91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe
Size

264KB
MD5

cf4bc93c8a787c7c6444d1c05e103130
SHA1

ccf2a429ad813b84c6a9e08a6af816e1efcaa801
SHA256

91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9
SHA512

ca4f5e63e4d1f2a1b3aa95e48cc4639ff80328d68acc9c5b4b40da1837c6e3c29cb6262e285ff5b8081d236d6625da4a9d6a401b636a0b6bb387a4cc78c89f0e
SSDEEP

6144://a6isohxd2Quohdbd0zscwIGUKfvUJ43ewmxteZekR+1b/KVC0C:KLxdzZdxGwsYI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe

Executes dropped EXE 35 IoCs

pid	Process
4428	Jcbihpel.exe
2028	Jioaqfcc.exe
4672	Jcefno32.exe
2080	Jplfcpin.exe
5076	Jmbdbd32.exe
4068	Kmdqgd32.exe
3236	Kbfbkj32.exe
3452	Kdeoemeg.exe
2460	Kdgljmcd.exe
2216	Liddbc32.exe
4448	Ldjhpl32.exe
3392	Llemdo32.exe
1248	Lpcfkm32.exe
2412	Lmgfda32.exe
3604	Lgokmgjm.exe
2580	Medgncoe.exe
2884	Mpjlklok.exe
1900	Mplhql32.exe
3416	Mlcifmbl.exe
1304	Mcmabg32.exe
3652	Mpablkhc.exe
3332	Mgkjhe32.exe
3956	Ndokbi32.exe
4292	Ngpccdlj.exe
1428	Nphhmj32.exe
3944	Npjebj32.exe
4752	Ndhmhh32.exe
3588	Odkjng32.exe
2384	Ojgbfocc.exe
4684	Ocpgod32.exe
3028	Opdghh32.exe
4640	Ojllan32.exe
4316	Deagdn32.exe
2492	Dgbdlf32.exe
4728	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Gilnhifk.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Jmbdbd32.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Jioaqfcc.exe	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Fllifblf.dll	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Kcdgpfak.dll	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Jcefno32.exe	Jioaqfcc.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfbkj32.exe	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Jcbihpel.exe	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe
File created	C:\Windows\SysWOW64\Hledan32.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Jplfcpin.exe	Jcefno32.exe
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe
File created	C:\Windows\SysWOW64\Jcefno32.exe	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kmdqgd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4548	4728	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phaedfje.dll"	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmdqgd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4428	4840	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe	89
PID 4840 wrote to memory of 4428	4840	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe	89
PID 4840 wrote to memory of 4428	4840	91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe	89
PID 4428 wrote to memory of 2028	4428	Jcbihpel.exe	91
PID 4428 wrote to memory of 2028	4428	Jcbihpel.exe	91
PID 4428 wrote to memory of 2028	4428	Jcbihpel.exe	91
PID 2028 wrote to memory of 4672	2028	Jioaqfcc.exe	92
PID 2028 wrote to memory of 4672	2028	Jioaqfcc.exe	92
PID 2028 wrote to memory of 4672	2028	Jioaqfcc.exe	92
PID 4672 wrote to memory of 2080	4672	Jcefno32.exe	94
PID 4672 wrote to memory of 2080	4672	Jcefno32.exe	94
PID 4672 wrote to memory of 2080	4672	Jcefno32.exe	94
PID 2080 wrote to memory of 5076	2080	Jplfcpin.exe	95
PID 2080 wrote to memory of 5076	2080	Jplfcpin.exe	95
PID 2080 wrote to memory of 5076	2080	Jplfcpin.exe	95
PID 5076 wrote to memory of 4068	5076	Jmbdbd32.exe	96
PID 5076 wrote to memory of 4068	5076	Jmbdbd32.exe	96
PID 5076 wrote to memory of 4068	5076	Jmbdbd32.exe	96
PID 4068 wrote to memory of 3236	4068	Kmdqgd32.exe	97
PID 4068 wrote to memory of 3236	4068	Kmdqgd32.exe	97
PID 4068 wrote to memory of 3236	4068	Kmdqgd32.exe	97
PID 3236 wrote to memory of 3452	3236	Kbfbkj32.exe	98
PID 3236 wrote to memory of 3452	3236	Kbfbkj32.exe	98
PID 3236 wrote to memory of 3452	3236	Kbfbkj32.exe	98
PID 3452 wrote to memory of 2460	3452	Kdeoemeg.exe	100
PID 3452 wrote to memory of 2460	3452	Kdeoemeg.exe	100
PID 3452 wrote to memory of 2460	3452	Kdeoemeg.exe	100
PID 2460 wrote to memory of 2216	2460	Kdgljmcd.exe	101
PID 2460 wrote to memory of 2216	2460	Kdgljmcd.exe	101
PID 2460 wrote to memory of 2216	2460	Kdgljmcd.exe	101
PID 2216 wrote to memory of 4448	2216	Liddbc32.exe	102
PID 2216 wrote to memory of 4448	2216	Liddbc32.exe	102
PID 2216 wrote to memory of 4448	2216	Liddbc32.exe	102
PID 4448 wrote to memory of 3392	4448	Ldjhpl32.exe	103
PID 4448 wrote to memory of 3392	4448	Ldjhpl32.exe	103
PID 4448 wrote to memory of 3392	4448	Ldjhpl32.exe	103
PID 3392 wrote to memory of 1248	3392	Llemdo32.exe	104
PID 3392 wrote to memory of 1248	3392	Llemdo32.exe	104
PID 3392 wrote to memory of 1248	3392	Llemdo32.exe	104
PID 1248 wrote to memory of 2412	1248	Lpcfkm32.exe	105
PID 1248 wrote to memory of 2412	1248	Lpcfkm32.exe	105
PID 1248 wrote to memory of 2412	1248	Lpcfkm32.exe	105
PID 2412 wrote to memory of 3604	2412	Lmgfda32.exe	106
PID 2412 wrote to memory of 3604	2412	Lmgfda32.exe	106
PID 2412 wrote to memory of 3604	2412	Lmgfda32.exe	106
PID 3604 wrote to memory of 2580	3604	Lgokmgjm.exe	107
PID 3604 wrote to memory of 2580	3604	Lgokmgjm.exe	107
PID 3604 wrote to memory of 2580	3604	Lgokmgjm.exe	107
PID 2580 wrote to memory of 2884	2580	Medgncoe.exe	108
PID 2580 wrote to memory of 2884	2580	Medgncoe.exe	108
PID 2580 wrote to memory of 2884	2580	Medgncoe.exe	108
PID 2884 wrote to memory of 1900	2884	Mpjlklok.exe	109
PID 2884 wrote to memory of 1900	2884	Mpjlklok.exe	109
PID 2884 wrote to memory of 1900	2884	Mpjlklok.exe	109
PID 1900 wrote to memory of 3416	1900	Mplhql32.exe	110
PID 1900 wrote to memory of 3416	1900	Mplhql32.exe	110
PID 1900 wrote to memory of 3416	1900	Mplhql32.exe	110
PID 3416 wrote to memory of 1304	3416	Mlcifmbl.exe	111
PID 3416 wrote to memory of 1304	3416	Mlcifmbl.exe	111
PID 3416 wrote to memory of 1304	3416	Mlcifmbl.exe	111
PID 1304 wrote to memory of 3652	1304	Mcmabg32.exe	112
PID 1304 wrote to memory of 3652	1304	Mcmabg32.exe	112
PID 1304 wrote to memory of 3652	1304	Mcmabg32.exe	112
PID 3652 wrote to memory of 3332	3652	Mpablkhc.exe	113

C:\Users\Admin\AppData\Local\Temp\91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe
"C:\Users\Admin\AppData\Local\Temp\91c3cbdecfb2e725e5a4d429227949d837a4fa48afacc4c04c6c464862a8e8a9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\Jioaqfcc.exe
    C:\Windows\system32\Jioaqfcc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\Jcefno32.exe
      C:\Windows\system32\Jcefno32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 396
        37⤵
        Program crash
        
        PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4728 -ip 4728
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
264KB

MD5
5929c2fc7de49a76f8bb9f4494f69ff1

SHA1
fa1ce4c84de863f104c2689850d4efc8fceff25c

SHA256
ede0c8019ce56888d5a6e841d976fdb584b25cdbfb11e1a9ae83c5f314663586

SHA512
3f5e6d9b129502eceadc92e4cacc6bf0dcefcf8878e2f501add87318e35241b5c082b0bed2f233334b528eb1fb75251994fc424509e5bef6052cbd12eb3c1b95

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
192KB

MD5
cc5f69b3f68e530de10f256b2b6cf2dd

SHA1
a3121ef0b35355bf0ed4294199f02f358bd8bd3b

SHA256
2ece365b56c8738854d4f79e20b2aed44aa444b5ad5344934b784e4d28dd819e

SHA512
1eb24a18b6092552fb616d2823a6b4d635513068805a8ba9d38b042f42b3c283a610d926400f4e160c27bf1d5b0d2d69036afd39582b744ef9e069b673bbd7f1

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
264KB

MD5
74b69df9a0ba520d180d16b660b66a01

SHA1
4249caad3f9a05d0b5ac97c131b3cf881f34902b

SHA256
cba5e00524c0c03dafdf34133169d14606efba4eab91b56d4a2243da8a7b92c0

SHA512
2ae585a5d4d74c407b890b0157cd260394e780c61bea3f4cbef9e34dc716d1e4e3a3e6f80980651e38b5a77f1ac1b362814383e88e39233027d2a04b7a34e351

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
264KB

MD5
967f9d9dde3f431795dd074efcbbe71f

SHA1
6db74e32c700ebdbe71940979245045f157c9d01

SHA256
9b4cc2f7f1dd2f5052a23e69b36e83a5cfb46e9d08680c93af0d997b589a7229

SHA512
90326786588d82f79563cd389d67f560cbb87e9bdfc6dca67c14f847802966e2d3002146e0f81f263884eab3c1b940e6701da62789715e3312fb9e5cab0848e1

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
264KB

MD5
53ea5103e9e4e48c7816f7770371d4b7

SHA1
39b6e836a87c411bd5fc46df28ed71cd56c675b2

SHA256
660f961ec180b82d6d73b0c8de1ee2d42f7930b5ed53e3fc0d8162f0a2903006

SHA512
3a3b9735206f68ad23e6cb556133cf0ab3a0ed4008cf9ea3e5ac741e1c7b3aa02ae7a37bd2151eed03b282acd643024dd6c7ee6e86ffada7c59a26d61a0e7997

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
264KB

MD5
e3fb71301ce4b09afaf2caa11222983d

SHA1
f880349a8924dc24890a421e2eea318d3b69dc2f

SHA256
bbbd9ad6be24113bf9504a8a52959f2a02710f315c5d50aa256589ecfcf16e69

SHA512
81d30d25ebc4d9357fa10ad1acaed5d423db22186f195b5a68ce5b8efe4f9b1bc5317e24313664c05195a9f33c4aba1d32623a87ed38905ea9d35814fe2d5443

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
264KB

MD5
c87be1edf5e3beb7b62dad1b6c337a31

SHA1
102dd1482fa6ff949c57130de8a75ba72ec77749

SHA256
f364e5bc2c487f8bc29c3a4d413edc0b2bbc9d3a35fb96fc1b84f006da9d162c

SHA512
59d0ccba3294fffc8eea23700aa5ec93ae24ed7a6f2443fbed8a93ebb3af4ad75e6315c2c7117b7c11e8f6b12d6971c5a4fa11aba5e53118c7cca3707841ae8c

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
264KB

MD5
482f87b91b70377a019086c9926698b8

SHA1
a87884d9160d6e30e17a17ad2a34aa2b6977c771

SHA256
3e160b745288b0921465a1848c5341d4cee456bb7055e9df7013979218ab1ea3

SHA512
1feb20b5220e4303424b69138a6c59b061f7af273033d4759507b86300fceab5b4f175d53da167771509d1f80c79519c0392d702480c14872b09e04b611c595c

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
264KB

MD5
2e353b829dfaf37c0eca65eb9f4fc78e

SHA1
830cd5d0f72acc5c5344008dcb20c4787201f70f

SHA256
84b618a38628d35460b9da22faec985a17ca998e1903388aa90bdec105bfd645

SHA512
2919c4734e4fa0864bb9aedc4630d4fbd442ae994bd9657904c9eb8fa9897a262173db6603a538528bbb2d01a8b342ec929a1ba325768e55d6d2d478a470ffb1

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
264KB

MD5
1adc41506e3017aac7a5f586f892db47

SHA1
91ce20862d29d9a39495594561c0c1ed27babbf6

SHA256
200983dc65869b9928b60397ef651f75a89d0e4a65767a6627e3977db81d54d3

SHA512
3b3a3bb3ed9551d66710525fd795eddbb76e1cb746ac0a68ffb20e5b89529c14528f03996bffd70bf06bffe4367450f27d13db94f53dcb21a6cc69af6ca613e1

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
264KB

MD5
e344ca8333b4d5933c6584549adf793f

SHA1
38b0416a055746744172ffdde294b19b40453a28

SHA256
c7016193608f5e3561c830af80c3cc97c9bd2da0981e3f6ee2a0aa8fa4650b01

SHA512
6125898dadac1b8694d42b01c1ad4b20fd27db91dc9ff689a9a5a0d1591fe1459b1b233f10f5aa92a9e634e5f6cbe7b05aa0eee4baf75b626c674fdb33d516d4

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
264KB

MD5
151730e225c07cbc662bb6b460ec9e33

SHA1
56e8963645d23148601c1a61f34e8128412b9bfb

SHA256
2e6bfbcffa5e8dd6b10172e1a356ed0cadf973f86069ff7a52c66e66833e96f1

SHA512
37081d306ff338933c83627126b3aecfbf7144a686c414dcbc8a671f05ce8d235269bb4b5426d1856a3ff4005a47d7deb0942432584fcae2b3d61352780f42b1

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
264KB

MD5
7413a33f4438b9b4e523845757720b4a

SHA1
21b3e04f428b104c415da1f4e926f7a482b9f61a

SHA256
57fdb1c304571a5797e8f0bf2ae706bcffde5cc49b9dbe44a88df09ccd03c3f3

SHA512
d32d0432bd8180ca3257d1d8cc1526d644cf718003e23daf85eb87bb20064292a24166439fdb5ccd58a8c73b783b1fe8aa37ce0816de6dc72e9405128fc5667c

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
264KB

MD5
56a03ef53e7d73f7591b12720d2e3497

SHA1
aa047cf2f0faf840ab53ce493d24a909fe393781

SHA256
47afe9c15405cbe2c082afdb8d8035c00cf8c6b0aef70cb5ac3dddf527044a22

SHA512
208855d1c2621b11e9b48b11734bc419e3e92ba6d54e951ea8aacf2658ec2cd9396e8ec5495b1139d6811dc024d54319dc8b7e4a67fd186b9f08752ceeb97868

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
264KB

MD5
2f3fb70a6553dbb8b9c44917ed30639c

SHA1
fb37deabd991b0030c9958910941d7a8cd57be4c

SHA256
bb0cab021143bc79c872ed4e015542bacbfc040bd5ab649fd0fdaac511f61eb7

SHA512
5a8c033d09ab5ff4d8f01254dd9a9497ccf43f85aec27904a9d2e96bf61f3258be290a4e4aa5c37210af87df64ea2f237257cc4a88d7841d166a7abab34c50d5

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
264KB

MD5
6b44a7805821a493ef423599160583d6

SHA1
688a24a4196bc2f4190145a37ed2646d26579406

SHA256
14f8252e3edd518d6aecb1191ff00c8f93b4aaf47ba47c81bb7b432ff697dba3

SHA512
137365e2c486bc21e88944e74f365e9f39ec7fb3feb4cd74ed5017e0de6278952a04636279350ece7136adf158a22d65dac15de0cf5f50aa129bd3330ad8c337

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
264KB

MD5
cd136ae406b0a567ea74675060efda04

SHA1
cc53feece7bb50f696a5d1f2bbb446217fe5aabd

SHA256
939c99a45230814df07720467c1df922cce133fe5a8c5ca0b0212515ea2c5d8f

SHA512
732311bb146626b62a5fd9063d061454e9e3e9e0ce8cc706edd0e3b587976ef54af7054aaadde11415d7456d94cbdb45b88c7a9cbf457fc2925ec13f7e18dd45

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
264KB

MD5
e8dae07c7b7f8e37939229ac9bfe1564

SHA1
970adc9f071c882c51cb554f5b464fd89ed36672

SHA256
bb13027af7bb9cb7fedf4a4529e09bc734cad95e802b9ff45247a862df353e19

SHA512
a04d2c7858d6be6a84f24f165cbb3512b7895bb192af5cdb201a8b66bb5a4210d174b585f3a61e1ce2821f42d1e0983b1e39f1f9238d8b9d1841ea1fadd16065

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
264KB

MD5
ec0f2d10dc7951c5654f0425d20f2e69

SHA1
37110b7c375a7523ef52815115a27390bcc1f0f2

SHA256
58bd5275b6e0f5c4949bea9154c6fac845e878e5384d401d3416b64b019251c3

SHA512
8b0a24ba54d100fa64947b8cc28439526aa667a8754fafb74298bbd7cec804c31ba210d2aea824a5687ada809ebf13584d8df9419c72fc5a5f91c22ae0999cf7

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
231KB

MD5
f1041106604c439e15b5a995d07035a6

SHA1
586b3b254840c76cb8e57d401ad36c839f85e5d8

SHA256
abd8ce929f0d4b7e6e404802d60886abee03b56f35ec28d927e669b75a56776f

SHA512
e53362f4e2d2a8b1ae4df04815c96e16364728cf9fa5d7af1ccd8ed7f712bb4ea87e04dcbc2df68aa3276d526654b126ce2f64cd5af589b0f484783dafb8a746

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
264KB

MD5
8e063ec503e40d5bf94ff6a2fa037926

SHA1
da6e4753205b11d9de21b9e375e54bb7e8e993fe

SHA256
0b0af8e8a55f55c5c29a63486b721836f4b18e991103fb4ba9232a5fcdacda4c

SHA512
a6f6379090add2cedc73e309126c93007f0539e96b60c73ffa6d7fd9f53309600da1d7c0829817d8c0cb8ff3ce26277e9b670ef1e5abf20eb5d78f87c642269a

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
264KB

MD5
aec49d53c09d57be39b6959c30edfcc1

SHA1
d1d0c43725fbc95bda7809452b60d0dfc001fe6e

SHA256
0f2b3e9e341e0fac1ac20d621223601202549ba50e81e489d1aa9e4d6680397b

SHA512
2fbdc87bdf32f312de0e7d87728358680b62fa2e98106fc45b8fd9ff1c2481b84d5fca5855f63ee0df4ce134f378069d656300fc3b25a5370a1348cb08937cc9

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
264KB

MD5
cf57ce0121bdf193e170d84a60b973b1

SHA1
a3359e3d7f64db6bd3e09e08149f1029f9ed5f81

SHA256
428392864f4d36a776cda5c682073546dd3b43c429a4e68a66a9bc8416116299

SHA512
a6cfc1f3c001d29a76f8fa09cec962e19999a9528db61701bf161eedf7e280bc30fed7037ca4d75d3df71c2dcf595c3f87e67a3f3016fe0bda52e152202b30ad

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
264KB

MD5
1a395951df19a4a72b227a3a4c49d515

SHA1
8d0c40301d64b0c65668c4399b252d717422f716

SHA256
5eca40a69466274fcde375391cda0e0bb24929199f7542e64f9809eb42715f03

SHA512
719cab28075823856d31f9768aa6d4bf98931d86165ad701de23c6c186feee4bbcb0bb50cd6138d70f7920890a80a946dee58bb4bf57df06756db8a7e369eff7

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
264KB

MD5
90a1bee97390bbe6ff5ffbb8a6403d98

SHA1
b37f8866df0b7884f94f1a6f9305b51437352219

SHA256
3e19625afd987e1c8d52df5608ae32237160d77d6ffe2a93dcd1eafb609dac9e

SHA512
fb3fcfda84ed2b3c75cd0deaa8b35192081ec045a73fdc0a77256a1030aad6c509e032e238a0a35f8ffd7ae8ccc83fb8be2b382de5ca2abd22af2f7a363cd4d7

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
264KB

MD5
2600c91293769dab0100972a5754bfec

SHA1
a57e1fb7fcd008cffa353d173e81bfc372d6d5ae

SHA256
0fac3465c9ce167ed927a11a35ffaf6adcd03cc571065bc84edb57bf66b574a7

SHA512
17b150ca7302967ff509403dc4424cab08e1d4dcacca072c323e33a4de033a4cf292bec1597eb858ba42685766a60a60860e2278e120ee9d7168e9d1fe33aea2

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
264KB

MD5
2a0447c7cf0ca9eda6874f8b6e28e3cb

SHA1
f9f02638d72834a5800d4fae98e77f4201b1e9ae

SHA256
f60ad83c5d63c476416be5dbbfc399ad16fa226b8ef867ec67227d7000d870c8

SHA512
d5ebb65488131efb20b9c3038b831e172172a6af7447eb0ffedbb1ba1709e181b26ecab93a2187c116f649f117bf4a310929abd6b8e78fa8702940919c1ed35b

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
264KB

MD5
065fc96427633de92a74ae28fc182780

SHA1
91aa1e9b6e509aa3bec931d8b79738f08423ddc0

SHA256
4a78140bf5be34139aa5268b07d27a0de4c5726317786ec89e5c8c358a5e5e55

SHA512
6a5669ecacc9e093427138fc9c51b81d52acb8c8cda56443c51c6a65e935414cf120ec81c6832067a44b390516991cab92e05ddb54735f5bd5ca7d9decfb00a4

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
264KB

MD5
291325dff123ba0293629b261f0508e5

SHA1
878793c57c3604a164991c4c19d1b918016f94c0

SHA256
ae89c3357265a6437b15687f1f957d474eb15ddd73af53cb6a181cab8ffec167

SHA512
84936f0f52252d118589949aa512f2d483a426de824a243b4cd9f4fb946dff2bb89de157528ef93b6ed39d1d22a3c67881a57a02e7d7790b9bc51f65362de8f7

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
264KB

MD5
981b05314ed63381ee364f5a868e22fb

SHA1
7d6ad61fd90a970066ba5cca762b3a50d8822b37

SHA256
1f3077e08ecb2949e4205c2e3c7bbdc3a04b326c4f52634ce626fd95b2caff7f

SHA512
ef906b65b6e5704d1368f31af51645ee7bb5904dc937dd3f57be27468a7e07c68e44cbdb4738dc4e69c4d472c274e98618a45d4ec573e5b9fb57da998669a71f

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
264KB

MD5
7a73d881d9ea46a7e82cb82d636e1d79

SHA1
479047ebdfd08a6cc94107a2ad2bc05b18d21f2b

SHA256
1dfe430f9aa8d5b6651fc3200cf0e532fa64492b79842d69bd1fccf6595b5c6e

SHA512
142a433a610af7379ee3d0500f33089e2117e124d640c616a32b857fe824a1b6302e601c7ee6e320d111e832195366804da3b01d11e6f6f664628812466e926d

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
264KB

MD5
61abc6affaf767780153dae25a53177c

SHA1
68a4dafb8c783eb307f1fc432f36912d43bcacd9

SHA256
1a45b6b4737aefbd3fd7128a2bf80d89e9c81e805fbae5062ceeb1fa4e66d1fd

SHA512
9ab149c7a4152f15f04e1f2f6620e6b784770b348ef55a70d5cbbae10d748d7238a9fb5083975d349b1ee0f5f9985f2a3df68118a0117ea949ac7b7aa1eeb070

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
264KB

MD5
228c82b0e13c6e0073cc845f4afd1f12

SHA1
e2a3a2ab34a0c66dd1d9bf4090c6b94b0356e102

SHA256
a97746210531eec8f4880b12d79fd3ad2ad6ef027c69942363d0710f423c4ec6

SHA512
47820d232fff51439a34a2aa8771ec757c5c2cf39f92ed500d614aedaa43c7438d61379d3f6e4d182fab5a80999549710a225e8f78b31eea9032aa878b32a4e0

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
264KB

MD5
83c6307cf7cf6e0c7003f3ee704262fd

SHA1
90f992c1e61bfc00ab609626cca65879989455a4

SHA256
1e93a2319c4c89ca41f26ed873934bcdc49afcfbe7250cd1532b835ceb32675f

SHA512
bb6011cbf24f58f5c44972ccc92568041febfc7f3b01a4a9247eed0d832e857d340dc316feb382bbd9ffccb4ba144434161fdd210f824ccee7bd3a9e2f73fa70

Download Submit
memory/1248-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads