82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc

Analysis

max time kernel
114s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe
Size

128KB
MD5

c0195ded515652860675a8ef0e494378
SHA1

135a476d427711211e74256c899f9efb7063fa1b
SHA256

82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc
SHA512

e04bba3dbcf5d45cd3071b7e8ac68991833eaa79302bba28af574db1f1c22a97e6428a849f8f6834a69e79a1da16eb0fc2a2fa53cd58d23754c3447147c5d2bc
SSDEEP

3072:myCo4k5FR1wwX5JS5DSCopsIm81+jq2832dp5Xp+7+10l:1CcRZJSZSCZj81+jq4peBl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe

Executes dropped EXE 64 IoCs

pid	Process
4924	Jfeopj32.exe
2128	Jeklag32.exe
3752	Jlednamo.exe
1436	Kdnidn32.exe
440	Kmfmmcbo.exe
4388	Kbceejpf.exe
3236	Kmijbcpl.exe
1424	Kedoge32.exe
2104	Kfckahdj.exe
2400	Lmppcbjd.exe
4568	Lbmhlihl.exe
2660	Llemdo32.exe
3704	Lboeaifi.exe
2216	Lpcfkm32.exe
1568	Lgmngglp.exe
5012	Ldanqkki.exe
4424	Lebkhc32.exe
572	Lphoelqn.exe
2120	Mpjlklok.exe
3336	Mchhggno.exe
3068	Mdhdajea.exe
3700	Meiaib32.exe
2440	Mdjagjco.exe
4996	Melnob32.exe
4600	Mgkjhe32.exe
1740	Ndokbi32.exe
3504	Nepgjaeg.exe
4108	Ndaggimg.exe
2528	Nebdoa32.exe
2184	Ncfdie32.exe
3200	Npjebj32.exe
5108	Ncianepl.exe
4956	Npmagine.exe
1696	Njefqo32.exe
3000	Ocnjidkf.exe
3812	Ojgbfocc.exe
4632	Odmgcgbi.exe
4220	Ofnckp32.exe
1244	Odocigqg.exe
3352	Ognpebpj.exe
4520	Onhhamgg.exe
648	Ocdqjceo.exe
1364	Ofeilobp.exe
4152	Pnlaml32.exe
1640	Pcijeb32.exe
3456	Pmannhhj.exe
2280	Pncgmkmj.exe
2468	Pdmpje32.exe
1908	Pfolbmje.exe
692	Pfaigm32.exe
5112	Qmkadgpo.exe
4640	Qgqeappe.exe
212	Qddfkd32.exe
5144	Qgcbgo32.exe
5180	Acjclpcf.exe
5224	Aeiofcji.exe
5264	Afjlnk32.exe
5304	Amddjegd.exe
5352	Aeklkchg.exe
5392	Andqdh32.exe
5432	Aeniabfd.exe
5472	Anfmjhmd.exe
5512	Accfbokl.exe
5552	Bfabnjjp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbceejpf.exe	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Nnbnoffm.dll	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kedoge32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Meiaib32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6016	5172	WerFault.exe	196

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 4924	1892	82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe	92
PID 1892 wrote to memory of 4924	1892	82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe	92
PID 1892 wrote to memory of 4924	1892	82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe	92
PID 4924 wrote to memory of 2128	4924	Jfeopj32.exe	93
PID 4924 wrote to memory of 2128	4924	Jfeopj32.exe	93
PID 4924 wrote to memory of 2128	4924	Jfeopj32.exe	93
PID 2128 wrote to memory of 3752	2128	Jeklag32.exe	94
PID 2128 wrote to memory of 3752	2128	Jeklag32.exe	94
PID 2128 wrote to memory of 3752	2128	Jeklag32.exe	94
PID 3752 wrote to memory of 1436	3752	Jlednamo.exe	95
PID 3752 wrote to memory of 1436	3752	Jlednamo.exe	95
PID 3752 wrote to memory of 1436	3752	Jlednamo.exe	95
PID 1436 wrote to memory of 440	1436	Kdnidn32.exe	96
PID 1436 wrote to memory of 440	1436	Kdnidn32.exe	96
PID 1436 wrote to memory of 440	1436	Kdnidn32.exe	96
PID 440 wrote to memory of 4388	440	Kmfmmcbo.exe	98
PID 440 wrote to memory of 4388	440	Kmfmmcbo.exe	98
PID 440 wrote to memory of 4388	440	Kmfmmcbo.exe	98
PID 4388 wrote to memory of 3236	4388	Kbceejpf.exe	99
PID 4388 wrote to memory of 3236	4388	Kbceejpf.exe	99
PID 4388 wrote to memory of 3236	4388	Kbceejpf.exe	99
PID 3236 wrote to memory of 1424	3236	Kmijbcpl.exe	100
PID 3236 wrote to memory of 1424	3236	Kmijbcpl.exe	100
PID 3236 wrote to memory of 1424	3236	Kmijbcpl.exe	100
PID 1424 wrote to memory of 2104	1424	Kedoge32.exe	101
PID 1424 wrote to memory of 2104	1424	Kedoge32.exe	101
PID 1424 wrote to memory of 2104	1424	Kedoge32.exe	101
PID 2104 wrote to memory of 2400	2104	Kfckahdj.exe	103
PID 2104 wrote to memory of 2400	2104	Kfckahdj.exe	103
PID 2104 wrote to memory of 2400	2104	Kfckahdj.exe	103
PID 2400 wrote to memory of 4568	2400	Lmppcbjd.exe	104
PID 2400 wrote to memory of 4568	2400	Lmppcbjd.exe	104
PID 2400 wrote to memory of 4568	2400	Lmppcbjd.exe	104
PID 4568 wrote to memory of 2660	4568	Lbmhlihl.exe	105
PID 4568 wrote to memory of 2660	4568	Lbmhlihl.exe	105
PID 4568 wrote to memory of 2660	4568	Lbmhlihl.exe	105
PID 2660 wrote to memory of 3704	2660	Llemdo32.exe	106
PID 2660 wrote to memory of 3704	2660	Llemdo32.exe	106
PID 2660 wrote to memory of 3704	2660	Llemdo32.exe	106
PID 3704 wrote to memory of 2216	3704	Lboeaifi.exe	107
PID 3704 wrote to memory of 2216	3704	Lboeaifi.exe	107
PID 3704 wrote to memory of 2216	3704	Lboeaifi.exe	107
PID 2216 wrote to memory of 1568	2216	Lpcfkm32.exe	108
PID 2216 wrote to memory of 1568	2216	Lpcfkm32.exe	108
PID 2216 wrote to memory of 1568	2216	Lpcfkm32.exe	108
PID 1568 wrote to memory of 5012	1568	Lgmngglp.exe	109
PID 1568 wrote to memory of 5012	1568	Lgmngglp.exe	109
PID 1568 wrote to memory of 5012	1568	Lgmngglp.exe	109
PID 5012 wrote to memory of 4424	5012	Ldanqkki.exe	110
PID 5012 wrote to memory of 4424	5012	Ldanqkki.exe	110
PID 5012 wrote to memory of 4424	5012	Ldanqkki.exe	110
PID 4424 wrote to memory of 572	4424	Lebkhc32.exe	111
PID 4424 wrote to memory of 572	4424	Lebkhc32.exe	111
PID 4424 wrote to memory of 572	4424	Lebkhc32.exe	111
PID 572 wrote to memory of 2120	572	Lphoelqn.exe	112
PID 572 wrote to memory of 2120	572	Lphoelqn.exe	112
PID 572 wrote to memory of 2120	572	Lphoelqn.exe	112
PID 2120 wrote to memory of 3336	2120	Mpjlklok.exe	113
PID 2120 wrote to memory of 3336	2120	Mpjlklok.exe	113
PID 2120 wrote to memory of 3336	2120	Mpjlklok.exe	113
PID 3336 wrote to memory of 3068	3336	Mchhggno.exe	114
PID 3336 wrote to memory of 3068	3336	Mchhggno.exe	114
PID 3336 wrote to memory of 3068	3336	Mchhggno.exe	114
PID 3068 wrote to memory of 3700	3068	Mdhdajea.exe	115

C:\Users\Admin\AppData\Local\Temp\82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe
"C:\Users\Admin\AppData\Local\Temp\82799165ed69b0325a821d6568e68f86c744bb0c7b0bc81550774bd60a6f57fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\Jfeopj32.exe
  C:\Windows\system32\Jfeopj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\Jeklag32.exe
    C:\Windows\system32\Jeklag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\Jlednamo.exe
      C:\Windows\system32\Jlednamo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        38⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5352
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5552
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        72⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        73⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        79⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        86⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        87⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        89⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        92⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        100⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 396
        101⤵
        Program crash
        
        PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5172 -ip 5172
1⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4376 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8
1⤵
PID:5216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
128KB

MD5
7ec234ced7a94bdb4ff47b619cbc9859

SHA1
c2606ebc53b3b0091078a4e79e56e3d50875ec78

SHA256
c3d25f7474755c4e14503754b22b5c48113ddd99f870e5acc23d2a41e1606fdf

SHA512
f37f674c672069c4fd767d795f9583991ebe3da58383ced9ec4d76e375bfe9ceb4dd8231566a01be83aa3e73fb2d32dc0b1f6c772c529539dab81542ba7e64e2

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
128KB

MD5
fddb38b2543e8262fffcad4724c7df36

SHA1
936972f441974ed3cbd150257830c5a79c770985

SHA256
ffae469eb9465f66635dd4fd9151b26ac671b69acb76125ea7308fa4fc5ae825

SHA512
fc04545f2e357d3d9a96833262ce45ae5b312ea4ad8495b358ae67a3eae4b793f798726172356629719d8980cb61c888c240cfa849111fde414fc50ef3a92c83

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
128KB

MD5
f6e78c0b93e42318d29d423ada21c4bf

SHA1
74ff514fb0603ccf51f655e05617c384f1f93ba9

SHA256
3ea9fff450bd42fadbbd3e5c8891ebbc049981c70b006776d8c94ed5c38dc6c1

SHA512
2d5339d1ca5b4b300125d490262940bf373261bce59276be0349c8e774954b4d1490e815e2cf0e4d03585bc99815e5cf4ea7ce1a0893886acac6d1789dfdd315

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
128KB

MD5
34d4420c68ea94115754f557b1c5fc25

SHA1
06f2df26412e793d8ff055bfb6dcd8a3968d647f

SHA256
b893137d061135ed5b4da0711e9c1c20df53275f17dec6d6e98cc56f10eb93d1

SHA512
39372f4d9cf9319a4568e3cca48e420ec51295d399136726245e3aa0c009d7e51bab6d7355a6f48e87ff6f5725d2f048e2fcfcd4c30d581d538ddc2d5bfe3415

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
128KB

MD5
ff6c647ea553b5b119a1909c23a680d7

SHA1
edeb0c92dc0d246f326628f4714642956a1dc1d1

SHA256
f9fdcf80c7922df2287c6cd025b85072d4814c93aded1ebfe7c88ec608a5397f

SHA512
377271b67c66e49b76d70b23447a05ebeb128f89bd9c029a3dfefd82f2ef54d7a10af5670f5fd8a0daecbd4e1dd6acef2061fa76739c222856664d34f53afbd5

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
128KB

MD5
cfb53358397eacff07b94c431c28109d

SHA1
b30088e9c3a24f8e733fda0733e7c7ab455d8cb7

SHA256
366f1422bdad1ffbe7d2876a765e940f7bdb8dc8f89bff2fd4a548dc93d05f44

SHA512
b1846d777fd63fd7d9c5df9d021c12c8f7ed4c7f27f7cc6a1ce9a93e7b1c07084a5f8d60b58f7b90602a6a0c773b86e1d3fcce0980f02345e60d2b90a0f4bdb6

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
128KB

MD5
aac2af645b7089525bd2a7da5c61e62a

SHA1
69caf6997705e304abf48f92da7955ba9401e159

SHA256
bf8bc280dc1ce5f1a2f9f482bc8fc3c2cdc029166dcad79a5ba7dee4bb5bcb61

SHA512
eee6c5bb3054e794f473d788bebd9e0465f7d634a4310186c902f94b4e98acb61bd74b76911a8977002d9efb7bb9116c773c47d3d7152d5f3a1be04925d269c0

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
128KB

MD5
8b802bd59a6409e89bae566903cfa6de

SHA1
baf2662aa58ca2524df762b9d97b4f3f5d289b9a

SHA256
8f2b22488bc0095e239be0959694be3e9ef006285d4fec3189bcf52935f0dc0b

SHA512
dd39d74527b7c99982b8d5531ec8cc00c5f08eb82ded908f371c31b0d25edc62211082f4aac1de758d759ebc8ee8b3ad78474ec8898707a6c554e9b8c2d36fba

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
128KB

MD5
72f5c7cd87e3609ca2fb281a9bafdaf6

SHA1
b3700bdc40e95e49a4c8591e5466fff5a6e7ab5e

SHA256
10354fda25e1f8f6c1980595f97f7dba0eb8a0f0afa263267b3a26cf99d201e1

SHA512
7d2a38a7972c9bf7eec84725553ea98b4f7901dd2bbecfcb761aa3574da1745ecb00bca8126ea18c69398a78151cc19858ca4b596cd2625ead9d1232e18fa3ca

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
128KB

MD5
49fc4c35e60a124645bced8106abf965

SHA1
d17703fdb4b7edfde7f7c35d5574001d06818cfb

SHA256
61f7ddc6290cfb0af50d2614699ed7b6499e3bec3b40bbb002f95851114b19de

SHA512
23b06f401e4a6e950c37d4a8ab4e964f7b5b4f5808ce4334fd4265bbfbb0f6ee7393754d255e4d2b8fb52c9615f31d0c01cd69eed744ba498e9a3737e6078c8f

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
128KB

MD5
239096d1f4bdb064f3e1e4203b2534cb

SHA1
37d77494ad8b5d7f874c915bdf8ec69dc0a322ff

SHA256
28920fcc209b62f3554aa606296ee8eba8d20264ecc8c19894b0f1fe25b21b86

SHA512
671a5cc07eec9f3c2fdea098bd01db39f03977645137173623226c58f2a89aa1ee983b40dbcaa06c015221d289bf2428b382c54c0d458b10e99c41bf3cb291e8

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
128KB

MD5
eb87eb327de3e63b27cc6c902960a711

SHA1
1ef31630a1ab16e0b27d98e26ece9d4e6911c991

SHA256
9a7bba84c67bba433a5234d132bfe4ff628916ce6a4887b7486551c1bafbdb38

SHA512
94a7bd3b8116ebf7302ab6bddd3b80c95b074ae68cb0704e603c541de79fd061fac30074c6db81ccba9998bde6242bbc7666081fd7fce21e779310756a96a207

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
128KB

MD5
f0849d63a1c4ba59c655ca7b30533b81

SHA1
42ee2be1e3469563570ad6c1964446c4bea3cef2

SHA256
86627acddaf1dec520b212272812d872ae291db54f80d2c978f3fb7a144ac1d9

SHA512
d1b6d32d2fd9c19c43646254ecc1793df31f5a2f694dfeea851ea8417ee8f3fceed5e5c41f042345f888ad08b6a5e3317abe17554fa2ecf3fb690cdac482e238

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
128KB

MD5
ba9cc6326aff9fc18b2370fda2ab7c6e

SHA1
4afc58c3a34b78250c88d885b0795ed2fb1773b2

SHA256
c21a75b536a8b1387ba2e52826ffdba96db5261fc21c98563e6b7f2cf864a2ca

SHA512
90777a05cff9c98071644106d0d36daec59abb33454f95a3943150dff8270600d0b305aecbe2e8f8d637280ad50f9cce3139f90960e364ec13bcb6e16a5dc768

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
128KB

MD5
dd9948ddbdc6c42c8b2b27bd5cd8ff70

SHA1
a32bd5e07b01d3c680985e954e0981db8397a150

SHA256
e236daa8732f225c38121fe65bc59baec7976f3ef791ae9f3df43a1442af346b

SHA512
73032e7e9cb967f8821f4ff4cd4ca94b7bfa20fb42ba4030b9523c1bb4cef87eadc51770acf0ff86aaf38d9f6bc5ea7617ad644d5861f7f53a1f0b63bf3c33f4

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
128KB

MD5
c34c9fd1116b8c73eddb50188db3f656

SHA1
ad615080ed56883c8fb404c65e21bc0b8b0408ad

SHA256
719492983aab0b593b227c54fad2b91069c47029c28c40b4867f8c9f5e0f7e05

SHA512
e3218b4573de266ec827f95cfbbc51026508b4c016afef5513213aad06191d427141b393f248aa23b614982930b1589ed30a91ac367b3866b9a32b3a2c04caad

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
128KB

MD5
ca4993b31335ddc3c43c2cd4002defc7

SHA1
de40042d11456aff536a01e8f59f572dd54cc1fd

SHA256
7d7fc33760296c32560e73fc40910728d931dbbee24b96ffa78d09917d5fd05f

SHA512
b2e70f4dd3d8efa84341d941dff7cc199df0608d941bfa6a439d9fa0237d3f672275572282d6db10fa1eec7fbc0df197eb3bbf13470aecb347ee12395e1d94fd

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
128KB

MD5
67ef1b0ec41e2487ba6bd1f6372abde2

SHA1
781cc186ba6adc825e63b520009dddad0e5aec49

SHA256
8e3d893719aa497375fc67c712b51b34b9de165ba581c9ab8dbfa21c06fa4745

SHA512
ef63f5cf3920e25aa38df89158d2175a6a7c83382dc1285bb862abc1b9c9cee75dbf8367d28dfe11b3fee97a2f513a31b4d493ac9c46aeba9de93e05e275dbb2

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
128KB

MD5
347b3c1f6841b9987a071ff1229cf697

SHA1
b023c565ac70fcd788c4708f7554f8b528526ece

SHA256
e4069e6ae6b9314a284069e83ee11ea0c2a17c8e326f9163356cf393274cfc22

SHA512
fae00fb44a2eff32674605fedb4084dccf40100b0fc9997bd210835f0e4f88229a6e8494bdbe24721b1054b5043960757b97bb2da5efe7549d931a88fd3bdd9c

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
128KB

MD5
9983a95ce5e7d79062bd497d5547fe71

SHA1
4a60dbd67284733fe311df9cb593a4aa140a2a60

SHA256
958356d3840a2dd9c7459ef6ed1af4c33b13687ecc90c4faebce661f184df2ae

SHA512
f1a461837df0f129422918cd6175a53fa6269bc31469c5934540a9ecb1b2cd155a8656429df60f329327f44818056ecc2ad1e9a4729b9f3e73791e4a0ed1a1f7

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
128KB

MD5
12208b54ab01caa499cd908de548fa5d

SHA1
a7066ac8d67101237268d1e9c44459d8e6df9d79

SHA256
7ee4d8bfde876cc5b1f501b9ebd55789ded10669ef8e3efff08e55ed8f9eaa30

SHA512
5aa498bb2a5978b4a564fb4e6814a6d156b1185a929144f30e92e92788cfc52baa6c8548c7343a3b43623c7874cd0e96dc01bcae5e5e8df8f8e73f064eb14a9f

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
128KB

MD5
c6979c7ee9fcc190477e9fa622644181

SHA1
e9cf4c8f834e542af36524289a547e2b6028e16e

SHA256
e059069cf51ee009ece08806f28e885e2c9f79519d66a18f876d35a75701f20e

SHA512
ed8178956dd4684b687825b0f84e205316908416907767aeff5e7cfdfc0d3c4db3a8975c35989919767e8e3835c1e20dfeff390f750fb25734b7d575cb7a5b02

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
128KB

MD5
5fae62bc68b9fdc56bffbfcc7cd04fab

SHA1
517c5c3886f0d96cb737adc90ac921f9eb2402bc

SHA256
4fcdf56426198c365a89c7c7a6edfb1a8d41981963018f37c5904586bd503679

SHA512
425579f25fcb4c34c3f276f2a7cfae0864a8a1da6b75945c13dd409750dae27c45cfb9f6403723dd777f346970ca1624249f8e5e5497c3c04ac72327192b7ffe

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
128KB

MD5
4dd1f4a33ea2f51b9f0a9fa0f2bd8b7d

SHA1
05e7f7fa23dfa4972c1b2e6c442cda5de77f3976

SHA256
25510a6c054aa75966964851b5c0982e5a7505c8303a4995242be02e8a2a9a72

SHA512
d6016f8ae4e1d18569573d1d2f09425a73f940784953f201f37ea21c0948a0f7b8ffcca2893f25e4fea6ccb712c6ea4369d0a1653e08ce77613d40b7481f9443

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
128KB

MD5
61bcc2764dcd49073b31b3c2c4235cfc

SHA1
694bcfb801c53885c0a6aee2af33bb9187c95294

SHA256
9d32591b0746e8d45cafa042cf42e8f71d75e86ecad5c6e44b631b6ec7430691

SHA512
00026b71c29c90de95d367b58a0a947d8dd367afcc3aeffabe415e570b8f10bfca78479e17b73bdc2275912468c846c1a82453b999f383bbc727d831ebfc1fbb

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
128KB

MD5
3ac7b55ac1db73936298934c2accb57f

SHA1
cd57f87f43fad880fe22922dfe96dc22a0408fd9

SHA256
09997c51248992ed2cf718dbe4afc2f2a8f55a391ecd92240d73c993563f6161

SHA512
50a430125a65ee6300b1826e3b1af1a3168109f8c91b3e386083463052c50fd6512604318fa28eb9f58823fd76eddd5dac9d5964f5be41c71f4c0f95d2c3724c

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
128KB

MD5
64ec01dfd61875676b72cb7ab9cd4cc0

SHA1
e80860d72215951f900e84696cd40e45ca1e383d

SHA256
9f001f0c678202f1971691a894fe3d2ec9b834c3205153c1bc7751fec7773d47

SHA512
5da1efaac48847240ab5dae2496319d4b09eb2930da4a3406fccc897b8f70fedaf4de76879658e7ab5455c113989d9c0fbcb60e8087305f8041c0e3dda884c56

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
1877f4c7eea4cb8fe3f46db416f1f548

SHA1
b1b3de232f96699e3d1d7138310660253eaae6ed

SHA256
f63127403b6f3d058aa9830001c71c784109e010bb1d4215c576625e49b8e7e1

SHA512
d4ed4c30ff46c22666cd78443ff58e04557e18af352e0a1c4466d41d0c2b0d0f678d597314746e0c964439b88fd5edbd02e096a015b4839c112f2dcc7b92e43a

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
128KB

MD5
088650e65b24d639f3e19757c8a4115c

SHA1
e661faf1ae04ae14104f22a22f5da6e6e9333728

SHA256
4985fe9f2f259d6baf1a144991411419425685408097949cbffe721d031ecefa

SHA512
64b3f52b76161b80b09c12066e31645cd77309966f486a9bedfe846a451c72c308c536e93c791742420f454c6743463955c90b2561d8c3eb4d0c25391752acff

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
128KB

MD5
c6f0caaed1368c4418009132be8b5f16

SHA1
c5c060da4d99d6a2253de26293cc9a6a07b4d0cd

SHA256
25e0629fb5169bd1afa6f5de8f5e0532809274e63e60cff4006ce13fc56068cd

SHA512
9881f9a56ada469bb40493384bc3973fafd749aff42afd5c71f6dd7e596673012d0a49ccf3c1dcdedeff6f0d59ec6f5c77041e56778b9c5a4605587c320ec8a7

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
128KB

MD5
d4732d4b60acf4f37f1e10d12636ee58

SHA1
f520e67d715e280df3f7f47dfe526752b1b28978

SHA256
92cd63077d815e32d527ba55cc8fe44785cd3523898077751f2873e51c6a2d0f

SHA512
d20c2f51109cf928d47125103746d3b0e3b6b0a727d28c303c21c63c154ab0bfe4fccf8f0688454921e521dc4d3e2172a78d7fee0b9fd4860ef7beddd6863077

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
128KB

MD5
352d25071222520e626540b58d915880

SHA1
3228a087a953a0ac0c8ec7aa83650fea4bd28d16

SHA256
580d50010c3f0a92e3d0a2f0111bd2ff591c436d4321d85b39acfa8b974f7219

SHA512
068431ee64243a7084d47fc8d7ff28d04e68d3a90cff84c3a70c8ee8c0087db5aa537d0eae0186e08d9bbcd53d1bbdc337d7c13652f8bd748ecca71897620d8f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
128KB

MD5
e5748f6907770415fd245ee47b66dc27

SHA1
4a6e8fbb263a34c75c2cc550930faa99f9b10ca5

SHA256
5a97bb3005f2a17b6f6a7060427996f3a2ff49e0c07adf1d372e19c1c53382c6

SHA512
c76ce8a1a9028b7ffb91c292c24e6896f9caca5c8a5cda3c072b66c0e8f3b2f2f39314102342bf3802d8707320f4b5348b6274e91c691b659099177b4fc753e3

Download Submit
memory/212-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/572-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/648-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/692-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1244-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1364-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-86-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3352-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3456-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3704-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3812-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-379-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5144-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5180-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5224-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5264-409-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5304-415-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5352-421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5392-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5432-433-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads