43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
Size

704KB
MD5

037586a00c675b6ff49add872964085e
SHA1

3668f7bb6366d4d0c985523eea30948b03c57b6b
SHA256

43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69
SHA512

71a6d89502dda693842db030968780448b6ae4d6ae8c67d35ce02289ac1135a53854c36405bfcb319b651f0ea78edf66d930e526e11f1fa9e7f84ecbddb00846
SSDEEP

12288:waph2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsR4P377a20R01X:waph2kkkkK4kXkkkkkkkkhLX3a20R0vh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhqbkhch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhnbb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdpndnei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnicmdli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgagfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfcikek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpleef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpekon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legmbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albjlcao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghqnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hedocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnpinc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnpinc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfcikek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdqbekcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aipddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhqbkhch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgagfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhnbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdpndnei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joaeeklp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aipddi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghqnjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdqbekcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joaeeklp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Albjlcao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inifnq32.exe

Executes dropped EXE 41 IoCs

pid	Process
2172	Aipddi32.exe
2604	Albjlcao.exe
2616	Amfcikek.exe
2600	Bpiipf32.exe
2456	Bpleef32.exe
2536	Cafecmlj.exe
2964	Cojema32.exe
2400	Dfamcogo.exe
1788	Dbhnhp32.exe
2332	Enhacojl.exe
2336	Efcfga32.exe
796	Fnhnbb32.exe
1676	Fhqbkhch.exe
1632	Ghqnjk32.exe
2700	Hedocp32.exe
2904	Hdqbekcm.exe
2916	Inifnq32.exe
2760	Jdpndnei.exe
2264	Jnicmdli.exe
1812	Jgagfi32.exe
988	Jdgdempa.exe
2944	Jnpinc32.exe
1636	Joaeeklp.exe
2880	Kfmjgeaj.exe
2940	Kbidgeci.exe
2380	Leimip32.exe
1712	Lnbbbffj.exe
2068	Lpekon32.exe
3000	Linphc32.exe
3056	Lfbpag32.exe
3028	Lpjdjmfp.exe
2744	Legmbd32.exe
2524	Mkhofjoj.exe
1620	Mhloponc.exe
2576	Maedhd32.exe
2924	Ngdifkpi.exe
1672	Naimccpo.exe
1840	Niebhf32.exe
2168	Ncmfqkdj.exe
2016	Ncpcfkbg.exe
524	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2300	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
2300	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
2172	Aipddi32.exe
2172	Aipddi32.exe
2604	Albjlcao.exe
2604	Albjlcao.exe
2616	Amfcikek.exe
2616	Amfcikek.exe
2600	Bpiipf32.exe
2600	Bpiipf32.exe
2456	Bpleef32.exe
2456	Bpleef32.exe
2536	Cafecmlj.exe
2536	Cafecmlj.exe
2964	Cojema32.exe
2964	Cojema32.exe
2400	Dfamcogo.exe
2400	Dfamcogo.exe
1788	Dbhnhp32.exe
1788	Dbhnhp32.exe
2332	Enhacojl.exe
2332	Enhacojl.exe
2336	Efcfga32.exe
2336	Efcfga32.exe
796	Fnhnbb32.exe
796	Fnhnbb32.exe
1676	Fhqbkhch.exe
1676	Fhqbkhch.exe
1632	Ghqnjk32.exe
1632	Ghqnjk32.exe
2700	Hedocp32.exe
2700	Hedocp32.exe
2904	Hdqbekcm.exe
2904	Hdqbekcm.exe
2916	Inifnq32.exe
2916	Inifnq32.exe
2760	Jdpndnei.exe
2760	Jdpndnei.exe
2264	Jnicmdli.exe
2264	Jnicmdli.exe
1812	Jgagfi32.exe
1812	Jgagfi32.exe
988	Jdgdempa.exe
988	Jdgdempa.exe
2944	Jnpinc32.exe
2944	Jnpinc32.exe
1636	Joaeeklp.exe
1636	Joaeeklp.exe
2880	Kfmjgeaj.exe
2880	Kfmjgeaj.exe
2940	Kbidgeci.exe
2940	Kbidgeci.exe
2380	Leimip32.exe
2380	Leimip32.exe
1712	Lnbbbffj.exe
1712	Lnbbbffj.exe
2068	Lpekon32.exe
2068	Lpekon32.exe
3000	Linphc32.exe
3000	Linphc32.exe
3056	Lfbpag32.exe
3056	Lfbpag32.exe
3028	Lpjdjmfp.exe
3028	Lpjdjmfp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jdpndnei.exe	Inifnq32.exe
File created	C:\Windows\SysWOW64\Jnpinc32.exe	Jdgdempa.exe
File opened for modification	C:\Windows\SysWOW64\Leimip32.exe	Kbidgeci.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Linphc32.exe
File opened for modification	C:\Windows\SysWOW64\Mkhofjoj.exe	Legmbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Giaekk32.dll	Bpiipf32.exe
File created	C:\Windows\SysWOW64\Ghfnkn32.dll	Fhqbkhch.exe
File created	C:\Windows\SysWOW64\Inifnq32.exe	Hdqbekcm.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Naimccpo.exe
File created	C:\Windows\SysWOW64\Amfcikek.exe	Albjlcao.exe
File opened for modification	C:\Windows\SysWOW64\Amfcikek.exe	Albjlcao.exe
File opened for modification	C:\Windows\SysWOW64\Cafecmlj.exe	Bpleef32.exe
File created	C:\Windows\SysWOW64\Hedocp32.exe	Ghqnjk32.exe
File created	C:\Windows\SysWOW64\Linphc32.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Eppddhlj.dll	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Dfamcogo.exe	Cojema32.exe
File created	C:\Windows\SysWOW64\Fnhnbb32.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Jgagfi32.exe	Jnicmdli.exe
File created	C:\Windows\SysWOW64\Indgjihl.dll	Jgagfi32.exe
File opened for modification	C:\Windows\SysWOW64\Linphc32.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Linphc32.exe
File opened for modification	C:\Windows\SysWOW64\Legmbd32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Pelggd32.dll	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Jjifqd32.dll	Aipddi32.exe
File opened for modification	C:\Windows\SysWOW64\Dfamcogo.exe	Cojema32.exe
File created	C:\Windows\SysWOW64\Dgalgjnb.dll	Jnicmdli.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Bpleef32.exe	Bpiipf32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhnhp32.exe	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Jnicmdli.exe	Jdpndnei.exe
File opened for modification	C:\Windows\SysWOW64\Jdgdempa.exe	Jgagfi32.exe
File created	C:\Windows\SysWOW64\Jkfalhjp.dll	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Hfjiem32.dll	Leimip32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Aipddi32.exe	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
File opened for modification	C:\Windows\SysWOW64\Kfmjgeaj.exe	Joaeeklp.exe
File created	C:\Windows\SysWOW64\Kbidgeci.exe	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Dbhnhp32.exe
File created	C:\Windows\SysWOW64\Lnlmhpjh.dll	Legmbd32.exe
File created	C:\Windows\SysWOW64\Cafecmlj.exe	Bpleef32.exe
File opened for modification	C:\Windows\SysWOW64\Hedocp32.exe	Ghqnjk32.exe
File created	C:\Windows\SysWOW64\Dlpajg32.dll	Hedocp32.exe
File opened for modification	C:\Windows\SysWOW64\Inifnq32.exe	Hdqbekcm.exe
File created	C:\Windows\SysWOW64\Ibddljof.dll	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	Dbhnhp32.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Enhacojl.exe
File created	C:\Windows\SysWOW64\Fhqbkhch.exe	Fnhnbb32.exe
File created	C:\Windows\SysWOW64\Ipnndn32.dll	Jdpndnei.exe
File opened for modification	C:\Windows\SysWOW64\Jgagfi32.exe	Jnicmdli.exe
File created	C:\Windows\SysWOW64\Ghbaee32.dll	Jnpinc32.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Naimccpo.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Ghqnjk32.exe	Fhqbkhch.exe
File opened for modification	C:\Windows\SysWOW64\Jnicmdli.exe	Jdpndnei.exe
File opened for modification	C:\Windows\SysWOW64\Lpekon32.exe	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Gabqfggi.dll	Lnbbbffj.exe
File opened for modification	C:\Windows\SysWOW64\Efcfga32.exe	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Ghqnjk32.exe	Fhqbkhch.exe
File created	C:\Windows\SysWOW64\Aaebnq32.dll	Lpekon32.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Lfbpag32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	524	WerFault.exe	68

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifqd32.dll"	Aipddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhqbkhch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdqbekcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghqnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll"	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll"	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll"	Bpleef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhqbkhch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgagfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giaekk32.dll"	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Linphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpekon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgagfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdpndnei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hedocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnpinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnndn32.dll"	Jdpndnei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll"	Jnicmdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Albjlcao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cafecmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hedocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aipddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll"	Amfcikek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdqbekcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpekon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlpajg32.dll"	Hedocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joaeeklp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnicmdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indgjihl.dll"	Jgagfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2172	2300	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe	28
PID 2300 wrote to memory of 2172	2300	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe	28
PID 2300 wrote to memory of 2172	2300	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe	28
PID 2300 wrote to memory of 2172	2300	43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe	28
PID 2172 wrote to memory of 2604	2172	Aipddi32.exe	29
PID 2172 wrote to memory of 2604	2172	Aipddi32.exe	29
PID 2172 wrote to memory of 2604	2172	Aipddi32.exe	29
PID 2172 wrote to memory of 2604	2172	Aipddi32.exe	29
PID 2604 wrote to memory of 2616	2604	Albjlcao.exe	30
PID 2604 wrote to memory of 2616	2604	Albjlcao.exe	30
PID 2604 wrote to memory of 2616	2604	Albjlcao.exe	30
PID 2604 wrote to memory of 2616	2604	Albjlcao.exe	30
PID 2616 wrote to memory of 2600	2616	Amfcikek.exe	31
PID 2616 wrote to memory of 2600	2616	Amfcikek.exe	31
PID 2616 wrote to memory of 2600	2616	Amfcikek.exe	31
PID 2616 wrote to memory of 2600	2616	Amfcikek.exe	31
PID 2600 wrote to memory of 2456	2600	Bpiipf32.exe	32
PID 2600 wrote to memory of 2456	2600	Bpiipf32.exe	32
PID 2600 wrote to memory of 2456	2600	Bpiipf32.exe	32
PID 2600 wrote to memory of 2456	2600	Bpiipf32.exe	32
PID 2456 wrote to memory of 2536	2456	Bpleef32.exe	33
PID 2456 wrote to memory of 2536	2456	Bpleef32.exe	33
PID 2456 wrote to memory of 2536	2456	Bpleef32.exe	33
PID 2456 wrote to memory of 2536	2456	Bpleef32.exe	33
PID 2536 wrote to memory of 2964	2536	Cafecmlj.exe	34
PID 2536 wrote to memory of 2964	2536	Cafecmlj.exe	34
PID 2536 wrote to memory of 2964	2536	Cafecmlj.exe	34
PID 2536 wrote to memory of 2964	2536	Cafecmlj.exe	34
PID 2964 wrote to memory of 2400	2964	Cojema32.exe	35
PID 2964 wrote to memory of 2400	2964	Cojema32.exe	35
PID 2964 wrote to memory of 2400	2964	Cojema32.exe	35
PID 2964 wrote to memory of 2400	2964	Cojema32.exe	35
PID 2400 wrote to memory of 1788	2400	Dfamcogo.exe	36
PID 2400 wrote to memory of 1788	2400	Dfamcogo.exe	36
PID 2400 wrote to memory of 1788	2400	Dfamcogo.exe	36
PID 2400 wrote to memory of 1788	2400	Dfamcogo.exe	36
PID 1788 wrote to memory of 2332	1788	Dbhnhp32.exe	37
PID 1788 wrote to memory of 2332	1788	Dbhnhp32.exe	37
PID 1788 wrote to memory of 2332	1788	Dbhnhp32.exe	37
PID 1788 wrote to memory of 2332	1788	Dbhnhp32.exe	37
PID 2332 wrote to memory of 2336	2332	Enhacojl.exe	38
PID 2332 wrote to memory of 2336	2332	Enhacojl.exe	38
PID 2332 wrote to memory of 2336	2332	Enhacojl.exe	38
PID 2332 wrote to memory of 2336	2332	Enhacojl.exe	38
PID 2336 wrote to memory of 796	2336	Efcfga32.exe	39
PID 2336 wrote to memory of 796	2336	Efcfga32.exe	39
PID 2336 wrote to memory of 796	2336	Efcfga32.exe	39
PID 2336 wrote to memory of 796	2336	Efcfga32.exe	39
PID 796 wrote to memory of 1676	796	Fnhnbb32.exe	40
PID 796 wrote to memory of 1676	796	Fnhnbb32.exe	40
PID 796 wrote to memory of 1676	796	Fnhnbb32.exe	40
PID 796 wrote to memory of 1676	796	Fnhnbb32.exe	40
PID 1676 wrote to memory of 1632	1676	Fhqbkhch.exe	41
PID 1676 wrote to memory of 1632	1676	Fhqbkhch.exe	41
PID 1676 wrote to memory of 1632	1676	Fhqbkhch.exe	41
PID 1676 wrote to memory of 1632	1676	Fhqbkhch.exe	41
PID 1632 wrote to memory of 2700	1632	Ghqnjk32.exe	42
PID 1632 wrote to memory of 2700	1632	Ghqnjk32.exe	42
PID 1632 wrote to memory of 2700	1632	Ghqnjk32.exe	42
PID 1632 wrote to memory of 2700	1632	Ghqnjk32.exe	42
PID 2700 wrote to memory of 2904	2700	Hedocp32.exe	43
PID 2700 wrote to memory of 2904	2700	Hedocp32.exe	43
PID 2700 wrote to memory of 2904	2700	Hedocp32.exe	43
PID 2700 wrote to memory of 2904	2700	Hedocp32.exe	43

C:\Users\Admin\AppData\Local\Temp\43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe
"C:\Users\Admin\AppData\Local\Temp\43cce7f8781823c70c2836ccc44149941fef89e6219be17bb1dd288ca7efdf69.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Aipddi32.exe
  C:\Windows\system32\Aipddi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Albjlcao.exe
    C:\Windows\system32\Albjlcao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Amfcikek.exe
      C:\Windows\system32\Amfcikek.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\Bpiipf32.exe
        
        C:\Windows\system32\Bpiipf32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Bpleef32.exe
        
        C:\Windows\system32\Bpleef32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Cafecmlj.exe
        
        C:\Windows\system32\Cafecmlj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Cojema32.exe
        
        C:\Windows\system32\Cojema32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Dfamcogo.exe
        
        C:\Windows\system32\Dfamcogo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Dbhnhp32.exe
        
        C:\Windows\system32\Dbhnhp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Fnhnbb32.exe
        
        C:\Windows\system32\Fnhnbb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Fhqbkhch.exe
        
        C:\Windows\system32\Fhqbkhch.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Ghqnjk32.exe
        
        C:\Windows\system32\Ghqnjk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Hedocp32.exe
        
        C:\Windows\system32\Hedocp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Hdqbekcm.exe
        
        C:\Windows\system32\Hdqbekcm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Inifnq32.exe
        
        C:\Windows\system32\Inifnq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Jdpndnei.exe
        
        C:\Windows\system32\Jdpndnei.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Jnicmdli.exe
        
        C:\Windows\system32\Jnicmdli.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Jgagfi32.exe
        
        C:\Windows\system32\Jgagfi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Jdgdempa.exe
        
        C:\Windows\system32\Jdgdempa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Jnpinc32.exe
        
        C:\Windows\system32\Jnpinc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Joaeeklp.exe
        
        C:\Windows\system32\Joaeeklp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Kfmjgeaj.exe
        
        C:\Windows\system32\Kfmjgeaj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Leimip32.exe
        
        C:\Windows\system32\Leimip32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Linphc32.exe
        
        C:\Windows\system32\Linphc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Mkhofjoj.exe
        
        C:\Windows\system32\Mkhofjoj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        42⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 140
        43⤵
        Program crash
        
        PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Albjlcao.exe

Filesize
704KB

MD5
1737e6c899fbc3ad3e8f5980d0d0e2ab

SHA1
a95f9f00b4ac818d53edc3a39b2795a22a7d9474

SHA256
33e7c08b58fae82835c7864b2dfa90ed25d41ef4948b3df11bfd8256468d4845

SHA512
bf0c5a6c3b025fc62735a41b4a68d78501639813ad42e9f656755b4eb04b3bcbc0a2daf06b80960fe475dcf51be33f19bda6f0eb72604aca77d21bf8ac968ed4

Download Submit
C:\Windows\SysWOW64\Amfcikek.exe

Filesize
64KB

MD5
13bfa48982f0320b062c65827ea83dbb

SHA1
f44c7e15a82b42df72d7b0c54cd7322c2e009868

SHA256
f105d458ee33893caaadd758c45f19ce1b267db120d6ca45d05bff6e6fe000c9

SHA512
f640efbfdd070e7f2711a6477c061352eb3faa6fb5855cd149eef22ba364823f00fcaef8c18c5949ffa176b3bc65fbb1820222d17773b284c07f747d69b2c572

Download Submit
C:\Windows\SysWOW64\Bpleef32.exe

Filesize
704KB

MD5
7f26c2e7aafd1856ac1ad15b9f6dc7d7

SHA1
3938478b52f92142a344ac4c33d0147f2c9bf950

SHA256
37a29b601392fbab0a1aac59fa47749253133146dae642df575f982b743efca8

SHA512
4c5ae787398120870cee83449f460b018478786f12e80f30d13429f9459114057d6638e40878b47de19521b88fa53be87c9eb39883b26e36435503e6d8f112fd

Download Submit
C:\Windows\SysWOW64\Cafecmlj.exe

Filesize
704KB

MD5
2ab7a840e3ceba06e127b9b58922247d

SHA1
9aa84d7bb363ad3465630d6069d48105d9e89feb

SHA256
c003651dd058165f7005f7657d44d2174fecb501fddcb26905fc28d73a735941

SHA512
1eab23674926b9b651fbe587c68ed8a335def551b851940131bff0a6d53eed218185357a96c058596cf65771952b1e85fbccf5c045560353c2b97c8763eaff94

Download Submit
C:\Windows\SysWOW64\Cojema32.exe

Filesize
704KB

MD5
f5b07878972a5abbff2da610fa2c9f5e

SHA1
d07cb6a3852550585102c514995758cb4611c59f

SHA256
294043f0e0af1ac9a6fb72dc45dc5b7463fe3a7cdd86012dae7ca921da47002b

SHA512
31c57a38ee9c26ff44e0fb2b322ea13b92cd749c31452b0414500d58d1896bf45d34606220e48ef4defc94c9c8c5f04037ab1924e709556837e506b028762879

Download Submit
C:\Windows\SysWOW64\Dbhnhp32.exe

Filesize
704KB

MD5
46808d4e38624d890e827427908be25f

SHA1
9fa8f2f310caf84ec5812e80dfa2e41a5af0c7a4

SHA256
63e1fcc226bf54ea7d48cbd16b0afd7fd5d3ea02edfa59c40661773ea1fe41bc

SHA512
19e8b77469aea4ca54177c5112a28b9198bb9004ce110ebef361b770095a34930340eebc53c34282848bb2714b3dfcf258b847332d5d00625f325bda0efcdbab

Download Submit
C:\Windows\SysWOW64\Dfamcogo.exe

Filesize
704KB

MD5
fbc226a615190ad76b16069e370fd837

SHA1
8acfd6ab404f12c7e5fe4b3428ddc189eda41e07

SHA256
4fcfe13909bb17149f8cda4f899f9199f706e6aeab549980f7f322853e5397d1

SHA512
26eef288d7575e60f707cec6fe206b792e8ccc129b57fcb0168b76587a4e431d224ddb5cee4453a29ead6761451684f825a35d9876c6ae84897feb8e6e084eec

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
704KB

MD5
109c5e1d5ef06d5aad404166b828e35e

SHA1
c579e7d51c506bef7fcc4de711f51064947725db

SHA256
e067e7bb2ffbfbd33689c3c97134a0bf6ad7e6526ad4ba9c429354b507008c77

SHA512
9081221a031c7ab8f9f159fb08db03b51408d1af5dc125fb0b38ae63dbe3e812326bfe87d02aa8a91666dcccdda77c1b8b040069b7d7b4ecd595194822be4b58

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
704KB

MD5
615d1b0a95a371b3ae03457e351a1427

SHA1
e61fe82aecfd8f028bad149f76fcdb8b77251ba9

SHA256
262dbaf0993576fc9fe75e9966bbd4e3526c48ff5a3529c63034c42f03c41038

SHA512
9a70c4421697b8a9ebd97e1bfe1544dec4cc1b2722aad4bc12d09e9b8bf1cfb3e75c92766e8e9f063285cc53cec51019361b372b1e087fb90098ff4235fb41a6

Download Submit
C:\Windows\SysWOW64\Fhqbkhch.exe

Filesize
704KB

MD5
c68007ddf9b24dfd76c8fb0fe414b533

SHA1
ca6b922c10bfae7a5b3089e838e038892867308d

SHA256
4e541e47eda78ec76a8da5eed58cfaddda53dcc50511881dad2e940577061b05

SHA512
facf07489cc167dd2dcbacc0e09f31236a90f5c01dde9028245b2e57243f394943978a2a2d91f783ce3843f4ae133fbaf48533049d687d77fa4de1c457137286

Download Submit
C:\Windows\SysWOW64\Fnhnbb32.exe

Filesize
704KB

MD5
2a8e36d7c4fb01f7c894e040d2818d3e

SHA1
b57c63d1c87290d75c56bb2c130cbfd6202df02a

SHA256
8fff6d401cf958362de8c63b2a198fe79350d6788dc1195ebaa506f7323fc77d

SHA512
6b2c7d137a1f0dd1712d59563b80ef03e5f6e6821a3ba4a1106fcffb12e2fa7878779ec9aa42835d0ed66be557b4245a58a1ccf068e9e6032cdb6261cc912051

Download Submit
C:\Windows\SysWOW64\Ghqnjk32.exe

Filesize
704KB

MD5
678a983d3cfcf7da5307ef8d9049b85a

SHA1
8a68ee7b5341a88b2da8c2a55a985d01638ad872

SHA256
f833c3ba9a5aca4e846c963e141dc0cef8ccce23159477ee604d5a2ec551e6a5

SHA512
8dd0c8c7bfd24af46b48adc8e5f93e3b8aca0bd481065404e8f7e0db641f0138573893184e54f2d54d8e872eff8bf3fe4a9350e0067b03de625794ee7508afcc

Download Submit
C:\Windows\SysWOW64\Hdqbekcm.exe

Filesize
704KB

MD5
9e14883bd8c7044b9aeb9109688e356a

SHA1
dbc69a62b223b0572aa07c4a51d92e597a2ff5dd

SHA256
6da618c5649acf0a8ac8baea73c15665bb521f27c9650f13bbbf84f6aa33afb6

SHA512
fa08ffad77e622b664252effb30df450ec8d1d079a74b3a632f8c6f76824fe34aae9deaaae3e98a782b0fe1260511d16c16c56f2f4cd20d56be80bd800c9d4df

Download Submit
C:\Windows\SysWOW64\Hedocp32.exe

Filesize
704KB

MD5
770b3dd95bd7b40a651fdc48bdbdc1c1

SHA1
b6a68ef2b3de27c2720ba2f1b3068288ece09de1

SHA256
cb4181d9e75062ff788c0cfce49845de10c04fe4667e01f0c9b618f1e2317648

SHA512
a5750c1442e87eb499870958fc96a6aa78c4692386ea2e82ec79c6a07fb50d3036ad9e642680468794ff2d9914cc73175724f4d8f7cab88e532978093f8334b9

Download Submit
C:\Windows\SysWOW64\Hedocp32.exe

Filesize
455KB

MD5
a330ff20e9996aeaabf24a5d0e05b4d6

SHA1
a6c2225d0d31372cdad9536b530c90f07f92ac75

SHA256
d488191ca34809b202b4754f735df7dd9b4e37600530f750e6b8b421bccd07a3

SHA512
cce74990b321b2a46a118e3fc7814586a0acd08492ac389938f17bb1d77309b1c9a791ce468147bc2f5ab4b5170d4399404bb7f408077722631131cf38b3c66f

Download Submit
C:\Windows\SysWOW64\Hedocp32.exe

Filesize
64KB

MD5
5b5738d8b4c15f4a3df65a2626370e28

SHA1
0cb640aa9dfa89676c1c205c46b895a6874eaf5c

SHA256
ad6da9da6959a623b52771caa42c7a21678d147fb841382150a4b701ddbc9dbb

SHA512
9f0a28305a9979928f3551d535213661c66a0b4af208f99c89b45de4b4a96cece6417ec7b30cb212585cdb1b97c1caf17a3e32c1ddaa4c196ba51686201021f4

Download Submit
C:\Windows\SysWOW64\Inifnq32.exe

Filesize
704KB

MD5
92e11b0723250992ec2f90dd946138b3

SHA1
54f2b6a56f3c43c244a3761edbba4fb2406e405e

SHA256
d9e4a8e0ba75f9d6a1f09b693a25bad308a9b669422b189c1c398c62371323d2

SHA512
9dd0125d425e2f67aabf6d053a1eac5eefdfe30c2f45c95cab487f4939a20ab101a6f9cdd6cbe7d0e4b057f9211f49f882cc1690cc7050086f58da7a254526af

Download Submit
C:\Windows\SysWOW64\Jdgdempa.exe

Filesize
704KB

MD5
8d50cef84e7f6bd7fa6ceefe2df79c05

SHA1
71c928b252661375c0320d4977a7f2883a142968

SHA256
475ebf083c065a61c8dc854a9f377861fb737e7ff9ba076e7867a31856b3fa87

SHA512
0ad804938bd44c83fd72c685c7be1bebee7bf0c367bad1f03f1ddec514c2975b0cf3b0bef12304fd6bd2449300415bc319cfc3e9bf76e1daab36c0c038746b5a

Download Submit
C:\Windows\SysWOW64\Jdpndnei.exe

Filesize
704KB

MD5
6386356d498bde01258262104bd779e6

SHA1
4914416b40abf77a9139a01ce07e0d7a0638eb2d

SHA256
d4aee31d3cfe5e86b31a068862d88df2d11ed76c55c9e12541d843a82f77776d

SHA512
c58de6542d1b4fc3f6f7b71aa0cb0c9becaba02bf7240d157ee9427db67f0650499abafdd8c04685c1c35a592db13a846c1115c2b08a0c6806a9b2aacf84e7e0

Download Submit
C:\Windows\SysWOW64\Jgagfi32.exe

Filesize
704KB

MD5
4e4ca5982c8eb437bdbed5f0dd805d43

SHA1
c012585f3d8b51c0b5f9af32bcd7f1f1f670071e

SHA256
542c0d21cf667f0ee2128c3571dbbabab206817ed703e1de7aa901c77f4af0b5

SHA512
87b984718d39525b26bf2e20d0cfa90bfbefa0d56dc242c15982c72888f079ceae5f3da9cc161fd1aee5591c14ece5d72c21aa2b1e75743e26b46ebde7340961

Download Submit
C:\Windows\SysWOW64\Jnicmdli.exe

Filesize
704KB

MD5
72e5f16c15f6ac10b94464df4f008f2e

SHA1
d23c87c7a343525a4fb3e40a142a2b60a5d9ef13

SHA256
637838ffcbaeeffad128bc883c345d2bc7231207a0d02d1d43abd3c34a655c89

SHA512
dfb48a85ba80ba2e77e64c67de2df26e4ef2cb70a9fe5c4c7733672e9d97f9f7ba7de569a55d4d34ab719a3b23424bc79f5d6395e3cc61c49271368eca196ebf

Download Submit
C:\Windows\SysWOW64\Jnpinc32.exe

Filesize
704KB

MD5
402e813fc9252045ed504a103593b63f

SHA1
81efeefd790aacf62618c71290dcf6d8e0607d6f

SHA256
879c56910ff65359c2f625dc3be43bab11a1cadd5dfcbda7e118487e7f6a81ea

SHA512
25b3c1d3f780f30a62ca8fd824d198f9c9e9a89f2810f04892c5eff6b73a7ea12b53a48a0fc5915ed346ef8cea81828f365e128eb67be0f0313a310eb23c7338

Download Submit
C:\Windows\SysWOW64\Joaeeklp.exe

Filesize
704KB

MD5
81de90f5d5c2087dbbbfbf8474953033

SHA1
92fcd4d6e2118c34e5cd38d484281f8ec2cae116

SHA256
778ba92f7c1f104793042ea14a0c694fb4e5144c383fd2b57286b3cacec6ca2d

SHA512
465020e55fcdf6528f33a11f2a0a5428a5355b8c5ac96b4ed9eacd0aa28b6a35aa4086af0b14b1a4d3527e88996473933e4188e74de0ea622d3a9a930d949c8b

Download Submit
C:\Windows\SysWOW64\Kbidgeci.exe

Filesize
704KB

MD5
f36d565738ca121198d2031a8397a981

SHA1
dd548a955fe78a25a77014916c0b3ea6d2f93c55

SHA256
5fdb535bd5a5a0f583ce9d14884774a7e727561ac3deb38d76dcb605a8c85b4f

SHA512
d3985073b40beee265e3e372a08ba9e24a6f888f5f729144078233cab7dd3df3aa95493aea4cfafcac8539290d4002b59ae05105eb67227b69a8971c36e66f84

Download Submit
C:\Windows\SysWOW64\Kfmjgeaj.exe

Filesize
704KB

MD5
22ee399a12af47203b80cd02eb0dccd3

SHA1
e39efe377d98693802d3ba6e1c623087896aefc1

SHA256
016cac57fed6bbfb3f7fccecaa43ae0fccdc8ae7acb793ec50b4439e6ddf1b2d

SHA512
3315f8be0f233cb3337fe8000880a206e6c359402b78c66082cc84fc4eddee131f6b7c07eb06b9cdb43eb9761df560a52022cf116cae08e81465717f68d16d7e

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
704KB

MD5
2a79af17ace94bfe2fa1fd57ba6e8c16

SHA1
f1c8b8cf5798e769a42fb65850d46149fd2d814d

SHA256
790698db39bc5bdc6dd49584a334d1728bc88d3afbf0514a39e13f380bd055ba

SHA512
60d92f3a7b24a60b1f961355ee10cf686cc5bed54c0df3ba4a8f53181a08fb5277d088dbfc80f83f8bf828ea3d148372e4b38bd8a95b6c31614efd24360daa9e

Download Submit
C:\Windows\SysWOW64\Leimip32.exe

Filesize
704KB

MD5
8b29a06147b2b9a1ebaa1b7c7d1e2344

SHA1
11034f8c13b0f1be25fc4c4f6100d30b2f8a0d58

SHA256
0a4f39abc0dd23a1a3d3ca812c23fc1673dc8d982ebe6ee7d5febf9024645b30

SHA512
5132284a6c332f212d29c3c4c3a67fedde3b551c81da33a14ec2f6969d1fd42f6fc0ea65faa75199a57e2f65dd4e60a47cba0057c7b5d190d781baf8de82d6b9

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
704KB

MD5
c9771695115179c77c24131359e4000d

SHA1
74b2e4ad00a3b1adad832fd6dec6e517e07443be

SHA256
2633867076be4025647886ba35bf25fd8af9debc389a42b046715b878c13b14a

SHA512
80ba24ccee0451fa1aafb125e12925869df603ca49a166dd78c5b43396fa61ac41d633b1c74942b9b63b60b4e8597c83c072fb1969acd7753144abd8bd887bdc

Download Submit
C:\Windows\SysWOW64\Linphc32.exe

Filesize
704KB

MD5
62c24f2df1507fd213eddb7776ce9429

SHA1
11923578e0060af99b2baaae9523517bcc92fc19

SHA256
0a71d35720ca893dbb5f0ba1959fdb89408c705be8b5627ef576722128622b42

SHA512
463b0fedf51dc54928611acb364dc411e555bf01994a983397115eeba51f3461c5f4a825105b8c2bcda0cd08317bcba9803b5dcf25e2332e2801fd95e3a3578f

Download Submit
C:\Windows\SysWOW64\Lnbbbffj.exe

Filesize
704KB

MD5
57fe30b33df9503ab4c306697934a1c7

SHA1
a234a1c51443d00f8591f1663ec3f9c8c52a559a

SHA256
4a0ce86e395a90ed58a43deca48e14cb8419efa29045bd1400d273800fde7042

SHA512
89fb0a984c2d499ceb8d76bc61d6657e5d1b8303a0e6e92ef8fb7ccb8941a16543ed73b6743e9166f6a3f1019ee2a237ae76968ea25bd18bd16aac6040d4f72c

Download Submit
C:\Windows\SysWOW64\Lpekon32.exe

Filesize
704KB

MD5
39c39cdda50a0ec38856107833678622

SHA1
1723b6362cc864649fa623600e213cebb8ee71b6

SHA256
e6b5dd36fb4c0f8d65f1753e26d53df34412c7b5efcdb77f5c846242f72ee774

SHA512
be977458c2b1f7c9fcde213ec200a97b6e813ecd7086b281c6b4ae8b2a1c72553e28566419925d0f9b6b7c5cef16ddab3adf098806ba4006bbd3d9f5f4a37b78

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
45KB

MD5
4fa37af08b9d7699f8572533a65a2d1b

SHA1
ac2be54f4245b0b2bc36182f38a540235ae45a4e

SHA256
36f1a064b14a327257a6f7a1f1cd61f3fdb2345ff71de180a9bbd420936d682b

SHA512
81abccb91eef2787b041ef373da93174397c0e1654f7c1bd25433178c7a03a4665b40e835291dc50dcad121bd3f251934b3040aa9246d50dbd9a2234ac17e199

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
704KB

MD5
5528f891de32e2058bdb0714be3ef2ed

SHA1
3c2cf33411c75f840f1bcb407846728a845c356d

SHA256
9c8237fa45378e7d4bb285691ea8bd4b9151a3c7c5fafb6ee440342ecc1d9e93

SHA512
7e1e0bcc392d10a343aaff244dd22d81dd9c2d8e2ba040e3d9798117a7a610a3da84776601f71c441dbd2695ac4f778d92fcc3a4c26a673ac3ef76edb4b80188

Download Submit
C:\Windows\SysWOW64\Mhloponc.exe

Filesize
704KB

MD5
820b71e9e9d28804ce065a901282370d

SHA1
374a789c432325203a8c5c5cd3167b9e9cce3c85

SHA256
659a1e9d4ace780f9fbfaea74ad0a4b3f7114f621c4f814afba0fc3ae329d8d2

SHA512
ff2ec34e2d32d2e62bb10bdac1476904764e21013322bc11dd752b3a2e5f03bdd0ad2467a5c9ff27801955f107e3841cf4d6f81c66f0a14e2d3caa4e71d94b9e

Download Submit
C:\Windows\SysWOW64\Mkhofjoj.exe

Filesize
704KB

MD5
f14c33ccf8da21b9064287bcf0f48968

SHA1
896835c9e020e4d0ebd5805d38485e2de1ddeb17

SHA256
a48761741893894361d1f030202284aa543eca77c1b57294841e399a41487aff

SHA512
c99bb3f665f598db840042f79691e8fb16d86b2a1c45c3f988cc432e5cdff018aec55872e85ddf24a12f5c9b83dc1d6402148f76e0c3e9599546d131dac9a999

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
704KB

MD5
0bfc8c7605caed4a105d0968f243cee6

SHA1
9de70a58aaee4991b9d2d69b34fe6a2ff3e08628

SHA256
442b942335e24a715411724da29c42ae7712771159d028af1f1fa895603d7a98

SHA512
10710d476f98e0f879f0e1ea81a4e87d9b96112c43fcc21384adf14295bf82a1989d6a221b401109d6570203fe0df0940558d42062ab715042c01aee4262d686

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
704KB

MD5
df3507e1e2c2248bb00530b430461620

SHA1
17ce0fbc2bb12e256f079bd3e37ed6cba29a3fca

SHA256
a07b9a9a3d2a5f485deea17eadfa447f88fb05a3bc07e736cfd7e5aa8d42fba0

SHA512
411a2be1a928bb67a3df602da062c40204a8349c97ef41cdfd7a8da8a0f112657017f08de661d5fb66966fdc601b27f05b212958d1c765342c7493c8ecd0e5a6

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
704KB

MD5
99bbbdecc7df73235f255283d7b8fe65

SHA1
3e1d148c372a91e83471d6200b1c603f75f8557b

SHA256
4b35bb6ef8fa27d57917771791bf3b669104e09572cfa916c9311288bf2509b1

SHA512
5f028abbae85adf272f2fd7e945f766c106ba301d66f0737fb398437264e6f39811116b04007fd458994ab652204a14d10d4cfb35019364b3a55f29e56c27c8b

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
704KB

MD5
158731c2832650ae5017301aab391f45

SHA1
238c233b358acf54a0975bc3e5c5d0f03b9b8d10

SHA256
eda66f25b501a26e7f125c019601abc9d5ba929f2a57fbc6cd28d40033015c48

SHA512
78d379bc40ce000d8c78f4c414a44c4af9b7ed2dc2eac89cc8e56100af4ab5b98e20a09dfeea87c7a4d5aa8f23be374fe6a17e2646155d0d7db60e05d1557c63

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
704KB

MD5
6750a6baa8150eeedb11a30bf62fc240

SHA1
505c9a3b682ab35b9213b9ab8d9c700f15017466

SHA256
ade375c69a8ff63cd7f90fb69a1b9b8d2461b76a82700c14af206647e3677ff8

SHA512
98bd8a58c810f30f7031221c0969ab57f420bf7903b6c01fbe5d5386ee050684ceb67f4032f88ea35edf4290500259930a6e71cf5621b27e12c034b3133e9da2

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
704KB

MD5
db6eadee9631065ec07d2adbff399099

SHA1
61628a71f8dbff46803402ad0f0743e10296227a

SHA256
2dfcf965e09b815bd3679c75beca7ea7e3a271c728d4c9f780ee0cd02f7e528f

SHA512
22083c5da6abaf5c02919c22edd7028d61b44618295b53fdd96718db8a7965458c0a89d81157f5ca6bd826626cbf30ce92fbf44a824860305b68cc33114f57a3

Download Submit
\Windows\SysWOW64\Aipddi32.exe

Filesize
704KB

MD5
e52ea658bf292c4bea970e6c09d374ca

SHA1
3e372c1c59160bf442d1a021e4893982e3c0d332

SHA256
30d88c1cd70fb44ca1a4528578f7b35d6de9fd3c54a021382bfd38c870e7ffd7

SHA512
d27c7425810ccae1c537daa91b30df77e62d26057d563482124e856f3e3305e4e11fccf52de2817d1818d67243f2eceeea5c481fa1d99ce01a2f9a2f171a1269

Download Submit
\Windows\SysWOW64\Amfcikek.exe

Filesize
704KB

MD5
8aa28aa578d78f82820828f893a570b4

SHA1
ff5e09fbf5ef075c707437975b729973fca2f563

SHA256
4a06a2be8b29e58935d63c0a41d2333ccf2386ae1196172433a0903f546516bb

SHA512
be06d5d860293d49d5dbcdeb2f8f7d044b91d0c0d0fa9ea5dd7a6dae1e73af03d324aff71d6be34af64724e9e35e6f3be370cfb4a84f15bcb84038947ae3424c

Download Submit
\Windows\SysWOW64\Bpiipf32.exe

Filesize
704KB

MD5
bbd77a17ea6f4ecb1a682c9027a7f559

SHA1
f5322566d2ffd862c23b356adee3a5e45664124a

SHA256
aa401b5c34d42a32bc7f2e7562c3465d7f7a760608c3e0733a17491d642c10c1

SHA512
c0f2bd81468cd02dd574d62cf309d992b491b77b37e2e6b0e9d3847fccd7bf0810b8cf54b2efe030877fd791409dec601e6ec0fd5d2fa454cd6a3eebc1b8bcc0

Download Submit
memory/796-163-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/988-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1620-407-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1636-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1676-193-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1712-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1712-338-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1788-186-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1812-259-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1812-287-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2068-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2068-367-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2068-356-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2172-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2172-27-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2264-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-12-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/2300-243-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/2300-6-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/2300-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2332-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2336-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2380-366-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2380-360-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2380-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2400-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2456-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2524-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-109-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-282-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2536-141-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2536-116-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2600-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-33-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-65-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2616-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-264-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-269-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2700-322-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/2700-218-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/2700-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2744-384-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2744-389-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2760-249-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-303-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2880-301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-324-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2904-371-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2904-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2916-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2916-233-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2940-316-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2940-307-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-171-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-290-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2964-160-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/3000-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3028-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3056-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads