06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe
Size

77KB
MD5

d0b223ba794a831e53e1776cb3925236
SHA1

3b87905b0fd4d4932fd7642e8a6102e2d8cfe9b2
SHA256

06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1
SHA512

24a1a4bb3749c5fe15e9e115129a21ca268a5e282508095ad35e6734f7b882b23644ba73427b6540d52b219b64eaf92347e27fa0eb3ed10d9f72aaaf7bc7037d
SSDEEP

1536:NDzOQKM3pB0q8QrPdE6IxXlr6LDeWH2LtO1Rwfi+TjRC/D:ND73p6qLPdQlr6HvsSwf1TjYD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe

Executes dropped EXE 63 IoCs

pid	Process
1128	Meiaib32.exe
2516	Mdjagjco.exe
4856	Migjoaaf.exe
3016	Mgkjhe32.exe
4040	Mnebeogl.exe
4864	Ncbknfed.exe
4132	Nilcjp32.exe
4172	Ncdgcf32.exe
4824	Nnjlpo32.exe
4948	Njqmepik.exe
4280	Npjebj32.exe
2472	Ngdmod32.exe
1188	Nlaegk32.exe
3164	Nfjjppmm.exe
1492	Oponmilc.exe
3204	Ogkcpbam.exe
2508	Oneklm32.exe
3056	Ognpebpj.exe
4740	Onhhamgg.exe
3380	Odapnf32.exe
4584	Ofcmfodb.exe
5000	Oqhacgdh.exe
1924	Ojaelm32.exe
5100	Pcijeb32.exe
4876	Pcncpbmd.exe
3168	Pncgmkmj.exe
3828	Pdmpje32.exe
4552	Pfolbmje.exe
4684	Pmidog32.exe
976	Qnhahj32.exe
924	Qmmnjfnl.exe
632	Qcgffqei.exe
3404	Aqkgpedc.exe
5040	Afhohlbj.exe
4808	Ambgef32.exe
2620	Afjlnk32.exe
1168	Aeklkchg.exe
3492	Afmhck32.exe
3640	Amgapeea.exe
4628	Afoeiklb.exe
1796	Agoabn32.exe
624	Bjmnoi32.exe
2812	Bagflcje.exe
4640	Bjokdipf.exe
3028	Bchomn32.exe
3320	Bjagjhnc.exe
5044	Beglgani.exe
3792	Bmbplc32.exe
2024	Bfkedibe.exe
4736	Cnffqf32.exe
3748	Caebma32.exe
3536	Chokikeb.exe
2728	Ceckcp32.exe
2712	Chagok32.exe
1264	Cnkplejl.exe
3936	Cffdpghg.exe
2420	Calhnpgn.exe
5004	Djdmffnn.exe
3108	Ddmaok32.exe
3336	Dhkjej32.exe
4412	Daconoae.exe
3768	Dogogcpo.exe
1816	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Bfkedibe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	1816	WerFault.exe	156

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1128	2136	06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe	90
PID 2136 wrote to memory of 1128	2136	06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe	90
PID 2136 wrote to memory of 1128	2136	06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe	90
PID 1128 wrote to memory of 2516	1128	Meiaib32.exe	91
PID 1128 wrote to memory of 2516	1128	Meiaib32.exe	91
PID 1128 wrote to memory of 2516	1128	Meiaib32.exe	91
PID 2516 wrote to memory of 4856	2516	Mdjagjco.exe	92
PID 2516 wrote to memory of 4856	2516	Mdjagjco.exe	92
PID 2516 wrote to memory of 4856	2516	Mdjagjco.exe	92
PID 4856 wrote to memory of 3016	4856	Migjoaaf.exe	93
PID 4856 wrote to memory of 3016	4856	Migjoaaf.exe	93
PID 4856 wrote to memory of 3016	4856	Migjoaaf.exe	93
PID 3016 wrote to memory of 4040	3016	Mgkjhe32.exe	94
PID 3016 wrote to memory of 4040	3016	Mgkjhe32.exe	94
PID 3016 wrote to memory of 4040	3016	Mgkjhe32.exe	94
PID 4040 wrote to memory of 4864	4040	Mnebeogl.exe	95
PID 4040 wrote to memory of 4864	4040	Mnebeogl.exe	95
PID 4040 wrote to memory of 4864	4040	Mnebeogl.exe	95
PID 4864 wrote to memory of 4132	4864	Ncbknfed.exe	96
PID 4864 wrote to memory of 4132	4864	Ncbknfed.exe	96
PID 4864 wrote to memory of 4132	4864	Ncbknfed.exe	96
PID 4132 wrote to memory of 4172	4132	Nilcjp32.exe	97
PID 4132 wrote to memory of 4172	4132	Nilcjp32.exe	97
PID 4132 wrote to memory of 4172	4132	Nilcjp32.exe	97
PID 4172 wrote to memory of 4824	4172	Ncdgcf32.exe	98
PID 4172 wrote to memory of 4824	4172	Ncdgcf32.exe	98
PID 4172 wrote to memory of 4824	4172	Ncdgcf32.exe	98
PID 4824 wrote to memory of 4948	4824	Nnjlpo32.exe	99
PID 4824 wrote to memory of 4948	4824	Nnjlpo32.exe	99
PID 4824 wrote to memory of 4948	4824	Nnjlpo32.exe	99
PID 4948 wrote to memory of 4280	4948	Njqmepik.exe	100
PID 4948 wrote to memory of 4280	4948	Njqmepik.exe	100
PID 4948 wrote to memory of 4280	4948	Njqmepik.exe	100
PID 4280 wrote to memory of 2472	4280	Npjebj32.exe	101
PID 4280 wrote to memory of 2472	4280	Npjebj32.exe	101
PID 4280 wrote to memory of 2472	4280	Npjebj32.exe	101
PID 2472 wrote to memory of 1188	2472	Ngdmod32.exe	103
PID 2472 wrote to memory of 1188	2472	Ngdmod32.exe	103
PID 2472 wrote to memory of 1188	2472	Ngdmod32.exe	103
PID 1188 wrote to memory of 3164	1188	Nlaegk32.exe	104
PID 1188 wrote to memory of 3164	1188	Nlaegk32.exe	104
PID 1188 wrote to memory of 3164	1188	Nlaegk32.exe	104
PID 3164 wrote to memory of 1492	3164	Nfjjppmm.exe	105
PID 3164 wrote to memory of 1492	3164	Nfjjppmm.exe	105
PID 3164 wrote to memory of 1492	3164	Nfjjppmm.exe	105
PID 1492 wrote to memory of 3204	1492	Oponmilc.exe	107
PID 1492 wrote to memory of 3204	1492	Oponmilc.exe	107
PID 1492 wrote to memory of 3204	1492	Oponmilc.exe	107
PID 3204 wrote to memory of 2508	3204	Ogkcpbam.exe	108
PID 3204 wrote to memory of 2508	3204	Ogkcpbam.exe	108
PID 3204 wrote to memory of 2508	3204	Ogkcpbam.exe	108
PID 2508 wrote to memory of 3056	2508	Oneklm32.exe	109
PID 2508 wrote to memory of 3056	2508	Oneklm32.exe	109
PID 2508 wrote to memory of 3056	2508	Oneklm32.exe	109
PID 3056 wrote to memory of 4740	3056	Ognpebpj.exe	110
PID 3056 wrote to memory of 4740	3056	Ognpebpj.exe	110
PID 3056 wrote to memory of 4740	3056	Ognpebpj.exe	110
PID 4740 wrote to memory of 3380	4740	Onhhamgg.exe	111
PID 4740 wrote to memory of 3380	4740	Onhhamgg.exe	111
PID 4740 wrote to memory of 3380	4740	Onhhamgg.exe	111
PID 3380 wrote to memory of 4584	3380	Odapnf32.exe	112
PID 3380 wrote to memory of 4584	3380	Odapnf32.exe	112
PID 3380 wrote to memory of 4584	3380	Odapnf32.exe	112
PID 4584 wrote to memory of 5000	4584	Ofcmfodb.exe	113

C:\Users\Admin\AppData\Local\Temp\06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe
"C:\Users\Admin\AppData\Local\Temp\06a03596bf315db1df375dba6b1f175e95118da68c47cc0b998bcef07c27f5e1.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\Meiaib32.exe
  C:\Windows\system32\Meiaib32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\Mdjagjco.exe
    C:\Windows\system32\Mdjagjco.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\Migjoaaf.exe
      C:\Windows\system32\Migjoaaf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 212
        66⤵
        Program crash
        
        PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1816 -ip 1816
1⤵
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
77KB

MD5
493d3e293123e5ce0924ffd675f29fca

SHA1
5abe96d110566443e079850d0b729bbca4d5cd4d

SHA256
bba5f063072c7193c0fddb9a2b9eadb175351191cc51f682ae7103125ae1e794

SHA512
e63bb902ad5317f6251b17122d5b95474adc56f90c654b694ffed519197d8f6b17476051ce70d63294b61aee79d3bcb911b1e9a256ef62cc01e2d87eba89b762

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
77KB

MD5
c334cd9aea252019c36770ec9dd41134

SHA1
d2202be814c04bb667be2cb6773da5a5ea08d41f

SHA256
3d88888f707509536cdb44cd75039616c849517b5d1718a490ddbbb718223c08

SHA512
c71296af288b66b1b3a9dbe1c11be379b5144acf6104f9402ad4d19a23218efb347d02820731f2ea95c42ee5c28ae8691b9afe0da9922e36a185303f316aa418

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
77KB

MD5
e4af39b7e77efc394ad0cdd4fe5114af

SHA1
4f831c0ffb31627698d6dfa04be666ba7a37f017

SHA256
ccab0e0a225798533e677f8810feacad5cfe60c70f97a976fbae8627e6db4e97

SHA512
c4780b3cf185c2820c80159f48e9e8983a85e05cb9d47736c137b5bc6b063560e0ba1ee7440449bba1d90612090e0c92df7391fa90756ddbf09ac4105b193d1f

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
77KB

MD5
f6b20a5ce2a28ff1b577255e0e7adc1e

SHA1
241311457c3c50d8efaa9591c1400657a00f57e4

SHA256
7b8f00a040a4c441433c03d421c6daecc0439065bb84f5dcafadb2115dfa8a43

SHA512
54653b83c5ac3a65802de639d4534165788c9a26fda3cca0ee80144808fd649b3c6e50b67e6ab9e72dbbc9dfae657bd1d567e05a9d603125b0018d43c9590410

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
77KB

MD5
c77f4b5b463ffeb966985cff1cf2b61c

SHA1
3d8bd5e9628aabdf766f9b7c43c278d42cd8c5d6

SHA256
8a46cb3e8a904ffcbd9d1b57af877dc14400597aa4542633bf50cdd9b6afcd5c

SHA512
0b8c6df811f2c5b03f4ebbffe06bedc17a146bd8327d3d834a0a9a5972803e7597f0364656ee1c4f5b39e24157f91e3706df4866f048c9659f4fde307b21f009

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
77KB

MD5
076d76b77f4557532c54bad3aaa867c8

SHA1
15d8e9a1cfe1b540ecb316458243349b8ec18761

SHA256
2b4cf9ef64f0d67f12b87ffd99587690206deb647b1f7b4454282d87fdf70a72

SHA512
800f8178ed17db75b8b2c7e3224e84d30eaac2d9ec72ac26ee46474b084f206fc791904e9d4d784e2cb4b7a00dc8892e981e3205559e670a8ef506b482be6639

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
77KB

MD5
7b7e0b091d9fe540a9b883fc53d80cc9

SHA1
5dbaa612fbe1329a2ac2f08bd0d034536d50894d

SHA256
1cc6530fd716d6bf5c5d26971f72cfce7a7442c1ce1abb4674d8257400d15c73

SHA512
714e3e0fc19ade3e337a72fd00ba363e3db5aa94525b21c73707dfae8addcca749d5a8132153cd7999a6d41bd7357315ad9210a838f5c4bacb0914cb00ad65aa

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
77KB

MD5
4dc0c0a57ece4754d5547ead5e0b821c

SHA1
06c7ef8c66f8552db85afaa6f8f62f76fcbd957f

SHA256
65221cbbe3aa0891a6f674f28bd9352fa8bc2149b485839236f7cadd29531fe6

SHA512
c31507c6b3d58ea1488dbfab31251334ff711a03bcb4f1524bff4cb8b0a8b5f9303c6124b305ecdc87ce37ad09a89860d403a7c9876ba230bea950f1c281a261

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
77KB

MD5
f286ddacf011bdf249595e7538569b52

SHA1
55f3d8ce5b1f14014a5c9c490f446b2cec70cd9a

SHA256
928e2817a493ee29b972fc8e37583e312aa651fbcc9bf9efd0fd3c410654f380

SHA512
d4dfb3ee451f605a1a751f32f8af7c2332ea721747a6945579005fec319678ad3488aad584ada3959cd445eec84cadd5a1ca0c94938c46303b8ea64287d698c9

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
77KB

MD5
c6225b2bfc498b65af207cbf34bb8f12

SHA1
815842ca0c4d50fee72c17e86eaa3278aa157103

SHA256
337260179bca0e01a92c3cdafd42b48e8560b684fea3f0135a3c3fefbbf8f70e

SHA512
749f1bd32393998fcc6cdb4af2f6798c7b818d7778e0d9649f9309d5c733e99d6197b12819241ae07e1ae5b2486b90e90c6030ac1224a93d949bbcee3bb3ef13

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
14KB

MD5
5ab49703ac4b8d3b3a1824840405e7f5

SHA1
6de1419babd8e35712a31ee2392b686f4d17d42b

SHA256
734a0c2b2c936e8550ba203b21d60401266ffc882f5ba7e0fd5a91673fd26006

SHA512
bd3637d400ed0263f2b8821d300348ba49c75480b2bc73ecbf4ad16046a3890681261cfe88634a6ba167b0a88163cd6655c5731e31f0f24634d76ff84282aba2

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
77KB

MD5
05decf448f030eb659cf5d39bb8ea41c

SHA1
e938c060834dd7812d4e8c87f574193a54e32867

SHA256
5244fe942edf2582627e20a38360bcd3a7e5b9b9cd9a2f4640f65a401bc63f3b

SHA512
ec71a959ec000bd3f0eaaa0d4579387197b027d20410d8fbe82e2ea31bbd9eae7313efd8d396aebabea96d30c4858a97300a18e23633e3ee8f258b2f5d1418a3

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
77KB

MD5
7a88e84673106cd37ff721f14e252d6a

SHA1
dd927fdd46e495944ec57834598a5b6cf7ed7ed0

SHA256
4737fcfe61c0179808bde428faccd9daff6bba513159ee3b79c4daa1ffe2b542

SHA512
b1fc8b1dab3733044539c50d3a0168ea14f4fc608e5d7d6996dfeac948235548a6f893a9eb6c360a3778a0bca403daed5b4421090ce94e5c2d306fa3b133e560

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
77KB

MD5
3eb6cc1e87e0b83d04653913d7279d64

SHA1
fbcb4a785e68b97f7c9b1952811a2012c36b34a8

SHA256
7b0d87fccf6687f4e1159a027bd1ec208dcf9fc5648db8f58e451b8c48ae7fe3

SHA512
19c3d41d366b65f5efc854cb90711838c933b1f234ac8928144742cfc5a808dee5f56102f6ff2098cd51555af95e6a020c86d9b65b758afae9b5830bfee5ca7f

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
77KB

MD5
344da413f6adc1cb0a2df971dba72119

SHA1
7683aeb0fec11cfda76fe1faab2fc32f11f4f536

SHA256
0041690f0ebfe151278fba4ad50df769a0287ec0ec445bceac11819eb8cfc427

SHA512
e3853275eff12d26bb403b6b81457f21949b924ac6152afb240db67ca944a0a2e8bd192e845f276642615c62f9bc6fcc0981f6bcd9e5dcf975e18c7ba6f59272

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
77KB

MD5
e36134c4ce1285fda8ee7a700bc733e1

SHA1
6c1417ff0092456aabc0f30851bb0bed32932c54

SHA256
929c22c3d32268ed9b3a1119bdc4efa69d8e15ea372b59767e78ce3d83bc94d1

SHA512
2f9697b47a01161fbb131754f0c3e2244248bb8bf565b425749cd5ae152266c42a603efe6b7d637be93eb60c09b2471c89fdff6617f3cb31bf6c5b8672bcad0b

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
77KB

MD5
58aa072b18d0099c3e5620e5c98edf44

SHA1
2bb586f05f89ebca8bdbecc7116541528d56e05f

SHA256
a23db66930d77985f7dfacff68582373169e573ae8ccae6989a23f144d596ca7

SHA512
3d62234bf6d0f88d63e420ac8e8f9b4608f9ef381f9dde2e3a26afee4cfccfc1d5d29a9e1b48ea5ef1c7ec6996000fc2475ee2647a38569310aa57888360cf20

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
77KB

MD5
277db3562dfee2c3e19d2cbda2d69e37

SHA1
3ccaf338d5d94459aa5af27a649fde059ad0bd16

SHA256
de8751792e40ff5f3ceda733736e46a5ff3c9b6b1da7d8d0288acf402ba42b92

SHA512
d905b53c215c79b7c0bf839b75a05a2993fe9d73e09b94089fde5dfe1a718eb1210df540fff648c7f148f15d16bbe50ed3cb5c17dfac01c9ae698fb2b1e353bf

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
77KB

MD5
a33d496a16cd700c98419d0455e11ee6

SHA1
d95bfa018386e316ba59b1e57381d36775bf6219

SHA256
3776f9f145f888998c6fee368718fcae3be184dee40182308698c7505e5026c5

SHA512
fe4598b37033663dd3ab649de2d95139933fa4f51fbba6d86c2a5dcefa5328cf425e99857601186e01466d536d2d1a863765dda4915e643cfd0ff9171a6ca921

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
77KB

MD5
bf85498272cdebf5dc2ab09b33e238c9

SHA1
a424ee7c737ce41ef45efcf527494e5a104d7479

SHA256
d0cb49d1e7bfbe4ee0f3b2a80f163e3b66b4bc6268a92fc50513c8125538d1c0

SHA512
a4fdf79dff404f0aecd6ad0911862ee9637ab2d26c97632ab35ea8ef516e176f47be5850d01db6432b08a734a312ef3b243232c4a04d3280895778da16505209

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
77KB

MD5
124d8c6c869b03884bf707c1e335cab1

SHA1
805d9df6bc53a11a43828257558a8b05a1678b59

SHA256
4021e0249b46104b20ebca2f4ca1b0bcdeb2c56e624a5904a4855172acdeb841

SHA512
0cf73449793315e6b0c76be1ea789d93cfb25e2428117e9cc5500bbd35834a28234fbcb74e017f817ab8b5531a24feaa107a6a12c73af3f31cd2ae557497f0c3

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
77KB

MD5
6ce6a6a8f80ea04d272ffb13b406deb2

SHA1
80fb0a064abe55019018b039acf50bb0a2ff670a

SHA256
a3aee7b2c1bb051b1e65027006d2076ff17aa31a64b584b99e48ecf8fa7469ff

SHA512
3c8366be41d408492e3146dc3d3a363a5b11006c262326cb29816f209613ebcd206782eb388fc7353c305af3c5eedf60325adba60323f8653f2dd89a4c6e4b9d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
77KB

MD5
ce47567e972ee933cfae8714997f5438

SHA1
56ed44a0447e797e04c8b307744c655d18f95ba0

SHA256
f6325297146aaf896dc20edf7c88c7e12535f647cf35955b8e1c2b82248d2156

SHA512
52fbe84716524863d130e6e2c992602305b94ddd4efab115e7b78e8592b95aa4bc6d88327b65d33c60450027c6970966dd7914f0aa8c60fdb81ff8dd5850dee8

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
77KB

MD5
910c24c472790b593433f10a1f931129

SHA1
fadae0cbef86fb79d9bdef30a1a4e14fe4080ebf

SHA256
426ff910a4bae7269ddacb682638124ebc237f7a7ce0c5467f1919e08fe703a5

SHA512
cea69f867ee4a2340d6e8c07ac530e1c4d97b480bb244f0682e7d9a8ae87986c0db382268c7b767015a3eba0b7f77c88732fb36bf7da1ddeaed2ba15533f8661

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
77KB

MD5
6e5a1608dd874889563bc90c716bb72c

SHA1
209b3f5787c1feab345333e29187640125c8f871

SHA256
d3a5aa809943e36bc293346442d3afc6e9631acb5e2d5c1462031fda4e49e185

SHA512
454d80d92a1ed24bd81e174701ae3b98f0596f9848b8e2ffd8305257aefd2f0e63b7d8ced795f32b5111cd4ef94dbb41c513b03f1dd7f78ae760cc69a5515a35

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
77KB

MD5
964ffd4e531014f96017d36ab98e3f1e

SHA1
73a8f9433dfda42e159e67b7a9cbe30a87542446

SHA256
060321b2d70e1922931b1d39027a4fd042df63f56891b6932b9ec5046a08ae3c

SHA512
a7007b19b31e506cec5a25ef64593926720ce6a5253a8ee4cfe72d970c6f2e6cd08dad86d982236060dc9afe162f811c943864b5425d1cb90aae9ea52ed59071

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
77KB

MD5
1d5e6cd1c53242c08258efd823fad1dc

SHA1
093e1ad917002579166d7ef9bcd88e03205c05d6

SHA256
963ffee65ecf4bfcdf4aaf4c71df98ba18c20b79301acef468456d4b98ef857e

SHA512
f4eb85ae9d3b60cbe6ca346281841e6e8820cbae8dff10d6c4536dedaf9bc012d5c27b90bc02f7b8f594cf4162b4a95f162e455cf6d8d589b0436f7fbe7c361a

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
77KB

MD5
f2cdb2d813f60cad05ab3b3d69aed73c

SHA1
613fbc86158080b7f5b242c65b992d07db18b7cf

SHA256
67bb91a129859bf9ba1e02032c5e04235a78973f70b818c2c872f88431ff9d2c

SHA512
9566ee864e2bc106be47f4e716feb8a1ab79894f354fd5f869f7d26d128c59171ef5e510742e220ed84154941cb53b6bad8a95946badf1e725e30825b789bdbf

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
77KB

MD5
12092c655930f74894d36813c6476a88

SHA1
998d5bab9f4c237afefccaca1b121b8ded386d88

SHA256
368242f5f554cc33c7f75296372f1fba5a385125b46961f241df2e5c986739f8

SHA512
c4eb761e99146bfe4afc8932bec637a040d94f53e63d5dc2ee46158cff77ab3ad62b72a2181611767fcebc99eadb0ad11ef2a9b45d74512dbb76d794a8ddd85a

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
77KB

MD5
77f8cc1c3b64706a814abea8c19fdca0

SHA1
aefb422a0401f5568a453ce55e605e356be9f7c4

SHA256
1375b1a41b344e4726a1591d31c195a4f90afe14784c6fe65fcb56d7accd5724

SHA512
1fe90fe6ec3e8a241bdb21258cc83faaecd008fa437fb527cb4615b01363f4be5aac8083563c71fe3547e295258b2c5c5b14814fb943defa6e04b350951bf3a4

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
77KB

MD5
bdd7dc061f27d9cdab2e95e0b7db5416

SHA1
8adfebb49fbc8efaaab856032a28f1533a25074e

SHA256
0eb4d4633074751ff07a7c8a0630f5a278d42783d89ffa8d85c99f3b7926221b

SHA512
44c884232a7b085258307e23205d9336005a36365c2f08ef8b2ff7b9ebd894524ca038efe8ef2081d88980f577291c50c46d5ae903c24581b957fbf7ba52d0c4

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
77KB

MD5
9d56c95046f051ca6d406d0ae72cdd52

SHA1
3d1dfda97556c9f65cf086662dad2c51041d4e65

SHA256
ea95704e6f1347a672c4e1d7b5534eb88cf03ffdee1804192d6babf89c9d856b

SHA512
f9c69a44550eefaff8da97a787f156831dcf0fc6ff45216d7dba7fa7f0c29b4c692d58f8fd80480f44fb149b867abfac3f14885c2ab25ffc2720cf0f7a0c0302

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
77KB

MD5
59b922db003c0e0fde8893f1f31e33cb

SHA1
7a52e4bb7a4d6f5102e80970ff2e5a0f2d525f0a

SHA256
13110615ac7db16068da973e4ab8ad19c39a5e80c3cba55c16dad7a92710565b

SHA512
bc1fed9ef454104cf577a34059a59f4cf6f7dc56f39424f5b8c2fde8ad70cf775eb93b195a0c614f673ddd77805f62faba2abb4334e9d3b1b95ab5489507dadb

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
77KB

MD5
25cc59fdf08ade56f55791cbaa8477b1

SHA1
4a81f64d9f45a58f4df90f4f527dd6f9c9f02b38

SHA256
42deaa9a944130c1aa3740a44b3468e090bcafc10d4549001f317c172c284393

SHA512
25ba876709fae4390a60f9961af6640435205c3c3dad5bae9d252a76e6b7f5a047e13f96abcc748e4b3e0884f5c3d48b3aeaf3b902336f273b23c6614feba56b

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
77KB

MD5
97949ca86cead039d35fb47cca68756c

SHA1
b635c69a77586e74c3a6305e545d6414c5e4e926

SHA256
47266f94ed80764f1a3e1e4d69853a7deed26461ee45dad443d1c0fe9a0c64ef

SHA512
11336abe88fa5913d225872c00618de7fee0f9d51d6f747436ab7fd1d99f60cb876ccbcacc261b645ebfa37dc84b978c95d049a97b6a75185164008d9e256b40

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
77KB

MD5
8376bd56335a0541a7de461dc8c2e9fe

SHA1
97df26823841e342b7fe89d159d639a74710131a

SHA256
0b4fdb3fc694b0ae0ee607bc8809afb7aeec7695cd180b2a0705c56af674398b

SHA512
7bdf62576e98bab9caeb7c1c245362433ab2f8555915de290e0f20676791e9c3a9216394f73e2631fd0ea364661a18231fdff41bf228ed86e2546c822f85a307

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
77KB

MD5
134707b1034ece60f0fe182485a4f31f

SHA1
aafe54e5c71d2c065a380d8de8f2a5a5ca0c3d6f

SHA256
b8d94754a6d3fef9129fd65bda689c65f68c2cddeec88c6ffd744d05855d0bd6

SHA512
ba4b7267b9c0407ac5b6eb7f21045d432b2ceb1d63e65e45ce011fa4d7385fefa259366b13a6cd0298e4fb86a6dd1428fa22c80d86ee1136c422c18b536e0d81

Download Submit
memory/624-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1188-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3492-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4684-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads