d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe
Size

165KB
MD5

29e9dc6aa2bcd2e63ec9f857438f3661
SHA1

8132e7f67d8f130d419d96cc477a97080dc05f66
SHA256

d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc
SHA512

510763025218cff62cf8c481da79276b8accff6515d7140f0e42c94e0cd3663db7d14b23c2038c4fe1c824347f1279df264c0836de41fa429b4838beeff2c77c
SSDEEP

3072:rF4Jqmzyw9UhrrSBpqMy5haT3vQfEdArGzHq+egM5bylnO/hZP:rF4JpzywEabQMdArGzHregqgnO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe

Executes dropped EXE 64 IoCs

pid	Process
2116	Jcllonma.exe
3596	Kpbmco32.exe
3468	Klimip32.exe
2508	Kebbafoj.exe
4752	Klljnp32.exe
4400	Kedoge32.exe
3492	Klngdpdd.exe
1776	Kbhoqj32.exe
948	Kplpjn32.exe
3216	Lffhfh32.exe
4448	Ldjhpl32.exe
384	Lboeaifi.exe
5040	Lmdina32.exe
4580	Lgmngglp.exe
3872	Lljfpnjg.exe
788	Lgokmgjm.exe
2212	Mdckfk32.exe
3508	Medgncoe.exe
1144	Mpjlklok.exe
3480	Megdccmb.exe
4220	Mmnldp32.exe
2088	Mlcifmbl.exe
1688	Mgimcebb.exe
4344	Mdmnlj32.exe
1080	Miifeq32.exe
4156	Npcoakfp.exe
4436	Ngmgne32.exe
4708	Ngpccdlj.exe
4364	Nnjlpo32.exe
4728	Ncfdie32.exe
3684	Nloiakho.exe
4104	Nlaegk32.exe
3288	Ojgbfocc.exe
1320	Olfobjbg.exe
3892	Ofnckp32.exe
2728	Ognpebpj.exe
4832	Olkhmi32.exe
620	Onjegled.exe
2544	Ofeilobp.exe
616	Pgefeajb.exe
208	Pqmjog32.exe
3524	Pggbkagp.exe
2868	Pqpgdfnp.exe
4724	Pcncpbmd.exe
4204	Pmfhig32.exe
2708	Pfolbmje.exe
524	Pmidog32.exe
3176	Pgnilpah.exe
3192	Qmkadgpo.exe
1068	Qdbiedpa.exe
2208	Qfcfml32.exe
4848	Acjclpcf.exe
3556	Ajckij32.exe
1448	Aclpap32.exe
3920	Amddjegd.exe
3080	Afmhck32.exe
4348	Amgapeea.exe
3768	Aglemn32.exe
4296	Accfbokl.exe
3992	Bjmnoi32.exe
1760	Bebblb32.exe
3220	Bmngqdpj.exe
2328	Bffkij32.exe
4388	Balpgb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Hqdeld32.dll	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Klimip32.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kedoge32.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Jcllonma.exe	d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nloiakho.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5996	5908	WerFault.exe	184

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjac32.dll"	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2116	3588	d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe	89
PID 3588 wrote to memory of 2116	3588	d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe	89
PID 3588 wrote to memory of 2116	3588	d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe	89
PID 2116 wrote to memory of 3596	2116	Jcllonma.exe	90
PID 2116 wrote to memory of 3596	2116	Jcllonma.exe	90
PID 2116 wrote to memory of 3596	2116	Jcllonma.exe	90
PID 3596 wrote to memory of 3468	3596	Kpbmco32.exe	91
PID 3596 wrote to memory of 3468	3596	Kpbmco32.exe	91
PID 3596 wrote to memory of 3468	3596	Kpbmco32.exe	91
PID 3468 wrote to memory of 2508	3468	Klimip32.exe	92
PID 3468 wrote to memory of 2508	3468	Klimip32.exe	92
PID 3468 wrote to memory of 2508	3468	Klimip32.exe	92
PID 2508 wrote to memory of 4752	2508	Kebbafoj.exe	93
PID 2508 wrote to memory of 4752	2508	Kebbafoj.exe	93
PID 2508 wrote to memory of 4752	2508	Kebbafoj.exe	93
PID 4752 wrote to memory of 4400	4752	Klljnp32.exe	94
PID 4752 wrote to memory of 4400	4752	Klljnp32.exe	94
PID 4752 wrote to memory of 4400	4752	Klljnp32.exe	94
PID 4400 wrote to memory of 3492	4400	Kedoge32.exe	95
PID 4400 wrote to memory of 3492	4400	Kedoge32.exe	95
PID 4400 wrote to memory of 3492	4400	Kedoge32.exe	95
PID 3492 wrote to memory of 1776	3492	Klngdpdd.exe	96
PID 3492 wrote to memory of 1776	3492	Klngdpdd.exe	96
PID 3492 wrote to memory of 1776	3492	Klngdpdd.exe	96
PID 1776 wrote to memory of 948	1776	Kbhoqj32.exe	98
PID 1776 wrote to memory of 948	1776	Kbhoqj32.exe	98
PID 1776 wrote to memory of 948	1776	Kbhoqj32.exe	98
PID 948 wrote to memory of 3216	948	Kplpjn32.exe	99
PID 948 wrote to memory of 3216	948	Kplpjn32.exe	99
PID 948 wrote to memory of 3216	948	Kplpjn32.exe	99
PID 3216 wrote to memory of 4448	3216	Lffhfh32.exe	100
PID 3216 wrote to memory of 4448	3216	Lffhfh32.exe	100
PID 3216 wrote to memory of 4448	3216	Lffhfh32.exe	100
PID 4448 wrote to memory of 384	4448	Ldjhpl32.exe	102
PID 4448 wrote to memory of 384	4448	Ldjhpl32.exe	102
PID 4448 wrote to memory of 384	4448	Ldjhpl32.exe	102
PID 384 wrote to memory of 5040	384	Lboeaifi.exe	103
PID 384 wrote to memory of 5040	384	Lboeaifi.exe	103
PID 384 wrote to memory of 5040	384	Lboeaifi.exe	103
PID 5040 wrote to memory of 4580	5040	Lmdina32.exe	104
PID 5040 wrote to memory of 4580	5040	Lmdina32.exe	104
PID 5040 wrote to memory of 4580	5040	Lmdina32.exe	104
PID 4580 wrote to memory of 3872	4580	Lgmngglp.exe	105
PID 4580 wrote to memory of 3872	4580	Lgmngglp.exe	105
PID 4580 wrote to memory of 3872	4580	Lgmngglp.exe	105
PID 3872 wrote to memory of 788	3872	Lljfpnjg.exe	106
PID 3872 wrote to memory of 788	3872	Lljfpnjg.exe	106
PID 3872 wrote to memory of 788	3872	Lljfpnjg.exe	106
PID 788 wrote to memory of 2212	788	Lgokmgjm.exe	107
PID 788 wrote to memory of 2212	788	Lgokmgjm.exe	107
PID 788 wrote to memory of 2212	788	Lgokmgjm.exe	107
PID 2212 wrote to memory of 3508	2212	Mdckfk32.exe	109
PID 2212 wrote to memory of 3508	2212	Mdckfk32.exe	109
PID 2212 wrote to memory of 3508	2212	Mdckfk32.exe	109
PID 3508 wrote to memory of 1144	3508	Medgncoe.exe	110
PID 3508 wrote to memory of 1144	3508	Medgncoe.exe	110
PID 3508 wrote to memory of 1144	3508	Medgncoe.exe	110
PID 1144 wrote to memory of 3480	1144	Mpjlklok.exe	111
PID 1144 wrote to memory of 3480	1144	Mpjlklok.exe	111
PID 1144 wrote to memory of 3480	1144	Mpjlklok.exe	111
PID 3480 wrote to memory of 4220	3480	Megdccmb.exe	112
PID 3480 wrote to memory of 4220	3480	Megdccmb.exe	112
PID 3480 wrote to memory of 4220	3480	Megdccmb.exe	112
PID 4220 wrote to memory of 2088	4220	Mmnldp32.exe	113

C:\Users\Admin\AppData\Local\Temp\d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe
"C:\Users\Admin\AppData\Local\Temp\d0e3cdd0db413e7f88297e5041e623cd68ba2085f31686458fdda8f98c6184fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\Jcllonma.exe
  C:\Windows\system32\Jcllonma.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\Kpbmco32.exe
    C:\Windows\system32\Kpbmco32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\Klimip32.exe
      C:\Windows\system32\Klimip32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        34⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        35⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        65⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        73⤵
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        80⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        82⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        83⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        85⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        94⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 404
        95⤵
        Program crash
        
        PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5908 -ip 5908
1⤵
PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jcllonma.exe

Filesize
165KB

MD5
7a6bb449fd697607800eaeff4868e19a

SHA1
241b52ebe5da394756fbdd66fe64e028b9744932

SHA256
cf3c8e68b0054384e216bcbec927f9fa22115875db67f29ee43ad5d3d1699cbc

SHA512
3c9df01976bf502603f1e5d449bc8299854bf0be9ef54047b15644f64dc8a22d4ad613e2bbafdd97303472e2bcb0f484c6e896885d2c9d4d0701138a2529bdf6

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
165KB

MD5
a0de4324e7b77a9cd196e93c89b7182a

SHA1
7d90452e0343d23180d38aae6fdbb61fc2624f41

SHA256
a8a65b5ad5a55a35f650bd85a461d244aa9306f26d31811074f1920fad70537e

SHA512
f5041fe7d9d3fef841f4a2ecd194ddd78c7d931f6b64bc45d1e6f01c08f0cd9658beff916f5da70e9490b906749d65c6fbe3d68062b0ac68ae267cdd9f15473d

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
165KB

MD5
6c2dc85acf29b46e3ebc5a1bac47dc14

SHA1
7a898f1a3a95746fbd64f57a57733d57ca177ab3

SHA256
ddbca2217f9202822e451f0d6fa2a09a0fd20882d4245f8e9ed60dbeb6dbb9b6

SHA512
ef8794094ed1a4ae6fec62da50a8c210f0ca8e9e0f14a6bf0ccf6a19f69f5da8b5d53df3fed937c39aee60d56b3da203b83d18340eb138db82d6ae6f98197077

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
116KB

MD5
fdd81e9c567088f11923e65159cb3c2a

SHA1
bf67f1386e21325219ce75b4835ca728dbdb0ee8

SHA256
23c01724981d16431aebdf182f184a6dffbca9dae489c4f03f70c43fb82f3c6a

SHA512
8f4258964ff60011fa83e9759b82983363a2a59879e07ed700811cc30ad194f1096e85e68158d2d5cb99bf928285aab64afb40c7ee4c695f030d85e643e76acf

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
108KB

MD5
2ce93b204fe00d99a16608a25bf7914c

SHA1
7d8b7625c1a9cd66aae37cec1681325b6a6d8cb4

SHA256
cf3637073e5ed107ca96d6e90ad29e7d052603cbe4185702f4643c041ab060cf

SHA512
672ada7b0d5f102230dc7e6198f72adb8744a98ab1c7c83408ff3ca77e59aa80ac3a23592236049ceac00b7ad01a7c3cd7572a911135f8be200084a82a148c90

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
165KB

MD5
f36431a3c52536f420945c1d5928f459

SHA1
a0a06b2a17172ecc18ddedc036617e7f8b566299

SHA256
ceaccc27fbd6880eb0f0c850be4a5ecaa240bcdc7723cf66dcd75e7feb7a8bda

SHA512
88778254c3fbadf95c10b5c6e1f1d4497fb5c5938cbee83aad5049f2e138c050d5a8db63a1bf85ad77b4266f93d9bb441815ad066c44b6022ff234ed795d9739

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
165KB

MD5
643a93d63df6f63bcb144808c60d8863

SHA1
bd5f27a30ed5f55cc0f9da6e5dc69db97e88e9d3

SHA256
30ebbe6e3d0ebedefa04e9dd31e77b3bacba570bc6c89d23ac418e65b7c9dea0

SHA512
719917894af8e20fc5d54d2a06826141eb0fb67b592e6e5d484189f7ba82c3b3a27340d3040b4d662d31f0a0b01f2fe85449e7890b7c0ab2adb7e9808530d1bb

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
116KB

MD5
c0599c1c394ef40ac02837390dcb6d3e

SHA1
c390e42b7d516f85cdcbe00baaf3f02bc6857ca6

SHA256
227890e5cbf4830ddc0eead19f75a0b5f548a6f80990fb8e8f17726d4329c528

SHA512
ba5067d6e17c252b111fac067320b115ba60436226d984f2c7ce5f17e302fa79a8392cb1ae11c32ceb9c4e3d4216edc5916c03b25b4bae0e18db3685e7a82c82

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
165KB

MD5
a82cd41d7db66398d28455057836391b

SHA1
eaf8274e11c7fb5cd8e0f57f6330188321ea6d42

SHA256
a6c86dae0e68c2908ce131862b11094c9217f67a2f334fa35986a55d72502c8d

SHA512
75a44c3de887156f4e6e5fcba8f733f10ec5410e8619d7264bc973e93f21f0fb934080c7a04356a9992773e472d2fd9400bc9eb950a5164ea9a12f699b4b81e4

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
165KB

MD5
cbd92c38bfd748e3da74f7a1ba8ecd44

SHA1
e3d9fafeb026d442c55744cf08746820ef790c9e

SHA256
3fe50201613793538a6a81965d07fe40e56092ea7e948e585ec3d7e033df730c

SHA512
ee00d87ed40f26ea941f2cffff7287f49e26d6eff3ed86b8392530681244146cc8111b257f07e709e18a2ce96ea85a2d43eb84478bff95e7e1e4cbb706b725cf

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
165KB

MD5
cf3dbdb3eae9e49cc8959abe2214383d

SHA1
fd622fe6819993b0d00477d7d255edb4f7c3da85

SHA256
0b8f859bfe3d9253662aa1cc6909fc49b648f0bdc0d34a15141c7c15e0d54d64

SHA512
b306f88c3951739360f54f06db80f3d182977c095cfc3afec950d0a43952b10223d6d3ad087091e775dae83564d218824398dd86f4bb63e2fa8e3972ef7c9a3c

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
165KB

MD5
5ac1781ebbd01020c83223522f84f0ab

SHA1
709c7e910d1bea6549861e1e7c0fb80b9690e445

SHA256
04f9359f824cef5ba0e4861829439f3f4d0ac5a95be865d6f85898edb3d659fe

SHA512
98f690cf74550478352367235fbb32d696d71c01fcd533e2de5fe5459b47e8d703ea553a1ce7d1afe9b7a74908417670d635645fb028601f24225b207553e04a

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
165KB

MD5
a0fb7d853cf686682d23627899a85f4c

SHA1
4892f7f57cf56eb4535e50ef8196d009aabdf1c5

SHA256
22df47e3a66158a4747ba13d0417189513c353a881e6e4489553bb583eb1b3fb

SHA512
37db6cbccdae73c88d2aaa861da84faa25e6e92b8485fe9a980e0e3b13ae57e0638307ee2ed3b7c7be62fd91699aaf305bee23aceb3f84aa6a9b77fca90a4dc3

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
165KB

MD5
226300bfafca6b2410739e5c24a8c89b

SHA1
5f67d215e93c96c033a5cd29d91976f959eb7dc5

SHA256
ba2e9f4b491cd12d5ce753895764bf4d398bc9d2d59a49f89b47e048277c5ec0

SHA512
cd49fcf8390788b7d37f7a190d175348da5dcf650dc27b1add23e245b4191bc5cd51597c486d1621865c62fd1131245c6584c168784f6b7890ba5ca7d4e26a7b

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
165KB

MD5
fdaa45395e1f372bda95eb4aee0339ae

SHA1
60488004d4455abd6bf3620dbc9e111ca6a779f5

SHA256
7c9c169674597c94328c15e80f99aaddaf96e04df606d613909caec6036f63bc

SHA512
0a0953c85cea6112aa69ba7561284eb4e2f8ff11112465a36590375bba71b79808be14cace20fbdbba1ff5d3315f2b7872e46a1803864da8695c94f56c7d974d

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
165KB

MD5
a42700e8eb866430934b553f5c8e6432

SHA1
65b772f6fa11dd58f9c72d580b47ffc79b9c3039

SHA256
1971e1f6696052955ffa660815b5299efdf5a3e5dd402fcecdbf4ca641a1d3c0

SHA512
ce8b94fd506acb7c1a42e9a12b4390c3d5170b96d7c94bfe7f3ba99aaf139441056c4981f0931e9f35b6672caf0573290eee4acb754a5eb837d48131c2a2e223

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
165KB

MD5
b3070c3ebd75c23b808e9763e3262d63

SHA1
ee1f3680c3aa7bd392a72eef3cd148bf249a8597

SHA256
d7cd046cc0374ecd10e5d49f4ebd48b2ee29b5c9ec55874c7326c23e163e71fa

SHA512
4e60f70af0e4270b7cad4b38a76c07a87157cfa1a7b5ba7a713b4c726e23e02fc17d4b7bfe4aefc7f71253723d61ae33de968e8f0bae36517a08abc6c571da96

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
165KB

MD5
f4ddbae97b1635b40d20a5471e933d9d

SHA1
53e1d989e83ff2845025140f240237498e0e66b9

SHA256
020036a20a86ed15882496a2fd5dd3f706b8035d92776d082d7e5f6fde3c601c

SHA512
c4fc0e1b4387a7fc30990db66b4179cabad7302b7e89dd4a9df7c64c42eb5c116612bf6fcfd28cfc41a6cbba54e6d661ab528789ca8fe7751fb59faf32c37517

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
165KB

MD5
c88b0ae15f871dc559d3f4d1742371ab

SHA1
77e4a95d74c25162d18ade17ee7b2516d4c42396

SHA256
04bf37816374123fdc06fd196c9434905eee7d82f73551888036c7e696813ac4

SHA512
9e739deb194907acb09094b30687eec448b20da6949559ea171f0db9222441ec4aa559195a4071c3694aa7f001073d34234dc7d9220e445db14af9d3ef4adb8e

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
165KB

MD5
f7cfc6350daf47d05e981f9efab15afc

SHA1
9800f40d4eef26e18a1b25f2324c90b7aac617c1

SHA256
758922d030325c94cda683aca88b8a8c9b94c067f90a10ebb42b98d9862787af

SHA512
8dfbe8a81aacc8734786a20a1acd21ef7bd8ad47217c5bcbbd0ea826d082bb662387426697dbc4f3bcdff572501e8b4761b45528cfcd9acb2254105f9e3ee4be

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
165KB

MD5
bd6c828b868ea1deadb6d2ead6281830

SHA1
be43811cae339e7c71a40e91b8d9b097ce5839e2

SHA256
07c08b173609d93364d50365937c6d40b6f257e8eba51491f53ed6781c01d32f

SHA512
52930dd7074659a5d061be5b01f6fc3a2d1c69261f995cceeada3179f91351f1b69485afcc32f90c352bed4c6260b10804f52c90940677438312f8b03349b6b8

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
165KB

MD5
4c631b4880522dc7475e6551243714c1

SHA1
c04b4bc110379bbd174d1027dde95544ffce996d

SHA256
0e3e5059bd2133cc99dd82b5a3890ec511f5ff1e5a4c91ed51fcbb644dde8be3

SHA512
b126f04be8deeef9bc395ec43d1cc7815eb19669319a112510860c3eacf51f3dc0c3234573c563580b270c3e825a76c81a28494d80bbfa1c72396a2a3206257a

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
165KB

MD5
d48595796f3e95611d971933903e3e12

SHA1
b7e4d36354b6adb8c0edc68a18624d5b28855b87

SHA256
38c437b586da209bc44ebc16fb115a8193415e61ba828e1ffdaedb8c8c98e3f6

SHA512
f960a37925d80bfbbc36e63d98cce20163620797bd2775812c66a07d966668f3683ac4f8dea589d4241db526290ca082ec3a72034bc7769fb1178ae3b1bdf719

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
165KB

MD5
8183f47f491d37d9d38094a80150cdf9

SHA1
e3cd92d1ecb0a6d2b93573b1972fe5919b801075

SHA256
39d9fac9a1abcd4dcf7a9a2bdf5a6c0b210fb25eda7dc5e7d0b04d6571911fe1

SHA512
a263872dfd574f7ebb92c310e4968eeb4195c39dc41d8c4ee7bef58b04152f5f208c0462c3e2b0732277dbadc8317dd534cef21126124414c98f76a540c8087a

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
165KB

MD5
aa96abb550e1ed0992383ed44801eae4

SHA1
555aee9f576b27a8cc550ca875c88f176e1454aa

SHA256
14a01c0f058d8a43696746a5a7f1da1979afa25d51013f4436980058170db877

SHA512
efd150a863150a184b956427fc5ad703641bfd78ae79aef8e8cf98575e75660046e7f1e984933d4e591328f82eb223de6dab1abddd4cd7c41ccbe22a6c9174d2

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
165KB

MD5
0d93665aac61a80880b1ca4a20d302af

SHA1
e09aa7211b49acbc47f562e5d1170610ddbccf98

SHA256
98a311c1e0732f77061f6a5509259ccb03c2d2a8dd5cb09bd79dcf0f39c50017

SHA512
2a5b4e3bd802c66b798ba8015b83bdc671d9a97c145b29ed4c997f2467ccfdd807508d598bccf36cbe23919ce1c15d1a28d02cd6119dfa2e6201e2d0a71ad41d

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
165KB

MD5
13d7b37634c932f92583fd8f88b5e143

SHA1
602d32321fc9d7f07abd29ed8a2ce001a1c62a95

SHA256
662eefc4ca70e61e8a80ac7de52f7031b58ccf1360ceffe79a92dac8ee6dfdd9

SHA512
b1900428486aeb4cc75e873d2f3572a33490dd689901741d355fa39b3bfc5a276fe690f8f1c30b287b59591b164f91ad7e0de447ecb04b03f64ec6ed267d81c3

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
165KB

MD5
d22a604f7be0be28c5e653a1bab6fd47

SHA1
835046477550ba83e5de5f954554a5fa8584941a

SHA256
ae33faa8457605efff02d98bffe851068ce8e877d3479d9a8c3f2b50ace6cc4f

SHA512
4c7651137693961fc4e03fc861227f0962c0b6c1ae33b15c61c186f858845d31c6a77b8eca9ed56dc5559622db206e0499bd8d0ad60e75c91c09df0dadaef425

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
165KB

MD5
a2a75c304f84876754a3c00c1ab889d9

SHA1
e4668ea191d75fb5ed57de6a362b848c1d658b18

SHA256
ec82b83bc485cbdb01886a4b2110b5749c5420aa836e4d7721f87af1b8b36437

SHA512
4c27ad2b324565e54b549f35d3a637e7f125161e7f0647c33d0606f7b76bde5360ba30fca579469de06925066d175abfc2beb49f5afa93cc2f889adec7f03e37

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
165KB

MD5
c964f2cd87dc3b690e5076d19122af03

SHA1
a1d82d2fd468bcf5d5953d27a94ee7efa360ff8a

SHA256
140254b3982c906bbda63387a1e93800abe3a2b34d5f4dce529bc42536e3f00f

SHA512
9c318a5c86df41e5fe8fc9bde05c805b1426b71497d6a2428e519525a4265c3bf4af9d798b3916625f435c1ee072a6ebac66ab0def158fd444f36968895531be

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
165KB

MD5
0c0d87d92748db35add1f9bed7ab40a5

SHA1
5aa872712daca4342c4279383ecca3d8bf1c55b4

SHA256
c5fa89bd6c8bab596d2844ea49e30043b5aeca4bc0923cdad88507b810cee7dc

SHA512
38b289d17fd9c875f4852967833dd41a187598f2ddb5cfede90e017601521a7c34c50697b24e82ffa480c727792908c4be0dce5b402ed557e25965de99debd3e

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
165KB

MD5
53c5febfc5a027b35a68dbe2fee42f67

SHA1
fe4ec225c00bd118fd9ac2f69074d3ac82a68d54

SHA256
0cbeb68d1930244bd6b9956592f1837b1847aa912ae026e83e84733af91de60f

SHA512
a285a3a6a8c4e964d6498915fd544664bdc5a69fef63426c539a250f6a4802ebd4d3f45b956d551190b3e4f33d734abca5952cb0335cdb8cbc3457a310e6c989

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
165KB

MD5
a3ab7aa7e429f77c823df10a4557499b

SHA1
b8f86c2bda1d307a2acc15ffd422e85ae2968aec

SHA256
ebd5a5de47e1e8d900fd599188b4b5fffec02432f6d4c30ccd6b56d523a428f5

SHA512
8c4687bd34de0fd33e89a77cb3e71a43860d5239b632680cb621127b326bb6bbbf77a4d2e8078edc36b2f49617119e734fc4da3184bfdf1acb085b27daf36bed

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
165KB

MD5
df41b253e8b2866fc508576e371250e1

SHA1
241d3194ef8b478f3e65afb943c78cbc948f4f9e

SHA256
78ca27bcc4d5ad3df5be98ffe59f538ca00789666df821be16f155f1c2327894

SHA512
0edb24dabf8e62004562c8faca9c09418c5bc7dc0ca230aa33edc397800cc38e4d31d719c8dfb0b384057937c1d71a8a3797c7c3083fb503d4a1aa8b943c45b1

Download Submit
memory/208-311-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/384-96-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/524-347-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/616-305-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/620-293-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/788-129-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/948-72-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1068-364-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1080-201-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1144-153-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1320-269-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1448-388-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1688-185-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1760-430-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1776-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2088-176-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2116-8-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2208-370-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2212-136-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2328-442-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2508-36-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2544-299-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2708-345-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2728-281-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2868-323-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3080-400-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3192-362-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3216-81-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3220-436-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3288-263-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3468-25-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3480-161-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3508-145-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3524-317-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3556-382-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3588-79-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3588-5-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3588-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3596-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3684-249-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3768-412-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3872-121-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3892-275-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3920-394-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3992-428-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4104-261-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4156-209-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4204-335-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4220-168-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4296-418-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4344-193-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4348-406-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4364-233-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4400-48-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4436-216-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4448-89-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4580-112-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4708-229-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4724-329-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4728-240-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4752-40-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4832-287-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4848-378-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5040-104-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads