0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
Size

844KB
MD5

f13cdb0f95acc3f5534e967a6661f526
SHA1

3f0fc4bc85bea65fdaa541c4af7abad13dc63471
SHA256

0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed
SHA512

38c9b51ac868898e764fb05b788a0671208c0bf0d462cc28ebec1ceaee0bef9f5ec1fa7a5464450c12086bde3acbc7b00187b16d91b7dec4378a979b66a2cf58
SSDEEP

24576:yX+H5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:C+H5W3TbQihw+cdX2x46uhqllMi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Febfomdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnmlhchd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hanlnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghcoqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kincipnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icfofg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmlhchd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgemplap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifkacb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpcqaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Febfomdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpcqaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hanlnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifkacb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kincipnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlekia32.exe

Executes dropped EXE 35 IoCs

pid	Process
2952	Eqijej32.exe
2836	Fpcqaf32.exe
2656	Febfomdd.exe
2684	Ghcoqh32.exe
2556	Hhehek32.exe
2516	Hanlnp32.exe
3012	Icfofg32.exe
1868	Ifkacb32.exe
2008	Jnmlhchd.exe
968	Kofopj32.exe
1792	Kincipnk.exe
756	Knklagmb.exe
2180	Kpjhkjde.exe
960	Kaldcb32.exe
2732	Kgemplap.exe
576	Kbkameaf.exe
2404	Lmebnb32.exe
1336	Lfmffhde.exe
1744	Lpekon32.exe
924	Linphc32.exe
2996	Liplnc32.exe
1552	Lfdmggnm.exe
1564	Mpmapm32.exe
540	Mffimglk.exe
1512	Moanaiie.exe
612	Migbnb32.exe
2052	Mhloponc.exe
1528	Mholen32.exe
2104	Mpjqiq32.exe
2192	Nibebfpl.exe
3008	Nckjkl32.exe
1616	Nmpnhdfc.exe
3056	Ngibaj32.exe
2552	Nlekia32.exe
2672	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
844	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
844	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
2952	Eqijej32.exe
2952	Eqijej32.exe
2836	Fpcqaf32.exe
2836	Fpcqaf32.exe
2656	Febfomdd.exe
2656	Febfomdd.exe
2684	Ghcoqh32.exe
2684	Ghcoqh32.exe
2556	Hhehek32.exe
2556	Hhehek32.exe
2516	Hanlnp32.exe
2516	Hanlnp32.exe
3012	Icfofg32.exe
3012	Icfofg32.exe
1868	Ifkacb32.exe
1868	Ifkacb32.exe
2008	Jnmlhchd.exe
2008	Jnmlhchd.exe
968	Kofopj32.exe
968	Kofopj32.exe
1792	Kincipnk.exe
1792	Kincipnk.exe
756	Knklagmb.exe
756	Knklagmb.exe
2180	Kpjhkjde.exe
2180	Kpjhkjde.exe
960	Kaldcb32.exe
960	Kaldcb32.exe
2732	Kgemplap.exe
2732	Kgemplap.exe
576	Kbkameaf.exe
576	Kbkameaf.exe
2404	Lmebnb32.exe
2404	Lmebnb32.exe
1336	Lfmffhde.exe
1336	Lfmffhde.exe
1744	Lpekon32.exe
1744	Lpekon32.exe
924	Linphc32.exe
924	Linphc32.exe
2996	Liplnc32.exe
2996	Liplnc32.exe
1552	Lfdmggnm.exe
1552	Lfdmggnm.exe
1564	Mpmapm32.exe
1564	Mpmapm32.exe
540	Mffimglk.exe
540	Mffimglk.exe
1512	Moanaiie.exe
1512	Moanaiie.exe
612	Migbnb32.exe
612	Migbnb32.exe
2052	Mhloponc.exe
2052	Mhloponc.exe
1528	Mholen32.exe
1528	Mholen32.exe
2104	Mpjqiq32.exe
2104	Mpjqiq32.exe
2192	Nibebfpl.exe
2192	Nibebfpl.exe
3008	Nckjkl32.exe
3008	Nckjkl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Liplnc32.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Kpjhkjde.exe
File opened for modification	C:\Windows\SysWOW64\Hanlnp32.exe	Hhehek32.exe
File created	C:\Windows\SysWOW64\Dddaaf32.dll	Hanlnp32.exe
File created	C:\Windows\SysWOW64\Nookinfk.dll	Icfofg32.exe
File created	C:\Windows\SysWOW64\Kgemplap.exe	Kaldcb32.exe
File opened for modification	C:\Windows\SysWOW64\Lmebnb32.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mffimglk.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Hhehek32.exe	Ghcoqh32.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Biddmpnf.dll	Ghcoqh32.exe
File opened for modification	C:\Windows\SysWOW64\Kincipnk.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Kaldcb32.exe	Kpjhkjde.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Pefgcifd.dll	Febfomdd.exe
File created	C:\Windows\SysWOW64\Gabqfggi.dll	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Lgpmbcmh.dll	Linphc32.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Lmebnb32.exe
File created	C:\Windows\SysWOW64\Lpekon32.exe	Lfmffhde.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Jnmlhchd.exe	Ifkacb32.exe
File created	C:\Windows\SysWOW64\Qjfhfnim.dll	Kincipnk.exe
File created	C:\Windows\SysWOW64\Lfmffhde.exe	Lmebnb32.exe
File created	C:\Windows\SysWOW64\Gpbgnedh.dll	Mffimglk.exe
File created	C:\Windows\SysWOW64\Agmceh32.dll	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Kofopj32.exe	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Negpnjgm.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Kofopj32.exe	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kgemplap.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	Liplnc32.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Ghcoqh32.exe	Febfomdd.exe
File opened for modification	C:\Windows\SysWOW64\Hhehek32.exe	Ghcoqh32.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Icfofg32.exe	Hanlnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kgemplap.exe
File opened for modification	C:\Windows\SysWOW64\Ghcoqh32.exe	Febfomdd.exe
File opened for modification	C:\Windows\SysWOW64\Linphc32.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Knklagmb.exe	Kincipnk.exe
File created	C:\Windows\SysWOW64\Mkoleq32.dll	Jnmlhchd.exe
File opened for modification	C:\Windows\SysWOW64\Kpjhkjde.exe	Knklagmb.exe
File opened for modification	C:\Windows\SysWOW64\Liplnc32.exe	Linphc32.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Moanaiie.exe
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Hanlnp32.exe	Hhehek32.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Linphc32.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Knklagmb.exe	Kincipnk.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2172	2672	WerFault.exe	62

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnmlhchd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmkonce.dll"	Fpcqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghcoqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mffimglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmhnm32.dll"	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifkacb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancjqghh.dll"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoleq32.dll"	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfgbaoo.dll"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mffimglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefgcifd.dll"	Febfomdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmebnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll"	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghcoqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hanlnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpekon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifkacb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll"	Lmebnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kincipnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll"	Kofopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddaaf32.dll"	Hanlnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Febfomdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcblodlj.dll"	Ifkacb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlekia32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2952	844	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe	28
PID 844 wrote to memory of 2952	844	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe	28
PID 844 wrote to memory of 2952	844	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe	28
PID 844 wrote to memory of 2952	844	0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe	28
PID 2952 wrote to memory of 2836	2952	Eqijej32.exe	29
PID 2952 wrote to memory of 2836	2952	Eqijej32.exe	29
PID 2952 wrote to memory of 2836	2952	Eqijej32.exe	29
PID 2952 wrote to memory of 2836	2952	Eqijej32.exe	29
PID 2836 wrote to memory of 2656	2836	Fpcqaf32.exe	30
PID 2836 wrote to memory of 2656	2836	Fpcqaf32.exe	30
PID 2836 wrote to memory of 2656	2836	Fpcqaf32.exe	30
PID 2836 wrote to memory of 2656	2836	Fpcqaf32.exe	30
PID 2656 wrote to memory of 2684	2656	Febfomdd.exe	31
PID 2656 wrote to memory of 2684	2656	Febfomdd.exe	31
PID 2656 wrote to memory of 2684	2656	Febfomdd.exe	31
PID 2656 wrote to memory of 2684	2656	Febfomdd.exe	31
PID 2684 wrote to memory of 2556	2684	Ghcoqh32.exe	32
PID 2684 wrote to memory of 2556	2684	Ghcoqh32.exe	32
PID 2684 wrote to memory of 2556	2684	Ghcoqh32.exe	32
PID 2684 wrote to memory of 2556	2684	Ghcoqh32.exe	32
PID 2556 wrote to memory of 2516	2556	Hhehek32.exe	33
PID 2556 wrote to memory of 2516	2556	Hhehek32.exe	33
PID 2556 wrote to memory of 2516	2556	Hhehek32.exe	33
PID 2556 wrote to memory of 2516	2556	Hhehek32.exe	33
PID 2516 wrote to memory of 3012	2516	Hanlnp32.exe	34
PID 2516 wrote to memory of 3012	2516	Hanlnp32.exe	34
PID 2516 wrote to memory of 3012	2516	Hanlnp32.exe	34
PID 2516 wrote to memory of 3012	2516	Hanlnp32.exe	34
PID 3012 wrote to memory of 1868	3012	Icfofg32.exe	35
PID 3012 wrote to memory of 1868	3012	Icfofg32.exe	35
PID 3012 wrote to memory of 1868	3012	Icfofg32.exe	35
PID 3012 wrote to memory of 1868	3012	Icfofg32.exe	35
PID 1868 wrote to memory of 2008	1868	Ifkacb32.exe	36
PID 1868 wrote to memory of 2008	1868	Ifkacb32.exe	36
PID 1868 wrote to memory of 2008	1868	Ifkacb32.exe	36
PID 1868 wrote to memory of 2008	1868	Ifkacb32.exe	36
PID 2008 wrote to memory of 968	2008	Jnmlhchd.exe	37
PID 2008 wrote to memory of 968	2008	Jnmlhchd.exe	37
PID 2008 wrote to memory of 968	2008	Jnmlhchd.exe	37
PID 2008 wrote to memory of 968	2008	Jnmlhchd.exe	37
PID 968 wrote to memory of 1792	968	Kofopj32.exe	38
PID 968 wrote to memory of 1792	968	Kofopj32.exe	38
PID 968 wrote to memory of 1792	968	Kofopj32.exe	38
PID 968 wrote to memory of 1792	968	Kofopj32.exe	38
PID 1792 wrote to memory of 756	1792	Kincipnk.exe	39
PID 1792 wrote to memory of 756	1792	Kincipnk.exe	39
PID 1792 wrote to memory of 756	1792	Kincipnk.exe	39
PID 1792 wrote to memory of 756	1792	Kincipnk.exe	39
PID 756 wrote to memory of 2180	756	Knklagmb.exe	40
PID 756 wrote to memory of 2180	756	Knklagmb.exe	40
PID 756 wrote to memory of 2180	756	Knklagmb.exe	40
PID 756 wrote to memory of 2180	756	Knklagmb.exe	40
PID 2180 wrote to memory of 960	2180	Kpjhkjde.exe	41
PID 2180 wrote to memory of 960	2180	Kpjhkjde.exe	41
PID 2180 wrote to memory of 960	2180	Kpjhkjde.exe	41
PID 2180 wrote to memory of 960	2180	Kpjhkjde.exe	41
PID 960 wrote to memory of 2732	960	Kaldcb32.exe	42
PID 960 wrote to memory of 2732	960	Kaldcb32.exe	42
PID 960 wrote to memory of 2732	960	Kaldcb32.exe	42
PID 960 wrote to memory of 2732	960	Kaldcb32.exe	42
PID 2732 wrote to memory of 576	2732	Kgemplap.exe	43
PID 2732 wrote to memory of 576	2732	Kgemplap.exe	43
PID 2732 wrote to memory of 576	2732	Kgemplap.exe	43
PID 2732 wrote to memory of 576	2732	Kgemplap.exe	43

C:\Users\Admin\AppData\Local\Temp\0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe
"C:\Users\Admin\AppData\Local\Temp\0b766eb4c03971498fb0f7fcc0229dc7a8710d19288597279f0ee34e3365b0ed.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\Eqijej32.exe
  C:\Windows\system32\Eqijej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\Fpcqaf32.exe
    C:\Windows\system32\Fpcqaf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Febfomdd.exe
      C:\Windows\system32\Febfomdd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Ghcoqh32.exe
        
        C:\Windows\system32\Ghcoqh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\Hhehek32.exe
        
        C:\Windows\system32\Hhehek32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Hanlnp32.exe
        
        C:\Windows\system32\Hanlnp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Icfofg32.exe
        
        C:\Windows\system32\Icfofg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Ifkacb32.exe
        
        C:\Windows\system32\Ifkacb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Jnmlhchd.exe
        
        C:\Windows\system32\Jnmlhchd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Kincipnk.exe
        
        C:\Windows\system32\Kincipnk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Knklagmb.exe
        
        C:\Windows\system32\Knklagmb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Kpjhkjde.exe
        
        C:\Windows\system32\Kpjhkjde.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:576
        
        C:\Windows\SysWOW64\Lmebnb32.exe
        
        C:\Windows\system32\Lmebnb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Linphc32.exe
        
        C:\Windows\system32\Linphc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:612
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        36⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 140
        37⤵
        Program crash
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Biddmpnf.dll

Filesize
7KB

MD5
e0900c0dbdbeef5513bd839f69560302

SHA1
0270b813c51cffed9038779c73bed959493343e2

SHA256
264a5f781245e0e1cd962bfcbc96ec1247e64cb9b2089d08a14c728bea781962

SHA512
55a401b06a42ba1bdf1b8e6d14617624d54c4c809848fc18ae519c0fa441b838ae5e18d7e944a9982501886443f921825935cdca7600b795208fb3d39035892d

Download Submit
C:\Windows\SysWOW64\Febfomdd.exe

Filesize
844KB

MD5
3b88509b755ae34e02d21c4a7d2e38e9

SHA1
040b463ed5a01134fdc6ffa614e02c322678f7b4

SHA256
137585f9c2cdc2201e1026eac4a5ef32e5686f7218750677d7f1cb64635171f3

SHA512
f683c230fc4eeebab54b2f09a90282366b33df1a2db486b201d3f51fd5c79e7f44385fc7e5dc5eca7d3f3bf20675fe6113f51fa4e43f7e11721ff030fe4c3212

Download Submit
C:\Windows\SysWOW64\Fpcqaf32.exe

Filesize
576KB

MD5
75057145b9e4b1aee01fe4429a5209c7

SHA1
f999b3cdfac11a76cab90f13eb8db1e4418b651e

SHA256
3fb29c23f23c6a7fab3bd3033aa1997123f717e264bb84460c96c225f99371ab

SHA512
6645eec70e45b44cf493d0b476953e907af22118646e6ea11bf876c0456beaff050e78605e0e3c8b4ce9f794e51a431942ace3f7e25092cab39e2372023a17b5

Download Submit
C:\Windows\SysWOW64\Fpcqaf32.exe

Filesize
512KB

MD5
7718261e5844ae6821f11d72eec58b38

SHA1
ce389260158ef856083b1cb635f83e576b019c3a

SHA256
d81442d8abcabe9244d082f3e219cd8b7bd487ac084c203169d2f9e38380fb33

SHA512
4218d1b83d7afcde70004b2291ea572c0aced15d6e905f960d0d01927c927700433e726d5d76317b8104242e45547d442f3817405158542a70f86cde00c4c988

Download Submit
C:\Windows\SysWOW64\Fpcqaf32.exe

Filesize
448KB

MD5
34283415100570a34216c66351986ace

SHA1
4ccd2e0b334d206513e388c9b1ac0dfd8b2b3390

SHA256
67f829ae28fd9f9e713c5fc6967adfd56ff2c5c5c433426d5c8f683b4de9b054

SHA512
0f4ced5da09c1c9572092574af3562970096814dbb322c821181c28dd1f4de5cbac943bd93b2c59102bf66ba0c8b87aba2b5e2eb79216e8f3aeca2fed9d49ea7

Download Submit
C:\Windows\SysWOW64\Hanlnp32.exe

Filesize
844KB

MD5
661c26c948b06769e7570b522272c5ab

SHA1
12ef91c739bf4f4b2b4b9827342684862b75e7bc

SHA256
731d64cbc10a8ce66029471e94149601ae35f5e1ee3a7cd79258795ff8c2b208

SHA512
a50dad8fe35ac4354f335db25d67ed27bdf24e2b5e7abca07fa1d596c178121f2ee68fe5dd7424f7200f0ee6a4370bc19e9a224c64a9f02832073e73c1f1eab3

Download Submit
C:\Windows\SysWOW64\Hhehek32.exe

Filesize
844KB

MD5
dfbd22a3c9075ca06de2749d383fa550

SHA1
6940e99b031285d31bc429ba410c73e628d84337

SHA256
13b7dc3fcb0365246344e6d3c863890d39b7e42d6177b65014d1c9f3ce278207

SHA512
7e9065f299fa47cd9a2dd926c3ad6cc6dc0bd5b68128fcfc68ed0e92d833d0ffdaac1f275e9aae6b888d0887fe9111f4a299a35baa504efad2163bebc056d2b2

Download Submit
C:\Windows\SysWOW64\Ifkacb32.exe

Filesize
640KB

MD5
1e1a19b6d3b288f60eefe33cf4c066ef

SHA1
ae6682112d9eca951708e92e930ffdbfd479f6a6

SHA256
60ab40a88dc30c34e9a571ba34d363ffeced959af20770c2497c7af97c06e732

SHA512
3b45cc68878b3391ddf2006e2ed73516424c2000e4132d373788c62defc05f7b1c19555a2dc472292ec75e42c5198208200242cb55684ee9a49eceaf96163c13

Download Submit
C:\Windows\SysWOW64\Ifkacb32.exe

Filesize
576KB

MD5
479840e1e4983580eab5fe887f4c28c2

SHA1
472a1b1731f2a76259d38b5d107ab22bb8dbebbb

SHA256
ed701daad371f640fb7ee370b7c3e2ff00e616edb4d5c319f00a799dfff70efb

SHA512
374df69152df8897ea22099710b556f5c0399eed4159dc9cddc4324e39f16174ff53f266a0f97eaadc7935a4270493669bd85d2b32ace92d7fe7164c8f33417f

Download Submit
C:\Windows\SysWOW64\Jnmlhchd.exe

Filesize
320KB

MD5
466a10811b612473a9c16690879cc04a

SHA1
8e1e0700a6e65db91ed20e567def689d2b4eb611

SHA256
f8fd93ea183e048f017acb3dede03feecd9eee2b9367d72a14d028325acec989

SHA512
74acd2e5c33639578636c7cf1711d69c9c021deb552d8c83d9eae1fce64fc70f3e57641a87f1680b7d78c8d460e83664c49b046b492e8e4fadd01b14e06a4779

Download Submit
C:\Windows\SysWOW64\Jnmlhchd.exe

Filesize
844KB

MD5
22136b22958399b1607e35943a0da385

SHA1
136251a3d199a688f5086c3ac079ece8220645c8

SHA256
c3ad51d3576955164626c7949c8823e7adac9422b8b4492dbb082c63e22e2e03

SHA512
9e3bf2f28f7f8fa6a2bae557dc4e27e67688927a13e2b191b0182509d0111dc131afaff76fd67cf9be2dfbf5b8d0907688f39c438c666a9fe80ad4ab32f2f46e

Download Submit
C:\Windows\SysWOW64\Kaldcb32.exe

Filesize
844KB

MD5
0bdd8290089078bc6719e8f2d5e2b963

SHA1
193ae186455038c7f3b8def4769b3edc6cf990bb

SHA256
7bbcd4ee59f3895b76ab40731e5b73bc1439492781c7746ddec182e69f2f40d7

SHA512
d301f4afb52c99a8d31a5659d764f5c46577b8c2beab1093e10454bae18af8b98b3bebfc7d7dcb5f2fcd250d893099a33f22f5786d48eeca654bdbbcdd3bec8b

Download Submit
C:\Windows\SysWOW64\Kaldcb32.exe

Filesize
256KB

MD5
34a0a178dcb7ef5662cb7b857b282f79

SHA1
a3b7037a3a4712869a070beac91555818be8b6bf

SHA256
0efa222d24b9842f642649a9fbc66cfbfcb75875dc40a66eee43b79ec8a39001

SHA512
f0c6345ec4e7044b23dbd61a0ae78461c5f3e5a523b7df203307915dfb1efb4006afe43d94e9e3f0f2a6b063956fcf605e55c55e550600ce5c09ee6a9e0f0443

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
844KB

MD5
bded90c7f7118ba332ff6991fd65eccb

SHA1
e5432bd617ea00b251056d82fbd47559242df260

SHA256
d9b6df35b9d39bace07406b647a78cb2922524f09649c2bda8b88faf43c8ee65

SHA512
f0aa02b7b01a3361285b9f6add632d07bed9f5f2713bbf91d48fa24e690fbd05fd2509e5fcbad10a22dfd96cfe45f14995bc68500bd12f33c9b69763f86fe79b

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
64KB

MD5
1fe3f16dee125cb301a921b65f015ed0

SHA1
db4df466ab086508de98c6dafb8684cc4a3acf87

SHA256
2444800dd4a56b1d65b1a411c628838868e4d3e0b45559dcd40350d51f510a95

SHA512
53ed67d005778545031ce0d0502c077414d38446191530338045eacefbc6155667095cf60d1e8b6885c9cf312ad966a35b605882a2f5c961f2d61a546d9f2c0d

Download Submit
C:\Windows\SysWOW64\Kgemplap.exe

Filesize
844KB

MD5
a619238f97673b71444cb614683bb559

SHA1
c0a9831ef566152a04ee3b08ad00e451ef834f6e

SHA256
fa64ed953c6f3a8c5b794155c7f0eac83be06cf294ac688880a00a69ea96c20d

SHA512
23ee636ae8c256a0a065a0367e0399283db4ab6b21e7fb391417982f010ead50982e4c5c24afa5ff50431f2c4abd7f764c910da9f08c17b4de938b7cef9391dd

Download Submit
C:\Windows\SysWOW64\Kincipnk.exe

Filesize
844KB

MD5
11224ec75c0262b45ecdf7f200d44440

SHA1
c662fec79ebea0062e5021b61a5d27cff1342956

SHA256
778ff097b982652fc0ba0b838d026f7e7ab4ed39ef318bfa69cb003f025d76a8

SHA512
d240091bed50cf023998a3296c8102fc67ed02e21266a8c92e21e9b6362b2606c37a3533256f996c6760919a22946f2a0f01996ba2b1d0357fbdbb56c6b51a89

Download Submit
C:\Windows\SysWOW64\Kincipnk.exe

Filesize
576KB

MD5
8b8583e0baba63cd5b217739e1236180

SHA1
b3d5b95af9c1f3dfc704a3c5584d5a3e55539b30

SHA256
3e31bcf87aed8c739bd2fc6c9c2f8c4f60c42a2a3c0e3e43abaa3c2cc428ac58

SHA512
93dfd5528ab0b24846ca5d42c1651cc6db268af56bc11545183e8a6bda3f572e69b3d4107952f01a009e0e86bc42a835cc9ab2f44d46d844147e5a51e3afde04

Download Submit
C:\Windows\SysWOW64\Knklagmb.exe

Filesize
844KB

MD5
715779f5f355de8542c77c16129a9c3b

SHA1
d49e7602e9d9c9fc8764d99c927c34d068927457

SHA256
d33939ad39df19d4bbfef5c081e4e289f3f39fc892dfe7c35caef891aff358c4

SHA512
950bac59e738d72a1fbbfb4029dd18a8a368dd001f70fc27bec3664e259c1034a9f82cf626a87fad5421820ec3be3802f500033b69825152f3c8ed89a3427459

Download Submit
C:\Windows\SysWOW64\Knklagmb.exe

Filesize
384KB

MD5
e98000c273b5d89dd387323ca898d457

SHA1
6c5c722cfd3401d42022555f3085eeb3a02ccc37

SHA256
15d57f231906e4dab3c32e2ab6cdbb1e2e4771ffcbb63f33ddc28d5ea9e1291f

SHA512
7ca9ed1ebdde4aeaf7aab9defba965622c426db32bc1f7945949cd702102408a03e89764ee47874f2b28856ca3e0547bc4d8daebfded98b2d74687f478629c70

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
844KB

MD5
b56a32f4a88b5bf451d2a5de8b1d414c

SHA1
76c111f052d6aa8d463a8e7dc0b60ce03e68d5f6

SHA256
05935dbfddc955766fa2b707eee5d2d7c76f77b22ebec7c625a592c3ebfcc53d

SHA512
93ef385aacaa9a14479a722ea72198df4c8bb381a6f7281009394e8ea48ae68f56f262b9188d47172fc727e79d59168638874924e639b3cac107c0e7c9958175

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
768KB

MD5
7d37fc03f04458c1d767937956cf35ed

SHA1
6e46c8458877f83ea1a5dfafab940cb154ffdffd

SHA256
43c2a95e416d9dc9612b3cc3d1778d54e939fe2d917eab8dd8976766fe94ff2b

SHA512
ebadd0e8fe64edc1b3ba4abee1d26aebf31da5369742897bf3418a2f51111259b6c6bbee138aa0f5369c1ec64cd28f641df47548f2470c0d2272b26e7427a57a

Download Submit
C:\Windows\SysWOW64\Kpjhkjde.exe

Filesize
844KB

MD5
5d43b4b5d1bfe19f8f0043664bb52a0e

SHA1
2457021a25493877731bf0b62fcc9ab122a67fcf

SHA256
18b63aae6c80cc26aa089efbb933694b20ba28303d82baccff96aa1afde878bc

SHA512
015f0e4fb474aa82786e1d839e182b05ef38c90340325af04e824d7c28ee14ea304cf603837a79dab8b992e7b2e77eaf6e1e6272e86f9f01ec932f8bcc5ac650

Download Submit
C:\Windows\SysWOW64\Kpjhkjde.exe

Filesize
256KB

MD5
217c21cc86a43be0c856b28671377042

SHA1
28b0855a36158a5acc75b5d470303ba3e4a3864d

SHA256
53715727e203b34611e520ca5982f18fa3ef18c360772cf33f946770328681b8

SHA512
81febef5aed31c35124de7ef371e046751123ef9b0159664ebad11f9bcfa1ebe35173a68fcab52511f02f280d0809f26830342b7f0ad9f670f5aaa9ac3a0a7ef

Download Submit
C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
844KB

MD5
d1ecaf25cdb59bd49f4a24f3d9fc5c37

SHA1
9172e8a6de843c9dedcbd5df93e6ca9c59c2db73

SHA256
2e9a88486a9289ac290fe123f3e86016cc90a9263ad1b140ddade7b0a0c89638

SHA512
ecef16af6fe114dc1ec05a76e0ded66b8deebadd28a28231ee9c04f19290add6e19f8872033b4dd45337b7fef5513450c50fd93aa91c2801c09e53f87ab12433

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
19KB

MD5
4b6097861a28655b1b4eb9a0d8a8ec3a

SHA1
bb2979ac71edf3f8cf122e87f6277b9a3187b633

SHA256
0d97e7b9efdd392af1d6a516819a0877895f64feefd73920d8fec5b8cde4b6ab

SHA512
6e19cf5191824304b24d0252a1a9721ba4edb4cdc4b2c624de8028885fb815f118ba2677f88f6460c5a8ee228023e9b1c8e77a59a54f9601d705cd7de3ad8700

Download Submit
C:\Windows\SysWOW64\Linphc32.exe

Filesize
8KB

MD5
c6636a614379201fa882713ed643fe9d

SHA1
2994405507d6ecdaffadc8f8c248a01f38297b4c

SHA256
84f91f7ba536b6fd062e55fdc87e87a5a8d44cd29df577b33a3191176732d31b

SHA512
13317b71422ad26e6d30f059bfa7362cb6d765a1917f67d17c74800de3bda313d841c106693c1d46e08f5694e54c4c103f38f9eda5693ed45554390660483f8e

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
844KB

MD5
0411ff6b3a1eb46c562b965fda4b4bca

SHA1
6452d7266a1e682989ec93f0a836c66c047c6286

SHA256
9712de023c43a5385992b9985591590cc3085724a2333e3359398b32c13cf826

SHA512
9e9d2c6182ca4a5df744ce98f616815c4a58f43e30b66757aa4a2bc3234ae8bfc37c21726140ae4d7e0a4febb6acac8b054f66c253bf8dca82ceb6efb55f540a

Download Submit
C:\Windows\SysWOW64\Lmebnb32.exe

Filesize
844KB

MD5
4276beaff8863b6a003995fc182ea10c

SHA1
b7151e3b148a68f455ee1df502f7a83768d31b28

SHA256
00f42a478bc9dd072818436f5744cef85b1122230ed6f3bf16b288bcde9f5c2e

SHA512
8a7d4decb35a6ec7c13e7ac903382bed66e6b68157452988864fbc87f57fec8231961624d5ddf70ae3ed517dd19f370ffdd955901c26ccdc98049b56baa409e6

Download Submit
C:\Windows\SysWOW64\Lpekon32.exe

Filesize
844KB

MD5
e8f48a68676992afc0074deaec362bf7

SHA1
0013174a30ecf06b2dd5b71b54d41f11c71e15d1

SHA256
8b3305f35b3459bcec07007d6bed0a167410815cc6605bfcc4afc2af8b66dc50

SHA512
348212dff49f41776d8d761b1ea6c95d7cd7f99a92a78814bc607dd7e95e62a5a620782728aeb98b2570ceb6ed1fe0523941fadb8f2cbec8d32c3d2a951591e2

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
844KB

MD5
85f30c91524d96b4d4fd2c1f870e4517

SHA1
47c3c3fd6531fb9215b8458fd4d8c38a6b2cd36d

SHA256
53098813c524e143486640158f52be19c8a46a1ca87c5f28de53c7fef17e0d6b

SHA512
533dc4e1e3f0e73ea4354a24f75385689df94ef1b23ce6cdc46a2a3ad074addc0069a337c4a3876aac3eed7a1974c5b7a5c7863171e799a99221db41721fca26

Download Submit
C:\Windows\SysWOW64\Mhloponc.exe

Filesize
844KB

MD5
0a3cdc01823869b0d1428e78ffec6d13

SHA1
21a776a80f5b33f6bd5f2d805df25e48ba5f23cc

SHA256
80f3f58f892766d88236ecc2d9fa12804d04ce3651fb8acd63887131bbabfdfd

SHA512
c983297c6b4cb63d76bf5801e059826c41a33af9b68d32daaabc4699920ab987d3be72f540e5d36b4ab6f8f7969e347253b11240b7817da277304707d4dce020

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
844KB

MD5
9e028cde2bc9bf9e6e6426c2d9739e75

SHA1
c2968a08ea4fb9b00eb01d7a02321035066c4096

SHA256
e5968f46041e9f06262eda368b294373c9ea4a8dff899e4bd7b143244b6ca81c

SHA512
85a0a990eac4ec142b80111c0654fa203a09965dd42ae81cdac7968e8e142dc3a1599549c2d4bed51081ee57ef82e5d9858747aa9aa4e65f437522d37df760ec

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
256KB

MD5
2f2451b2d10aab7f1e8bf5d4e7bb2597

SHA1
b11c97fd0d27a3b2a2ad2cde143346b215ae8547

SHA256
b413af79f60043c55044eb65c4dd7e0ad1531e87b5115aa80823d73e62d096ea

SHA512
c2ede4ed6a986e8819b43f000f9717d35a2c11f428fa3501d5b7f5661b153e8b0ddb11c691b63f80617eb2f1913b831bf784dd6a82eb4a1c8b683e87c4f56c60

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
320KB

MD5
770a1a8eb956383fda8b4401b4d306e8

SHA1
d11d92ec3afaf6636aaaa25e7dd7b38544f150a0

SHA256
a189145745f4b81457cbf743d9c44c347058b9f388d6d653a3800d7322b266a4

SHA512
560fa66aa960b03968ceffc4868d4b59a5a70240002ece8493e6cb0fe22467671d9eacc56c9d2f26cbc2b60d6a3c0731534ea8db5de50d59cf42a27ec0466e83

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
844KB

MD5
3389daa39e481989270a915a759136e3

SHA1
83141ff25aae9fe21e1423aecc291ebfb6daedd3

SHA256
4476c42bd6c38cc47173bd49ce35b8f4ede1732ef1b3dcd0afda9d0b393a3e71

SHA512
704233c928a33568c68371e5e21d50f9c07aec91f49d3d5e275b90db66afabc21244c6ca295bafe2cacbb885b15d95180dc7ca750b46a74f15a0ee14c058bfe2

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
844KB

MD5
6c39e63e2a6fb6d7add1c6c4337b5dd8

SHA1
8f968dce82f3571ef37b8c2f8adfc9cac55224e9

SHA256
42780408c2401c5f0d7625fcf14b749ca28b4630aac9d18f43262f4ab7d97762

SHA512
b60698f7b2159c4e2999743c2715b92d5eeba4b4054eb17a49804892f51a5fbfdc7589749c719d71c94b43e6a214054233bf45a2be18bd92add4187f6ab5660f

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
128KB

MD5
2c36e5ba7b4c0ba7fb1bd72987c8acd8

SHA1
c62a174f598f1265fedb16d6e79631f9eed8b986

SHA256
42c128e9bbad3e58e7151d7e5c19d7a0e12f53af86ab782175b03753eee4efd1

SHA512
b8a5c88f70ade92754bac5452ebedb77b4da696055393c7b3f8677e094e52cd721a7e743960d3f118303bf64a09b2d53a5b3364fdc9d28d812c02500fbde9d4e

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
128KB

MD5
020d21cb5c0f20db968762ab62f0cd8e

SHA1
1ec8be40f74f82463c44d923f1237fe6ededdbdd

SHA256
c4f996e586ffbec4e652d99c8ff1dd373e454cbf4afeedad202f8fc6736f711b

SHA512
87fed023769f3d7dd72eb5b55e6ce360662ee749bab4bd0f13dde4bacb556b903b222f3c8d1e8ffa5ca8b62c7b808f422de47957aa0d9ab99fd7f8d82ac1e267

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
844KB

MD5
d56c269d9a04fc506296257b58c7441c

SHA1
e2612d49c27ef57c3af8fbef2e248ac9b9f15a1b

SHA256
609de6bcc410cf51e31c21861172e80cca261616fafaa7fb1432a486afe50b1e

SHA512
7d0518f8244bc09dfcdda14eb9abaa8a57cab6b6ca39709ddbe6cb0c885fe8005609c2002aa6f24af696654bf59530f177f6aaf31886a0866137edb4618b7ddc

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
64KB

MD5
95ce45ea2e9fbf7a658f191458d6c907

SHA1
41e1dba6ac0f9453e57396f863af0c5973cee6fa

SHA256
b18264ce068bc331aab0808cef3bc62fc7a57c478bb78223a002177482fc5b5c

SHA512
5f3ac637d4ffe7cca65bb1fb7b6e2c7e4ac6f4e2e9ed72c7c2ab31b706d3fb35b330f9510853046902e29e0611d46bdb02d3fb3b2544e35e57084a4e866feb08

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
64KB

MD5
1eb9d6886f07e48865869d0c9f9631fe

SHA1
2a2c9e4b8ddab7e3c5156124b3db49ddc8ad700b

SHA256
0fae82a2cdf18fbee9daea5ff603fc58fd308f16f101c5ea4b51d457d597cb4c

SHA512
14591a4a91ce0eb1014948fe4ecae3112339b0898e0f1bdd44f2a9144bec0487ebca86870ec654e774d9bf9ac8f5e40792dd0d2d9f0146f7bd7f55438e49f378

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
128KB

MD5
07a83faeff0f693a77b745920e78c0b6

SHA1
dcbe6093615b7a21b8cfd6fafe8cdd521fda8e25

SHA256
b4b45ba249dd65eb36b30652740ff5b24a2c3e7d84d753d93e0a9119d1190de6

SHA512
3206aa76d2c432d49919255b2c97ef6c4d7dfef891584707fab7708ff4179b4df338448591c77a4f906da1c829b7a80524b7f30c18a303269932ec2d4748dede

Download Submit
\Windows\SysWOW64\Eqijej32.exe

Filesize
844KB

MD5
29c02057c0e2e8d347a17fa9f518b193

SHA1
612202ab6ccda2caf097f1fbf4e36633344f51d4

SHA256
20b9f5c85681b5e8f7147a1487256df28f2ef69dddd5b0ab7d235844cab9604e

SHA512
a5937b9f6d70c968b88009dfc0e31a946208c76d312acb2ca6a5f05648a5c3ba2d6aee6a49c53443c58c5ba146094fc1488d24ddea52dfc2ec006b720c568425

Download Submit
\Windows\SysWOW64\Fpcqaf32.exe

Filesize
844KB

MD5
09df5dd52059fedfa6eb8137df444b99

SHA1
0e6e400ea54bfa79f91ab34c4e0c232236245f1f

SHA256
f4d942106541d3e156cd37318a63013314a48021f01c48e61f3114c10cff2c7a

SHA512
e3ce32d0ce4d613b169d3a53858abf21210159fc8aa3973c5b96bcee8edc165097813d0f2d5b980ba87826bec770f571f75d202895b33518cc59b1ebfe764389

Download Submit
\Windows\SysWOW64\Fpcqaf32.exe

Filesize
591KB

MD5
70c263dd9f51ffcc49a1a63300869d67

SHA1
d9a297b1f2c8583e82b84eb750147341f634e04f

SHA256
fc66d9fb378a2f0cd58966a20188b30048e7657d0249d59a89f48791a0ae4668

SHA512
3aa4a95487fcf678b73c836e205d204671586f370440b21387eb22b86f624f8b832d4e549230a573e63f20137586aec45fffe01cb7cf2cb782fa07a89a39ffc6

Download Submit
\Windows\SysWOW64\Ghcoqh32.exe

Filesize
844KB

MD5
eaceb5badd70d32e28ed27ff5eddbbf9

SHA1
8240af011954a4502786b4760e73246602cb898d

SHA256
50dcda0d28f885810ae156231f7e9fe216f93d76d46aa802efeb9ef06e3829e4

SHA512
5b3dc317547fcf14428c50dac3a1432a30fb6e2d7e0ee42313d1951711c8705fe6c86bb3230527046903c116cd10340e5e5b4b8487e848aa27ed70d01cbbfbe5

Download Submit
\Windows\SysWOW64\Icfofg32.exe

Filesize
844KB

MD5
52092068752a06ba7cce67ff7385844f

SHA1
8fb9615c09b6a5e7c5f4a316da4132df59b777c7

SHA256
e8c44b92d20622b750aaccb603965f58ffce224ddb4440ace42d2804ea466c0b

SHA512
b9e65a3146b051e564506283808b755e0b7841b0c99fe84360defbcfb04fa93bad797e5db90be165d44f83006ce4dc9e8cdf21a3a9bb6732a9f74b9880d8e0f0

Download Submit
\Windows\SysWOW64\Ifkacb32.exe

Filesize
844KB

MD5
6fc60d4b84727fced7eb39d6f0ecbc3c

SHA1
714aef3bb4e22c4299e8a4e9b9f7366c092870c7

SHA256
a3aac2646eeaf15afd8f5c16e7db92fe95073cf693caf2c769a0e8f702d68ef3

SHA512
8f692a207cec53223138dc3f95d57b5f53db2b924211e81bf342e0c1494cbfc26d017f8a1acd95bdd239597dd925c46040697cea5298e2140fd2dd0915c8183d

Download Submit
\Windows\SysWOW64\Ifkacb32.exe

Filesize
768KB

MD5
4dbdc8951224a283d55ec002098e51bf

SHA1
ce2d22b8ea58d648ef78c83c9f55180d45d1fad3

SHA256
cacbc543dadcf8f793aaf5f6e6516f8a272b8bd9f8c4c2f9fb3d3bef66b7dfc5

SHA512
229001718036178638521c832c7f060ba811d7dacbac4cb1af83b9da753a10bb175fe1f9caec9a63d23367e33477a255c3f00d06ae2f2df9876ef597344cd87a

Download Submit
\Windows\SysWOW64\Jnmlhchd.exe

Filesize
384KB

MD5
ec6f6280410847d9346fcf0abcba4fbb

SHA1
f6dfebf6353a9e83e01be21d6f4e6eec1fe3452c

SHA256
b23b5aa629be83104462e495aa61b27a9be54381825b57e14464f1193fde6cbf

SHA512
00c517422f174b0085b4c7aa8cd2656825f07d702951320800a81bf2dc6639eaac37c3df5e78aacfab1fa8c31c5f5343c01e4b5c38c332f664387bbbe95a1bbf

Download Submit
memory/540-399-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/540-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/540-398-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/576-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/576-375-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/576-374-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/612-404-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/612-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/612-405-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/756-365-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/756-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/844-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/844-6-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/924-385-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/924-387-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/924-386-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/960-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/960-369-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/960-368-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/968-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1336-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1336-380-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/1336-381-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/1512-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-401-0x0000000001BB0000-0x0000000001BF3000-memory.dmp

Filesize
268KB

Download
memory/1512-402-0x0000000001BB0000-0x0000000001BF3000-memory.dmp

Filesize
268KB

Download
memory/1552-392-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1552-393-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1552-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-396-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1564-395-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1564-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1744-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1744-383-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1744-384-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1792-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1868-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1868-359-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2008-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-361-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2052-407-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2052-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-377-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2404-378-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2516-89-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2516-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-49-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2656-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-67-0x0000000000490000-0x00000000004D3000-memory.dmp

Filesize
268KB

Download
memory/2732-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-372-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2732-371-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2836-39-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2836-45-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2952-31-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2952-19-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2996-390-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2996-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-389-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/3012-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3012-103-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads