9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe
Size

669KB
MD5

07a1e176587c4908c32f25b22d9b9926
SHA1

e1f01ea01d2087e95f8d6ad3a75b95a883c7a2da
SHA256

9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996
SHA512

ea95efdb67afcf9baf1bab84831103a22f1594becb0df3535ff6797758a3ce2e45594d9b6c0541ee5bfb0c189b5665810b4ba5e6deff9cd16c3234ab50a83337
SSDEEP

12288:8FVeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:8CchMpQnqrdX72LbY6x46uR/qYglMi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofjfhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qlkdkd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aefeijle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpdbloof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflomnkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplifb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qabcjgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apimacnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aplifb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnopfoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aefeijle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anafhopc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lajhofao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkclhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdnkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njlockkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflomnkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogefd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbcpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfokbnip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpdbloof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnopfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajhofao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdnkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njlockkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pamiog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anafhopc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpfkqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjfhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pamiog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfokbnip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apimacnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbcpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qabcjgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlkdkd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidnohbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogefd32.exe

Executes dropped EXE 37 IoCs

pid	Process
2208	Lpdbloof.exe
2968	Lajhofao.exe
2672	Mkclhl32.exe
2704	Mpdnkb32.exe
2648	Mpfkqb32.exe
2744	Njlockkm.exe
1988	Ndbcpd32.exe
2388	Ofjfhk32.exe
2384	Pamiog32.exe
1392	Pflomnkb.exe
592	Qabcjgkh.exe
1040	Qfokbnip.exe
1480	Qlkdkd32.exe
800	Qedhdjnh.exe
2652	Apimacnn.exe
2332	Aefeijle.exe
2104	Aplifb32.exe
528	Aidnohbk.exe
1516	Anafhopc.exe
396	Adnopfoj.exe
2348	Cnaocmmi.exe
700	Dfoqmo32.exe
956	Dogefd32.exe
3016	Dhpiojfb.exe
960	Dkqbaecc.exe
1412	Dfffnn32.exe
1548	Dookgcij.exe
1340	Eqpgol32.exe
1508	Ejhlgaeh.exe
112	Ecqqpgli.exe
1604	Emieil32.exe
2404	Efaibbij.exe
2700	Eqgnokip.exe
2452	Efcfga32.exe
2824	Eqijej32.exe
2560	Ebjglbml.exe
2712	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2256	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe
2256	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe
2208	Lpdbloof.exe
2208	Lpdbloof.exe
2968	Lajhofao.exe
2968	Lajhofao.exe
2672	Mkclhl32.exe
2672	Mkclhl32.exe
2704	Mpdnkb32.exe
2704	Mpdnkb32.exe
2648	Mpfkqb32.exe
2648	Mpfkqb32.exe
2744	Njlockkm.exe
2744	Njlockkm.exe
1988	Ndbcpd32.exe
1988	Ndbcpd32.exe
2388	Ofjfhk32.exe
2388	Ofjfhk32.exe
2384	Pamiog32.exe
2384	Pamiog32.exe
1392	Pflomnkb.exe
1392	Pflomnkb.exe
592	Qabcjgkh.exe
592	Qabcjgkh.exe
1040	Qfokbnip.exe
1040	Qfokbnip.exe
1480	Qlkdkd32.exe
1480	Qlkdkd32.exe
800	Qedhdjnh.exe
800	Qedhdjnh.exe
2652	Apimacnn.exe
2652	Apimacnn.exe
2332	Aefeijle.exe
2332	Aefeijle.exe
2104	Aplifb32.exe
2104	Aplifb32.exe
528	Aidnohbk.exe
528	Aidnohbk.exe
1516	Anafhopc.exe
1516	Anafhopc.exe
396	Adnopfoj.exe
396	Adnopfoj.exe
2348	Cnaocmmi.exe
2348	Cnaocmmi.exe
700	Dfoqmo32.exe
700	Dfoqmo32.exe
956	Dogefd32.exe
956	Dogefd32.exe
3016	Dhpiojfb.exe
3016	Dhpiojfb.exe
960	Dkqbaecc.exe
960	Dkqbaecc.exe
1412	Dfffnn32.exe
1412	Dfffnn32.exe
1548	Dookgcij.exe
1548	Dookgcij.exe
1340	Eqpgol32.exe
1340	Eqpgol32.exe
1508	Ejhlgaeh.exe
1508	Ejhlgaeh.exe
112	Ecqqpgli.exe
112	Ecqqpgli.exe
1604	Emieil32.exe
1604	Emieil32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qlkdkd32.exe	Qfokbnip.exe
File created	C:\Windows\SysWOW64\Kkgklabn.dll	Qlkdkd32.exe
File created	C:\Windows\SysWOW64\Adnopfoj.exe	Anafhopc.exe
File created	C:\Windows\SysWOW64\Mpdnkb32.exe	Mkclhl32.exe
File created	C:\Windows\SysWOW64\Ofbjgh32.dll	Mpdnkb32.exe
File created	C:\Windows\SysWOW64\Hojgbclk.dll	Aefeijle.exe
File created	C:\Windows\SysWOW64\Ckgkkllh.dll	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Lajhofao.exe	Lpdbloof.exe
File created	C:\Windows\SysWOW64\Ofjfhk32.exe	Ndbcpd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Ecqqpgli.exe	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Aefeijle.exe	Apimacnn.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Cnaocmmi.exe
File opened for modification	C:\Windows\SysWOW64\Dhpiojfb.exe	Dogefd32.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Dfffnn32.exe
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Dmkmmi32.dll	Eqijej32.exe
File created	C:\Windows\SysWOW64\Ionkallc.dll	Ndbcpd32.exe
File opened for modification	C:\Windows\SysWOW64\Pamiog32.exe	Ofjfhk32.exe
File created	C:\Windows\SysWOW64\Gjchig32.dll	Aidnohbk.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Eqijej32.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Qedhdjnh.exe	Qlkdkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aplifb32.exe	Aefeijle.exe
File created	C:\Windows\SysWOW64\Dkqbaecc.exe	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	Emieil32.exe
File created	C:\Windows\SysWOW64\Dogefd32.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Dfffnn32.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Dhhlgc32.dll	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Oceaboqg.dll	Mpfkqb32.exe
File created	C:\Windows\SysWOW64\Anafhopc.exe	Aidnohbk.exe
File created	C:\Windows\SysWOW64\Eaklqfem.dll	Dogefd32.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Apimacnn.exe	Qedhdjnh.exe
File created	C:\Windows\SysWOW64\Efkdgmla.dll	Aplifb32.exe
File created	C:\Windows\SysWOW64\Lklohbmo.dll	Adnopfoj.exe
File created	C:\Windows\SysWOW64\Abjlmo32.dll	Qedhdjnh.exe
File created	C:\Windows\SysWOW64\Jchafg32.dll	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Emieil32.exe	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Efaibbij.exe	Emieil32.exe
File opened for modification	C:\Windows\SysWOW64\Mkclhl32.exe	Lajhofao.exe
File created	C:\Windows\SysWOW64\Kjmbgl32.dll	Njlockkm.exe
File created	C:\Windows\SysWOW64\Ecfhengk.dll	Pamiog32.exe
File created	C:\Windows\SysWOW64\Apimacnn.exe	Qedhdjnh.exe
File created	C:\Windows\SysWOW64\Ebjglbml.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Hgeegb32.dll	Lajhofao.exe
File created	C:\Windows\SysWOW64\Mnjdbp32.dll	Qabcjgkh.exe
File created	C:\Windows\SysWOW64\Mpioaoic.dll	Qfokbnip.exe
File created	C:\Windows\SysWOW64\Eqpgol32.exe	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Mkclhl32.exe	Lajhofao.exe
File created	C:\Windows\SysWOW64\Qlkdkd32.exe	Qfokbnip.exe
File created	C:\Windows\SysWOW64\Hhijaf32.dll	Dookgcij.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Adnopfoj.exe	Anafhopc.exe
File created	C:\Windows\SysWOW64\Focnmm32.dll	Dkqbaecc.exe
File opened for modification	C:\Windows\SysWOW64\Dookgcij.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Klmkof32.dll	Efcfga32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Pflomnkb.exe	Pamiog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	2712	WerFault.exe	64

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmbgl32.dll"	Njlockkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amaipodm.dll"	Pflomnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfokbnip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adnopfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emieil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnopfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oceaboqg.dll"	Mpfkqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll"	Aefeijle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkdgmla.dll"	Aplifb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anafhopc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdnkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgklabn.dll"	Qlkdkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpfkqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofjfhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apimacnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfhengk.dll"	Pamiog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll"	Mpdnkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aplifb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aidnohbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnnqb32.dll"	Ofjfhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lajhofao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll"	Anafhopc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkdneid.dll"	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeegb32.dll"	Lajhofao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjdbp32.dll"	Qabcjgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll"	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll"	Aidnohbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpdbloof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qlkdkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkclhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njlockkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aefeijle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pflomnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflomnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qabcjgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emieil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aidnohbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogefd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2208	2256	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe	28
PID 2256 wrote to memory of 2208	2256	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe	28
PID 2256 wrote to memory of 2208	2256	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe	28
PID 2256 wrote to memory of 2208	2256	9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe	28
PID 2208 wrote to memory of 2968	2208	Lpdbloof.exe	29
PID 2208 wrote to memory of 2968	2208	Lpdbloof.exe	29
PID 2208 wrote to memory of 2968	2208	Lpdbloof.exe	29
PID 2208 wrote to memory of 2968	2208	Lpdbloof.exe	29
PID 2968 wrote to memory of 2672	2968	Lajhofao.exe	30
PID 2968 wrote to memory of 2672	2968	Lajhofao.exe	30
PID 2968 wrote to memory of 2672	2968	Lajhofao.exe	30
PID 2968 wrote to memory of 2672	2968	Lajhofao.exe	30
PID 2672 wrote to memory of 2704	2672	Mkclhl32.exe	31
PID 2672 wrote to memory of 2704	2672	Mkclhl32.exe	31
PID 2672 wrote to memory of 2704	2672	Mkclhl32.exe	31
PID 2672 wrote to memory of 2704	2672	Mkclhl32.exe	31
PID 2704 wrote to memory of 2648	2704	Mpdnkb32.exe	32
PID 2704 wrote to memory of 2648	2704	Mpdnkb32.exe	32
PID 2704 wrote to memory of 2648	2704	Mpdnkb32.exe	32
PID 2704 wrote to memory of 2648	2704	Mpdnkb32.exe	32
PID 2648 wrote to memory of 2744	2648	Mpfkqb32.exe	33
PID 2648 wrote to memory of 2744	2648	Mpfkqb32.exe	33
PID 2648 wrote to memory of 2744	2648	Mpfkqb32.exe	33
PID 2648 wrote to memory of 2744	2648	Mpfkqb32.exe	33
PID 2744 wrote to memory of 1988	2744	Njlockkm.exe	34
PID 2744 wrote to memory of 1988	2744	Njlockkm.exe	34
PID 2744 wrote to memory of 1988	2744	Njlockkm.exe	34
PID 2744 wrote to memory of 1988	2744	Njlockkm.exe	34
PID 1988 wrote to memory of 2388	1988	Ndbcpd32.exe	35
PID 1988 wrote to memory of 2388	1988	Ndbcpd32.exe	35
PID 1988 wrote to memory of 2388	1988	Ndbcpd32.exe	35
PID 1988 wrote to memory of 2388	1988	Ndbcpd32.exe	35
PID 2388 wrote to memory of 2384	2388	Ofjfhk32.exe	36
PID 2388 wrote to memory of 2384	2388	Ofjfhk32.exe	36
PID 2388 wrote to memory of 2384	2388	Ofjfhk32.exe	36
PID 2388 wrote to memory of 2384	2388	Ofjfhk32.exe	36
PID 2384 wrote to memory of 1392	2384	Pamiog32.exe	37
PID 2384 wrote to memory of 1392	2384	Pamiog32.exe	37
PID 2384 wrote to memory of 1392	2384	Pamiog32.exe	37
PID 2384 wrote to memory of 1392	2384	Pamiog32.exe	37
PID 1392 wrote to memory of 592	1392	Pflomnkb.exe	38
PID 1392 wrote to memory of 592	1392	Pflomnkb.exe	38
PID 1392 wrote to memory of 592	1392	Pflomnkb.exe	38
PID 1392 wrote to memory of 592	1392	Pflomnkb.exe	38
PID 592 wrote to memory of 1040	592	Qabcjgkh.exe	39
PID 592 wrote to memory of 1040	592	Qabcjgkh.exe	39
PID 592 wrote to memory of 1040	592	Qabcjgkh.exe	39
PID 592 wrote to memory of 1040	592	Qabcjgkh.exe	39
PID 1040 wrote to memory of 1480	1040	Qfokbnip.exe	40
PID 1040 wrote to memory of 1480	1040	Qfokbnip.exe	40
PID 1040 wrote to memory of 1480	1040	Qfokbnip.exe	40
PID 1040 wrote to memory of 1480	1040	Qfokbnip.exe	40
PID 1480 wrote to memory of 800	1480	Qlkdkd32.exe	41
PID 1480 wrote to memory of 800	1480	Qlkdkd32.exe	41
PID 1480 wrote to memory of 800	1480	Qlkdkd32.exe	41
PID 1480 wrote to memory of 800	1480	Qlkdkd32.exe	41
PID 800 wrote to memory of 2652	800	Qedhdjnh.exe	42
PID 800 wrote to memory of 2652	800	Qedhdjnh.exe	42
PID 800 wrote to memory of 2652	800	Qedhdjnh.exe	42
PID 800 wrote to memory of 2652	800	Qedhdjnh.exe	42
PID 2652 wrote to memory of 2332	2652	Apimacnn.exe	43
PID 2652 wrote to memory of 2332	2652	Apimacnn.exe	43
PID 2652 wrote to memory of 2332	2652	Apimacnn.exe	43
PID 2652 wrote to memory of 2332	2652	Apimacnn.exe	43

C:\Users\Admin\AppData\Local\Temp\9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe
"C:\Users\Admin\AppData\Local\Temp\9ec577e720fba12e3db33616ae6d0682e4d5a914526752ec2cc7d5823d2cc996.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\Lpdbloof.exe
  C:\Windows\system32\Lpdbloof.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\Lajhofao.exe
    C:\Windows\system32\Lajhofao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Mkclhl32.exe
      C:\Windows\system32\Mkclhl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\Mpdnkb32.exe
        
        C:\Windows\system32\Mpdnkb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Mpfkqb32.exe
        
        C:\Windows\system32\Mpfkqb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Njlockkm.exe
        
        C:\Windows\system32\Njlockkm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Ndbcpd32.exe
        
        C:\Windows\system32\Ndbcpd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ofjfhk32.exe
        
        C:\Windows\system32\Ofjfhk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Pamiog32.exe
        
        C:\Windows\system32\Pamiog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Pflomnkb.exe
        
        C:\Windows\system32\Pflomnkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Qabcjgkh.exe
        
        C:\Windows\system32\Qabcjgkh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Qfokbnip.exe
        
        C:\Windows\system32\Qfokbnip.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Qlkdkd32.exe
        
        C:\Windows\system32\Qlkdkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Qedhdjnh.exe
        
        C:\Windows\system32\Qedhdjnh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Apimacnn.exe
        
        C:\Windows\system32\Apimacnn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Aefeijle.exe
        
        C:\Windows\system32\Aefeijle.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Aplifb32.exe
        
        C:\Windows\system32\Aplifb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Aidnohbk.exe
        
        C:\Windows\system32\Aidnohbk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Anafhopc.exe
        
        C:\Windows\system32\Anafhopc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Adnopfoj.exe
        
        C:\Windows\system32\Adnopfoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Cnaocmmi.exe
        
        C:\Windows\system32\Cnaocmmi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Dogefd32.exe
        
        C:\Windows\system32\Dogefd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Dhpiojfb.exe
        
        C:\Windows\system32\Dhpiojfb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Dfffnn32.exe
        
        C:\Windows\system32\Dfffnn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Ejhlgaeh.exe
        
        C:\Windows\system32\Ejhlgaeh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        38⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 140
        39⤵
        Program crash
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnopfoj.exe

Filesize
669KB

MD5
5467bd03717f299d023a2e81aebadb98

SHA1
9472ca05dcbf1590fed3a1f74a4e9361d6b9a27d

SHA256
a3e432997ea9d26e5bb9d897454070e8469dcdad0834c6cc019e9d11460f642b

SHA512
7060b4116a03921165526ae9130fbaf925872897e08404d32ec49351a2d736254e63e5397ec0bd234e418c4f480f244fe02a3b4a88d7425a2c0d73f23f28d828

Download Submit
C:\Windows\SysWOW64\Aefeijle.exe

Filesize
669KB

MD5
69f95779094ecc42ca4d25aba0e65356

SHA1
ab932db6599fa5be056587620ef8d830f3b29526

SHA256
edc2e49a30005e71735b8781937c0426b9111eaaeb18866e62ca89a63333dbdb

SHA512
6fe7f462c534e3c8893d157baf1ce35c2ca1b895140e1e742cfc291336d46b949d817def68c179ebc2b0328adc50f2d71ee3f41b2bacb4d39f6f7c0d95d77fd3

Download Submit
C:\Windows\SysWOW64\Aidnohbk.exe

Filesize
669KB

MD5
7e717d7ae44ba15aad14637dd5c403a9

SHA1
fd1dd482f937ea83b76ef7ce1401a05411d2254d

SHA256
48d59d5d652776c4a6a403b13249b8a48efd22fbc81b55e84b5e0b881509c104

SHA512
5487f4e6df383b9908325693ab00ea5adbbf8ddcc23d0e78e6dc634efbefadc0582cc43290dde2198ee5620ec14067fc91ae8a9feb49e7b9b18a1913d65ee602

Download Submit
C:\Windows\SysWOW64\Anafhopc.exe

Filesize
669KB

MD5
536b4d6bf09e5c7d7d2670b746b3f5f8

SHA1
8d27842c22f85f1930b6b48e3a5185fe9d469218

SHA256
6462e30e5db73ccfc1e0d28bc9136128b5e7cdb2fb677aa5e807cd52c395291c

SHA512
4f235d7ebe89b92e656892ed86194f49f3ee391e18194539d463425bdb4bd22d73b0f5089fe69e16500d0ff3c59de99e31b047e155b45fc8993d077934516867

Download Submit
C:\Windows\SysWOW64\Apimacnn.exe

Filesize
669KB

MD5
4c1f240b2a0a7179f77b7b79c077062f

SHA1
857622c1bfa89a6bf54eb9513e7274da19c87eb7

SHA256
bfc9ca7df6476cafdb4c627f67ceef20e8d77ab315c6292c10b6ed22b12e6d43

SHA512
a01d762effc432a2a4ed5a7e6178ae828620b432dd6d667155db10b789c352da0a9980545aed55dfa9b5fc20567d116ddd159039fb2256c6943e4fb44bffd75b

Download Submit
C:\Windows\SysWOW64\Aplifb32.exe

Filesize
669KB

MD5
d11a178b7bd41b8eb19a9a2f20323bc7

SHA1
e064e7f665f0271a009df3f8f4ad085a752be5ba

SHA256
8927cbc601b4e66a139a645b049c43c48d7665a11c42c74fc41bbaf28e0bfab0

SHA512
34986300b1e76336453ce0184a622e894b6a0c2839688435c57956b8675441507da74893b25eb3d801eaecb20bfec010f6f6a086aa82c6ebb9ade6689c246e12

Download Submit
C:\Windows\SysWOW64\Cnaocmmi.exe

Filesize
669KB

MD5
6d89f362f307875be1b824c14406b3d1

SHA1
328a70659b17ce4028aa5e1f3945211fe935fa74

SHA256
1d1dbe69c28e90d1189203d93f230e449bccbe95d681f4077ac05a5ea6576edd

SHA512
9b894dfa9f826db7fc34e0a2795b6a611f293eb385110bffb8081688a3b9a47466150312038cf61c5cd961e4a852e16d77f8235d89abc894ea529a9cf01dee9f

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
669KB

MD5
0bcddaf25248f6f7101d95631dc08896

SHA1
822cc71b70fb50fd52cef1d75f9a5d6b9efb121e

SHA256
7ee1bba0841d48026f8381de27f57af1d04c9703ccd9ff86c0ecc5743c5986f3

SHA512
e83becc1db277fee0c021c05e25fdcb8a8ecaa04a4ed76c38700e45971faca1af4e247f5de7d0275d1306959edc40901a773943ab240bde6dc2d46cb551dde7a

Download Submit
C:\Windows\SysWOW64\Dfoqmo32.exe

Filesize
669KB

MD5
015fb60dac90c5b7b477733d4293eeaf

SHA1
8bc8212475171c51d9665f07d90173809b9a2386

SHA256
65dd3b3154a860a3cc502313a526160bc946b67bdc5b0fb24203ba04268400f5

SHA512
b3c2759571b9029f3d2a30b8943433cd7313937fc8a1efe90ccce5d511bcd545d62aadce9c0f76c72c24f121e2f3f709ddb3243700a8e64c980948e4a319bf9f

Download Submit
C:\Windows\SysWOW64\Dhpiojfb.exe

Filesize
669KB

MD5
fd5c95c303cd35596e391acc32b933dc

SHA1
258de451e6a795db8cc44142c50bb9d1c627b090

SHA256
b68ba0e3343162d85ae310826c72b0a144f2c2a226582c7045ac516e4f2bc758

SHA512
799389a3778b447b6578675191c64a1a70c3fcdc84a5fd990b4c2187f44bc2ab234f558952bfd06398a7a8982aabf61c3a74c7a50fd2cf13a459d64bf71e3926

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
669KB

MD5
f04518b9400f23ade08c88bd9644fc58

SHA1
7f32c994e07b42c0924460bfab845d3f359ca97b

SHA256
117f70f53343ddc4dba28f5f536ae9d63dae110105a4888000e976f085407f9f

SHA512
5cb53a627ff957556404a652b04787a0324ea9608ce5d22e7c81b3e76490ebadee8c32827b2fb5199158bc8ddb038992538559339b85241c27021e6cf14935de

Download Submit
C:\Windows\SysWOW64\Dogefd32.exe

Filesize
669KB

MD5
6217945ecf70b11833339247362ab053

SHA1
946fa314411ca50a1d9d8a161ac32e48ad40d8f0

SHA256
8b9dd4584b06322ef7612bf4f958e8a87278a71f0ba7d0258e9db3177d810b4d

SHA512
618ba2b1b085449f61d90dcc4cfc2f4c47971d6d454f058a54599bfde8aca6e9e59e2b7adc46419cc5fdfc25e4e730f4d3b80ece2468f310d19e1270903176b3

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
669KB

MD5
4969ac70d840356c5ec8d89f4de1fc19

SHA1
3e94f90c8085c0d807ca8ea55b8f7a058b2b9349

SHA256
7cf8a28a9c90378b308a59906915903119eb3bfbf3b2b3f6ab35cc5dd23a4764

SHA512
078c49514cd6a427425256e454bb522a3035111cbbeb136c8c4b616d30935489e9add8f44932a589d40738ded6e1d73551908bcaf16a8143d497ad9fa3291dfb

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
669KB

MD5
265474b8cdf8cb4f930fd0d447755139

SHA1
8b7e317bf04fb1551e5f612a041ca80c98e689f9

SHA256
6fd9fdcc11c2d9a05db7f5a67ae24dc56803bce66adab42c1a124754f064669e

SHA512
8e7c647be97d9a47b557da3fbf79492f910a33c13724e76ec8fb8254491a69d006709791fa306a75afddfd8d19dee87c6eb96b653ab261d3023ba1f43529ee35

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
669KB

MD5
40fe765554e4a5f9cd2cf2255a7a8267

SHA1
2f3ce0134706c9941198620235b1c16c87a2a61d

SHA256
bef1324ff0f20321cafd1f391104cb2dd2ecb70871bd6b34d1d2e51f1ef1fc6a

SHA512
87530b979e81fb07181d85d69c64153d185365303cdf107c586a1f48a2cb9e1ce6cc2f18700b2bf70e28d8f975cfbeffec3a64bed532d6bf3487c58651f27bbf

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
669KB

MD5
db692fe4a296cfe3eddcc188ce2504ae

SHA1
d700da9671b316bdf29117c57c92f1247ac2d96b

SHA256
ec67987788c96c9382dc49b4296ac2f192034da6df4a2e82ba556a390e692aa7

SHA512
5446989cc80f9850bae1bda552c285fe8253cac0824330027aae15a8cab18872ffeef49ac7797a9f0a859e0170945fc62808cd2bf688c0ec037ae99a3b9a8cb3

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
669KB

MD5
bd8c9f95ae5c95dabd60e5c951fb6d98

SHA1
4d7405b396db7e6456b22eb4d726d2b4169f4f7f

SHA256
1ba4a2a0a8f93eaeaccc700c53c095a6cd06749fd32c0d51c3cedaa20226d778

SHA512
a3252ced88bcf2910329b14eadbb7d19627383802ecb78338f3b7ad52da4ac74e3b62608a515774862fd313feb87c0f2527c9d5e28e09a15a7d87f9a37733f87

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
669KB

MD5
3dd18c43b576e5ea094a16e0a190915e

SHA1
bcebb410a936e9dc36b6202606390cd9bce253f7

SHA256
297b56deec467590e1917446b49555cab2950c7b8f9b1ac9b362fda3d0162032

SHA512
b57cdb4183f5d69c4e0e8de9c3646aabaa222d177286e3c661caa4761edfd8c25121b22a93465d564c65f1169f743702223765893e6258d659ee8cae91986c5c

Download Submit
C:\Windows\SysWOW64\Emieil32.exe

Filesize
669KB

MD5
7b8f30660f536bf7940ec4e9c90d9b64

SHA1
b5bcc32853e8ac614d50c0b37515fda66a75efe8

SHA256
d96f2ce6d6bc6724ee72e600b06bcfefcba46c47b1b649d1f66d693ae03b730f

SHA512
255ee6375cffbe86a129c6c5564909a08e67bcd5c47197a9b4d6303a1631e7fd52f5dce080968f08a04efc9b9c07bba4a192624b395f4c465e7338246e7b7dc3

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
669KB

MD5
8270b2c1eabf29a923e788b2d2a3ff89

SHA1
dbe0d3ed2cfdd1bb6cff236620dcf853ce1a71bc

SHA256
8fe61dbfe6fa6ceedf62fa1d07f7d825f78dab3b10776ac5c416ac0cc16b0120

SHA512
f63233e9095315dd52f07b7262861d08f3edde73d011b86c97fd314dda37426c78e5869138f975cf3982dd526814cc295599d423d6106b5d8ecf54fbc0e35e28

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
669KB

MD5
7c484b164f889e50cdcabd50e1508866

SHA1
67c29393f273d2d9bd8074b690184279113b12bf

SHA256
6d3247a9fb699c71f4576ff604a5bcd79b482d0dd2b6ba754a0e98ccc3512920

SHA512
e5cbf5f8860c7b712d31b5397634f8009e7906a25b9792a9d24dfaacb774420ab586a2ab4b85063b2945541809afbed4bfa620fd365791ab8d92af95f1286c65

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
669KB

MD5
1fc29c18b4099d6dc4ae1da4312cdcbe

SHA1
4305c698e464ebd0e153ff49d1743c5f167ed60b

SHA256
d834a9d640ef4f2dd04fba02635a99ede2d4e73af09802e6942ebea605998f93

SHA512
cdcb48f4c98bb1a4e6a39779474e79b02aedde95aef9a69f41f5251bf23c59018f1b024f6a6c96494c673047d9eb835af18cfb6598b6728551992ae1d8969eda

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
669KB

MD5
0f0f525a6b81e50ec94aca81e0b60945

SHA1
97a21333d4d2dec984a6664a4ec37a1ff1759d9d

SHA256
664565c25b42424822ecdb62fc871ac5d859c124d60be20b5012649979abc8bc

SHA512
bc7a8b4b772e910fe63c99949ec84307be2950f130861bf1f454979cad6572903a6255b06a63c71df866597b49761fb1d20182b587c62f8157bab7a616bafbe9

Download Submit
C:\Windows\SysWOW64\Lajhofao.exe

Filesize
669KB

MD5
65e78bdf29a12c0da65986dcd9febaa2

SHA1
0f47bbde173a2a9cf6048a7b36a5a9ed22fa325f

SHA256
25817a4fbcf133b9889f18bc48e7f44ff846df58f7c311b7535e0465346e57d7

SHA512
204222d764a7d33f7890563b1fb2effe95d56f48811e498c7ab7e840762ba7966115594d9ec8bbf4d8a4b986eb0f5f1ce7b89ddc54229cdc61cea52446ffce0c

Download Submit
C:\Windows\SysWOW64\Mkclhl32.exe

Filesize
669KB

MD5
a610e3fcdfa4bf1b01339354da4fe7b8

SHA1
7c6f1ce2f1751378e3c18f3f8e4c7aab7b60ea4b

SHA256
285d8445fca8246749848c076f9acd530ce60fdfade669b8afbbad84557a7164

SHA512
73c35613c8d3ef9f7e1987052c55ec993ba7a200e18b4ccfb294aed8a37c1751baaa74087eb32c34a9cc0488dd7d0fa12c9aaaed33e18d56c4d9cf30af05e8e2

Download Submit
C:\Windows\SysWOW64\Mpdnkb32.exe

Filesize
669KB

MD5
608fd5a2327d2f750772aa8177d58feb

SHA1
b851f0ea3d1e8b6bcb8477bb3f4d6bed5533793e

SHA256
8630e33656efba39c3d4115a299209f47c6a4ca6c0a4f7df1abb0e05af489764

SHA512
0b96a11854f534ef11de900b72ef4df104cb57bf78e64f2101e1abb168186546071108620cfaa5935a9325b6d2c4d60890a28d2f85f7fd1f7ccf0623bccd91fc

Download Submit
C:\Windows\SysWOW64\Mpfkqb32.exe

Filesize
669KB

MD5
bd86290309f1bf5b687de7585de84f3c

SHA1
c7c165eadf2888431e0437adb4eb959ce703362c

SHA256
5f8297936e3ac25114cf6f9559801d17b654474ef229a0909d8654fbd97633bf

SHA512
1f048e811db3f65be0b7db71960fe397c33b5b84cde7e75a73703ae48b447efb2860cfeb8aab5325091e9523ae423c2edbeb9720f9bcfb9316d911e3670fb86b

Download Submit
C:\Windows\SysWOW64\Ndbcpd32.exe

Filesize
669KB

MD5
bc341fdbef27e30d743723debbee3b02

SHA1
8520d1b7aa773d668b75e8adfd89d17bbab1d480

SHA256
188e378c1da2885de0a7d107fe8db9b965d1d4b647845f39c1858c4c8af1cd51

SHA512
d26b4ffb97ce29a3219cf4a9f96ecf102edd0a0693468282922e1ca0d1556a352716c85f217f74f35d27983878bfbca530d5b5098701d336bdb24aad120a1fcb

Download Submit
C:\Windows\SysWOW64\Njlockkm.exe

Filesize
669KB

MD5
035a80cab4258eee778954b819e5009f

SHA1
edb99efc1e067efb120a9d9fe92a30870dda9b9a

SHA256
66ed22e56b2bbe42e7b33366546ff8ecb280736d697a7581e01daf8f684c8fa2

SHA512
5ba2a8f37e363768715cf27c1f72055c53b42e4b70f72ebc284fd05bc0a72f9b340385a5e6fd6228aa5f621d7f358c82307b48f663c8c6c401917816080e623f

Download Submit
C:\Windows\SysWOW64\Obdkcckg.dll

Filesize
7KB

MD5
f5f6fd85f4458e633c5c9b25221e1d16

SHA1
a18840a45a5bca7f12dfb5197816edc61d8c3b8e

SHA256
7c605d46cf64a8a1754755c222ada27e4b4efb95eb7d64470e81972b119d5bd7

SHA512
a6da8b7ed2713a22817dd0a6431884e1b25591408ab27835d996fe03c11ab038d30cfe3dde9e1c7fa3ca007308da211a15680cc71ed5ce8e5971e091fec14189

Download Submit
C:\Windows\SysWOW64\Pflomnkb.exe

Filesize
669KB

MD5
c9e1b4fe185b40f2f6dedd56d89b40d1

SHA1
581184a0f465501786002d7c56f70ea47940dbc4

SHA256
c88ad4894ea0ae3dae5b37a8649954259040a2261a1d1d735db5f0a55ebb064d

SHA512
32e02d1dbb689e4f1c6adc51569dfcd7d69bdf4ec0eac12fb8258a9d709cd656f09d6a39af57ac3569f9943ccbb6932c742dfcbaec85b035287bdd7e2c58806d

Download Submit
C:\Windows\SysWOW64\Qabcjgkh.exe

Filesize
669KB

MD5
97a8514dad4d345b5d7fd1808b4da9ca

SHA1
daf93bc18f0686e3ee0f9bc86aaac5a6f23b5af3

SHA256
2d492c83df887a656ef3f0f6dd7ff0a576720b0a9e1e447804fe3496bd559056

SHA512
fa41b90ba731f47b8c17f343dfd62757cb08cf3056dfb0a7d88000a61c1a8e7663c5491bb44e98551a1702f9db1c9ff9763fb46687f594c5a2f87c6f9fa5cd38

Download Submit
C:\Windows\SysWOW64\Qedhdjnh.exe

Filesize
669KB

MD5
03ce56307a99f7e0226ef49aff81049d

SHA1
2c14d3bb7418bdf9712f1f6f776bbd064b75cfbc

SHA256
d27b7178a02e73375e7c46ad8c85e2e74fe777d32daeda819aac3502edfe7fa1

SHA512
afd92cb7c8e7398607ef38c9e2622eb2339217db45a984bcc98abfec55555a42db46f8fb1114178d74100a23e048a0652b53496e17dc289387b494fcbbe525df

Download Submit
C:\Windows\SysWOW64\Qfokbnip.exe

Filesize
669KB

MD5
7ca24bd3cecb473bbedef8f352f7f5b3

SHA1
6615dccafba4a7441351561c6aabb34db926a546

SHA256
c45ead723a20827842a451473de423d4379245a592b6e98e00093926599c947b

SHA512
e271afd4b175418ad9e9608b110102445723e1d29bc753d3277ca3bd515996df9aaa049be98d825fe24fc3172f4043356aa13842bb8e06f94dcabdafcb6a51c8

Download Submit
C:\Windows\SysWOW64\Qlkdkd32.exe

Filesize
669KB

MD5
208b395f0088e3caa37cb972cc42b6b5

SHA1
4b43cebf64dd8728800a3b22483d979d16b1f9cb

SHA256
467279ad2843b5a06037f0f87af143bb6f30aef9d13e66f63bc3d05457748967

SHA512
7d6671102f609dfcc100a1b823185a4ae13fa848092cab7c9246bf3c181aa31804d1ddfc4a6b28c6c45977c304b07838b31be83491fa48df4c65c9b17bcc4e1d

Download Submit
\Windows\SysWOW64\Lpdbloof.exe

Filesize
669KB

MD5
e653d5d5c65bec5d973bd355d8b460eb

SHA1
2cc41a777f74389d3efe4225d0d7da1aea68700b

SHA256
0651cfabbf015ea7ae22981fbbfeacaa92e02d003af497f2ec8605c5a5a782a0

SHA512
9ad17754b8d0c65a93846f617fd66880ec517314b999d2ef0be44bcd0cbba64293c38f892f6089e819091282aac900858c4d1ee607648b9ae6fd3977e4aeb432

Download Submit
\Windows\SysWOW64\Ofjfhk32.exe

Filesize
669KB

MD5
5028b48df70a02f10a191f9c0de9e21c

SHA1
8f874885a5428aa54cff334fb5a810df25d5a2bd

SHA256
19c4f9b949e96c8e3653f679e199c5f9224a227f8f828c7e98a5e60939f730dd

SHA512
7b18a122405a57f516924946f7a37f405bd05d8435aefbbe651a7672a1d16842e3e15a3c3932663367c574f7d51ea083a2179c3616dc336667e7deb506948e36

Download Submit
\Windows\SysWOW64\Pamiog32.exe

Filesize
669KB

MD5
1963bdcfcf7644197a9f2257bbe46ca7

SHA1
202f5008e12e06481ddbb501dc754308bd903e3a

SHA256
a88769853d24179067745d2ed2c81a4b2e03917042a6dc576e98544cd7ffcae9

SHA512
447536d61d8860498b7411855ba21f11dc032aafba3b9994ee39ed45281db9e6c8e4d4ad5266ad6249c26e2de383af255630a0fb1735cf4893dd81b4ad03c876

Download Submit
memory/112-418-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/112-417-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/112-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-391-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/396-390-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/528-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/592-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-396-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/700-397-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/800-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-399-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/960-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/960-403-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1040-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-411-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1340-412-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1340-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-406-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1412-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-405-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1480-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-414-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1508-415-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1516-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-388-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1548-408-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1548-409-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1548-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-420-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1604-421-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1604-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-108-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1988-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-32-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2208-25-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2208-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-6-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2256-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2256-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-393-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2348-394-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2384-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-376-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2388-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-423-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2404-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-92-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2704-93-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2704-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-401-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3016-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads