877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 21:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
Size

45KB
MD5

9ac371a84c21539a32b9a476783071c1
SHA1

8bc7ffc78b6200da32f1e397d516601fb85ce3d3
SHA256

877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279
SHA512

e8ef0879da757d7e45bf7080ef75f997633d25c782890d049ffc452650c07d5ab6a230952b01fbd0973e6ccb391af60bff34d88947e2a1b40402d59de5a87852
SSDEEP

768:4RGhUG9S7S+7t+SHbXPliwC/UlgRSowF9pLEoKC8Ou3gz/1H5L:H6U+tfTPoZ/PSFgC87Qh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhneehek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhneehek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmkcoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghcoqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Febfomdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpqdkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpncej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffhpbacb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpcqaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghcoqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ganpomec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpefdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpefdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmaaddo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Febfomdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpncej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmkcoap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpqdkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpcqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffhpbacb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legmbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gffoldhp.exe

Executes dropped EXE 42 IoCs

pid	Process
2576	Effcma32.exe
2604	Ffhpbacb.exe
2644	Fpqdkf32.exe
2640	Fpcqaf32.exe
2496	Fhneehek.exe
2460	Fjmaaddo.exe
2236	Febfomdd.exe
2572	Fmmkcoap.exe
524	Ghcoqh32.exe
832	Gffoldhp.exe
1900	Gpncej32.exe
1752	Ganpomec.exe
1640	Hpefdl32.exe
1160	Lmebnb32.exe
2932	Lfmffhde.exe
2168	Lmgocb32.exe
2788	Lgmcqkkh.exe
1864	Ljkomfjl.exe
3028	Laegiq32.exe
1620	Lbfdaigg.exe
2320	Liplnc32.exe
748	Lcfqkl32.exe
2316	Legmbd32.exe
1464	Mmneda32.exe
2064	Mooaljkh.exe
1684	Meijhc32.exe
1604	Moanaiie.exe
2532	Mlfojn32.exe
932	Mencccop.exe
2600	Mhloponc.exe
2408	Mofglh32.exe
2868	Mdcpdp32.exe
2832	Moidahcn.exe
2364	Magqncba.exe
2156	Nmnace32.exe
1656	Nplmop32.exe
1544	Nmpnhdfc.exe
2652	Ngibaj32.exe
1296	Nmbknddp.exe
2468	Nodgel32.exe
796	Niikceid.exe
2344	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2272	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
2272	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
2576	Effcma32.exe
2576	Effcma32.exe
2604	Ffhpbacb.exe
2604	Ffhpbacb.exe
2644	Fpqdkf32.exe
2644	Fpqdkf32.exe
2640	Fpcqaf32.exe
2640	Fpcqaf32.exe
2496	Fhneehek.exe
2496	Fhneehek.exe
2460	Fjmaaddo.exe
2460	Fjmaaddo.exe
2236	Febfomdd.exe
2236	Febfomdd.exe
2572	Fmmkcoap.exe
2572	Fmmkcoap.exe
524	Ghcoqh32.exe
524	Ghcoqh32.exe
832	Gffoldhp.exe
832	Gffoldhp.exe
1900	Gpncej32.exe
1900	Gpncej32.exe
1752	Ganpomec.exe
1752	Ganpomec.exe
1640	Hpefdl32.exe
1640	Hpefdl32.exe
1160	Lmebnb32.exe
1160	Lmebnb32.exe
2932	Lfmffhde.exe
2932	Lfmffhde.exe
2168	Lmgocb32.exe
2168	Lmgocb32.exe
2788	Lgmcqkkh.exe
2788	Lgmcqkkh.exe
1864	Ljkomfjl.exe
1864	Ljkomfjl.exe
3028	Laegiq32.exe
3028	Laegiq32.exe
1620	Lbfdaigg.exe
1620	Lbfdaigg.exe
2320	Liplnc32.exe
2320	Liplnc32.exe
748	Lcfqkl32.exe
748	Lcfqkl32.exe
2316	Legmbd32.exe
2316	Legmbd32.exe
1464	Mmneda32.exe
1464	Mmneda32.exe
2064	Mooaljkh.exe
2064	Mooaljkh.exe
1684	Meijhc32.exe
1684	Meijhc32.exe
1604	Moanaiie.exe
1604	Moanaiie.exe
2532	Mlfojn32.exe
2532	Mlfojn32.exe
932	Mencccop.exe
932	Mencccop.exe
2600	Mhloponc.exe
2600	Mhloponc.exe
2408	Mofglh32.exe
2408	Mofglh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
File created	C:\Windows\SysWOW64\Legmbd32.exe	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Jhcfhi32.dll	Legmbd32.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Liplnc32.exe	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Aobmncbj.dll	Ghcoqh32.exe
File created	C:\Windows\SysWOW64\Ljkomfjl.exe	Lgmcqkkh.exe
File opened for modification	C:\Windows\SysWOW64\Lmgocb32.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Fihicd32.dll	Gffoldhp.exe
File opened for modification	C:\Windows\SysWOW64\Hpefdl32.exe	Ganpomec.exe
File created	C:\Windows\SysWOW64\Lbfdaigg.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Lcfqkl32.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Fkcpip32.dll	Ffhpbacb.exe
File created	C:\Windows\SysWOW64\Dlfdghbq.dll	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Ljkomfjl.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Meijhc32.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mhloponc.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
File created	C:\Windows\SysWOW64\Fpqdkf32.exe	Ffhpbacb.exe
File created	C:\Windows\SysWOW64\Febfomdd.exe	Fjmaaddo.exe
File opened for modification	C:\Windows\SysWOW64\Ghcoqh32.exe	Fmmkcoap.exe
File created	C:\Windows\SysWOW64\Jndkpj32.dll	Fhneehek.exe
File opened for modification	C:\Windows\SysWOW64\Fmmkcoap.exe	Febfomdd.exe
File opened for modification	C:\Windows\SysWOW64\Lcfqkl32.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Ibddljof.dll	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ffhpbacb.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Gpncej32.exe	Gffoldhp.exe
File opened for modification	C:\Windows\SysWOW64\Meijhc32.exe	Mooaljkh.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Fpcqaf32.exe	Fpqdkf32.exe
File created	C:\Windows\SysWOW64\Kacgbnfl.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Mmneda32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Ghcoqh32.exe	Fmmkcoap.exe
File opened for modification	C:\Windows\SysWOW64\Ganpomec.exe	Gpncej32.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Jfdnjb32.dll	Gpncej32.exe
File created	C:\Windows\SysWOW64\Nblihc32.dll	Ganpomec.exe
File opened for modification	C:\Windows\SysWOW64\Lgmcqkkh.exe	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Negoebdd.dll	Liplnc32.exe
File opened for modification	C:\Windows\SysWOW64\Mooaljkh.exe	Mmneda32.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Jpfppg32.dll	Hpefdl32.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Lmebnb32.exe
File created	C:\Windows\SysWOW64\Ogikcfnb.dll	Lgmcqkkh.exe
File opened for modification	C:\Windows\SysWOW64\Mmneda32.exe	Legmbd32.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Mlfojn32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Magqncba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	2344	WerFault.exe	69

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gffoldhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghcoqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmebnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpcqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpncej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpefdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffhpbacb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legmbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffhpbacb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghcoqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll"	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcpip32.dll"	Ffhpbacb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpqdkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moanaiie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmkonce.dll"	Fjmaaddo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Febfomdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iieipa32.dll"	Febfomdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcfqkl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2576	2272	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe	28
PID 2272 wrote to memory of 2576	2272	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe	28
PID 2272 wrote to memory of 2576	2272	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe	28
PID 2272 wrote to memory of 2576	2272	877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe	28
PID 2576 wrote to memory of 2604	2576	Effcma32.exe	29
PID 2576 wrote to memory of 2604	2576	Effcma32.exe	29
PID 2576 wrote to memory of 2604	2576	Effcma32.exe	29
PID 2576 wrote to memory of 2604	2576	Effcma32.exe	29
PID 2604 wrote to memory of 2644	2604	Ffhpbacb.exe	30
PID 2604 wrote to memory of 2644	2604	Ffhpbacb.exe	30
PID 2604 wrote to memory of 2644	2604	Ffhpbacb.exe	30
PID 2604 wrote to memory of 2644	2604	Ffhpbacb.exe	30
PID 2644 wrote to memory of 2640	2644	Fpqdkf32.exe	31
PID 2644 wrote to memory of 2640	2644	Fpqdkf32.exe	31
PID 2644 wrote to memory of 2640	2644	Fpqdkf32.exe	31
PID 2644 wrote to memory of 2640	2644	Fpqdkf32.exe	31
PID 2640 wrote to memory of 2496	2640	Fpcqaf32.exe	32
PID 2640 wrote to memory of 2496	2640	Fpcqaf32.exe	32
PID 2640 wrote to memory of 2496	2640	Fpcqaf32.exe	32
PID 2640 wrote to memory of 2496	2640	Fpcqaf32.exe	32
PID 2496 wrote to memory of 2460	2496	Fhneehek.exe	33
PID 2496 wrote to memory of 2460	2496	Fhneehek.exe	33
PID 2496 wrote to memory of 2460	2496	Fhneehek.exe	33
PID 2496 wrote to memory of 2460	2496	Fhneehek.exe	33
PID 2460 wrote to memory of 2236	2460	Fjmaaddo.exe	34
PID 2460 wrote to memory of 2236	2460	Fjmaaddo.exe	34
PID 2460 wrote to memory of 2236	2460	Fjmaaddo.exe	34
PID 2460 wrote to memory of 2236	2460	Fjmaaddo.exe	34
PID 2236 wrote to memory of 2572	2236	Febfomdd.exe	35
PID 2236 wrote to memory of 2572	2236	Febfomdd.exe	35
PID 2236 wrote to memory of 2572	2236	Febfomdd.exe	35
PID 2236 wrote to memory of 2572	2236	Febfomdd.exe	35
PID 2572 wrote to memory of 524	2572	Fmmkcoap.exe	36
PID 2572 wrote to memory of 524	2572	Fmmkcoap.exe	36
PID 2572 wrote to memory of 524	2572	Fmmkcoap.exe	36
PID 2572 wrote to memory of 524	2572	Fmmkcoap.exe	36
PID 524 wrote to memory of 832	524	Ghcoqh32.exe	37
PID 524 wrote to memory of 832	524	Ghcoqh32.exe	37
PID 524 wrote to memory of 832	524	Ghcoqh32.exe	37
PID 524 wrote to memory of 832	524	Ghcoqh32.exe	37
PID 832 wrote to memory of 1900	832	Gffoldhp.exe	38
PID 832 wrote to memory of 1900	832	Gffoldhp.exe	38
PID 832 wrote to memory of 1900	832	Gffoldhp.exe	38
PID 832 wrote to memory of 1900	832	Gffoldhp.exe	38
PID 1900 wrote to memory of 1752	1900	Gpncej32.exe	39
PID 1900 wrote to memory of 1752	1900	Gpncej32.exe	39
PID 1900 wrote to memory of 1752	1900	Gpncej32.exe	39
PID 1900 wrote to memory of 1752	1900	Gpncej32.exe	39
PID 1752 wrote to memory of 1640	1752	Ganpomec.exe	40
PID 1752 wrote to memory of 1640	1752	Ganpomec.exe	40
PID 1752 wrote to memory of 1640	1752	Ganpomec.exe	40
PID 1752 wrote to memory of 1640	1752	Ganpomec.exe	40
PID 1640 wrote to memory of 1160	1640	Hpefdl32.exe	41
PID 1640 wrote to memory of 1160	1640	Hpefdl32.exe	41
PID 1640 wrote to memory of 1160	1640	Hpefdl32.exe	41
PID 1640 wrote to memory of 1160	1640	Hpefdl32.exe	41
PID 1160 wrote to memory of 2932	1160	Lmebnb32.exe	42
PID 1160 wrote to memory of 2932	1160	Lmebnb32.exe	42
PID 1160 wrote to memory of 2932	1160	Lmebnb32.exe	42
PID 1160 wrote to memory of 2932	1160	Lmebnb32.exe	42
PID 2932 wrote to memory of 2168	2932	Lfmffhde.exe	43
PID 2932 wrote to memory of 2168	2932	Lfmffhde.exe	43
PID 2932 wrote to memory of 2168	2932	Lfmffhde.exe	43
PID 2932 wrote to memory of 2168	2932	Lfmffhde.exe	43

C:\Users\Admin\AppData\Local\Temp\877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe
"C:\Users\Admin\AppData\Local\Temp\877bcbd04d6196f671aa7a8a8c17d4dcf2e02c619f7367a2d900198429802279.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Effcma32.exe
  C:\Windows\system32\Effcma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\Ffhpbacb.exe
    C:\Windows\system32\Ffhpbacb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Fpqdkf32.exe
      C:\Windows\system32\Fpqdkf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Fpcqaf32.exe
        
        C:\Windows\system32\Fpcqaf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\Fhneehek.exe
        
        C:\Windows\system32\Fhneehek.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Fjmaaddo.exe
        
        C:\Windows\system32\Fjmaaddo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Febfomdd.exe
        
        C:\Windows\system32\Febfomdd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Fmmkcoap.exe
        
        C:\Windows\system32\Fmmkcoap.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ghcoqh32.exe
        
        C:\Windows\system32\Ghcoqh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Gffoldhp.exe
        
        C:\Windows\system32\Gffoldhp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Gpncej32.exe
        
        C:\Windows\system32\Gpncej32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ganpomec.exe
        
        C:\Windows\system32\Ganpomec.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Hpefdl32.exe
        
        C:\Windows\system32\Hpefdl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Lmebnb32.exe
        
        C:\Windows\system32\Lmebnb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Lmgocb32.exe
        
        C:\Windows\system32\Lmgocb32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Lgmcqkkh.exe
        
        C:\Windows\system32\Lgmcqkkh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Lbfdaigg.exe
        
        C:\Windows\system32\Lbfdaigg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        43⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 140
        44⤵
        Program crash
        
        PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Febfomdd.exe

Filesize
45KB

MD5
7464fcec6bec659a9a3be340ca1c80b2

SHA1
0e69f54f28af6c6bc2982612218eaee0a1622039

SHA256
ed72710111331f860a93df1cb5014504ae76b3d9094f1df8522610ea022ca833

SHA512
4c332c70e3d616f1a7391723b0dbb6181a675b1e268a4b2c91056619f7ac521e4545f2f42445228e75e8357ad1fd19e4e1e3550572b5ddcd7d2cf4a5308cc84c

Download Submit
C:\Windows\SysWOW64\Ffhpbacb.exe

Filesize
45KB

MD5
6c7a3049db523cc8697614a318751945

SHA1
b0a09b1976d27cfea7a5abaf5dd6e3d25d17259f

SHA256
15d24a57cf1c0a54ea0c3739c41d11d2b8d5d7fa9fe698771bf2a147e9e1eb9f

SHA512
08b7802b017cceb99fe5924febd15aca0b3efe085bf1fd26209673abf29a5419e58681caa0fea6e41b35c2ed0ec5a05d585b4fd60f068339d65942f020ea102f

Download Submit
C:\Windows\SysWOW64\Fjmaaddo.exe

Filesize
45KB

MD5
a923fd0cf8b40a856783965926f619ab

SHA1
94943393133d440bc49e2cbface4d4b1cbd23441

SHA256
db28fbff66ef41fbc362cfabf53b961605ba0e02a677333c987355bd4816fe24

SHA512
c5429c3efe04860ba09447c17ef1a5cf64fdbe44db4397955071c00d91826a7cdae3afced48d2f2fa36fae55a3503d979e8aec2b620ca8b12fe761ea7c17efa4

Download Submit
C:\Windows\SysWOW64\Fpqdkf32.exe

Filesize
45KB

MD5
eca16f6a696b035d682e76a41a44023a

SHA1
82e57d620dd3155fa83f310dd37677cb4e9145db

SHA256
9b74b147344333053ee1447b0b52755a46c3f642bba923eb1827d2f90bd7a3d1

SHA512
8ca200089462c199563f0e8771330b82b35ea88583dd05e77601ba300eaa814b24d62687900bfb3b16908850b18e56651a87e5a74d2fa7773a6e0821630dba8d

Download Submit
C:\Windows\SysWOW64\Gffoldhp.exe

Filesize
45KB

MD5
07ca4d86bd37787a2eae0df00195d702

SHA1
b737d7c453609d3025b29eb77ec95738966d5d2c

SHA256
e4eefa9eb60380db9987ad22dab33eb7e40b6095fed73c2c0d322e26c01e0f08

SHA512
bb5878c87a95dd3aa7eaf033b0fd5f5962a5eb24bab0bafc45c2a4e030ec773624f090076e22c5bbf3cfe8396022c92416bffe0437d76abe130c4cc740e83e43

Download Submit
C:\Windows\SysWOW64\Ghcoqh32.exe

Filesize
45KB

MD5
5f7f47f78209229023ada3eabd9ed907

SHA1
1699fe8f270ce3a272c0c4f69c62b88ba17eb786

SHA256
1f89a8cd3881f4b9396b5b2cb370ef811b90f739e47b967d17b368fae98609bb

SHA512
5fa4047be688bf71c8533f816570b6680e3cc60df1675f2697d744c14156e4b27d285e178759af4ccfef4bfa2b9d6a0e7441e07c8d094709f9f4497b866e8f54

Download Submit
C:\Windows\SysWOW64\Laegiq32.exe

Filesize
45KB

MD5
960a21f317bc787a5c6f0d1ede9c7005

SHA1
701fcc03ee9f10541ffd20bc2af596cafdda29b2

SHA256
281f31489551a77c743d1b7f64f62ce7d5ebcebef5b6d9ad14831ba848496d1a

SHA512
13823d94ac8a0f175b91e21542192f1636217c5e541dd649acbfead761528f3e9e345bc124bfdca3496031039fe6f99674a06c7152603ae18d04d10e46463e83

Download Submit
C:\Windows\SysWOW64\Lbfdaigg.exe

Filesize
45KB

MD5
f5d585299c61a4d51727296cea552001

SHA1
db06f7041c569746709979515a4f6fed0adfbe16

SHA256
609bfa9c67677b38a715e6aa05f82051473b62d2d41dce5d8197c966c040df80

SHA512
dc9c69e2cb8d6feebe4c8370fa1bbfbf3c8c8faa9ebcca18dd7c089ec95cd9d7380100bd8bc2f80cab4887408092f4e3c64b886eb4417d67ab66d147df8db081

Download Submit
C:\Windows\SysWOW64\Lcfqkl32.exe

Filesize
45KB

MD5
a6ba9e6057ff7ca1a66538c83e695c28

SHA1
306bda8ffe0599c358a6b5e877049360bb21b3a6

SHA256
a0ed080cfa3f682693783d72350543085f116edeed09548479e4043ba9b078cb

SHA512
541d042bab9a19c7bffb65514a648dd80cb3368e26084005116b76c2e932911ec0e1ad2414eb42d199354fd570af06e0ba8276e7ddc5223566f39c564d2eae2f

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
45KB

MD5
9e590019e812767288cf4f9e709fe8a6

SHA1
2144dfdec1fb5085efb78fa2f6c8b1cfc0523850

SHA256
9790fcf1eb118c8ccb6c0f58bc2a5d372b179f27315e121ced974916c6bea497

SHA512
a61fc60b20cf276b132156e1ca1fd3044128d52282ee6db1b72c454eabbfcc2a5453652dd85c8375166fc96432a7551a4e37fba36559fed6abb1e5b9f2b8ea10

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
45KB

MD5
a5bd30c4c9c22ee883e0f09f2ef353f1

SHA1
e68612224053cad5190d70dfee3113d3b6a0afdb

SHA256
107fb26705a7a8b20a9a9bf098d9f7b0d500ffb0febc7a4ac39bfb3a222d7f6b

SHA512
c769559067e8a582ac6900e80af1b3c68dada96949d6d240ca80d4af98e8296b782fa7b182285a3c1c15a613d297f6130ac47b4a43601f9849aae11d8c09eb09

Download Submit
C:\Windows\SysWOW64\Lgmcqkkh.exe

Filesize
45KB

MD5
c2d3478f2df8b7406c4ec7c9b1bca65e

SHA1
90a503f880c5b4a6abf9079e6b8f1ebb602ad57c

SHA256
ac036d27f20a9b9a208455f12b64a83ae94cbd97b200fb04c8f29ddf194caaa8

SHA512
de179c8b0ebc7052dfcb6d57e6d329acc6ddc2bf9c30567e4afbdc37c70aa2553b25e6dd717a9c39d698050097b193f7281595436d293944ad960787cefb3daa

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
45KB

MD5
0c59242a98b7f6ce6a73572a35527d70

SHA1
49bda21b9c5a0a678797f77b1e9251f351ed2278

SHA256
83625217fef3b1bb7a9954abbbb58925b7fadd493ceb4eee26735a2a3cf9b741

SHA512
aab6be06f14ba46c9494fa1d0b672c201ee8cf928bba28373ba67b71bb2a45c9dacff61d0fcb00aaf5ab2dd1c2d36966e7a86281a81b5979e1e7f0ea5a4bdef6

Download Submit
C:\Windows\SysWOW64\Ljkomfjl.exe

Filesize
45KB

MD5
0714624d348b92625edd4532d7265617

SHA1
b29f132ee9c5330ad0d09ba18798c386f2d67644

SHA256
85e6f83d0e8b6641d4db56b851d98c5bee3c71b9d1d37bc31996e867ab61afe8

SHA512
655588e08f52a974cd7b684ae0d9d0649279f85f6d183a7c3d85849b63bebd7f038665a6f94d2d0df0d79a2ea4f3ec8ea043160e76aeec44d92a054dabe9175f

Download Submit
C:\Windows\SysWOW64\Lmgocb32.exe

Filesize
45KB

MD5
6e1c225ed1fb41af36931b3c4c449979

SHA1
eea6beef9a8af71ed48cc90f4e00ab56bbd08e08

SHA256
55ebc2522a41e375f21edaa3f2324796b7d774c87852f8f70a73f74ab45d9922

SHA512
2099d230b1e9a18861ec82ed2502dd7d28045d25e437c9de19f6549b7c1a80ede22edd391323fb675527f3291e839c69d53ba224f02b9702f29cfbf99ebf705c

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
45KB

MD5
b9e39e33a99337ec4d071c53ac57294f

SHA1
594fb16f97b139367e9b9821a4cd6156aac6b2ce

SHA256
da23246514fc6416387c72d5d18d17b120478792edc14e320ad157e5f50a2a6e

SHA512
26b1183ee630323332290621db411e89c611666d6fa95340c3fd328ae8897db52e48e872647766fa209ca1475a0112b4518ba522f4bd2cdc458565909df931f7

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
45KB

MD5
19fbf8fd6bd724f101cce757d33ca293

SHA1
c6df15f58421c4f9189ddf3705bec75562500f63

SHA256
f18e54300870aa5cdcea339135c1b8e0d33b76e7e6dd47587d98e16c4094fd03

SHA512
c156f3aaee01d20301ea5be8baf9a14c9377809ee0a5cff913740cb2780efee20e7ee57558f5d964a8fc79f8fa54fa83eb014356bf7af8e3d9031a2839c1f98e

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
45KB

MD5
1c1ac9e1f2dba08e9d9d11dd49f630a2

SHA1
95d2afea0b0a4d6d7aa3816037ebb8b3cd1ebded

SHA256
10e68053ef0a2150482e468e6f0d65588ea871362802fb1a66587a65641d95e1

SHA512
fe1b6c1876348a25766e93486f6bff0f0c62d3e3706b7e8228e74ff6c2a57eaf0f1ae9828839b9354494076910cd07d0e932a95a0c2788c54241895084e7b5e6

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
45KB

MD5
ab5f2e8aaff0ca997b645b941980e9eb

SHA1
3c509e4115cc735df735a697a4c3e4bcd733d7a8

SHA256
1ac284337c4635e9e4e0f8624b75b8739c62bcb55d31d8b90f1fb15bf801daa0

SHA512
616dcdba6497683c89289dec451635952b53562691be1385a58821b6ad76bb45f2060810bd25df13ea7bf1496b654c5e6c0411d80a1f2cbbdbb53926a8a28c25

Download Submit
C:\Windows\SysWOW64\Mhloponc.exe

Filesize
45KB

MD5
5363252540284a765dc0d664b921355f

SHA1
365d9f5bd848812d7428131bc3794b6eb9925f8f

SHA256
c85e4f9dfb6cef96d652cbb57d803852d4535fa29dffcdc581e8efd8f0a5633d

SHA512
1871ee928be47e9897f0414fe9dc48fd3ee6df2f4ee7226ecc8546979a1f2127cdeb29f8f007009de1a861ad4fc3b3b73d2dedd73804890b50e9e47ac6ea6f17

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
45KB

MD5
196cefdaf959137c735700cb7d6de7d4

SHA1
be3fe5fa05d9e33d222460d4f946d218544281ca

SHA256
ac8bb0e81db14d474bcafea03990d1c1c60269e3d1d80e48cd4c85392cd75991

SHA512
8c0df8413a114d9cb3c92bb582b31882da38d84a0c312ae89b42b618597309ef517b91841e2d7752feebbd64d2d1557581bc7102a95c72eed8abb716a343656d

Download Submit
C:\Windows\SysWOW64\Mmneda32.exe

Filesize
45KB

MD5
76e712f1d9796ec09dc8d1c5c003b98c

SHA1
1108c1b2bb96e3b216817844f310c2ce62dac369

SHA256
758664d5a20d080dc055ba016ece5a781cece5d35dd3ff39a49ff750e63fbeeb

SHA512
acac384869b9470a130ba87d28b0be40ea5d21f3dc49cfd17f3d3f6eccbb4d16139dfef7d3b927d3e50a95c360e4e3a2ba950f832d51d5c6521cd5ff981096d4

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
45KB

MD5
57b8b284f2a7b97ec223a98480913fcc

SHA1
9ee4df904ab6671cda98062e8a9696338297f765

SHA256
77ead04511cdc92d2c6a6a55b9dee49e98beeb58d4a945f53285f0711736b953

SHA512
1468acf8497a5e4431f2b1ee8ff626623f2962a8d855bec28a7d52067de6351a2787c914b5da10746f03102a8349899ffd5ed007c46fd61f6ad334b574b07320

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
45KB

MD5
fae9769584b4c49dba0ef01f0dbfe8ef

SHA1
2dabd26b78293df1fc5a43540d78c912953ff046

SHA256
83b6f429db30c41181958221021f4617e4ed368dbb478c8be4381eb0c116c37f

SHA512
5ad799f1775b295b981d48d8823e4a6ef0dedcfd40c477a7dae1c81696d93f7520d286c530a944e733ccadeed716bdb933c0de03f0ad35489aa73128b9e59b2f

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
45KB

MD5
98eb1cfb64583ca1f89933486cd14806

SHA1
93153c57cd8db999155d8611a8f0a2fa480bb18c

SHA256
853143b42bd77c4505c487c420137623f10c8d79d2959debdd1dfb47265042d3

SHA512
438bcad23ce0236512e7f6cbc607e6fc1c1257fd9f989a207f7980fe4dc452a4a8deb5eee5c645ca0ce4c762d29acccf86ee044150b783c88148912a7c2fb5ac

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
45KB

MD5
dcd78982a59d4a7a2b39f560245a5b0e

SHA1
879c6e0ceb1a7744e29986f2ddaca3acac5776f7

SHA256
60f5c5eac2bd94fc026ee34b62fdda2d402a264c13a0654a8a6d62deb27beb43

SHA512
9db92ffb337fc742c158997a242a7e091d3d1d86c097f2617abe8e0a83d22e2e48377bd605e8655cf5f81c121ecf01a3a8a7ecafd8fc0b5d8b137504acaf3b5f

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
45KB

MD5
a86fadd25240613616f22817d8d044ec

SHA1
65d8417e7b3b512ad3d3fbf0c6bda5994b5be19b

SHA256
28b9b05aa8e96dfc736355e76b82d4f6797fad660f2d3fdb96ee1ab3531b6a52

SHA512
bfcbce9fe7b00c541c58cef5a2e3c96780a43fb082b4d704d6e1911af6f3d82c552440cdbf8aab9a138d0c9bb8834202b9a2cd3c5daaea5667b90d44fe0ec6a1

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
45KB

MD5
b0ad2504fa2fd872c73a4c6cc4f97908

SHA1
3daa420d61b7bc4929f123fc4cae25360fd7301d

SHA256
888d5c6ae237a0e8bab3756b82a47a916f6b49c0d95eaeb0dff710089337519f

SHA512
01593191a4ac5b569410b58055c8b91324d169cced3d9757f72a24e9d23859cd8665e92ae6148ee75a39b75a397da1e53de31d870926483454178299de6ea72e

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
0feaa986f8c38e28e8794cdc9693d796

SHA1
2799fe42af9d7816adda480821abe41df070ba5e

SHA256
7b598e4f2e82d4243de0130d1511667d0cec438830cefe8f297d4735a3b7592f

SHA512
eb2ac23831a65dbbbdc574c3bc7d67ac34284b58b4e0135dcf2648e055dc964375dad4426679c6d4d3124ae83ac0f6a68d923c6601efc6e2cfa7237b34a20e9a

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
45KB

MD5
98248848d0506c1af66aa707447ce4b3

SHA1
cd20b20ba5549d2f0c457c93306dfc5828488aac

SHA256
ba004f959559ad92af74c8fa39c2656d57217e51c4162870e2cc46aa85c83ade

SHA512
8bc500e93950f9d02875b53793456915cf24a520e85f438840e7908f1e54ff1bc6e747902d82c859c88a8a02b71c2a9d730b0b687a71379c0aed76e19b1d1a03

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
45KB

MD5
c4f603286c8a04f545f8b51d09acd71f

SHA1
ed7f9df9a778a0df3b7260709639056bdf6b5058

SHA256
cb7378304d525cb0a184caa0204096d5eea2907445ef6d82284d8ae0fe2b146e

SHA512
d1ebc532b9158a354207ce13d9b49e7fb708a059859a7d01e1b86e224dcdda188c5dc567d57a6a5fcc19055fa005536694c3cf40e825fc32c62244c5ae4d3f91

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
45KB

MD5
cf0d6c04a87e817602871453165a3f9a

SHA1
aafe277aee517a5ed0aa03a712b2e4bb90cda3b7

SHA256
ae8103e61f8119508380775f6740e80bee620a60c8c0a250f924ee7316a3a24d

SHA512
be9bc1b203dc5f1c3128325dede9b90ba6c92d6e76950f9028503bbd22d445b706ca589d5af22c655f22077e14edbfdd514bbe74d60da67cc4949a4ab3595f8c

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
45KB

MD5
ac0653f418fbea9a5da71ce0fbef14c8

SHA1
21e9e0212ba2df11285a0e3eb02dfc16f9bd0d62

SHA256
53d84274ea26cfa24919c65cf6d9a22e7b04669278d0e2dd636cad1b4e36b455

SHA512
2b758a0ef84f5752e963a97f6826d16529b2463ff65d8e85d3cef0add803af8d78ca62d238d29388b1403e0dd1d0a29fb21d4b1750ba48405a65b50d7bdba5e0

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
45KB

MD5
85c1158bf71c08d2ab3f1fe7f228537f

SHA1
5ef7a5d753b33eb3fcbc243a8736fbf6f20a6f38

SHA256
29831e7748c4c5c5a23ca71739ac44b4104cdc476ead6e63089ff12fdd7a6df8

SHA512
53063a25c98009a685da9460ce41109b0efb3aa870528c8a145e562357aba89b21c9aecbcf5d6209e8019ab415ef827ded629daadcdf55f624c384dd9fbe6dd6

Download Submit
\Windows\SysWOW64\Effcma32.exe

Filesize
45KB

MD5
25ce419f0cd36a6be32846587a8f34ee

SHA1
070a34399d520fea64bc60d9b36cd90839a6e1b7

SHA256
879c948e98001157e6f5855a08f5a689423495593c362525eb1b9e9133dfae7d

SHA512
0a2ab7e96e872cd1d8f68da2f34eb3e067a852b8ad5c013112b958329d288a7bb62dc27e52a26e2db75cc71f46b58d70365c3d4788ee98b979139dd3c36c883d

Download Submit
\Windows\SysWOW64\Fhneehek.exe

Filesize
45KB

MD5
cccfe59d01f0b1a2fad6563bc91cf39d

SHA1
c315f622a95ea5252d78c7d3001cbf909c99a27a

SHA256
d496beb06ef8b49171df74a809b59ac6a95dfadcba3e372efad0cde10a043cae

SHA512
abf3bb0553651d331d89d312d8e36ed03ca39fe19856657ffe87ea82f898676c76921a0aea9868091c3ca412cafd89c29f9e3de8b58f844a19614148e0669384

Download Submit
\Windows\SysWOW64\Fmmkcoap.exe

Filesize
45KB

MD5
e78455fe5ed58563b03247d0e6405429

SHA1
7054778284357613bb776f877e38d300a6f4bd33

SHA256
5a3d28ac2b73da0cd018d97b03be2aeb3931f2b3bd7319d5a70ff13c3d48d04d

SHA512
09024124b304f14709bc768eda185a6291fe6661c20df47d2c2e5e4c7b9e4703d3a23a93e00510dd9cc9def9f218742c656523829ead89b769dee3e746c6a526

Download Submit
\Windows\SysWOW64\Fpcqaf32.exe

Filesize
45KB

MD5
ca0e2d111bc65f4450d71c5840d508e8

SHA1
a6e4b740634be05d18f52eef2c8ab858be2566ab

SHA256
99d1ec5e6caf0280f6ab81f3fa7ae0ac385870cec7ad0c98c320ea30f297b95a

SHA512
58d63f1eca4c63c172a1703c132063a9cb4802835e4c09d62f4f36c7ec869f2e2c84b87af132473c9fac615a80d0f653f902f45c9782bd0e6b73829bd0ddc031

Download Submit
\Windows\SysWOW64\Ganpomec.exe

Filesize
45KB

MD5
871b13c901a5c8aa60f34243eed684b5

SHA1
d65f9078878a05200bae59062ef329af455dbe03

SHA256
af428ba96577c65bb27e0a580ef2ee560b7974b0aa758d42f61256b3c70ba3a7

SHA512
22bf549349e0942ac5cd132e1c4a740f85330bf97306285beb7c76def3766fe34e59d89bb3ff95cfac3311bc76ee985b6d5d5df4a2578a65706676501708b32b

Download Submit
\Windows\SysWOW64\Gpncej32.exe

Filesize
45KB

MD5
cf0616b163660afb11d15f003f2a7b4b

SHA1
b16c041ee5350cdf0e7411160facddef499cf131

SHA256
0e65574df5732f672670a8aa1604502336159abbbb24adf13b5143541ea8f113

SHA512
69b7b8486599bbba0fa9eae030a4e0948b507ab6e289a49ba481f3a95414a694b3770132f540b7c27860985e4f1cb2b12f43578aa712dfbe2186371c91dc4f50

Download Submit
\Windows\SysWOW64\Hpefdl32.exe

Filesize
45KB

MD5
63a8753369486496ca0a4656fcdf949f

SHA1
43c9ee10f1d3b43b0d3582ef0227ce72f2233eef

SHA256
b3867462c4db872a8179beb8aee653fd8eadbf8fa4cb6e7ee0b5690961bcfdc5

SHA512
139b92e0e88e6644c9d7459796cc19f6d11932176090f492dcde7b14fae6ed7f7cbe5abd6504f1ea81633f5ee990fca56a713198bace9b8a758c46d22f34be9a

Download Submit
\Windows\SysWOW64\Lmebnb32.exe

Filesize
45KB

MD5
0cbca90fdec7ab554c5c4616144fadfb

SHA1
03117765a2cd59d0e47521cc86283f433c32823a

SHA256
ea827eccfb8491d468e857adc33bf1d12c4d3aad17235380b1b87be381622ad2

SHA512
a774e0f03ae612e8548a040624b07be18474fd36549b9652dfb1b9d081ce781a1c1b969545121f0e7177d958d7d31b6226ae5a394b26403b86fbc28f77c21951

Download Submit
memory/524-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-131-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/748-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-277-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/832-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-363-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1160-196-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/1160-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-301-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1464-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-335-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1620-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-187-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1640-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-321-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1684-317-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1752-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-169-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1752-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-155-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1900-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-316-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2064-313-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2156-438-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2156-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-6-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2316-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-428-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/2364-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-377-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2408-403-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2460-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-358-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2532-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-149-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2572-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-25-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2576-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-402-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2600-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-50-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2644-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-388-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2832-410-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2868-378-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2868-405-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2868-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-250-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads