67f9fea3f08cf05c02359da86f4da8d460ba53435159be092e5fd012de2000db

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b5d258c11e64b974df1ea7bc046ce7e.exe
Size

224KB
MD5

3b5d258c11e64b974df1ea7bc046ce7e
SHA1

c5349c78b75d3d35b06e05cf2ef162faea7c8d44
SHA256

67f9fea3f08cf05c02359da86f4da8d460ba53435159be092e5fd012de2000db
SHA512

f576f053d12f09902019e6969d9d2af2df9af077870977b07e0af3a3e3ff507015683ca1dd73bd7cc3cb472e192c1c1f02fe73636b4247d7df728dbc3c12d60b
SSDEEP

6144:79qm6mjSoLOgzL2V4cpC0L4AY7YWT63cpq:kmnjS0L2/p9i7drpq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3b5d258c11e64b974df1ea7bc046ce7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgeaifia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkabjbih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmmjbkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbbagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcadhgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhdlao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkcadhgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgeaifia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdpkflfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiknlagg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pidabppl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llmhaold.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfheo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laqhhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaajed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkhgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkabjbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlkepaam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkenjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakebqbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfheo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojcjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihbdplfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idieem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdpkflfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqglkmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbpdblmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhdlao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojcjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idieem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oklkdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihbdplfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laqhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pedlgbkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikndgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oklkdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakebqbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lldopb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbbagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlkepaam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olbdhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaajed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pedlgbkh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkenjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakiia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbpdblmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakllc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkhgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lldopb32.exe

Executes dropped EXE 38 IoCs

pid	Process
3336	Bgeaifia.exe
4856	Ikndgg32.exe
4084	Ihbdplfi.exe
4052	Iakiia32.exe
4984	Idieem32.exe
1976	Ijfnmc32.exe
1388	Jkhgmf32.exe
1120	Jdpkflfe.exe
408	Jqglkmlj.exe
3172	Jbfheo32.exe
1608	Lkabjbih.exe
5044	Lldopb32.exe
1128	Laqhhi32.exe
1472	Lbpdblmo.exe
2880	Lhmmjbkf.exe
2304	Mbbagk32.exe
2124	Mlkepaam.exe
1164	Nhdlao32.exe
1600	Olbdhn32.exe
4332	Oifeab32.exe
456	Oaajed32.exe
208	Oiknlagg.exe
1204	Oklkdi32.exe
1644	Pojcjh32.exe
4436	Pedlgbkh.exe
868	Pakllc32.exe
1300	Pkcadhgm.exe
1876	Pidabppl.exe
4120	Pkenjh32.exe
1424	Plejdkmm.exe
3752	Aakebqbj.exe
3820	Llmhaold.exe
4300	Ehlhih32.exe
748	Iacngdgj.exe
3552	Iafkld32.exe
1852	Fcneeo32.exe
2596	Fcbnpnme.exe
1872	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Laqhhi32.exe	Lldopb32.exe
File created	C:\Windows\SysWOW64\Nhdlao32.exe	Mlkepaam.exe
File opened for modification	C:\Windows\SysWOW64\Nhdlao32.exe	Mlkepaam.exe
File opened for modification	C:\Windows\SysWOW64\Olbdhn32.exe	Nhdlao32.exe
File created	C:\Windows\SysWOW64\Mnbepb32.dll	Llmhaold.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fcneeo32.exe
File opened for modification	C:\Windows\SysWOW64\Idieem32.exe	Iakiia32.exe
File opened for modification	C:\Windows\SysWOW64\Oifeab32.exe	Olbdhn32.exe
File opened for modification	C:\Windows\SysWOW64\Pedlgbkh.exe	Pojcjh32.exe
File opened for modification	C:\Windows\SysWOW64\Plejdkmm.exe	Pkenjh32.exe
File created	C:\Windows\SysWOW64\Ijfnmc32.exe	Idieem32.exe
File opened for modification	C:\Windows\SysWOW64\Laqhhi32.exe	Lldopb32.exe
File created	C:\Windows\SysWOW64\Bpkajf32.dll	Oaajed32.exe
File opened for modification	C:\Windows\SysWOW64\Pojcjh32.exe	Oklkdi32.exe
File created	C:\Windows\SysWOW64\Aalebkhm.dll	Lldopb32.exe
File created	C:\Windows\SysWOW64\Oklkdi32.exe	Oiknlagg.exe
File opened for modification	C:\Windows\SysWOW64\Llmhaold.exe	Aakebqbj.exe
File opened for modification	C:\Windows\SysWOW64\Iacngdgj.exe	Ehlhih32.exe
File created	C:\Windows\SysWOW64\Looknpmn.dll	3b5d258c11e64b974df1ea7bc046ce7e.exe
File created	C:\Windows\SysWOW64\Hglppijc.dll	Iakiia32.exe
File created	C:\Windows\SysWOW64\Ecbfdd32.dll	Lkabjbih.exe
File created	C:\Windows\SysWOW64\Camfoh32.dll	Lbpdblmo.exe
File opened for modification	C:\Windows\SysWOW64\Pidabppl.exe	Pkcadhgm.exe
File created	C:\Windows\SysWOW64\Paihbi32.dll	Ijfnmc32.exe
File created	C:\Windows\SysWOW64\Ajjjof32.dll	Oifeab32.exe
File created	C:\Windows\SysWOW64\Jqglkmlj.exe	Jdpkflfe.exe
File opened for modification	C:\Windows\SysWOW64\Mbbagk32.exe	Lhmmjbkf.exe
File created	C:\Windows\SysWOW64\Pakllc32.exe	Pedlgbkh.exe
File opened for modification	C:\Windows\SysWOW64\Jdpkflfe.exe	Jkhgmf32.exe
File created	C:\Windows\SysWOW64\Pkenjh32.exe	Pidabppl.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Pgnnnnod.dll	Jkhgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkenjh32.exe	Pidabppl.exe
File created	C:\Windows\SysWOW64\Iacngdgj.exe	Ehlhih32.exe
File created	C:\Windows\SysWOW64\Lhjlnlii.dll	Pojcjh32.exe
File created	C:\Windows\SysWOW64\Feaabknn.dll	Pkcadhgm.exe
File created	C:\Windows\SysWOW64\Dckhejil.dll	Bgeaifia.exe
File created	C:\Windows\SysWOW64\Bkfpfg32.dll	Idieem32.exe
File created	C:\Windows\SysWOW64\Hmkqgckn.dll	Aakebqbj.exe
File created	C:\Windows\SysWOW64\Fcneeo32.exe	Iafkld32.exe
File created	C:\Windows\SysWOW64\Jbfheo32.exe	Jqglkmlj.exe
File created	C:\Windows\SysWOW64\Oaajed32.exe	Oifeab32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfnmc32.exe	Idieem32.exe
File created	C:\Windows\SysWOW64\Edeleklf.dll	Laqhhi32.exe
File created	C:\Windows\SysWOW64\Jofbdcmb.dll	Pedlgbkh.exe
File created	C:\Windows\SysWOW64\Pognhd32.dll	Mbbagk32.exe
File opened for modification	C:\Windows\SysWOW64\Oiknlagg.exe	Oaajed32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Olbdhn32.exe	Nhdlao32.exe
File created	C:\Windows\SysWOW64\Ingcceof.dll	Nhdlao32.exe
File created	C:\Windows\SysWOW64\Pedlgbkh.exe	Pojcjh32.exe
File created	C:\Windows\SysWOW64\Hnlonj32.dll	Jdpkflfe.exe
File opened for modification	C:\Windows\SysWOW64\Oklkdi32.exe	Oiknlagg.exe
File created	C:\Windows\SysWOW64\Hnnpaa32.dll	Oklkdi32.exe
File created	C:\Windows\SysWOW64\Bgeaifia.exe	3b5d258c11e64b974df1ea7bc046ce7e.exe
File created	C:\Windows\SysWOW64\Enqjamin.dll	Jqglkmlj.exe
File created	C:\Windows\SysWOW64\Ogpcqnei.dll	Pidabppl.exe
File created	C:\Windows\SysWOW64\Cgieglah.dll	Pkenjh32.exe
File created	C:\Windows\SysWOW64\Ffdihjbp.dll	Ehlhih32.exe
File created	C:\Windows\SysWOW64\Ddnnfbmk.dll	Ihbdplfi.exe
File opened for modification	C:\Windows\SysWOW64\Jkhgmf32.exe	Ijfnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Jqglkmlj.exe	Jdpkflfe.exe
File created	C:\Windows\SysWOW64\Mlkepaam.exe	Mbbagk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4504	1872	WerFault.exe	129

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinnnm32.dll"	Lhmmjbkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pojcjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feaabknn.dll"	Pkcadhgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbpdblmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnnfbmk.dll"	Ihbdplfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhdlao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pakllc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikndgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkabjbih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llmhaold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idieem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laqhhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plejdkmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3b5d258c11e64b974df1ea7bc046ce7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkabjbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnpaa32.dll"	Oklkdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdpkflfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olbdhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklaah32.dll"	Ikndgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiknlagg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pakllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plejdkmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3b5d258c11e64b974df1ea7bc046ce7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hglppijc.dll"	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfheo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oifeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgfkbgm.dll"	Oiknlagg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3b5d258c11e64b974df1ea7bc046ce7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeleklf.dll"	Laqhhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiknlagg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pidabppl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pidabppl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aakebqbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paihbi32.dll"	Ijfnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhmmjbkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oifeab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgeaifia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaajed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camfoh32.dll"	Lbpdblmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olbdhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjef32.dll"	Pakllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkcadhgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll"	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnnnod.dll"	Jkhgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihbdplfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbfdd32.dll"	Lkabjbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iacngdgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkhgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofbdcmb.dll"	Pedlgbkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjlnlii.dll"	Pojcjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkqgckn.dll"	Aakebqbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkhbi32.dll"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkhgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqglkmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhmmjbkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgieglah.dll"	Pkenjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jqglkmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaiilmd.dll"	Jbfheo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3336	3108	3b5d258c11e64b974df1ea7bc046ce7e.exe	87
PID 3108 wrote to memory of 3336	3108	3b5d258c11e64b974df1ea7bc046ce7e.exe	87
PID 3108 wrote to memory of 3336	3108	3b5d258c11e64b974df1ea7bc046ce7e.exe	87
PID 3336 wrote to memory of 4856	3336	Bgeaifia.exe	88
PID 3336 wrote to memory of 4856	3336	Bgeaifia.exe	88
PID 3336 wrote to memory of 4856	3336	Bgeaifia.exe	88
PID 4856 wrote to memory of 4084	4856	Ikndgg32.exe	90
PID 4856 wrote to memory of 4084	4856	Ikndgg32.exe	90
PID 4856 wrote to memory of 4084	4856	Ikndgg32.exe	90
PID 4084 wrote to memory of 4052	4084	Ihbdplfi.exe	91
PID 4084 wrote to memory of 4052	4084	Ihbdplfi.exe	91
PID 4084 wrote to memory of 4052	4084	Ihbdplfi.exe	91
PID 4052 wrote to memory of 4984	4052	Iakiia32.exe	92
PID 4052 wrote to memory of 4984	4052	Iakiia32.exe	92
PID 4052 wrote to memory of 4984	4052	Iakiia32.exe	92
PID 4984 wrote to memory of 1976	4984	Idieem32.exe	93
PID 4984 wrote to memory of 1976	4984	Idieem32.exe	93
PID 4984 wrote to memory of 1976	4984	Idieem32.exe	93
PID 1976 wrote to memory of 1388	1976	Ijfnmc32.exe	94
PID 1976 wrote to memory of 1388	1976	Ijfnmc32.exe	94
PID 1976 wrote to memory of 1388	1976	Ijfnmc32.exe	94
PID 1388 wrote to memory of 1120	1388	Jkhgmf32.exe	95
PID 1388 wrote to memory of 1120	1388	Jkhgmf32.exe	95
PID 1388 wrote to memory of 1120	1388	Jkhgmf32.exe	95
PID 1120 wrote to memory of 408	1120	Jdpkflfe.exe	96
PID 1120 wrote to memory of 408	1120	Jdpkflfe.exe	96
PID 1120 wrote to memory of 408	1120	Jdpkflfe.exe	96
PID 408 wrote to memory of 3172	408	Jqglkmlj.exe	97
PID 408 wrote to memory of 3172	408	Jqglkmlj.exe	97
PID 408 wrote to memory of 3172	408	Jqglkmlj.exe	97
PID 3172 wrote to memory of 1608	3172	Jbfheo32.exe	98
PID 3172 wrote to memory of 1608	3172	Jbfheo32.exe	98
PID 3172 wrote to memory of 1608	3172	Jbfheo32.exe	98
PID 1608 wrote to memory of 5044	1608	Lkabjbih.exe	99
PID 1608 wrote to memory of 5044	1608	Lkabjbih.exe	99
PID 1608 wrote to memory of 5044	1608	Lkabjbih.exe	99
PID 5044 wrote to memory of 1128	5044	Lldopb32.exe	100
PID 5044 wrote to memory of 1128	5044	Lldopb32.exe	100
PID 5044 wrote to memory of 1128	5044	Lldopb32.exe	100
PID 1128 wrote to memory of 1472	1128	Laqhhi32.exe	101
PID 1128 wrote to memory of 1472	1128	Laqhhi32.exe	101
PID 1128 wrote to memory of 1472	1128	Laqhhi32.exe	101
PID 1472 wrote to memory of 2880	1472	Lbpdblmo.exe	102
PID 1472 wrote to memory of 2880	1472	Lbpdblmo.exe	102
PID 1472 wrote to memory of 2880	1472	Lbpdblmo.exe	102
PID 2880 wrote to memory of 2304	2880	Lhmmjbkf.exe	103
PID 2880 wrote to memory of 2304	2880	Lhmmjbkf.exe	103
PID 2880 wrote to memory of 2304	2880	Lhmmjbkf.exe	103
PID 2304 wrote to memory of 2124	2304	Mbbagk32.exe	104
PID 2304 wrote to memory of 2124	2304	Mbbagk32.exe	104
PID 2304 wrote to memory of 2124	2304	Mbbagk32.exe	104
PID 2124 wrote to memory of 1164	2124	Mlkepaam.exe	105
PID 2124 wrote to memory of 1164	2124	Mlkepaam.exe	105
PID 2124 wrote to memory of 1164	2124	Mlkepaam.exe	105
PID 1164 wrote to memory of 1600	1164	Nhdlao32.exe	106
PID 1164 wrote to memory of 1600	1164	Nhdlao32.exe	106
PID 1164 wrote to memory of 1600	1164	Nhdlao32.exe	106
PID 1600 wrote to memory of 4332	1600	Olbdhn32.exe	107
PID 1600 wrote to memory of 4332	1600	Olbdhn32.exe	107
PID 1600 wrote to memory of 4332	1600	Olbdhn32.exe	107
PID 4332 wrote to memory of 456	4332	Oifeab32.exe	108
PID 4332 wrote to memory of 456	4332	Oifeab32.exe	108
PID 4332 wrote to memory of 456	4332	Oifeab32.exe	108
PID 456 wrote to memory of 208	456	Oaajed32.exe	109

C:\Users\Admin\AppData\Local\Temp\3b5d258c11e64b974df1ea7bc046ce7e.exe
"C:\Users\Admin\AppData\Local\Temp\3b5d258c11e64b974df1ea7bc046ce7e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\Bgeaifia.exe
  C:\Windows\system32\Bgeaifia.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\Ikndgg32.exe
    C:\Windows\system32\Ikndgg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\Ihbdplfi.exe
      C:\Windows\system32\Ihbdplfi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\Iakiia32.exe
        
        C:\Windows\system32\Iakiia32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\SysWOW64\Idieem32.exe
        
        C:\Windows\system32\Idieem32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Ijfnmc32.exe
        
        C:\Windows\system32\Ijfnmc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Jkhgmf32.exe
        
        C:\Windows\system32\Jkhgmf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Jdpkflfe.exe
        
        C:\Windows\system32\Jdpkflfe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Jqglkmlj.exe
        
        C:\Windows\system32\Jqglkmlj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Jbfheo32.exe
        
        C:\Windows\system32\Jbfheo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Lbpdblmo.exe
        
        C:\Windows\system32\Lbpdblmo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Lhmmjbkf.exe
        
        C:\Windows\system32\Lhmmjbkf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Mbbagk32.exe
        
        C:\Windows\system32\Mbbagk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Mlkepaam.exe
        
        C:\Windows\system32\Mlkepaam.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Nhdlao32.exe
        
        C:\Windows\system32\Nhdlao32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Oifeab32.exe
        
        C:\Windows\system32\Oifeab32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Oaajed32.exe
        
        C:\Windows\system32\Oaajed32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Oklkdi32.exe
        
        C:\Windows\system32\Oklkdi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Pojcjh32.exe
        
        C:\Windows\system32\Pojcjh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Pkcadhgm.exe
        
        C:\Windows\system32\Pkcadhgm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Pidabppl.exe
        
        C:\Windows\system32\Pidabppl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Pkenjh32.exe
        
        C:\Windows\system32\Pkenjh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Plejdkmm.exe
        
        C:\Windows\system32\Plejdkmm.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Aakebqbj.exe
        
        C:\Windows\system32\Aakebqbj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        39⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 400
        40⤵
        Program crash
        
        PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1872 -ip 1872
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakebqbj.exe

Filesize
224KB

MD5
d12e4bfaa112ac74cf6315ef9580a229

SHA1
4847b31932eed4cb177fb30deb2b77500638fd68

SHA256
cbd37c3f3d36cf9a21e838f77cb1546158247efafa6bd7ddca865074e4425f5d

SHA512
db382b6ec93ccbf9cb04a9d60fdb88ecd853e7cedadfe7fd64b71affd9ac4a93395e9db8ed0431564d3aec1e08d0041e3312f26e23d79df6d50235be4a7fa9b5

Download Submit
C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
224KB

MD5
57f93e9cb4f46f09e7a244c56e91ad51

SHA1
cff6cad6f04db111ce7496d266c89959bf19d3f3

SHA256
ccd712154472ffd95edfc722eafdb0d8d6154c042932cf02c3963430f20571f3

SHA512
875ba01ebe8c62cf8232d38ab5b82535c788e759c11a50fdb207cdbc362788442f575af19347e68affabcc4497f21d4a85522f98926bb0f61e98f41207c0421c

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe

Filesize
224KB

MD5
1687eae8e0d89ebb3f7c9079957566d3

SHA1
c10d2154d1451e7d4acd99671695c1034598b064

SHA256
c25dd96390f06dd5cce047447af7b5599d6a94859d351827f93e6fa75a4ae1cc

SHA512
ac622cd7d43b7ac405fb104f00d8e7ba92f738edad982628254b4f908875410bbfee524812aede529b857feacb30c78f5428af65574964b4508950153919d545

Download Submit
C:\Windows\SysWOW64\Iakiia32.exe

Filesize
224KB

MD5
75092093e3f39281c4aebfca4e77a3bb

SHA1
5d07f74e23c436c89d06eb5f553977edde940905

SHA256
db7382e06e124efc99121a18f9f393da09a4a74a33e26ca41a02fc200d0ce61f

SHA512
070a8bae32c53f06a0a8b8e16d3691b84072f2f3208a765521a0f98cc506be7964db1a1dee6884fd1942eccb5b423c3fab70aefc070bb6f6ced7f89e11292a48

Download Submit
C:\Windows\SysWOW64\Idieem32.exe

Filesize
224KB

MD5
a4e38db0faedaed54596b4d5484e0103

SHA1
feec56098d078711f28f4dc9fed737fb722b4f8a

SHA256
9e6c48ce21403a543d2d5a047c66a1ed2db65830f06a184c18ae2760fced0a06

SHA512
5e6c23fccda5df81080f94205e99a22022e0bbe8f9995c36ef5359c3ed7558cfcfae88fbe3511877e8861f41efe884f8ebf301b59d24226e23b5b994b5b69c36

Download Submit
C:\Windows\SysWOW64\Ihbdplfi.exe

Filesize
224KB

MD5
de4b4dd3831d351fcf00663fc2688de9

SHA1
cfc404b5ea0f1480c2db427b6bb7a0584187f844

SHA256
8d0fafb0043837b1036532f5f10757251617c12dbfdf360b89079f9f1c719781

SHA512
a929cd25c0ec36c32c185f2212463a3642716f99f784d93c37a47b873890509079dd997a21c5581e0ef913975b7144cae2e979108cc00edd72dd2b78b36bfbbc

Download Submit
C:\Windows\SysWOW64\Ijfnmc32.exe

Filesize
224KB

MD5
1ba87f5c36e3324080026f7210772f0b

SHA1
db69a3c3570515e877c507de924157a430bd2f8b

SHA256
197d64506002773c9bcd5bd36592f1d9910b4e4f5cb52885b0fb8545008511a0

SHA512
1f0168a4133a9568ef5411efc7c6fd866357c9878774dde34c971aa35aed4c889ecfbb7498771ba856ad23845924f628c27d84604f92a6173b0bbe2be3e05965

Download Submit
C:\Windows\SysWOW64\Ikndgg32.exe

Filesize
224KB

MD5
addc212bd08943babd9160292e12acc9

SHA1
6250b61ac0e3a6aa054a11cb94325f56507e0704

SHA256
cc6398d30c4f2e2642beeec2ce95f9445f8e90916aab15204383bd66aec374c7

SHA512
3b698a61591b82fb7a5bc74de20a63387f50b5e2cf9153158ecfc2b207c568bbb2342a1dd46370c99deaa1b7472da2d2129f2fe3a3fc7f02895fe9d8d91aaa83

Download Submit
C:\Windows\SysWOW64\Jbfheo32.exe

Filesize
224KB

MD5
d3ab098289318bba920f2a7080e927e5

SHA1
cb260a764e4c570225e999924728f7214fd624c0

SHA256
872066576ca30b202a5658501ba8d6101d061136e8907fa38723e1a07abfa5ff

SHA512
3644f9568c4f1d02d1d6265d9c3dd74fa606f6b97b274a17edeac19b05f5a54112ba8ae60252c33e677a95acb12c85c7269c6bf2ca4775ce482de7edfe82c4a3

Download Submit
C:\Windows\SysWOW64\Jdpkflfe.exe

Filesize
224KB

MD5
c1c32a2e86837143de7eae307f78d98f

SHA1
a7d2a3c6863e9469dee62179b7affb6fde88e243

SHA256
21f388f3f1ce61d6d4bc6f5f7044adc281cb472b19ee7ef11263b848c3389ab8

SHA512
c78ad00fbca5af5ee69e1bffe2b9d7775e8d0944800bce7738fc26dac2f30db823a2d61082af71b46bc0b82e380c6d4740d048c674d7023126e6f36f5e46a11f

Download Submit
C:\Windows\SysWOW64\Jkhgmf32.exe

Filesize
224KB

MD5
9d2c272eae5642a0b476bcdaa1850e40

SHA1
d9ba67a1b65faec9a1b2baf694a048958200d3ad

SHA256
f64fa65714bb930fc23a240154b11f808dd5bfba475249999d866e244cc8a2b9

SHA512
1d7b91a2ee259e6c1e8aaac039ec9b91018b86ce72fedae34fc51c7df191f969b28d2af7c9be69e006cf0b26fb7fb9dbd7f699e1116c1ec6bf46e21301986363

Download Submit
C:\Windows\SysWOW64\Jqglkmlj.exe

Filesize
224KB

MD5
87bc8073e07fd8166241e814c7c2fb0b

SHA1
2068aec8b0300c3fa54e644d35f8b56716e57406

SHA256
d8e17b2bc8f8d2a6a76be6bf9c51da57d0e1af1a2a49611ad00a25a49eb48899

SHA512
0b0513cbbb8e5cdc653aec9ab0ef8a15b5ea057135777428db7e612377412bd66021600a4f287fd1611928992f7134a590be27ebfb4cdabcb6ced478b6c5cfdd

Download Submit
C:\Windows\SysWOW64\Laqhhi32.exe

Filesize
224KB

MD5
960daacfc76a8d2385b0a56523205df0

SHA1
d63185b858aae9261311aebe8815ff8c4ac0eb1a

SHA256
25af32929aeff9e791ac2b08b95f766700486a42943237121d8f4f26a3052fa2

SHA512
d479bb54f21826b0063d30d328f6bc48840ea1d990a74c6d26b75be6b53f7a736640017dd303ec4a2679b470093d462c2832a14fbffc402ae344c9f664f79ce6

Download Submit
C:\Windows\SysWOW64\Lbpdblmo.exe

Filesize
224KB

MD5
c3b5537a831e39fe096d1c22ece940dd

SHA1
affdcd8c74cdb23f5afc1c06190fd50c42243e49

SHA256
e6fc871e381e84c5a10708df60be3c47f1eeda623179b22f8706e3da703478a7

SHA512
98cec27a2aef92f41961cd376af6e224e440c7dbbc460761ffe5995e3f810a3978a8f1b438daec861a7ba971bb384ad4f1e7344ddfb0d609087544a8173613c5

Download Submit
C:\Windows\SysWOW64\Lhmmjbkf.exe

Filesize
224KB

MD5
62c56b1be3361e283e18cbbe5f4a099b

SHA1
b79ab3c9cc51ca07c7680f167555d77177ffc641

SHA256
9dfab95d3d5b62b0688d8bbde6e64cde85bca0d115837df196a353cf51bfe33f

SHA512
400dcf25ff686cc4103467a6479f15fa59d15e8c403b3b810025336449d81d8e08864c4b58154eb5b9432f53a3adc3a5d9ba4ccb81b5f8a8db159f6b0e5c487d

Download Submit
C:\Windows\SysWOW64\Lkabjbih.exe

Filesize
224KB

MD5
f57bae206a040f99272e1f669ceba0f8

SHA1
687257175a1d41be089163084ff277899cf40c20

SHA256
86f7d4a546edc807f20ae8b013c3cb9397dca4c2083cc17e3bd3b2b0e8f25196

SHA512
bd817f664e6b7b82b9fd284d8671d7940f8a3b985a4e642d9b20464f8b6a42469010fdbbb9a2c60481375179941c2c2e7a47443087272ffa96c6ba0c02b26603

Download Submit
C:\Windows\SysWOW64\Lldopb32.exe

Filesize
224KB

MD5
d67298ec5072a86fa9319eba6c12d24c

SHA1
da3856f8776046c04e6fb8b2e6b7ae255489d1dc

SHA256
c3c2e13eaee6f54436c1f7fde29b7587ba10299d23dfb84d3dda329bb24279bf

SHA512
6380ca35fead6d58083bc5daacd226b955e5d080227062f72f76a4002bd6e0072036029e0ff64bf3c8a638532bfd44462946041b9c1a0265327980dea81c92b5

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
224KB

MD5
6c6045767d8b8d8f15870935e224ca34

SHA1
c44669aeb5a67afb7002b0d2e26b8cd78fba6451

SHA256
f4da9fda2a2af388a029323dac75a8731cdff8f5596f2bcb4e1022bbca080dd4

SHA512
6c774a939d7f662acc8858795bf13dfd3f8399871008cdab2a8a2b3a29cfd027d77535bf868eea76621a767703a93f000e17dd7d69156f32d35e2990a2cd6b82

Download Submit
C:\Windows\SysWOW64\Mbbagk32.exe

Filesize
224KB

MD5
ab884c1bc407d2dc12bdcd9b37140ecf

SHA1
d6226735e7ed818f66a1b01767d6480b1bccab71

SHA256
c4a265d63204d32c65e3d6fabeeb9d9c9d5944924a6037c11777219994611d67

SHA512
77c7a94669010c660d9f88c38ad9e2b31338b6272cd63d6fda1767dde53594edda0b058936da509a4ed2c67ad6c9a5ab3d3270524e5a3b826a051352d2646f08

Download Submit
C:\Windows\SysWOW64\Mlkepaam.exe

Filesize
224KB

MD5
2a2669921828ca5ab6a63b4f6f19d38c

SHA1
42cfc2cf3eaee327444b6953151135fa176343d1

SHA256
eff82dd530e305ec866f62cec01d8246f732904e0b452c77c63369665bf10136

SHA512
c4a440eb7459f5a3988b872d3c9c12e3c9b0a49fe27bfa4cd17b79a296fa9cb2dc22692133e40398c6d3d7e199df5f8a18670532c975380d908a87decbc81b92

Download Submit
C:\Windows\SysWOW64\Nhdlao32.exe

Filesize
224KB

MD5
4cfde2ccaeae172ec67fcc5c52fc7ba4

SHA1
252a09d44aab8fc8fedcae43be032f0b15cf8340

SHA256
989e9036be6e2e2b90db6d9cbb8ba2d7bfa6b5a0ce7d89fc4f10ef96423c6550

SHA512
c5a71a0c3f6ecfa292b92efee89860e0010ced1e63302be00287c745d0f750f382d6dcccb398b6cfdce131eeece6a27d310f95080c8948c1021e9e4868cb5512

Download Submit
C:\Windows\SysWOW64\Oaajed32.exe

Filesize
224KB

MD5
1ed000b46a112cadd0459d860d1e6fb4

SHA1
c104b3fc67cee2d0e533d8be1156dc04cd930f65

SHA256
d57530fb1ffca3dd9eb5ffa4a98314f7049508e1d3c5d128c056830a8f447400

SHA512
36f71884ecad9eb1b1f2c7754244e3e25bdec87f33649921646f0d46f35415099d73d417d4aa1cd8f4af2dd4a3fee4bf14978d0299088e4512bded294af2450a

Download Submit
C:\Windows\SysWOW64\Oifeab32.exe

Filesize
224KB

MD5
2e0e0cf604e2dcb8801d96b827c50e30

SHA1
0903c532b7eb95c8a92b7a901b9e00a6a4c9aa9f

SHA256
6ab6f33738aa6cf25c1f48729661c31b119dc1c43a9acfce96945c2d8772382c

SHA512
76ae2d3ad5d1e356621b7ab9c9fe48e0517255578d23a3efe3b13dcdadc6d3be7834cf36754a261f6e13e0d2a512d3ba6772f335d19f46b18fbbea5216761d6d

Download Submit
C:\Windows\SysWOW64\Oiknlagg.exe

Filesize
224KB

MD5
5776ccc188021e2501a76d44c190de20

SHA1
3aad254e0a5a28e768695444cb2bcf830628e49a

SHA256
d343c957bdab7864f762d71e9c784b864a6f8ab22919e5f6119175358a6e0d88

SHA512
3391fb0e18bf2bf7452409d3ffe9af90c5b3aaef5ffd93f75871400f86b658c57f504bb63e8ee03af46d17182bfc99200c7c2bbdbf03f6048e2a33da3f4df7b8

Download Submit
C:\Windows\SysWOW64\Oklkdi32.exe

Filesize
224KB

MD5
b2a14b427c7390469486045266db06fb

SHA1
490d26a533e080fc41d9e52654f6594659b66e87

SHA256
eceda03b23b5b4460c5a5d57a10892e039ed70c9018ab6550cdbcbd75455d2d6

SHA512
28d7b0432b242b5a8cd018c492669f32a97d1986f7c84a99909f40e0722dc9bd5f3d6bb8988940b8e1e47f8243594584e71c7c57fa6fa1e6728f328e004841d2

Download Submit
C:\Windows\SysWOW64\Olbdhn32.exe

Filesize
224KB

MD5
4017ce98d2c766309ffe9460e6f68b91

SHA1
78dc4cade20b7c792f081f906401265791b3b8f8

SHA256
544f423d8c98c55c83ec2fa66593a6088fc1e97b434798e60d20ab905749af9f

SHA512
5b5c864fc97ec3f016529dccbab5c66278f0a15f1cad0c0755b895df9e2eef1569c869a0b974e71fb0eb7ab999ddb34fb4071f61dd05fa54a0b620523657f992

Download Submit
C:\Windows\SysWOW64\Pakllc32.exe

Filesize
224KB

MD5
999872e0dbed215b87531957505ea3cc

SHA1
5b43747b130f2232c70cda63e59c9966e98bc4f3

SHA256
a9d0b697fa9b7d32f5b53d3efa7607908062e1dca207e24065c0cb0726a885cc

SHA512
9407c2985761e5b25b67e49e0de08d6deaf20804b6530db627201238e460933a5dfc3fd00590995d7fa97577f455252cec6bca964262501187bc1c279c56899a

Download Submit
C:\Windows\SysWOW64\Pedlgbkh.exe

Filesize
224KB

MD5
98805d677e04d20538ca0c8f12c6b9d6

SHA1
f57190713edc9982b8fffbbcae55dabfd7048e49

SHA256
44523b1eae6d1ea53511a9f73ab3757bff48f29e1a2050cd07b16f7cad89f848

SHA512
9cb13e23db72f66758cb93635f6575f9f0a21049df7f5b35a553631366126034479bc9fbda88726fca076ba991a664f93f9a914abfcd62f1847f6c853b08ed92

Download Submit
C:\Windows\SysWOW64\Pidabppl.exe

Filesize
224KB

MD5
3fec00d917ae6d9320ce78cde4f6f37c

SHA1
043d49495d292002a6052e19eb34487af82ed10c

SHA256
a92f159aaf4951081ab2e8c1db99b7f2eb1a12d33f06d1e1537e8f44f92e2769

SHA512
c17d83b39f0cc28c5d2bd1a704048c83b859353c37a2ab6ac41815275667c29556da9749ff03679db5c823f6aabf09a9b5500bc2fba425fe53ffcb4effc34c22

Download Submit
C:\Windows\SysWOW64\Pkcadhgm.exe

Filesize
224KB

MD5
d23785027d0cbb5a0fd581a5c39c24a1

SHA1
4d47465ec7a1d8f2d210e0306e05546f70be86fc

SHA256
48302b5891d5a3e0ab44602bcb403e60fef47c07f14df0dce001efbafa507265

SHA512
816b492b25e07a9e7480f34cca191da36caed91c507c511bd0bb68522432e3f26f40ef4a54bb527bf2f997547f3566175f5217fe51919417b77f824dfe16c4a3

Download Submit
C:\Windows\SysWOW64\Pkenjh32.exe

Filesize
224KB

MD5
19b4e98a5f974f270d8d2a6dfd24616e

SHA1
60d46f07a3a5e12931495d0827eaf58d1545ce37

SHA256
c6fddca9a361074d00828d5252fcb664b577e94e6f7aac83b47f86b61b504b7b

SHA512
7734266f0cefe5f384901c7aa5acb0c1e208dba30160408a317f2460fe7895742ce26bad8c56604d6a8e8b8debfdcec4b68bed2a0d8c9779de3b69cf1e867865

Download Submit
C:\Windows\SysWOW64\Plejdkmm.exe

Filesize
224KB

MD5
049d95f5fe7292d42fb57e7bc522c71c

SHA1
e23cceb13ce48e2c34f529d124bf0e77752dbc57

SHA256
cdcc38ba4fc36dc22ef456c6cc67ef975a3cd291ef94cbd4bf2c0ac41c6fcc60

SHA512
ce2c6663528b60559ae370a19f77e08cb9a32fe266ca3c35812539e11106f20034aa08a5c25daa7412f72cce0fd7e248ca06c1aa87f88d902bb9a8a922e0b070

Download Submit
C:\Windows\SysWOW64\Pojcjh32.exe

Filesize
224KB

MD5
74af529d0c7664b18079b48ff7400fcf

SHA1
b0eb2dd37768e90567f2c522d39d89b3797abe8c

SHA256
026ceb51632ce2c1aa186b6527848abc5b16ecf1647daf3cde64ca0151d55dee

SHA512
572624341206b3cf4354f5f03aac7e6dca45c3c3984b63e8ca2284dc5c715a861c2a25dc4c2fbf56ad674ee4573f3ec648e6a4d31734368f35fca9091c91d3e7

Download Submit
memory/208-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1120-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1120-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1164-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1204-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1204-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1424-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1424-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1852-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1872-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3552-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3552-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3820-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3820-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-34-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-43-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads