5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe
Size

96KB
MD5

f9506d31dd5cfd6ae029ad687af3b82d
SHA1

533c7185ad1fc98a127848720d6afe04ec27b572
SHA256

5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30
SHA512

0c8db5c1e94e89ba6f95fea904b553516a5691e85aec3c9e7f665f3e1608a9d0f0e7310ad860b70115648e99e70bc8cd475e0bdc25fd4cb2524ecb00982c599e
SSDEEP

1536:gbfXve7XMw7PGTGVnNwtr8FIxqUDeaRQyqng8PQOXH5eE3duV9jojTIvjrH:gbXveAw7PGTgNor8uxqUDeLne9E3d69J

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe

Executes dropped EXE 64 IoCs

pid	Process
2236	Klljnp32.exe
564	Kedoge32.exe
764	Kpjcdn32.exe
3276	Kefkme32.exe
3104	Kdgljmcd.exe
3644	Liddbc32.exe
3512	Ldjhpl32.exe
1280	Lfhdlh32.exe
1812	Lpqiemge.exe
1996	Lfkaag32.exe
4800	Llgjjnlj.exe
3168	Lepncd32.exe
1968	Ldanqkki.exe
932	Lphoelqn.exe
2612	Mgagbf32.exe
3428	Mlopkm32.exe
1640	Megdccmb.exe
636	Mlampmdo.exe
1832	Mgfqmfde.exe
4208	Mpoefk32.exe
2716	Melnob32.exe
1152	Mdmnlj32.exe
1200	Mnebeogl.exe
5000	Ndokbi32.exe
4508	Nljofl32.exe
4860	Ngpccdlj.exe
1952	Nphhmj32.exe
4804	Ngbpidjh.exe
1916	Nnlhfn32.exe
3516	Ngdmod32.exe
4160	Npmagine.exe
2148	Oflgep32.exe
1064	Ocbddc32.exe
776	Ojllan32.exe
440	Odapnf32.exe
4224	Olmeci32.exe
4572	Ofeilobp.exe
4592	Pqknig32.exe
3524	Pjcbbmif.exe
2100	Pqmjog32.exe
3624	Pggbkagp.exe
4196	Pjeoglgc.exe
5140	Pdkcde32.exe
5184	Pmfhig32.exe
5232	Pcppfaka.exe
5272	Pjjhbl32.exe
5316	Pcbmka32.exe
5364	Qnhahj32.exe
5400	Qdbiedpa.exe
5444	Qgqeappe.exe
5484	Qqijje32.exe
5524	Ajanck32.exe
5588	Adgbpc32.exe
5636	Ajckij32.exe
5676	Aqncedbp.exe
5724	Aeklkchg.exe
5768	Afmhck32.exe
5820	Aeniabfd.exe
5864	Aminee32.exe
5916	Bnhjohkb.exe
5976	Bcebhoii.exe
6032	Bnkgeg32.exe
6072	Baicac32.exe
6112	Bgcknmop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6412	6332	WerFault.exe	196

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2236	3392	5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe	95
PID 3392 wrote to memory of 2236	3392	5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe	95
PID 3392 wrote to memory of 2236	3392	5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe	95
PID 2236 wrote to memory of 564	2236	Klljnp32.exe	96
PID 2236 wrote to memory of 564	2236	Klljnp32.exe	96
PID 2236 wrote to memory of 564	2236	Klljnp32.exe	96
PID 564 wrote to memory of 764	564	Kedoge32.exe	97
PID 564 wrote to memory of 764	564	Kedoge32.exe	97
PID 564 wrote to memory of 764	564	Kedoge32.exe	97
PID 764 wrote to memory of 3276	764	Kpjcdn32.exe	98
PID 764 wrote to memory of 3276	764	Kpjcdn32.exe	98
PID 764 wrote to memory of 3276	764	Kpjcdn32.exe	98
PID 3276 wrote to memory of 3104	3276	Kefkme32.exe	99
PID 3276 wrote to memory of 3104	3276	Kefkme32.exe	99
PID 3276 wrote to memory of 3104	3276	Kefkme32.exe	99
PID 3104 wrote to memory of 3644	3104	Kdgljmcd.exe	100
PID 3104 wrote to memory of 3644	3104	Kdgljmcd.exe	100
PID 3104 wrote to memory of 3644	3104	Kdgljmcd.exe	100
PID 3644 wrote to memory of 3512	3644	Liddbc32.exe	101
PID 3644 wrote to memory of 3512	3644	Liddbc32.exe	101
PID 3644 wrote to memory of 3512	3644	Liddbc32.exe	101
PID 3512 wrote to memory of 1280	3512	Ldjhpl32.exe	102
PID 3512 wrote to memory of 1280	3512	Ldjhpl32.exe	102
PID 3512 wrote to memory of 1280	3512	Ldjhpl32.exe	102
PID 1280 wrote to memory of 1812	1280	Lfhdlh32.exe	103
PID 1280 wrote to memory of 1812	1280	Lfhdlh32.exe	103
PID 1280 wrote to memory of 1812	1280	Lfhdlh32.exe	103
PID 1812 wrote to memory of 1996	1812	Lpqiemge.exe	104
PID 1812 wrote to memory of 1996	1812	Lpqiemge.exe	104
PID 1812 wrote to memory of 1996	1812	Lpqiemge.exe	104
PID 1996 wrote to memory of 4800	1996	Lfkaag32.exe	105
PID 1996 wrote to memory of 4800	1996	Lfkaag32.exe	105
PID 1996 wrote to memory of 4800	1996	Lfkaag32.exe	105
PID 4800 wrote to memory of 3168	4800	Llgjjnlj.exe	106
PID 4800 wrote to memory of 3168	4800	Llgjjnlj.exe	106
PID 4800 wrote to memory of 3168	4800	Llgjjnlj.exe	106
PID 3168 wrote to memory of 1968	3168	Lepncd32.exe	108
PID 3168 wrote to memory of 1968	3168	Lepncd32.exe	108
PID 3168 wrote to memory of 1968	3168	Lepncd32.exe	108
PID 1968 wrote to memory of 932	1968	Ldanqkki.exe	109
PID 1968 wrote to memory of 932	1968	Ldanqkki.exe	109
PID 1968 wrote to memory of 932	1968	Ldanqkki.exe	109
PID 932 wrote to memory of 2612	932	Lphoelqn.exe	110
PID 932 wrote to memory of 2612	932	Lphoelqn.exe	110
PID 932 wrote to memory of 2612	932	Lphoelqn.exe	110
PID 2612 wrote to memory of 3428	2612	Mgagbf32.exe	111
PID 2612 wrote to memory of 3428	2612	Mgagbf32.exe	111
PID 2612 wrote to memory of 3428	2612	Mgagbf32.exe	111
PID 3428 wrote to memory of 1640	3428	Mlopkm32.exe	112
PID 3428 wrote to memory of 1640	3428	Mlopkm32.exe	112
PID 3428 wrote to memory of 1640	3428	Mlopkm32.exe	112
PID 1640 wrote to memory of 636	1640	Megdccmb.exe	114
PID 1640 wrote to memory of 636	1640	Megdccmb.exe	114
PID 1640 wrote to memory of 636	1640	Megdccmb.exe	114
PID 636 wrote to memory of 1832	636	Mlampmdo.exe	115
PID 636 wrote to memory of 1832	636	Mlampmdo.exe	115
PID 636 wrote to memory of 1832	636	Mlampmdo.exe	115
PID 1832 wrote to memory of 4208	1832	Mgfqmfde.exe	116
PID 1832 wrote to memory of 4208	1832	Mgfqmfde.exe	116
PID 1832 wrote to memory of 4208	1832	Mgfqmfde.exe	116
PID 4208 wrote to memory of 2716	4208	Mpoefk32.exe	117
PID 4208 wrote to memory of 2716	4208	Mpoefk32.exe	117
PID 4208 wrote to memory of 2716	4208	Mpoefk32.exe	117
PID 2716 wrote to memory of 1152	2716	Melnob32.exe	118

C:\Users\Admin\AppData\Local\Temp\5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe
"C:\Users\Admin\AppData\Local\Temp\5183a12058eb7f29e93319cefa4bf48832de3ac07d0e9cc6c80ed2e0840e6f30.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\Klljnp32.exe
  C:\Windows\system32\Klljnp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\Kedoge32.exe
    C:\Windows\system32\Kedoge32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\Kpjcdn32.exe
      C:\Windows\system32\Kpjcdn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        35⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        38⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        39⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        42⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5444
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5588
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        63⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        70⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        71⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        79⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        81⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        82⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        83⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        85⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        89⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        91⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        92⤵
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        94⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 408
        95⤵
        Program crash
        
        PID:6412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6332 -ip 6332
1⤵
PID:6368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
6b796adf2072ff5d543a8446767d0bfe

SHA1
f7f5a96995519a4c3da3214c606ab112df847b1f

SHA256
5083cb8d5aaf2fb4d08503df585de97db87916693eb7b5959895562ade81141a

SHA512
0b8b3a64f1a1a9c8b9508dc41a99238e1cb65bf8be2cdcbe7b014a26cc5683d819a669bd9b770de2bc2667565d8fe74a160104a0aa9a767a55a5dd8e2471e237

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
51bf798ba97a427d47b546cde9b02336

SHA1
dbaf03db2e5dde203ca3d21338169ad6d2811943

SHA256
580248960aa4f0699483b56639b74cb39bf33032dc35fbefb0f3fdc47e681e89

SHA512
09fcc6af6107b89d78c850fe12d7d8bfcc7576e71ff8e737294324c115ea2ae5d2ccdf9f078d60669c69c229a1500b2379d99aee480134f7bdf7d58aef1b2ec9

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
96KB

MD5
d00bf2d3503bf432c63c0519d6e63676

SHA1
75e9f0c9ced7bc9361d2da546f9bf59d49e0b0d8

SHA256
6b69c52d843b5c64bdacc0968493fb46a3c9e065fbc2a0216441c26bf91edadd

SHA512
43ee5b550967f41fd253b4baf4d2e2f00d3bae5a737733667525bf85635784d4b16537976082a7aae526be660231ccb8b60185c38d715e9c54d456c50351a9a4

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
96KB

MD5
3b6d1befc73b1615a7fc2050e26642c9

SHA1
9304e097a32fd17749aff046de1aa05028f15349

SHA256
26da1252eb426135caa080dab2fcf9898125c6cdea904659e06808f0bc75953f

SHA512
4e395b083f22c991554fd62f7f8e42cf1ba81bd23cde51522d578f3b9a36bf07aa22f56fb6e6c361693e1585793d3beb38b93f7b3591b0ab4b445d2a99ed0f1f

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
9a1a9a97b237a1f157c673483d265931

SHA1
7ce1577f6cc102934987a77ddeff51ec7f7ecb9a

SHA256
a07061d3c7c9a6643d8467fd389431f9de80872d2d1f201a20ba6fbf876ac0b9

SHA512
0382d9f140cf4d224bd7456e9b75c21f5a00a564c29e58c4dbeeb504232961afbf561abc33acb1cd5dd0ab3e589f3d9146ed4bc080a20132236ab0ed21e6e0c9

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
96KB

MD5
a2e16355a8f7c5ff26134c68fe78cab9

SHA1
3b012e5945ef55f89341e78675da26f059993c6d

SHA256
e0724b7c947394ba6d712e25e6983fb677973cadba6fef56c14e50312336f78d

SHA512
1fcaec76882ca58a4e2d3b5ce13bf4cc4e751ba7101ed6a6a478ee3a1595ef58fc9b6cd29259fac60abd3ac92ab42bbcee83fa4a9e3a7646de27c33b805c5c49

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
96KB

MD5
5b548bbfd6ac48e9b9fcb48292e55a60

SHA1
0f0b23e7d0f1b3d8cc5a4c321bc022bf0661763b

SHA256
5066e5b1287d0230eb4d920945482d7358e3e6882987cba0e4f40fd1a654a018

SHA512
7dcb0296f6b69059b624ff863d13a149896a2e5871948b6217ce7d721710f3a0f4a357a52d1a05ff3fb8c6afda3f6a4e4fa2a84dd8c8ba5fe6a047a3c6fff8a6

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
4c905b70ee28e3aeee1f93de4e14d757

SHA1
3e4d91839e117deed4e2a8cf5a5cafe71246b861

SHA256
569d1c48fe11d6a690ffc841ee45293c69f0c74a2854dbb9fcf73095be053145

SHA512
92926f1c717eedbafff19176f44eec7a0a987bde6ff2e177da9549d527f4c90c101137ee6a46eb190174bcd266decd441d8265a6cf3889694f1e9e694bcb5702

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
96KB

MD5
d6764233e6a8c3ebf617475914b89cac

SHA1
6923ded6325e91609d09ec1bd8be3692b9de0ec8

SHA256
793b665d0171b7bc2f65ea1fad956bc095f439aaec8eda7f2cb9cf3545bf2dc1

SHA512
6a376b2cf09dea11930195dcc3780cda161210e3050b82ae5fc61699d1073d3b2be12232d529f201183566e45b5126bc2c08f5a656fd692aed0636500595a256

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
b9752a422b1776a7c2ac8acbaf9a80bd

SHA1
2b83acf7a19244c41b0986fe93de68336c820be0

SHA256
7cda8cf6846ce444f06c58ed71b124376b83aa892074dd25e36a04bceb331444

SHA512
3a326d1078e672a5d886fa4b8ea809d6f0d3ffe5f241e7f2eba85a87ee4e660005bb402af584c61c9c2536314c9f0db73760956f8cb7e4691559692c7d341080

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
2e95a6bd8aa3443b16b0c6a536b3ecfe

SHA1
d697b3262beade33dfe075020a1b379c87a709f7

SHA256
abc50bfc330b32edfa020815502ebd89807eff71e5c600b289a6c1079b2be8b1

SHA512
5312971e9bbb9f8eb202a1a3ad0532c41b0afe09f534ba358203ee474e41585bcbe910f0bf07b0819fcdd569d8c4a6331240067816ffd14c92f45c54e1ffcf26

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
5562ef842f5b70b6ff015483e4c908ea

SHA1
b719ae0f189e99c9d0dc06e5767e653e183bdf98

SHA256
bd779e27dadee1add489f880d1faae8338ed505c78a08a62d3cdcdd128ede3f9

SHA512
612279816ac3dadb34522511cf586a7c85f560b2b04dc0f9f10df71d1181d7da22ef9ef4ef7adc0a8a61a4ab2c1595bd1f42c57049f99d6145c9fefbc6b025bc

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
da034958b9cef85e203f8492d6fe3245

SHA1
e754e867a85a7eefb0e06b26f9f4aeb15eeccfe1

SHA256
489322e464374d6ba4f6972e0a535a864a655eab7bc182e047d59162ec799046

SHA512
32d14a446c087300f0b44ffdc6f922dd92aa33a14ba218d9076f1a7760f02d86d68e280b30aaf24df5eeb37b358a3358de7aebe622dc58a0ff29f7f089ab934f

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
528e3eb6bd3f17f6e0cb2a8e6509ea6b

SHA1
e7915d57c898845073fe38ccb2ca10d552be206d

SHA256
d38d760682915a0aada84a5665380660134b3c1e0d01fa4d7600aa45e9f65c91

SHA512
6349bc7dc60160ce183b19ffa746176427af445667b63746388be4aaf080ea9bf1f1a69fd67f31cd1647e6fb632e9fa3a0888ef2cba420cabeac5d79069b403e

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
d9c558bfc549adba91fa5743402dc1ee

SHA1
8ec8ca1508e301b00df3a4f563c909dab8fa6153

SHA256
a7db7dad6f92dd2be11b6b7b826b54329985c2cb0d0fc779060d9ec912d78db8

SHA512
9be3ca057e7dc42494b5b872ae189797c132dc492da3f365430e9f5f453161e86fdc797465eac834b73c09eb93edadf93be3e06dff1cb602a5cb3ae0942ff469

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
2a7dec5da09ae439e593a70f8079adcd

SHA1
65cb35ee6c7ebcd3f7cc405cdb12d52b330189fa

SHA256
9cf69fac3e3f68bb526f0ca331fa6fa83c4b6188ebce20fd1255ae0f4d4c4f41

SHA512
9a4709b539a8999818d52dda7b4f4d066faa0f32aa11bd052f925bbf114fa3aa8e4d8f25b3143f6fcd40c65db5415ad051b205a46862071bfb325d1485ebe0e1

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
839276d2ac77223ae503774873314917

SHA1
114d7535f32326e353c277217d8f6eb8c4d8748e

SHA256
9e35da8caa0709ca6a1cfa0a121bd3ec6ff013e2d25799eba7e31dbf5f1d37b6

SHA512
ecf8953b28a9db4b6f3e6623e404146abc9d68b4eb70a4f01a3a5daa95ae72fa11388259455d8771c4745248c65527121a04e9263614c17051fb67b7a901ad85

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
96KB

MD5
ba2c34ab8866505cda2238d7bb12f98b

SHA1
8b5b96065257fd7a136526255f41a29adf3d59b7

SHA256
3f0f084c971ba343f1045d8e4c6a3d9747be41cca15af79e4a0b0eca3bbe1559

SHA512
42eb7be4aad0a1ba8b0003cc026964879d8ef8fd32e8cab93dd169dbdb851ce6d5f38bd1ac266b32400fcb5e8a3621752f4426f6a75ed3cac7d9f3590ffb49fb

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
d0c61b99975dfefe21f90a33233e3ce0

SHA1
126e6206ab38d8de68b4d9e66c755191ebcf3105

SHA256
c60484c05a60377602132bc49025d21f97bcc6d35b0c76ff6b85846ef5e37253

SHA512
98cd97c1053c7461f9ae71030092c76bdff38b933347fa5fb2eabf98ba5b67373bf3841e4a95468a6de3af60dea76034992f1b944cee21a8dd4a452b88b6f8e4

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
30504e1453b1180f7847ec3c63596fec

SHA1
339a62b85e2600210bc683d1b216b6cfa7d88057

SHA256
6100915efdbe9c0cdf65d2158c715a6f4e7c9d291ba4f8f92900601ef7e8e72e

SHA512
0392f91acb26a4ab314d92c81d99b99f026b94ea993260f9169caa990d04db78953a7695de537023bc3e30183c14e61e517a3aebab7b23d1cda3b5bbc4ac81db

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
96KB

MD5
a7d29daa9bd2290bfd2f1a08f44dc973

SHA1
b46d088b5f9098f4c113a4665bf48b8f90b0a2af

SHA256
ddb1a7d6964ad5f51089ac62b068e77bd01adcc97a0ac81643818394c552335b

SHA512
7dc5fcbe7b3789b4c489ffd718fb07671b6947dd541558df984a4742456921e98b94fe82ae120ce4e38daecb7d4773800eb2e4f3abd5c5f891f768d8db534eee

Download Submit
C:\Windows\SysWOW64\Mhkngh32.dll

Filesize
7KB

MD5
2241c75acece875547370bb7cdc02202

SHA1
8519902bc743bb794807c20da38ced1babfc6250

SHA256
62e2ba39f29c9f6849a93c46a4fda481ee0025574dee7b90a9dee4da4b8a0e2c

SHA512
a63338832bd9a3688555aa299fd07eb6a449af887d6a4ac0a0f5b6c6975636547e6e6d12863bf4351da4e9a1aa4ed3163d0628377e6a0b6f3c41cbcc88be881c

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
7fb4d6a9d3d190e2c15b9e469dd8779a

SHA1
d99ff8b4f10f5290804d32702964eb180ca5e29a

SHA256
c079432bfab519c71844d11367df13a9fdd89055ef7e9ee330df92a27cd883c5

SHA512
ae7bd99da572fe8b867abd8d28ab1e63807bfd66bd7c4b75af9ee02407a59971731854cb51a0c2885361b224a05e6b901ef57bbed20d2858fcb35ab195d99f7b

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
54c066726bd96410f13e015e027aa92b

SHA1
f82e00c32d3c57366c8ffd5f33931b486f04468c

SHA256
2d68d619dac2b514dfb5c749b7bdfccc43c8124498335abe48e3f56331927125

SHA512
2618381ecacea382b92a8c2b4b50910779eb8471723a6fed2c195eb2feb15fedc71720026a0fba3bd250a4f1a1f985b299052e64573f9cb63fe045225f3c4ce4

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
96KB

MD5
b6678b2b0139b74329c23d924bd70955

SHA1
ab0bbda28a425dc34e9d4accb959be00b98e8fbf

SHA256
985debdbac4034414cba76d3be29ff27a3efe2134ac4aff290f011250f5fc5a4

SHA512
48e4a8cee2d7de48af655791bdb01effb60d220cebeee15c8b1171068a1fde6ebc01ef0dcc8fda77b93b6fbffedf166003f7b124b352f14c9f547a865b04a71f

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
496afb5601ea777350c1b1061ebdb557

SHA1
768ea8c2ca20d62c904c8ac8ba32c264e818bcf4

SHA256
cc4326e1001a03d2ada70ffc114e86f46dacc7715faa62ca84a7190fa0208536

SHA512
8fb7a9606ced210494a4a4e478beedde739dc9cdc8514ab66ce877a109f422b67ae04b020a9fddaaf60505651a9ab1bb1ab36f693eceefbc30d0a3d35239c36d

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
4e49bcb9d6da5123b8d6a361ba647c77

SHA1
f956ec142ad8a435f4b7d4a268f2522f089ef4d8

SHA256
2eb60c51c537086b1f11d72f64625b2807dab5579583d234005124b46f4ba53b

SHA512
32c0b699e18f6cb9675fa0d36b85d3566534440a50fe1c3012222b4b9acdc5dd4a5afecc7a893cee1b1c3beb2f728782814f46cc6cd317b4f56f2ab675f9c12b

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
96KB

MD5
f151c0ff5eeb75d2129f12f548f36ad2

SHA1
47bcacb38f85e3bf587475df7b98e9ca441e5ef3

SHA256
de541996d43c443d343753bb1c1ad0dc5312ce49cd9d8e2ef4cdb171a6f3c7fb

SHA512
54db5808abe4f3d82600bb76695880d2ec0f3ac757a25e1d386a1ce2fc97fec65481fe391eb3965756de0ba3c94d40c41ffb17b0c2acfb91017288a17dae8d6d

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
96KB

MD5
30376fb7a29edaf137452c3fd61627aa

SHA1
cd9591e24c0b943ecf88d8c49da7c8a895541ee2

SHA256
30d93340db4b1ef5129769413e7553afa0edc4c94af1469f2ebd04d6bc55ebe5

SHA512
91eacb93a4141ea59e67165cec24b28522be87857fdf4c92a7a903c2647315d682788864da27d52cb7ab6387a50aaf72e9e653cce83889a691285fb0079f3c72

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
3c069bd92b55eeb7772a39e55e73bf3a

SHA1
da9f8d6703343904c646d2fce46b45e2fe7b98f7

SHA256
191f9845f060345977c51c3522b4e5fd4e8a87475c0cd6bab4277577a69159f1

SHA512
460f59915fdb7ebcd3ba2fe6faf93e37a3366ea032f30fcb83e17f85dc8598de494ebd1677cdf269e83cd3353a58bca23dedca357d2399bc4b56fbb9c8641c54

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
ea0864ac12a3d1b04c7c722c0f841b0e

SHA1
58b5903cb8433f74dd4532af8eea932e69be5038

SHA256
24c0ebcee5d3710f280ba0e949e478922b6a82137755f3fff99b9fe78049e2c7

SHA512
43f7113b587b01bdfd4c82fb733680ae46f1369ee727a09c358e6b7b4e09f436d289089c25a4debc1c360af094c6e43eee065d7351931d3cb9fb2c0a97e10c6b

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
96KB

MD5
34e60bd946917aa4103e002e65ff3ae7

SHA1
e336d7a0f1c196f04fe8a748aa6fc79793ffbbf2

SHA256
dff74273d4aaee884062924afca3864fc7a2a59f9fa412f4f8dd8b82079cc287

SHA512
90dac8af3f53190f2a8b72040499cadf7f6180a1a324872d20813e6e096cb9bfc738549beba7b9ff6a4c2a78491d00551ec44397f919e65e4011873c05ca5027

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
96KB

MD5
cae37da669ea47a3ab17dfa339a95e22

SHA1
db61e326600292ba26edd714ce2f5c24ff27c994

SHA256
a50fcce38855111e8cc56e2be1c31d66c9a031f3ba1f575ff28d645c277194d2

SHA512
9c5b283128a7a616cc31699d60e923b8c9b6762289c740e9ee543f2ace464e25c6886acea750c58fb681f7270d91f08e2f20c1014b9d265d990577161b1bcdf1

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
96KB

MD5
2a7629b7ace80fc7122c2a34b190db17

SHA1
75a3abb04366a66cdf3701a3f2d9b6d04965658b

SHA256
ca22e59b621f9c7541e1a270b8b749347b85955f00a0c5d668bbaa7396401a88

SHA512
bf57c68576730252b4c31c9d628ebc7bbc0181d24471b14503ef2aedb540a6bfe3135a3c59f3c7127476e1258f1b62223d0c4d483daf02b8cdb28c1bdc5e49b1

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
96KB

MD5
a42f62ea9e3632b50bf64d694c8ddfef

SHA1
1b179e8b616268321d550b475bbb22e483aa9557

SHA256
22458d05c0b2f55f1be662a2c1f90ccc5643217e473889ea69788a68fa217fb8

SHA512
551d76b15df1569a7d9e23bb2b164869bc54d351d8d62effb4079bd2837be979ee3ff3737567c00490c718f105a2bfff1d5090feedc1b4714c68a45a92ffc456

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
96KB

MD5
21c0a6781e33e8e1983c14e5660512a4

SHA1
f611a9ae5ddb380ad3691a27f225bb38c03371e1

SHA256
7ecb9771a2bada7432dfed5f93e838fe4c3afd5c49012ab60b76d3a2819d9fd0

SHA512
51ab8b19ac7c0ca28e72bdcaffccac218df29229e5ddd4f8e84002073796960d4d2b26b916480ce14fa566af153576995082ab905dba2ef5c197488bdd5511cd

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
141c9477842b8b75b050515bfef4fb80

SHA1
b3909dec51002a658aed50225fb36f9263781c96

SHA256
041a682eacca1a0214da4381e058d4dca49ed9c6e5fd95c61fbaf87132a1352c

SHA512
0df36914dad8bc242ecf534831800adecd875a4f48dcc8624e6b27b86fb6f913c144885ed0ef9b765f4e219d12b8ad6696821cbb4fded0365adf4b937a078b24

Download Submit
memory/440-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/564-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/776-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/932-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1064-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1200-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1280-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1640-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1812-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1996-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3104-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3168-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3392-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3428-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3512-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3524-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3624-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3644-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4160-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4592-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4800-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5140-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5184-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5232-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5272-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5316-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5364-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5400-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5444-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5484-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5524-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5588-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5636-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5676-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5724-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5768-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5820-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5864-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5916-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5976-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6032-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6072-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads