.exe
2648	Oonafa32.exe
772	Ojfaijcc.exe
1524	Odobjg32.exe
2076	Pklhlael.exe
300	Pgeefbhm.exe
2280	Pggbla32.exe
584	Qabcjgkh.exe
1152	Qlkdkd32.exe
2372	Qedhdjnh.exe
1992	Aplifb32.exe
1324	Aamfnkai.exe
1068	Adnopfoj.exe
560	Aoepcn32.exe
1956	Bjlqhoba.exe
1164	Bbhela32.exe
1588	Bidjnkdg.exe
1584	Boqbfb32.exe
1432	Bemgilhh.exe
2568	Blgpef32.exe
2552	Ckafbbph.exe
2716	Cdikkg32.exe
3020	Dgjclbdi.exe
1952	Dpbheh32.exe
2892	Dcenlceh.exe
2300	Dlnbeh32.exe
2808	Dfffnn32.exe
2656	Dookgcij.exe
2804	Edkcojga.exe
524	Ekelld32.exe
876	Ednpej32.exe
2092	Ejkima32.exe
1484	Efaibbij.exe
2384	Eqgnokip.exe
1336	Eqijej32.exe
1284	Fjaonpnn.exe
396	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
1368	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
1368	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
2508	Lliflp32.exe
2508	Lliflp32.exe
2704	Lbeknj32.exe
2704	Lbeknj32.exe
2668	Mkclhl32.exe
2668	Mkclhl32.exe
2888	Mkeimlfm.exe
2888	Mkeimlfm.exe
2416	Mpdnkb32.exe
2416	Mpdnkb32.exe
2400	Mimbdhhb.exe
2400	Mimbdhhb.exe
2908	Najdnj32.exe
2908	Najdnj32.exe
2800	Noqamn32.exe
2800	Noqamn32.exe
2644	Nnhkcj32.exe
2644	Nnhkcj32.exe
2760	Oklkmnbp.exe
2760	Oklkmnbp.exe
2648	Oonafa32.exe
2648	Oonafa32.exe
772	Ojfaijcc.exe
772	Ojfaijcc.exe
1524	Odobjg32.exe
1524	Odobjg32.exe
2076	Pklhlael.exe
2076	Pklhlael.exe
300	Pgeefbhm.exe
300	Pgeefbhm.exe
2280	Pggbla32.exe
2280	Pggbla32.exe
584	Qabcjgkh.exe
584	Qabcjgkh.exe
1152	Qlkdkd32.exe
1152	Qlkdkd32.exe
2372	Qedhdjnh.exe
2372	Qedhdjnh.exe
1992	Aplifb32.exe
1992	Aplifb32.exe
1324	Aamfnkai.exe
1324	Aamfnkai.exe
1068	Adnopfoj.exe
1068	Adnopfoj.exe
560	Aoepcn32.exe
560	Aoepcn32.exe
1956	Bjlqhoba.exe
1956	Bjlqhoba.exe
1164	Bbhela32.exe
1164	Bbhela32.exe
1588	Bidjnkdg.exe
1588	Bidjnkdg.exe
1584	Boqbfb32.exe
1584	Boqbfb32.exe
1432	Bemgilhh.exe
1432	Bemgilhh.exe
2568	Blgpef32.exe
2568	Blgpef32.exe
2552	Ckafbbph.exe
2552	Ckafbbph.exe
2716	Cdikkg32.exe
2716	Cdikkg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mimbdhhb.exe	Mpdnkb32.exe
File created	C:\Windows\SysWOW64\Ocindg32.dll	Nnhkcj32.exe
File created	C:\Windows\SysWOW64\Bmfmjjgm.dll	Aplifb32.exe
File created	C:\Windows\SysWOW64\Igmdobgi.dll	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Najdnj32.exe	Mimbdhhb.exe
File created	C:\Windows\SysWOW64\Heldepab.dll	Oonafa32.exe
File created	C:\Windows\SysWOW64\Bemgilhh.exe	Boqbfb32.exe
File created	C:\Windows\SysWOW64\Dfffnn32.exe	Dlnbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Hoogfn32.dll	Eqijej32.exe
File created	C:\Windows\SysWOW64\Hgeegb32.dll	Lbeknj32.exe
File created	C:\Windows\SysWOW64\Inlepd32.dll	Oklkmnbp.exe
File created	C:\Windows\SysWOW64\Odobjg32.exe	Ojfaijcc.exe
File created	C:\Windows\SysWOW64\Agjiphda.dll	Bbhela32.exe
File opened for modification	C:\Windows\SysWOW64\Blgpef32.exe	Bemgilhh.exe
File created	C:\Windows\SysWOW64\Ckafbbph.exe	Blgpef32.exe
File created	C:\Windows\SysWOW64\Mpdnkb32.exe	Mkeimlfm.exe
File created	C:\Windows\SysWOW64\Oincig32.dll	Mpdnkb32.exe
File created	C:\Windows\SysWOW64\Pklhlael.exe	Odobjg32.exe
File created	C:\Windows\SysWOW64\Noqamn32.exe	Najdnj32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhkcj32.exe	Noqamn32.exe
File created	C:\Windows\SysWOW64\Pgeefbhm.exe	Pklhlael.exe
File created	C:\Windows\SysWOW64\Hojgbclk.dll	Qedhdjnh.exe
File opened for modification	C:\Windows\SysWOW64\Dfffnn32.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dcenlceh.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Joliff32.dll	Dgjclbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mkclhl32.exe	Lbeknj32.exe
File opened for modification	C:\Windows\SysWOW64\Aplifb32.exe	Qedhdjnh.exe
File created	C:\Windows\SysWOW64\Aoepcn32.exe	Adnopfoj.exe
File opened for modification	C:\Windows\SysWOW64\Bjlqhoba.exe	Aoepcn32.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Kkgklabn.dll	Qlkdkd32.exe
File created	C:\Windows\SysWOW64\Jnhccm32.dll	Boqbfb32.exe
File created	C:\Windows\SysWOW64\Cdikkg32.exe	Ckafbbph.exe
File opened for modification	C:\Windows\SysWOW64\Lbeknj32.exe	Lliflp32.exe
File created	C:\Windows\SysWOW64\Jcpclc32.dll	Pklhlael.exe
File created	C:\Windows\SysWOW64\Qedhdjnh.exe	Qlkdkd32.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Klmkof32.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Mkclhl32.exe	Lbeknj32.exe
File opened for modification	C:\Windows\SysWOW64\Adnopfoj.exe	Aamfnkai.exe
File created	C:\Windows\SysWOW64\Oegjkb32.dll	Aoepcn32.exe
File created	C:\Windows\SysWOW64\Dgjclbdi.exe	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Dfffnn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdnkb32.exe	Mkeimlfm.exe
File opened for modification	C:\Windows\SysWOW64\Pgeefbhm.exe	Pklhlael.exe
File created	C:\Windows\SysWOW64\Mpioaoic.dll	Qabcjgkh.exe
File created	C:\Windows\SysWOW64\Blgpef32.exe	Bemgilhh.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Nnhkcj32.exe	Noqamn32.exe
File opened for modification	C:\Windows\SysWOW64\Pklhlael.exe	Odobjg32.exe
File created	C:\Windows\SysWOW64\Bjlqhoba.exe	Aoepcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bemgilhh.exe	Boqbfb32.exe
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Mimbdhhb.exe	Mpdnkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbla32.exe	Pgeefbhm.exe
File created	C:\Windows\SysWOW64\Qlkdkd32.exe	Qabcjgkh.exe
File created	C:\Windows\SysWOW64\Aplifb32.exe	Qedhdjnh.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Fjaonpnn.exe	Eqijej32.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Dookgcij.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2132	396	WerFault.exe	73

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkclhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkhilpb.dll"	Najdnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbeknj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkeimlfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amaipodm.dll"	Pggbla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhkcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdnkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qabcjgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aplifb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aamfnkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll"	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbeknj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qlkdkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oonafa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pklhlael.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkeimlfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adnopfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oonafa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhdd32.dll"	Pgeefbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qedhdjnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhfbach.dll"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pklhlael.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll"	Aamfnkai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoepcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pggbla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll"	Qabcjgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Najdnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll"	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll"	Aoepcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeegb32.dll"	Lbeknj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odobjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpclc32.dll"	Pklhlael.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bidjnkdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll"	Mpdnkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mimbdhhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll"	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lliflp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2508	1368	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe	28
PID 1368 wrote to memory of 2508	1368	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe	28
PID 1368 wrote to memory of 2508	1368	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe	28
PID 1368 wrote to memory of 2508	1368	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe	28
PID 2508 wrote to memory of 2704	2508	Lliflp32.exe	29
PID 2508 wrote to memory of 2704	2508	Lliflp32.exe	29
PID 2508 wrote to memory of 2704	2508	Lliflp32.exe	29
PID 2508 wrote to memory of 2704	2508	Lliflp32.exe	29
PID 2704 wrote to memory of 2668	2704	Lbeknj32.exe	30
PID 2704 wrote to memory of 2668	2704	Lbeknj32.exe	30
PID 2704 wrote to memory of 2668	2704	Lbeknj32.exe	30
PID 2704 wrote to memory of 2668	2704	Lbeknj32.exe	30
PID 2668 wrote to memory of 2888	2668	Mkclhl32.exe	31
PID 2668 wrote to memory of 2888	2668	Mkclhl32.exe	31
PID 2668 wrote to memory of 2888	2668	Mkclhl32.exe	31
PID 2668 wrote to memory of 2888	2668	Mkclhl32.exe	31
PID 2888 wrote to memory of 2416	2888	Mkeimlfm.exe	32
PID 2888 wrote to memory of 2416	2888	Mkeimlfm.exe	32
PID 2888 wrote to memory of 2416	2888	Mkeimlfm.exe	32
PID 2888 wrote to memory of 2416	2888	Mkeimlfm.exe	32
PID 2416 wrote to memory of 2400	2416	Mpdnkb32.exe	33
PID 2416 wrote to memory of 2400	2416	Mpdnkb32.exe	33
PID 2416 wrote to memory of 2400	2416	Mpdnkb32.exe	33
PID 2416 wrote to memory of 2400	2416	Mpdnkb32.exe	33
PID 2400 wrote to memory of 2908	2400	Mimbdhhb.exe	34
PID 2400 wrote to memory of 2908	2400	Mimbdhhb.exe	34
PID 2400 wrote to memory of 2908	2400	Mimbdhhb.exe	34
PID 2400 wrote to memory of 2908	2400	Mimbdhhb.exe	34
PID 2908 wrote to memory of 2800	2908	Najdnj32.exe	35
PID 2908 wrote to memory of 2800	2908	Najdnj32.exe	35
PID 2908 wrote to memory of 2800	2908	Najdnj32.exe	35
PID 2908 wrote to memory of 2800	2908	Najdnj32.exe	35
PID 2800 wrote to memory of 2644	2800	Noqamn32.exe	36
PID 2800 wrote to memory of 2644	2800	Noqamn32.exe	36
PID 2800 wrote to memory of 2644	2800	Noqamn32.exe	36
PID 2800 wrote to memory of 2644	2800	Noqamn32.exe	36
PID 2644 wrote to memory of 2760	2644	Nnhkcj32.exe	37
PID 2644 wrote to memory of 2760	2644	Nnhkcj32.exe	37
PID 2644 wrote to memory of 2760	2644	Nnhkcj32.exe	37
PID 2644 wrote to memory of 2760	2644	Nnhkcj32.exe	37
PID 2760 wrote to memory of 2648	2760	Oklkmnbp.exe	38
PID 2760 wrote to memory of 2648	2760	Oklkmnbp.exe	38
PID 2760 wrote to memory of 2648	2760	Oklkmnbp.exe	38
PID 2760 wrote to memory of 2648	2760	Oklkmnbp.exe	38
PID 2648 wrote to memory of 772	2648	Oonafa32.exe	39
PID 2648 wrote to memory of 772	2648	Oonafa32.exe	39
PID 2648 wrote to memory of 772	2648	Oonafa32.exe	39
PID 2648 wrote to memory of 772	2648	Oonafa32.exe	39
PID 772 wrote to memory of 1524	772	Ojfaijcc.exe	40
PID 772 wrote to memory of 1524	772	Ojfaijcc.exe	40
PID 772 wrote to memory of 1524	772	Ojfaijcc.exe	40
PID 772 wrote to memory of 1524	772	Ojfaijcc.exe	40
PID 1524 wrote to memory of 2076	1524	Odobjg32.exe	41
PID 1524 wrote to memory of 2076	1524	Odobjg32.exe	41
PID 1524 wrote to memory of 2076	1524	Odobjg32.exe	41
PID 1524 wrote to memory of 2076	1524	Odobjg32.exe	41
PID 2076 wrote to memory of 300	2076	Pklhlael.exe	42
PID 2076 wrote to memory of 300	2076	Pklhlael.exe	42
PID 2076 wrote to memory of 300	2076	Pklhlael.exe	42
PID 2076 wrote to memory of 300	2076	Pklhlael.exe	42
PID 300 wrote to memory of 2280	300	Pgeefbhm.exe	43
PID 300 wrote to memory of 2280	300	Pgeefbhm.exe	43
PID 300 wrote to memory of 2280	300	Pgeefbhm.exe	43
PID 300 wrote to memory of 2280	300	Pgeefbhm.exe	43

C:\Users\Admin\AppData\Local\Temp\ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
"C:\Users\Admin\AppData\Local\Temp\ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\Lliflp32.exe
  C:\Windows\system32\Lliflp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\Lbeknj32.exe
    C:\Windows\system32\Lbeknj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Mkclhl32.exe
      C:\Windows\system32\Mkclhl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Mkeimlfm.exe
        
        C:\Windows\system32\Mkeimlfm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Mpdnkb32.exe
        
        C:\Windows\system32\Mpdnkb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Mimbdhhb.exe
        
        C:\Windows\system32\Mimbdhhb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Najdnj32.exe
        
        C:\Windows\system32\Najdnj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Noqamn32.exe
        
        C:\Windows\system32\Noqamn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Nnhkcj32.exe
        
        C:\Windows\system32\Nnhkcj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Oklkmnbp.exe
        
        C:\Windows\system32\Oklkmnbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Oonafa32.exe
        
        C:\Windows\system32\Oonafa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Ojfaijcc.exe
        
        C:\Windows\system32\Ojfaijcc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Odobjg32.exe
        
        C:\Windows\system32\Odobjg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Pklhlael.exe
        
        C:\Windows\system32\Pklhlael.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Pgeefbhm.exe
        
        C:\Windows\system32\Pgeefbhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\Pggbla32.exe
        
        C:\Windows\system32\Pggbla32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Qabcjgkh.exe
        
        C:\Windows\system32\Qabcjgkh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Qlkdkd32.exe
        
        C:\Windows\system32\Qlkdkd32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Qedhdjnh.exe
        
        C:\Windows\system32\Qedhdjnh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Aplifb32.exe
        
        C:\Windows\system32\Aplifb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Aamfnkai.exe
        
        C:\Windows\system32\Aamfnkai.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Adnopfoj.exe
        
        C:\Windows\system32\Adnopfoj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Aoepcn32.exe
        
        C:\Windows\system32\Aoepcn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Bjlqhoba.exe
        
        C:\Windows\system32\Bjlqhoba.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Bbhela32.exe
        
        C:\Windows\system32\Bbhela32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\Bidjnkdg.exe
        
        C:\Windows\system32\Bidjnkdg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Boqbfb32.exe
        
        C:\Windows\system32\Boqbfb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Bemgilhh.exe
        
        C:\Windows\system32\Bemgilhh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Blgpef32.exe
        
        C:\Windows\system32\Blgpef32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Ckafbbph.exe
        
        C:\Windows\system32\Ckafbbph.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Cdikkg32.exe
        
        C:\Windows\system32\Cdikkg32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Dfffnn32.exe
        
        C:\Windows\system32\Dfffnn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        46⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        47⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 140
        48⤵
        Program crash
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aamfnkai.exe

Filesize
256KB

MD5
a28f9cb874d4e31818b32f28d19712d5

SHA1
d4f71348d58edbf68601eb1aab17d8a01907a40c

SHA256
2c31482af142559a2dedf9d01c71971ae3b8d1e01433f5d168468502adb45163

SHA512
423cb14b8ad972a45161189aeb79907f7f3eabe1cd92ea9daec53116a6683b520bced14ef4ac31d032854ba143c5c157c7a9b1bad542e75d85e80ff932bd8fa8

Download Submit
C:\Windows\SysWOW64\Adnopfoj.exe

Filesize
256KB

MD5
ae38beee939f6700b0d4343994c97076

SHA1
9a93923790ea8d13d53fc6ae758f968218ed5b1b

SHA256
0af2e4f7e9323a38e1b7caaed5f347a7c23786cc4c0f7115940f87b0249c3b87

SHA512
b2f274a67a712215e678f38c1688913a5477c4edf5906cfa9ddb4ecb98e47b7d9801afc422d1a718b119f2be083de51e2b82dff7d578b9fb4578fbb7cd251d49

Download Submit
C:\Windows\SysWOW64\Aoepcn32.exe

Filesize
256KB

MD5
d72ae154844a1f10b79ad358916a2b3d

SHA1
9e1fb3ff24ea9b097b35d70e52bac4f6ff66c87f

SHA256
3129e4ba79803fc537708b46b70eeaab24a1b3fc71d0f9d2f922e15a1260a31d

SHA512
4b50eeb0289a5b8accba3d5eabc3e346ceae50d4f38decb93856086aafde4c79a453806db4aa72b309ce9f3066ec20dcca007ba177c4dbece63f735d7bf5d406

Download Submit
C:\Windows\SysWOW64\Aplifb32.exe

Filesize
256KB

MD5
7a9fad816d56568c91b10c703e56592e

SHA1
c7b859bf45801d7eabe73b3ad6ec30f09636f471

SHA256
2c957f13dd30279cb5cdf1ec5d54e35faaa3669b86b5c56b7459ad535c371978

SHA512
28241cb40ff96cc041279c4a53d0ce964abfe6f188001e4b4cd1cd1aa4f0052e5aff66e735f5f41fb45b4942de3858c9e72aca583bc26ca548d25476aeba415f

Download Submit
C:\Windows\SysWOW64\Bbhela32.exe

Filesize
256KB

MD5
91de31bb4d8a7dc19f323ff2b4cfc193

SHA1
424005b7273b85e3e85bd94f8f33f3d045fb9a11

SHA256
391bb062deac195fe3ce8b05871d4257719b2c7f5b2e057122b3d3610b72a2ed

SHA512
d3465d977d7110bdab46d8ee5c238ef1df3af8d469067f64305a6c0c2ccd6f74603f8fbd48cd1c3c30a711cf87d19e8e5b7cda043204625271d61b360bf13ef7

Download Submit
C:\Windows\SysWOW64\Bemgilhh.exe

Filesize
256KB

MD5
7ef680967fd807b2b1f226894191f2c6

SHA1
39a561c2e850f1f33466f35877ea7a9b78eab2f8

SHA256
3aaee746ffbda6bb1130f41977e82b415d296b8039ede8602ff7d0a9e172b33d

SHA512
6e8ac04e374d572101ab8941924e68766bfcf2fe35d70f21b8e84a1cb6e0b50384056d247bad2621c566e7ddc9630b091f06145b07afd82748bad17c88924d2b

Download Submit
C:\Windows\SysWOW64\Bidjnkdg.exe

Filesize
256KB

MD5
b201fa57666e77f276b23138498b6006

SHA1
79317c02d169fbb4159ba4a873195b486654fe9f

SHA256
3c3a9af693362383a19dcc505f3bc4f4e00056914813b2655f1ba03f0c2a0005

SHA512
0af508b93934ceb9ba49b45967d44bf1fb0e24ef9b6cf245aa6e2f17fc5cd9242419b7bc6c48e29dc41a4073309cab08869df39488737b16068976665228fbe7

Download Submit
C:\Windows\SysWOW64\Bjlqhoba.exe

Filesize
256KB

MD5
166d92a021cf0136eabf331aa4dc0574

SHA1
8be59e4f4301a11d63cdbd6bb6e8dceda54ded57

SHA256
77b34908799b2d9ee587f9d1ba8018f291909238e10b859fa6b3807b12883a5b

SHA512
81c3caae4af18701a704ce1a66d0ed56980c67925e46377a4f288e690194cf81e4d018547f0f6aecdf6b6e8affa7d00d0bfb31d6e71621e67920fe972dbef48a

Download Submit
C:\Windows\SysWOW64\Blgpef32.exe

Filesize
256KB

MD5
19df9c44ecf56ada1280dcac8d8a0ce2

SHA1
49f57b826df0eeddf95561fbcc6914ca4624e823

SHA256
5429e3a9c60d49968ee637c59547f0fe6554c7fff911d380600bcbad2f2a1a58

SHA512
0a81ecd691e09ad643cdc0a2a758639b8d68efb7e06c425400e96c68b4885dcf19a5addce45a16aab5ae08e3cc8ac4749ed70270d0d3994ca7320cf7e9221aaf

Download Submit
C:\Windows\SysWOW64\Boqbfb32.exe

Filesize
256KB

MD5
5e372323888c8db5cc0c77a965dec21c

SHA1
4c05a83de91002ceed8fe866c2552454ec615d7c

SHA256
3322a6ce389bc8bcfbd57d027b118b0fba3428bbf97c5eeec4bdb9d06aebab5a

SHA512
cfaaf0e093c0b04e1b4f664f20ca2f796ce9287dc50a7aba6d5b03e4773dc243049ede81189f079c41087f13e192e2f98562261a4d4e448a23428febf8cb1964

Download Submit
C:\Windows\SysWOW64\Cdikkg32.exe

Filesize
256KB

MD5
b4d6083374088d647f1f0e9be7d09840

SHA1
8c561fec2120e5da5b036e6b44aa506a133e853f

SHA256
0356616aa500790b8ca30340b2703decd80d2e8d9bf5d7794585caf71ca9184f

SHA512
0f4697944fa67553e1372a9b8a49dbf035c5283acfb5a35f20733aa8791085dd215681e5e6cfea0c20961ed6bb1f58d18c4fdb8b7a5840965a50c2d31c3309f6

Download Submit
C:\Windows\SysWOW64\Ckafbbph.exe

Filesize
256KB

MD5
2ac874475489b7cfcaeb7ac135202a95

SHA1
99a97e46482d5a48dff6121e3d6755088dad6d30

SHA256
2a4c3145792026fc2d76d017f38b2e272dad5ab3a4b6a5157ab92c8af7b86b60

SHA512
eabf2195a458c76f51df4c9b923aafb47cc3e2e54bdfdf845e40c8c2b287126ee67f0ce942406096407e6c62ca3a7fb7ccdea2eedda1685532ca8650b414a6f9

Download Submit
C:\Windows\SysWOW64\Dcenlceh.exe

Filesize
256KB

MD5
1e3a938128e3044c08b4ebda95be47be

SHA1
13204773afb28a563e0fa4c8667fb348b00f1220

SHA256
b423da8a59be38ffcef1fe374b5277027053c35f3513872f151d0c45c01499db

SHA512
e50053091c9d753e1b7996566dc5f6d827bab9872bd95dcbe575cde98c79d7925671122377c377a4ba2b941484cef20427ab0f4da5aec57ef550a917d9d6a4b0

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
256KB

MD5
71b530d65cdcdbdc41ba2dcefad95b28

SHA1
bde222edfd88e1ee2a751e908849e9397f2d9fd8

SHA256
a1a5eb117f2af45fbd2d2aafcfeb9d7deddceb4fbbe948bbbc2b851321e56dd3

SHA512
e2416f0f34c23d37f81af2e14714b1b2d67aaf31017dd7b9e6eee753eaa623797dae1a062cbdf036d5db78e10ea832d1fd100e5d7780227261f778685767b7cc

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
256KB

MD5
3ae7d972062b29894b664eaf3a594ce0

SHA1
41667946c4fd40d1e96bf5439f4ed94c706c9bd7

SHA256
dbdf5c81bbd9706664a0b48798e8fd48861305573b081708ef58d8bb4ab5b6f7

SHA512
9e12909d05180afda1c05f4b7112b1aa27b939752588da9701da806a1282a30303b8637131449ec2e70ea6897b323d33542a62a6cb2b62ec188db4e3fa098651

Download Submit
C:\Windows\SysWOW64\Dlnbeh32.exe

Filesize
256KB

MD5
617c0dffba5f60d5045868042bf4eff0

SHA1
c4e97cad2b313bc169d4ed42ad899069196b087b

SHA256
abecdb79b10fb6941fcc6e987eabbb1493c40fb3bd989572caec74d8b9cc7e62

SHA512
60fa5178df4a9f4c36ddf13003df63089530b1f47d8cd74cf5542088498463fe32c9741fff37ac59f442a72346489433ddc25afa7f34db35438b026bf83d67d7

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
256KB

MD5
f7590533d42653b46c49b00e17fcfe01

SHA1
9d18aea9830c6c45678d5eafd8c5ac6dcc446233

SHA256
593551f3589f6cc33a22b215e1d07f00b78920948cc67b333f34f9f6b9756c6a

SHA512
3371ae8bacb765762454885885b663dc3a389ca77e24f89deb328ab78fedead4bb7fcbd230057d59e80e8b8880de15ddd144cc395c2dd840a7285ff172d7fd62

Download Submit
C:\Windows\SysWOW64\Dpbheh32.exe

Filesize
256KB

MD5
522ffe4a99603e266d7d21e79727dba5

SHA1
a594b8a77bcbf23ce50d5f065be49637f9d2207b

SHA256
7b30268eba153c183a234dc74ac6ce63fd44c516fa991eb5c542f26c1ede17c3

SHA512
8ceaed16b75fa146a7a7f91fecdb78985dbfb17a030ff370f5fbee21b30b808c369f842f69209bb64be5355d629a4a927c27c84869e8f52036786ac249992428

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
256KB

MD5
702b0a3656f6f3fec9502772dd37c353

SHA1
c3438f5d26254dd767d64173d1f3869054d1c9be

SHA256
334bca412b5de0f13884edd21e3765e9dcfd8a02524a3e54d202dd84b60fbd01

SHA512
009767f4c03c99aa1d9d767166eae1119d56d191d2db1aaca972926d0e10758256e375eb25c13932e777796d6ba0d42956a81c9c6390d73ed7042fbd018241ea

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
256KB

MD5
effb13b2c46d3b5052eb0d3ed1046244

SHA1
2101648949fb199524ea414e39b8aa2bc23b88c6

SHA256
680fff2adbb80d429292b8514d66a3a4a290b108f57f62d6e43608d8db0d3e33

SHA512
41ab51e54845f5b805c383f3db05f9d54405a97fe0b911d9dce415555ae029d50cc03173feaf1a6a549262fb49ace7175d2bf0fdede5b861e200e60621962ff0

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
256KB

MD5
a726f9689a3414284f0a5bc789a90e0e

SHA1
065ecee94ed628081059a232d868963077f19fcf

SHA256
30bd7156853cb47b4c552ba81b39192d97d20274a703327481763a9328ba44a9

SHA512
eb7c6ed6029b3a4458ff87394d3b904363cb0ce69d04f097f8dc5af88573ea5fd223bb846662a357a2c4255cfc86db880207c337954658bd600e9783976acff5

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
256KB

MD5
72e6547765df975783d19c20c456b91d

SHA1
80e80b7344da23e8dbf8cc475acc795b5ccb48dc

SHA256
7d50e265633d33cc96295e348842cdc9af677b06210d171623ae7be22c96eead

SHA512
41c5828d866e863ac05345c6ce2e0acbff3d2a16445246adf1858803c0f6192e6d1e4f2df06e9596d6fc12691cecc8873c8e66380810aff2ef7b123780fbfdb5

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
256KB

MD5
99e7c1f9b6b78fc7ad7712aa3c0e6231

SHA1
4f8c8603828c173bf88877227fe34488c5b7f427

SHA256
f0c0dc14d53313b9f4c22598259bbf25ef850356b77de899698736a96544e293

SHA512
8b0b517026398147159f97c68d4fbb82957253ef1426bd9020e87e04fd8ba56e9d863200ae1e3fc82f41187826b79bd032d087436c53da8e54301d850e1445fb

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
256KB

MD5
65f7dac2f172a094279ea36c0d9ee4a8

SHA1
6ae3ce402f2727d735468cde82231166e6b17e90

SHA256
ce5adc9c838404943d3c6d29caa27a7c4a634746303906c6a369c0919064e4f3

SHA512
1fcd6fdbca9bd81b2108cfb5b719e632f8af1d825beb3a01680a466305fe6bd87333c705e9e31685c3f061782af4a07a59ad73fc6d12c1b58bc7b9cea164e72a

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
256KB

MD5
9788b35353c8b536c750f44c3a399b58

SHA1
42ec11de3fd78939004a824261f4af650c4d19ef

SHA256
e93c2d011997e01c21b913b35c9115b07b5cb2c42a3edd5cf03d6b4a1c85574f

SHA512
5f9d135d513c9d646d229ade07d7c78839d7fb407d77048c4c8d2231a22ac50846e8f8388721a8f7b72002b5e22cb4d3912663eaa17d49c6b07b2592849804e6

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
256KB

MD5
e5face8f9897dc79a498ca9e424638e2

SHA1
fd550f808742952dfd8691859bce266598054971

SHA256
61940868221a13aaf0996d711e67495d44d5e37052d22435e698fdb156fb5d31

SHA512
ee2ad3a071cd7edd80cd2469ab426a0e9829f8fe92a0ab1d5f7edbaeb6831ac9be86b80d94e75c7cb7a03c36ce3a7b1c10bf39b4e1505b7623876f53b32853a7

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
256KB

MD5
6eed8c6828962bbafafe9064af41473a

SHA1
46a5c7b7ca83d76c57326ac10e3c68a0313c233e

SHA256
7e4e77797e293e1a8638dfde91ec9b148a25163509fa24a88a495ae72fa441a3

SHA512
a8c06e8b210cf66ce5b73eb89b0e6a6b580aa5567d367a01264ee6b6949327c5d82c9104654cfc2f01091695c9d9ed81279b022f2fd1c0ce610e46f83593a25a

Download Submit
C:\Windows\SysWOW64\Lbeknj32.exe

Filesize
256KB

MD5
eb1d2edc886b6b4b9e3fc0f8c78a8dd1

SHA1
cd2d2fad885f257809bf26f4567a3cae7739f50b

SHA256
184df2b26a3706efdc2510a403d7ba4af847017c4f504e5c3c81b48d00886ad0

SHA512
bc513140dca2ac4dbee1c682398bd22a6f41466ec498824d5da7d504c0613e25523a2ccc24bf5ceb856c1b07f836a702d597901907507c192a9070585e2aedbf

Download Submit
C:\Windows\SysWOW64\Mkeimlfm.exe

Filesize
256KB

MD5
0496c3133926a1a8b372370ae071ca4e

SHA1
eec0741f8a08a0512f8b2676420e5ae684cb3fdb

SHA256
1f48d41e4af841f83ee038ba278d01062da896c9154f841f1dc2a0da2719a7b1

SHA512
dcd4133ea63791e812e6dd5bf86ff472b1c019428a2806c4b46a3b4d5d5ea923af371696c548cf649a15bb5c475238d5899dafbc8054240f3e131c95c65fccec

Download Submit
C:\Windows\SysWOW64\Obdkcckg.dll

Filesize
7KB

MD5
648b9ee8684453120a22b55249363f25

SHA1
a697c7c4750f46cac93731ce7cbbc79ecf64d927

SHA256
d4daaaf10efcdbfa4be0b4f44cb5b9ebed71a176607b3d9f9f45fb65d763a479

SHA512
a77c8b161d3cbbf9810024b1aa680d99583b5415945b99622f27e8496870c4f105d48887f9db21a7da50155b23ea747ae0c85bb9ff0aaea0f658f40ba28d3536

Download Submit
C:\Windows\SysWOW64\Ojfaijcc.exe

Filesize
256KB

MD5
1b83a45eedc4e38ca9122fa9358eb863

SHA1
c92536ee7100ab8e9fb58693b9f57e85fc00a42c

SHA256
7736c09f2aade560e75aafe2d0e1516b3c462b9b9ac89b3f34d8ec8e8bc43b8a

SHA512
33c58012d6fb88d9d28ea8b5835d9c7365450890321d2998428af546b4dd9555c86a8a772ff0e72829a78f27cb273f0b43b708cbb1676c054a660c223106f721

Download Submit
C:\Windows\SysWOW64\Oklkmnbp.exe

Filesize
256KB

MD5
be770a24e7385f40c50d23054266b0b6

SHA1
42031a525fcfd2d1b9073885be8686cd45960a59

SHA256
d23f4622fad7105f17848e36e80ded47c49d73839964c89752728875eed7c342

SHA512
d375682a7a6acea6f6f757f7e4cc22ace1a067b5f94a2cc0dc6689727ed6902d01f8483832fa31f7ef5b05a92bd86a479ae2b0ee5ba3bf2a70c369acee57eef4

Download Submit
C:\Windows\SysWOW64\Pggbla32.exe

Filesize
256KB

MD5
3dbda1ececd984d970c067da2d86abcb

SHA1
5cfd09fb289f346d9bfe5b4af59c891d68f6bc36

SHA256
4eb46e69f7ec5ba9e06e76c70ac734e4c8e6fbf75914df425d0f345063e7e56c

SHA512
cd4c45df1716bc8aa248e0d3a4a1586df4904bccd38d1e1d55845a2fd6d47a555e3935374fc02a5ea72d6d7f151ad259237f498d65456910713aeac105e73016

Download Submit
C:\Windows\SysWOW64\Pklhlael.exe

Filesize
256KB

MD5
52ce6917c849bcf1d3c403bc6f1291ae

SHA1
6fc6ff4ece7c58fc52b4de20f8b73ad86452dbfe

SHA256
16ecae669030eec883f80c8af978ba5beb51da19fca050ef7e5b41fa83cec379

SHA512
21df607c3d368260f8c68747ea6ac515132620250940dd48b4b2b7571d0a25bb065a217495e2189206da5bb6edbf0975f11fc6735f94a5fc9aaf26042ceee888

Download Submit
C:\Windows\SysWOW64\Qabcjgkh.exe

Filesize
256KB

MD5
6150d50933b2739c538c14f15bc9e82f

SHA1
620b79ce58b9cd9215b9d20aa598a47aa3f5d4b7

SHA256
e98e425c8d63bb26ce318c84416179ca302734879b6e618126eaba1ea7808a70

SHA512
873f1cead196bebe8fd4116ceff387576bcf8e1c3f8f3a8b4f817887af98d113bf36c5b8da7615bb3dd4b6fc4742c609a1efad58efb0ad9211a6e2ce167ee5d3

Download Submit
C:\Windows\SysWOW64\Qedhdjnh.exe

Filesize
256KB

MD5
e6ee9b77d5ad77654b9eae82a01e44f0

SHA1
ca870e2130e967364926d0bc8a746f273c5a94eb

SHA256
6d7f7f7c40da8bf2c6587babd19838264c89b4a8971f03e7f7fbd64a2b33aee1

SHA512
4e64643e963bf23ca64d93235b2ad317aa43cd92362479797576e7171e407e6ca48aa1e19106dc3d7e22e18f2d8608ff5b16910fd4c35cfc1b0778bfdfb5989c

Download Submit
C:\Windows\SysWOW64\Qlkdkd32.exe

Filesize
256KB

MD5
5764672fee43df488e42e04b28e2cabf

SHA1
f0afefbb3ad515c15aa6a378394f636012db85af

SHA256
47f12c535ae69088e54a654f598a8a310d97f4c1d35ca60e045cc120733561fc

SHA512
ef14fe74f61be835f850b74b6bba354f169789319b8da8d90611f07b297d43968790bd6b2a67e6d1aa6afcc5ff4d9e931b051ba5368c1fc3079026adf96eef50

Download Submit
\Windows\SysWOW64\Lliflp32.exe

Filesize
256KB

MD5
bf455c0b080b9f46ccde172f941a6701

SHA1
e86c9469fc1c2d8ff41e3573bddc1fb51a73c6f2

SHA256
b3b5a8c0490a7dce155854dbd301bb3d16264306eb0b48ba314976c35c3ea0d7

SHA512
e804237302220e15f65c8bbaa2d86d7bc5f9888de548a15e4e96d98838df121ce650cfeebec84b07df0c7784b9b446c0bb1bb70e6646d09866b210b21a59e5ae

Download Submit
\Windows\SysWOW64\Mimbdhhb.exe

Filesize
256KB

MD5
d27ae26369f99a8440ea2b740c84b7e7

SHA1
b7f1e5d965c9465df01383485d48a5063fcb1ae1

SHA256
99b4b051f946434f9b0e279b2d12bd596ba73f72d74d0b67ad7b3a2278ac6a8f

SHA512
fff1a84cb27c068057f6124e793699d61ff5e06d94ffa1c5f9874c23f9a5c917eac586fd2d764b6f969741709cd6f555d283ef3ee2b207d432c8e1d204c91188

Download Submit
\Windows\SysWOW64\Mkclhl32.exe

Filesize
256KB

MD5
8e3dff2b6181e3e48142044acefdd0fe

SHA1
62b2bafe0dd9e9710ddc6668c11eedee79bbb97a

SHA256
70c90f8a7a1ce6197e1f109000eec97681f664014e36120928c8efdd97b5fa83

SHA512
6b6439d82fd81b768bf341ea647d31cc505209d411b01b0d4c35b842cab6f7ba4e84e385ea0a289ecd03c0be01b305ca8add0bc47ab2eae2b5c91f15f59d4780

Download Submit
\Windows\SysWOW64\Mpdnkb32.exe

Filesize
256KB

MD5
1c7aa17059d4c320442d8b3fe6a530a3

SHA1
ae0c3d54367ae34ec85b104262f608cd4be3684a

SHA256
adcacc3b638e2d81a871c10e8d96aa6fe35a7054e7d10b76ef7e952396c5984d

SHA512
96faaf813509c46607e44a5a5dbd58ba985d19311c682031bfc67d9b13d2cb67459b4ffa4cee6b8d7ac8b69453c4c32b5651a03c4d2b9c4d638596a443f347ad

Download Submit
\Windows\SysWOW64\Najdnj32.exe

Filesize
256KB

MD5
fc028cb9c8329397a30f01fbc45a95f0

SHA1
a88c192264e75544e4cfe3952e9d5f7990c3d3aa

SHA256
cb013950c0fb58329603646c9db90fc7431f8b83816794d15a8e57fcab3bd16c

SHA512
3d799f793779d7461d0bc33a407fdb48950f542233473dd870fd191b1970289322a936988bd61e0db52417473b376fbf7ee3ad747f50b2dbb1b151ae448989d6

Download Submit
\Windows\SysWOW64\Nnhkcj32.exe

Filesize
256KB

MD5
08edd1d8bfe8a0d0c6f28df5c8681655

SHA1
8ec7fad01a916472a9a69d2c4e2c7c7f77f0b7c2

SHA256
d0c92b4779380e9367f51f1e47d7a3ac209adf6cd012e60b414b855160f53eec

SHA512
57a37cba74ffc2678d5b1b43dc1fefc96243e1cc78ccfebc0f87b28d76944313d3bf40b73e9f8a940857b70e32726f4fdc2d50a4d43635329a3aeadea114bfac

Download Submit
\Windows\SysWOW64\Noqamn32.exe

Filesize
256KB

MD5
4f6fdd4e37d694283930d66af1ae8d0d

SHA1
9161fecf6773411b8f11bfd0507beffcdb221a91

SHA256
cb38f26b15fbc0b8e1dceba00ce5187a5156f23ceaf55aff2996ad841122dbf2

SHA512
1d63509f918f7ac0594c4cc769efecf966490dbbe0ea21d79e991fa5005b27b6dda471214ee265e8e494e21d054a8bbf78bf47bb2bd1fa7b125e229461c00726

Download Submit
\Windows\SysWOW64\Odobjg32.exe

Filesize
256KB

MD5
7a899f657f522987f7263d3fbd120e39

SHA1
41663dec7d539d3f1062b664425d9497c53ac876

SHA256
207429417f955ee13220b94334a9e93d77532149469eb14517e64f6a2e46e16d

SHA512
271c887c2283456c11f3907ec16e8a96c5377b09a7e5a07c96971f2c0b081cdbdb7574e8aef2150244ae59d6fbd60824153ab34c650cb8f214aed8d23abfafd4

Download Submit
\Windows\SysWOW64\Oonafa32.exe

Filesize
256KB

MD5
74c9a2995dc157a1b7c49493aecef3ef

SHA1
477f8b0f1a30f48e1351d707ad54fac799fbe493

SHA256
9ee135d2496c60961d9cbb8e4164fb135e61c672e27ceee57e3b03a2d32d3e18

SHA512
8387165b8694fcea277cdc128fef3187c5c91a442a50de88f9cedabffc67bc6ad6a0d509171cee6c12d0136a0646c87ded18e78d72d46fee4f33533c58a7fe34

Download Submit
\Windows\SysWOW64\Pgeefbhm.exe

Filesize
256KB

MD5
73aa7db9629db51a1540f4a6b3eb6b89

SHA1
ff22851ab4bb02fd61f2ebafda9fc90179b2b5c4

SHA256
3f35f7f564cb8062e5025e2601d26b7988ca2011c44f74c97a59efded69ffd4a

SHA512
e8c14ef410c824cf7baaab1c97de382f75319587b802f47f5b79995dee35abc39b1fbd674ecda497c77e4a0abeb391a40bde7bcf993000d84f83f9c84efa1b0c

Download Submit
memory/300-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/300-214-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/560-308-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/560-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/560-309-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/584-244-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/584-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-178-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/772-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-298-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1068-293-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1068-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-253-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1164-325-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1164-330-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1324-277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-287-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1324-282-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1368-18-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1368-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-6-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1432-355-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1432-359-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1432-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-351-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/1584-353-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/1584-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-333-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1588-341-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1588-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-316-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1956-312-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1956-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-276-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1992-271-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2076-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-234-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2280-226-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2372-260-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2372-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-266-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2400-95-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2400-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-88-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2416-80-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2416-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-143-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2648-165-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2648-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2668-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-35-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2704-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-147-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2760-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-122-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2888-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-66-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/2908-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-106-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads