122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68

Analysis

max time kernel
146s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
Size

59KB
MD5

73d524c99cfb7bb9be02f7432c27e66e
SHA1

342d8ee8a3de99b4b562c520b48d4bfd6e142dd5
SHA256

122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68
SHA512

1d65fa697ff070372e326bd1b078f3eb62fa57521894c0cf2a97c9620dfd6dd4471379603c4d4cc039596bef22b3cbead4625ac699150037f24cca07ea5712b5
SSDEEP

768:xq9I28107t5INJovOUXoCByrE4BdMK0aRRaUW78uqv32p/1H5zXdnhfXaXdnh:xqKpcToSEEXK0a6U7uqP2LLO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclppboi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfoegm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiabhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcabej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe

Executes dropped EXE 32 IoCs

pid	Process
2408	Hkaeih32.exe
2716	Iajmmm32.exe
768	Ijbbfc32.exe
1252	Jdopjh32.exe
3836	Kdhbpf32.exe
4012	Kdpiqehp.exe
1776	Lddble32.exe
872	Lajokiaa.exe
1344	Lamlphoo.exe
224	Mcabej32.exe
5052	Mojopk32.exe
876	Nefdbekh.exe
1380	Napameoi.exe
3180	Nfpghccm.exe
3308	Ofbdncaj.exe
5040	Odgqopeb.exe
852	Oheienli.exe
4952	Pmeoqlpl.exe
4352	Pdqcenmg.exe
3396	Pmjhlklg.exe
3284	Pfeijqqe.exe
652	Qkdohg32.exe
4420	Qkfkng32.exe
2564	Afnlpohj.exe
4516	Amkabind.exe
3624	Aiabhj32.exe
1996	Bcicjbal.exe
1108	Bfoegm32.exe
1168	Bedbhi32.exe
5160	Cplckbmc.exe
5216	Dfonnk32.exe
5276	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdpiqehp.exe	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Amkabind.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Hkaeih32.exe	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
File created	C:\Windows\SysWOW64\Iajmmm32.exe	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Dbnefjjd.dll	Ijbbfc32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Agdghm32.dll	Bclppboi.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbpf32.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Efiopa32.dll	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Bmaoca32.dll	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
File created	C:\Windows\SysWOW64\Bllolf32.dll	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Odgqopeb.exe	Ofbdncaj.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Cogcho32.dll	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Hkaeih32.exe	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
File created	C:\Windows\SysWOW64\Iagpbgig.dll	Lamlphoo.exe
File opened for modification	C:\Windows\SysWOW64\Napameoi.exe	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Ofbdncaj.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Cplckbmc.exe	Bedbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Lddble32.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Hbfhni32.dll	Lddble32.exe
File created	C:\Windows\SysWOW64\Nfpghccm.exe	Napameoi.exe
File opened for modification	C:\Windows\SysWOW64\Cplckbmc.exe	Bedbhi32.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Mojopk32.exe	Mcabej32.exe
File opened for modification	C:\Windows\SysWOW64\Mojopk32.exe	Mcabej32.exe
File opened for modification	C:\Windows\SysWOW64\Aiabhj32.exe	Amkabind.exe
File opened for modification	C:\Windows\SysWOW64\Ofbdncaj.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcicjbal.exe	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Bedbhi32.exe	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Lfijgnnj.dll	Bedbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Iajmmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Oimlepla.dll	Mojopk32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bedbhi32.exe	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Dfonnk32.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Napameoi.exe	Nefdbekh.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Aiabhj32.exe	Amkabind.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Jdopjh32.exe
File opened for modification	C:\Windows\SysWOW64\Nefdbekh.exe	Mojopk32.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Napameoi.exe
File created	C:\Windows\SysWOW64\Odgqopeb.exe	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Odpldj32.dll	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Jdopjh32.exe	Ijbbfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jdopjh32.exe	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Odlpkg32.dll	Pmjhlklg.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Amkabind.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Gkhikf32.dll	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Pfeijqqe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5416	5276	WerFault.exe	135

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nefdbekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcabej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgfeb32.dll"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagpbgig.dll"	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Napameoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahmla32.dll"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclppboi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimlepla.dll"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllolf32.dll"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjmqdci.dll"	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdghm32.dll"	Bclppboi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlpkg32.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkafdjmc.dll"	Amkabind.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nefdbekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lddble32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2408	1744	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe	99
PID 1744 wrote to memory of 2408	1744	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe	99
PID 1744 wrote to memory of 2408	1744	122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe	99
PID 2408 wrote to memory of 2716	2408	Hkaeih32.exe	100
PID 2408 wrote to memory of 2716	2408	Hkaeih32.exe	100
PID 2408 wrote to memory of 2716	2408	Hkaeih32.exe	100
PID 2716 wrote to memory of 768	2716	Iajmmm32.exe	101
PID 2716 wrote to memory of 768	2716	Iajmmm32.exe	101
PID 2716 wrote to memory of 768	2716	Iajmmm32.exe	101
PID 768 wrote to memory of 1252	768	Ijbbfc32.exe	102
PID 768 wrote to memory of 1252	768	Ijbbfc32.exe	102
PID 768 wrote to memory of 1252	768	Ijbbfc32.exe	102
PID 1252 wrote to memory of 3836	1252	Jdopjh32.exe	103
PID 1252 wrote to memory of 3836	1252	Jdopjh32.exe	103
PID 1252 wrote to memory of 3836	1252	Jdopjh32.exe	103
PID 3836 wrote to memory of 4012	3836	Kdhbpf32.exe	104
PID 3836 wrote to memory of 4012	3836	Kdhbpf32.exe	104
PID 3836 wrote to memory of 4012	3836	Kdhbpf32.exe	104
PID 4012 wrote to memory of 1776	4012	Kdpiqehp.exe	105
PID 4012 wrote to memory of 1776	4012	Kdpiqehp.exe	105
PID 4012 wrote to memory of 1776	4012	Kdpiqehp.exe	105
PID 1776 wrote to memory of 872	1776	Lddble32.exe	106
PID 1776 wrote to memory of 872	1776	Lddble32.exe	106
PID 1776 wrote to memory of 872	1776	Lddble32.exe	106
PID 872 wrote to memory of 1344	872	Lajokiaa.exe	107
PID 872 wrote to memory of 1344	872	Lajokiaa.exe	107
PID 872 wrote to memory of 1344	872	Lajokiaa.exe	107
PID 1344 wrote to memory of 224	1344	Lamlphoo.exe	108
PID 1344 wrote to memory of 224	1344	Lamlphoo.exe	108
PID 1344 wrote to memory of 224	1344	Lamlphoo.exe	108
PID 224 wrote to memory of 5052	224	Mcabej32.exe	109
PID 224 wrote to memory of 5052	224	Mcabej32.exe	109
PID 224 wrote to memory of 5052	224	Mcabej32.exe	109
PID 5052 wrote to memory of 876	5052	Mojopk32.exe	110
PID 5052 wrote to memory of 876	5052	Mojopk32.exe	110
PID 5052 wrote to memory of 876	5052	Mojopk32.exe	110
PID 876 wrote to memory of 1380	876	Nefdbekh.exe	111
PID 876 wrote to memory of 1380	876	Nefdbekh.exe	111
PID 876 wrote to memory of 1380	876	Nefdbekh.exe	111
PID 1380 wrote to memory of 3180	1380	Napameoi.exe	113
PID 1380 wrote to memory of 3180	1380	Napameoi.exe	113
PID 1380 wrote to memory of 3180	1380	Napameoi.exe	113
PID 3180 wrote to memory of 3308	3180	Nfpghccm.exe	114
PID 3180 wrote to memory of 3308	3180	Nfpghccm.exe	114
PID 3180 wrote to memory of 3308	3180	Nfpghccm.exe	114
PID 3308 wrote to memory of 5040	3308	Ofbdncaj.exe	115
PID 3308 wrote to memory of 5040	3308	Ofbdncaj.exe	115
PID 3308 wrote to memory of 5040	3308	Ofbdncaj.exe	115
PID 5040 wrote to memory of 852	5040	Odgqopeb.exe	116
PID 5040 wrote to memory of 852	5040	Odgqopeb.exe	116
PID 5040 wrote to memory of 852	5040	Odgqopeb.exe	116
PID 852 wrote to memory of 4952	852	Oheienli.exe	117
PID 852 wrote to memory of 4952	852	Oheienli.exe	117
PID 852 wrote to memory of 4952	852	Oheienli.exe	117
PID 4952 wrote to memory of 4352	4952	Pmeoqlpl.exe	118
PID 4952 wrote to memory of 4352	4952	Pmeoqlpl.exe	118
PID 4952 wrote to memory of 4352	4952	Pmeoqlpl.exe	118
PID 4352 wrote to memory of 3396	4352	Pdqcenmg.exe	119
PID 4352 wrote to memory of 3396	4352	Pdqcenmg.exe	119
PID 4352 wrote to memory of 3396	4352	Pdqcenmg.exe	119
PID 3396 wrote to memory of 3284	3396	Pmjhlklg.exe	120
PID 3396 wrote to memory of 3284	3396	Pmjhlklg.exe	120
PID 3396 wrote to memory of 3284	3396	Pmjhlklg.exe	120
PID 3284 wrote to memory of 652	3284	Pfeijqqe.exe	121

C:\Users\Admin\AppData\Local\Temp\122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe
"C:\Users\Admin\AppData\Local\Temp\122dc58c9f7049c24f48d321b41e4fa4fbce762cb59ea5cc342f135010820f68.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\Hkaeih32.exe
  C:\Windows\system32\Hkaeih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\Iajmmm32.exe
    C:\Windows\system32\Iajmmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Ijbbfc32.exe
      C:\Windows\system32\Ijbbfc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        34⤵
        Executes dropped EXE
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 400
        35⤵
        Program crash
        
        PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5276 -ip 5276
1⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afnlpohj.exe

Filesize
59KB

MD5
81e142ffd4ec28683021bb55e36bb510

SHA1
89592de4b27b541a6f1fe1a08cbaa35d2a35c488

SHA256
b6805d618666fa5ea0a3c4a5b107ce9e1845f5f8064fbc1789e871e0fb3157c5

SHA512
660244475d9f3746fa78a7a507afa3600688ce846c7ad58e2c18c9bce1cbdfc494235233c99e4c4e322ea1a19ea7fda9f00abce44b0d18bd2429ce9cf1183ce2

Download Submit
C:\Windows\SysWOW64\Aiabhj32.exe

Filesize
59KB

MD5
3e9dc39622c30ddc4994821ed3a7ff2a

SHA1
21e602d1f0a5446cfaff6d9891a5ed36ebc4dca3

SHA256
3f2d5c4ad6d337a00fbcb162e8b3176517271295aa8842566e3ffc35f8556c59

SHA512
813980632ed2f5463af130a450c6b4601da82611078c733b75495c0456c14da4537735f20665db3a8d1ef141be77108f2a5d40362b42f0dd32bc06c6804d7a3e

Download Submit
C:\Windows\SysWOW64\Amkabind.exe

Filesize
59KB

MD5
9c28728fe04cc45b7a1ee38333c365dd

SHA1
51815d4fc5af9491519fd3699e564731436a8102

SHA256
ca7e16405e618c07047f843392ec075aec1b34d5cc8c44b9f4ceefc2e4a37215

SHA512
2fdd7924f248a2486a47c4e78a53afeaf3faf6bc35913858945576c32cdfe73abde2bce228bab820a8feced3021980adeadf56d4037d9023e60e797e62bae7a1

Download Submit
C:\Windows\SysWOW64\Bcicjbal.exe

Filesize
59KB

MD5
2af893c445792d60be4386ac398b0daf

SHA1
4173ddd27d0b0d35bb559529f2c9cf95e6a22cd9

SHA256
ec2363fc82a04240705061bb930468b4246d8c3c596ba94c27c64afce405a30f

SHA512
9793105a59238b2f3551eff36070a9b547f68783df9c7943a5428648568e3d916064d48622c77bf730ae4b3df23e834f7e956048cd8478d48fdfa090a2f6029d

Download Submit
C:\Windows\SysWOW64\Bedbhi32.exe

Filesize
59KB

MD5
535ebc03c324bf6398e48889d40ad6f9

SHA1
4c978e27cc3295f90400fd7f0e8dfd27b1894b89

SHA256
2258d350a7597759fd75f58d9f533407e36a1664dd84778334ea926bb9dfc1f2

SHA512
2eed47cef187c59aebc2be8801ad6a5788821c918257775b2a62190a4d5b133d9fd957271c05643d96395a1c25456aaac796d1175bce7368db20707b9e2fc895

Download Submit
C:\Windows\SysWOW64\Bfoegm32.exe

Filesize
59KB

MD5
349a9fb327ca0d0717dfb7117aa9d0e8

SHA1
a17bdad2ff33d4833975835f73b2adab92157f68

SHA256
886459b15f03c3f3d09e52fdc098c409d8109eefb389cd3da3fcfb40d52c2e6b

SHA512
0102c34fbaf90a7bfecff17f20c6e735e95efbb08c59f1548f22ee8e02c13b239928ff2aaf49dee763361acb1e6c85aadebf8b712b83b0ac132143c19f47df4c

Download Submit
C:\Windows\SysWOW64\Cplckbmc.exe

Filesize
59KB

MD5
670e4265525c9f76cb37846a8f9d9c1c

SHA1
c346d0824f33e313f93a2ce0b4c73f066893ee34

SHA256
f192f56d0ca259aa59059dc4138cfc1bc826515fcf8e639039c891e08896c0b7

SHA512
2f38b5bb66c8c5aa3bfc1f989e567e83aef91104d71fb68de98828b403f0ea0c87ce0e04550d6bb0c72586614e0c606b5fe58e9c84c92718e9e72e63703e1016

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
59KB

MD5
71854cbc5c304764cebf1f3569c991d9

SHA1
e33577ae45b1e2f2d2992b5109739d1c0dd8738f

SHA256
f8af580a7530912cbbd4ab463c3f99c5927b3f827ea6657903f4c704d18e612a

SHA512
097c4fcaa5fe39f543a7d918464afc83cd778cda0386bcb8b5b16fe67ad81c8aa76e9edfaadadfa4eb0b4174535688c5bc0237261e99e8417384cfc24c9372ea

Download Submit
C:\Windows\SysWOW64\Dfonnk32.exe

Filesize
59KB

MD5
5bb355b3f67706c59a09f58512979c10

SHA1
3f6147dce9f39c81a7d502392ebe952fcf5fd992

SHA256
5092a9f09fb58fe26bd88edb305752ce7ef50e039c0eebb8075a869066351e0d

SHA512
8f66f72319199902f57a8e581efd71ed478a1daa60ea8587e381582594c06715e24ddc2c0c83e08ff1d17c35ebaf5415a0017be74b47aafae5729628595c8d62

Download Submit
C:\Windows\SysWOW64\Hkaeih32.exe

Filesize
59KB

MD5
6b6c29982867d06e3ddeb424048459dd

SHA1
828958dceb4fab7a26c6fa4c47fea1339a5b693f

SHA256
a2b3d54ab11532086518e8f35d678c8dfc339a03168c49460c9be89633c813b0

SHA512
83fd19386a1743cad9fba7a21b0a4ccadfb4bb597a92c5f2a589e9945ed1b68163b42ce5458ba92812c95cc7abda40d4024058dbc90bfefaf5b233e912ddbbe4

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
59KB

MD5
f0d27270708b753f0e28acec70b61be0

SHA1
17e1ac198a213da270dd99a42a8ef1df37320257

SHA256
c7d9688a1e78847aaade20f3fd7234766ff8148512b72f8c08da4af963d35b34

SHA512
3e90b1ac6273b8470eb5c096912efaa277bdc31c5af426cdd15087975330f64fc2f6d83c953180d25c91f4363e553821add61bbf43662c59d7b7deb0b9c5a074

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
59KB

MD5
c2a9dbd11b5d422d2e3c06aa5a4e26f2

SHA1
4bf1a9c9c6e37e077b52d74389b601b2c887acce

SHA256
c921271cad74ee4f120eb37bffd98a945a159c89e507646182c15c12aad84fa5

SHA512
8cf714a9c1687dc0fbbed1a34df9682028299a66dadbc5574e9ad971dfe4e7d76d97c92fc3c7e195c69d509f93bd1329c8dc2fb1805341ab7496923a2b32b21a

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
59KB

MD5
d88ffafa92282345342e2b478312bd4f

SHA1
23b402e5509b3f47cbdfd0bebdfc76c2e584996d

SHA256
601ac2776e3de3aac6edd661d2d5e18f78ba5dd5db62873b959fa9b1828136cc

SHA512
a07e3c9d257a20f03804bf12d85a29afa897bc8c2d6f067dce9af525e812177ddbce9eabcb1001b2d48b0db09c9179f14284b532cab49bdd28333f6a0e55f510

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
59KB

MD5
e90f6b1d8245445de8e142f3e7b4fe62

SHA1
1a6c57c9d185958eef903163ea77c91e58398118

SHA256
42ca816d70f4fa444bfe78b7e0267f16d26b68db41b7c0e462e93037cd006618

SHA512
b11a32a3e2fe7c52b6baa1651e1f2e827bcb51dce268ba9c73e1d187e838df63cdd1d31fcb364a2bb42b3793ba267b777f71257ae84a0651f47c49049fe7c7f6

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
59KB

MD5
705e008c052578cf382723b5864740d2

SHA1
f47dba8890ef8a24cc27e2152be3ec2ea6f7aa98

SHA256
bc426338a67459b9e44e0c6f6ca3fea6f874a181a8332709ea1269760426704a

SHA512
96ee29fb238b87a35679adddeafd5041f11a681d40b865094bd7d157e833eea876423abd9f4d563079ae35447d12fe9b3789412ed7524d42d1ccd3a6d953a49b

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
59KB

MD5
c000e20b00427d39b4448c12ae86b6f9

SHA1
68e65e8a0a040bdfb2586ddcd48bea1c6acff544

SHA256
0d9987d8056fcdfc115020dff8187892ef6a66302f2e0d49080a30236d71e1b3

SHA512
a8f36b347e1f9724be19c505a9dacbd8ed9cf16b5cae184eee5bd361df97fc90fc4deddc3a7495d4fec2eab9a883d4f9d3a315bae6762b692d518c39e52a6695

Download Submit
C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
59KB

MD5
8c423a13cf196613dd36500e1f393cfb

SHA1
88ed81c83b890fa7d3d0285ac8fd8b2d57b038aa

SHA256
a52dde0f0ab8e6639fb8ae76bd3cc837f334e00e009c86f5f83574b703261642

SHA512
9216e2cf8a21cb3f8aa897f5da06fe15dc7aefef736ee3fabf403a0f61734224021b059f0308c144a1cf426a779d1b9b2d8467a5fc70da126ffff3d6227282b7

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
59KB

MD5
1d2edf0b8bba656451cdfa45a24961a2

SHA1
d2bea33642447bdba866c65ea68a0ffdd29c5ba2

SHA256
ec97e7064fc21ed712bfa65e5f662b3193571c858b99baa173589b37f6f62f75

SHA512
be34a711161c9108da216f8f2714b4b8bf529543e93775759a6a102db85f34fcece01aaef38ca7956a88302572f1f7f9905dee233d422a0c500f41406d7df5fd

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
59KB

MD5
528d0358a8baf48156ea03b0616eb555

SHA1
f4a790fddf30d383e68fd98b006ca8cf7b6ab3b4

SHA256
33922c28e107e50fbc79c3cbdc9fcd436e42e6042970a36e8e72b1488f2f6704

SHA512
1f8e55a0292b5d1659bee05c4a7f3a5004974a5ff84efff7fbfa6ef0a626805654f3ca82969d81eb33e122c382f0030a0a1031027bc37466238e6e6e73fa81ad

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
59KB

MD5
5d3405c8e51993269e4cc5b75b62b213

SHA1
287704afa9024be880ff98a32ad61d21fa1d4092

SHA256
0d874137c0c316a39d9c3c115a3126bead7c4c381dbc1071fcf06055b3d90094

SHA512
93abe38b7c6f288a579d35bcaa17bb804b65c556648172aea8428c596505e734deaeddb74e6fe29d723774b40141ab50ed4283bb8945d82461f04130d5a50707

Download Submit
C:\Windows\SysWOW64\Napameoi.exe

Filesize
59KB

MD5
0bc725135eca464090e9013f83c565c9

SHA1
7775119b4fc881546616d9e28ba9795aa8ff9a3a

SHA256
bf128b23d15b1e103ea12084d406bab482522e01c4ec93bee907b3f1c502730b

SHA512
535a7157f123ff2801f799537f9ceb9629a99e6a2d7177226c052209261b44045675cdd1935413c645ca6b2fef8a8e069569bf6f6c8d2e8ffc54c0b04722a0ad

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
59KB

MD5
6f5a2e30f0aa8b02b04344178d0c314f

SHA1
b856c59b1b2d906909096eeb8cd91931e1dff6df

SHA256
cb1b4a5ab4101f6115249968e3208076ea5d75dc3776775331fa86d227ee0e95

SHA512
5376143601b47ae217c149b7e27708ed647e4adba487a61e5a28a5d2944474263e9899fe008648951deb427741578cb2f637253df284d69eee5e7d4b9190eee2

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
59KB

MD5
22b307ab3d026c88f733474313284d70

SHA1
b9e92ad6af3de7265bb59424705757359e78382b

SHA256
c22de53897f6906b570433546ccefc012e1cf1d022d522c2b2b5bb195c8200cb

SHA512
a7feca22519b92db40d3177c1c7717acf0322b8a2f9a5fd05cb1fce0f0af4cb48cae8b31db387013f5fbc0b629685ad62253593abf9b4e41744ce9e124ca6cd1

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
59KB

MD5
97c32f2e85fa8475992e4159a9715c5c

SHA1
2c2277f204fe1f493720a1527f0bb9bae227ab12

SHA256
b6175b7cc934d7485652ddb32c977ba718d716c3befac5be572031771a87997f

SHA512
de6fd00fff5df10e14593edf288e516d793da7eda8246447b4259db5074e560d80b4af8638155d9fe14c7fe982c27ac04b12a0fc27049a2b9159976996b1b5a3

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
59KB

MD5
d3c60db49212e9c756417e2fd9c65c22

SHA1
c2ccc85a6c06180a22f5306b40237d9985fc0684

SHA256
f52c32b149040656ddb9cfaebeb06c6c6961d684f7283bddfa4483890d310664

SHA512
c2015e8ade99e2b6bf6a4d236a7661cc942a66469d02fce5efc73780589e957a700b0eaaec6f7a80cc430c2dcb04dc9db5f2a014f459a36b83a298d013ddc3b4

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
59KB

MD5
8fc3fc59bf03cf454884424a45c313f8

SHA1
482a4bf416c10baaea3aac1a992b69f8d92f7665

SHA256
35cff5894d4f0d163c7524ffbf1d8a142d78a7c23b19281f210bb53688c52fb0

SHA512
b1baa5c8b7f0889a5dc0e5a566187e246f4977c7dce87917d791e745652b5a2c60d18cc532defad7a724fa965016e1f8a889072d67e65434a7b2b0ae74bbeb86

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
59KB

MD5
9d3182b16d751485ca06c1d2ebf6a4ed

SHA1
c56205410ddd5c6cf011c5d4da53e35a6004b16e

SHA256
e89904a7b47bbdd0fca8207facfd750e7b45189d3c0c926a35b7a1064909619b

SHA512
7752cf159b446ffa967bd3da4a6069c78d3b4c8dc0454f9be3eaf2b150df0485b7ebdc7461743aee6eb46f0d451855b96ebce7992721baaffb524aeca138e8d9

Download Submit
C:\Windows\SysWOW64\Pfeijqqe.exe

Filesize
59KB

MD5
6acd4fd37a2baa281cf08cd2f31608db

SHA1
ddbae6b9af454bdd488df769f517ef1397df1481

SHA256
938bdc24e417d424cd8f57a416712994377c722ea5b4be235fee95eb9c906d10

SHA512
b5623173a0d213dd4ef374055cb4c1cb73a67795223a7d33a04866499fe7fe825055a69e00cdd524f80c13c5c939224014d43385d6c9373e13e6894086846bd7

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
59KB

MD5
fa2f14562c30616376415bf611cbcc05

SHA1
92256f01a2ffe8b5e7c81447e112fe3ee2618e3b

SHA256
0ef94d8a7b41ae4cdddf5fa1ad01913776e83f089aff5618dc63f6adfcbdd518

SHA512
202b0959137dc9d39877ddeb9b97ab5d744b807b27160a472078e2dfa78fd402041eefe97a343252ad6e8d2ee86bc515f6d0ba050c677330bfdc235a1550f5f2

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
59KB

MD5
6da7a41c081cf5d24276a1714e616ddc

SHA1
f3441864a9945c28c737da017c15b5b6cbc6adfb

SHA256
761793aa7fa7baec85a9ec4edeca88445eeb513ee825f8657ae5ebf882e01fc8

SHA512
6699c46298e0cc76350c37cedf98b8eed6407287cdb5df01691b911f5ad38dc3acf8892f804736b284f66b1300b4d5819603b005c3b782e767ff9eded4bd3c51

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
59KB

MD5
9d6d4da926dac9284b118c6296b717eb

SHA1
90001690f29e37c7b1070cb9a4bc0d6a758849ca

SHA256
a1294979fc20e9b49512a2af41e787bb3f4e6c269bda5ada32f81be7363cfab9

SHA512
d431c5516b3cb95dc541d14b4102616a48546e6cd8d9fe3e9bdd7714d9827ecea2eef09ac2fbdfd074d2fb157fd8a131efdd462c5957f8c51bcbd6eff65d7a3d

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
59KB

MD5
8447787bbe30f9a6ce81c14e92ff4f54

SHA1
fdd3900ea6a024e1c7635d563739c5c637707766

SHA256
f0364278e5299086b2c42246f38602d44fd00df9d6f3b0bcd9ca9042f9425c0c

SHA512
ee381c202234bec075280078ca34ace7043325033a03efeed9be16bf00ac202e293bed27629cfbda841e0ddd3e6d61b08d7a262b407921ba18e529d740e0b471

Download Submit
memory/224-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads