713b689e8c6bbacb91b4d30d21897792712f26d5508e90093c02e3bed8bcf5bf

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43f05b2447e3b284ffe78fec9cd8c54b.exe
Size

161KB
MD5

43f05b2447e3b284ffe78fec9cd8c54b
SHA1

b1f2e729f00bf9102fcaf2179f4fe049115bc76c
SHA256

713b689e8c6bbacb91b4d30d21897792712f26d5508e90093c02e3bed8bcf5bf
SHA512

a460b16447867e0e619b7491801d22225a3145c1bdf5f702b0335c3bef3167e53320b75220642891396f1a31ccc190f9c86805c13df1c94712f4b4b217f8484f
SSDEEP

3072:ZWbkcPzk1O//VlD6kHVwtCJXeex7rrIRZK8K8/kv:ko1yWkHVwtmeetrIyR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe

Executes dropped EXE 64 IoCs

pid	Process
4372	Kdnidn32.exe
916	Klimip32.exe
4788	Kmijbcpl.exe
3260	Kbfbkj32.exe
1904	Kbhoqj32.exe
4444	Kmncnb32.exe
2688	Leihbeib.exe
4488	Ldjhpl32.exe
1460	Lekehdgp.exe
1196	Lfkaag32.exe
4540	Lphoelqn.exe
836	Njefqo32.exe
4944	Ocnjidkf.exe
2088	Odmgcgbi.exe
1568	Ocbddc32.exe
4852	Onhhamgg.exe
4796	Ogpmjb32.exe
4108	Oddmdf32.exe
4240	Pnlaml32.exe
2992	Pfhfan32.exe
4528	Pclgkb32.exe
5044	Pdkcde32.exe
3104	Pjhlml32.exe
4256	Pcppfaka.exe
376	Pnfdcjkg.exe
5032	Qnhahj32.exe
2524	Qfcfml32.exe
4320	Qffbbldm.exe
2692	Ageolo32.exe
1640	Aeiofcji.exe
2820	Ajfhnjhq.exe
4156	Ajhddjfn.exe
2720	Acqimo32.exe
3536	Ajkaii32.exe
4316	Accfbokl.exe
3356	Bfabnjjp.exe
2676	Bmkjkd32.exe
1356	Bcebhoii.exe
2012	Bjokdipf.exe
3572	Bchomn32.exe
1872	Beglgani.exe
4468	Bjddphlq.exe
760	Bhhdil32.exe
3896	Bjfaeh32.exe
2580	Belebq32.exe
316	Cfmajipb.exe
2084	Cmgjgcgo.exe
4336	Cdabcm32.exe
224	Cjkjpgfi.exe
4620	Caebma32.exe
1576	Cdcoim32.exe
4204	Cfbkeh32.exe
992	Cmlcbbcj.exe
3248	Chagok32.exe
2168	Cajlhqjp.exe
5064	Cffdpghg.exe
2272	Cmqmma32.exe
3784	Cegdnopg.exe
2812	Dhfajjoj.exe
2336	Dopigd32.exe
3364	Ddmaok32.exe
4216	Djgjlelk.exe
1256	Daqbip32.exe
2068	Dkifae32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	43f05b2447e3b284ffe78fec9cd8c54b.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Kmijbcpl.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Kbfbkj32.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Leihbeib.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4688	3180	WerFault.exe	160

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakipgan.dll"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4372	4880	43f05b2447e3b284ffe78fec9cd8c54b.exe	86
PID 4880 wrote to memory of 4372	4880	43f05b2447e3b284ffe78fec9cd8c54b.exe	86
PID 4880 wrote to memory of 4372	4880	43f05b2447e3b284ffe78fec9cd8c54b.exe	86
PID 4372 wrote to memory of 916	4372	Kdnidn32.exe	87
PID 4372 wrote to memory of 916	4372	Kdnidn32.exe	87
PID 4372 wrote to memory of 916	4372	Kdnidn32.exe	87
PID 916 wrote to memory of 4788	916	Klimip32.exe	88
PID 916 wrote to memory of 4788	916	Klimip32.exe	88
PID 916 wrote to memory of 4788	916	Klimip32.exe	88
PID 4788 wrote to memory of 3260	4788	Kmijbcpl.exe	89
PID 4788 wrote to memory of 3260	4788	Kmijbcpl.exe	89
PID 4788 wrote to memory of 3260	4788	Kmijbcpl.exe	89
PID 3260 wrote to memory of 1904	3260	Kbfbkj32.exe	90
PID 3260 wrote to memory of 1904	3260	Kbfbkj32.exe	90
PID 3260 wrote to memory of 1904	3260	Kbfbkj32.exe	90
PID 1904 wrote to memory of 4444	1904	Kbhoqj32.exe	91
PID 1904 wrote to memory of 4444	1904	Kbhoqj32.exe	91
PID 1904 wrote to memory of 4444	1904	Kbhoqj32.exe	91
PID 4444 wrote to memory of 2688	4444	Kmncnb32.exe	92
PID 4444 wrote to memory of 2688	4444	Kmncnb32.exe	92
PID 4444 wrote to memory of 2688	4444	Kmncnb32.exe	92
PID 2688 wrote to memory of 4488	2688	Leihbeib.exe	93
PID 2688 wrote to memory of 4488	2688	Leihbeib.exe	93
PID 2688 wrote to memory of 4488	2688	Leihbeib.exe	93
PID 4488 wrote to memory of 1460	4488	Ldjhpl32.exe	94
PID 4488 wrote to memory of 1460	4488	Ldjhpl32.exe	94
PID 4488 wrote to memory of 1460	4488	Ldjhpl32.exe	94
PID 1460 wrote to memory of 1196	1460	Lekehdgp.exe	96
PID 1460 wrote to memory of 1196	1460	Lekehdgp.exe	96
PID 1460 wrote to memory of 1196	1460	Lekehdgp.exe	96
PID 1196 wrote to memory of 4540	1196	Lfkaag32.exe	97
PID 1196 wrote to memory of 4540	1196	Lfkaag32.exe	97
PID 1196 wrote to memory of 4540	1196	Lfkaag32.exe	97
PID 4540 wrote to memory of 836	4540	Lphoelqn.exe	98
PID 4540 wrote to memory of 836	4540	Lphoelqn.exe	98
PID 4540 wrote to memory of 836	4540	Lphoelqn.exe	98
PID 836 wrote to memory of 4944	836	Njefqo32.exe	100
PID 836 wrote to memory of 4944	836	Njefqo32.exe	100
PID 836 wrote to memory of 4944	836	Njefqo32.exe	100
PID 4944 wrote to memory of 2088	4944	Ocnjidkf.exe	101
PID 4944 wrote to memory of 2088	4944	Ocnjidkf.exe	101
PID 4944 wrote to memory of 2088	4944	Ocnjidkf.exe	101
PID 2088 wrote to memory of 1568	2088	Odmgcgbi.exe	102
PID 2088 wrote to memory of 1568	2088	Odmgcgbi.exe	102
PID 2088 wrote to memory of 1568	2088	Odmgcgbi.exe	102
PID 1568 wrote to memory of 4852	1568	Ocbddc32.exe	103
PID 1568 wrote to memory of 4852	1568	Ocbddc32.exe	103
PID 1568 wrote to memory of 4852	1568	Ocbddc32.exe	103
PID 4852 wrote to memory of 4796	4852	Onhhamgg.exe	104
PID 4852 wrote to memory of 4796	4852	Onhhamgg.exe	104
PID 4852 wrote to memory of 4796	4852	Onhhamgg.exe	104
PID 4796 wrote to memory of 4108	4796	Ogpmjb32.exe	105
PID 4796 wrote to memory of 4108	4796	Ogpmjb32.exe	105
PID 4796 wrote to memory of 4108	4796	Ogpmjb32.exe	105
PID 4108 wrote to memory of 4240	4108	Oddmdf32.exe	106
PID 4108 wrote to memory of 4240	4108	Oddmdf32.exe	106
PID 4108 wrote to memory of 4240	4108	Oddmdf32.exe	106
PID 4240 wrote to memory of 2992	4240	Pnlaml32.exe	107
PID 4240 wrote to memory of 2992	4240	Pnlaml32.exe	107
PID 4240 wrote to memory of 2992	4240	Pnlaml32.exe	107
PID 2992 wrote to memory of 4528	2992	Pfhfan32.exe	108
PID 2992 wrote to memory of 4528	2992	Pfhfan32.exe	108
PID 2992 wrote to memory of 4528	2992	Pfhfan32.exe	108
PID 4528 wrote to memory of 5044	4528	Pclgkb32.exe	109

C:\Users\Admin\AppData\Local\Temp\43f05b2447e3b284ffe78fec9cd8c54b.exe
"C:\Users\Admin\AppData\Local\Temp\43f05b2447e3b284ffe78fec9cd8c54b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\Kdnidn32.exe
  C:\Windows\system32\Kdnidn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\Klimip32.exe
    C:\Windows\system32\Klimip32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\Kmijbcpl.exe
      C:\Windows\system32\Kmijbcpl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
      - C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        70⤵
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 228
        72⤵
        Program crash
        
        PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3180 -ip 3180
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
161KB

MD5
1ddbd9fd792e68ecf29b03b6c08f059d

SHA1
4aadd42bea06901e1cb09bd18aa7fa0fa538af6f

SHA256
112be70e8614741259d8fe9e4056ca35aaebe998107476baef68b4591d7f4fb1

SHA512
2829925e6276ca688489de39aad090f1bfd7b4366784527c3700281efeb65e21d7a61f98ddfd0faeab4ec2e91530776b2ffaeee7707f7343b74106536cc6c2ef

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
161KB

MD5
58e422d931862aaec8906c45b4ee0afd

SHA1
26d1b44412dbe52a500f4889cc8f1b30d453fd4e

SHA256
2d81d176348e036ac547f0f0a236589fdfd904463558ea46af8daadefb89b5ee

SHA512
c294d96d86303b2cd25c9205a45da7843608ee248e96dee7626a548876e8cb11d3e6c8613fda1bb68e2f5b1b2ef9fe9319bf1a4dc15f1a5ed81ec2e0d27cf7bb

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
161KB

MD5
c385f1dc7a5b7971a7f3eb5d0c94b639

SHA1
bbc66514b2a58706626dd76db012417a6f6372d7

SHA256
f572a3a0ef36ab3162ee32a0652f5a4b8db16fc9abaad31fdfb74acd0d89eadb

SHA512
8f66fd18a8b750a1c00b39187ea41deff9fd23bedcebf5e17df8e5e489bac847b0171faa55f7b8c72958562c2c99a2dff1f87af4b295bc95921e520309d751ee

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
161KB

MD5
da2890e41c8b2d9ebb8b84c13ed42a34

SHA1
0a804b0bb3c860f6993a0712ce5d3fe579b390f3

SHA256
2926aaf278d4ce09d46b3bed932f10ebe38f64e12b05883b45efd52d775cdc88

SHA512
247c12a84bd0c318bcc4b310263de3e5fc9cde83aba7a3c327660226f352a55fba4336e9272a7c08e1a89a1440ba2ed538f9eb32d399fc54942ff1b0d236dcef

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
161KB

MD5
1bd749fe9c7f177f7dbb00a5f16acab5

SHA1
b75d986c453a2c33c8c40c2cc0c9cba07d5c9b48

SHA256
2f4adf050c86a18f9b5ba88dfc356a523db56e29f745c2a674306d95265cc061

SHA512
e1cabeb46574c6a6725ed88b3d863c24cbb7d04860a848792532a0b4b0a4199a61ff6d71b6628d9116d2118afd23152d45eeae7be7654ba0bfc5c96dd7ea9257

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
161KB

MD5
50f4b5e224b1bb764444511bef8dae9d

SHA1
466dc5fcaa738b1901442a441df88c1597d19a20

SHA256
12457f3ff593ea4e1970d6171e9b54105fd4e4c0a756efbd3c0c19d7ef6891f4

SHA512
0bf9a6197b93998e4156e9758d77baff14ceedaa08389bcc6eacc7a81e4124773f772c9046725982edb08789c2bc2a11b71d4fe5953685cbc22376e036aa5486

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
161KB

MD5
a1232c619b3d323a229ec814f6272948

SHA1
931d6ee6537a98d0e248f8ac7e736062aacf7925

SHA256
5d6919888dd4948b12b9ce1a3549ac2c0bb62bfa00cbd6b413ee90adb924e3a2

SHA512
5223657599dcecace9f0c7c2a63df7e225bf1007ac87376ee7368ad8b775f5b9f96bf94fe84d491540c8e9ec89dc82e4c9f18e0919a78d1f5c89c6a72948c3ad

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
161KB

MD5
f4316b8210f76553479d2c69a17bc911

SHA1
5328576aef64f28f5a5bf24b7a52d73a139c4021

SHA256
33e2b3f82fc72468c19a1ee32e71900ccb119f8640bc29cd991a64114f3d8660

SHA512
9c2f6cdd3a751d01a766578da9a8ade6c78e1ee12ae8eedfc5fa364705f1964a50cb0a6a25281a4668ff76fe8f3d8185093976455d5bae746565ab76d183dbff

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
161KB

MD5
accea2fa1ea6f8ce88ae608afac3ca59

SHA1
137295357a89ed41123ade6e222cb9ac77438784

SHA256
df2f5723b9beffe669e7847e3b63df59dc5adb6daac0f1242521ed57a8785356

SHA512
aff6a58163b390160f8c9afbf99d8d4d6392368174ba372167d70178733a2ae3f55acecee2b524d7855485f67e07a4d8afacce9dbdfd53d6167719e1c9f7847c

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
161KB

MD5
1704ddf9eb71633078e4af5bc68b7872

SHA1
c5b2a312587220d372eba020a0de9ad14056eec0

SHA256
e9e8841295ceae362407f5e39693eb382c2cbd0432ecb17fdb45cdf1df8a60a5

SHA512
45c867e9368051c3b7a93ff3f14ca4ddcbba020e774cee1d436c423bb7dc6e2c9e1db44cb2e484eb9243251daf169a93b3f68b5abea3f26e51d1dc79d193d978

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
161KB

MD5
25da0cdd0c08101da97d69d7786c4446

SHA1
508ce98370cabf86df9212de76b2cbc86f21f980

SHA256
c4b8e87810a92aaf3b0545fd9246a355223d80792500a95319df23ce2b04caae

SHA512
c2b3749f0f0b9af1f619fbb0a46fdae8f66d239c27f9eda6b5fc22f92ba9a06adf38a4b655c6ec33e8b89a277e6e13e7de986a2537719625fa40b35b8e38eb9f

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
161KB

MD5
fb94860e2bf590770727bb49d4dec5bf

SHA1
f63357f118763c00e0e97554f26749e1ef7983d0

SHA256
325e30854e5ead2be4e58255cba45ad651d82cf0481c5adf32ce66e7a139e712

SHA512
26390bb4e5ce7977aa7709d71ac50918dab47799630a1d7e3775d267cacb39ed64002860a15252509716e39c59d89bf4cfc0231aecf4f18110e5a85fdbc03bea

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
161KB

MD5
52251023eb69c0c29ac762f9d410d5e7

SHA1
e97c23ebf8905df49c3b32a2a835e0d71a46bc35

SHA256
3d2a4610616d15bc444ef2660db4665ad4ee1e47b2592ddb4aeb0ba045a37fe2

SHA512
cec9ffdcb555aef261ef9dd55ed6be3d28073932bbe6eef45800dc632c444c016bc3ea749fbbdb08a07e80b86b2c70ea4c57af7199103a04eb8cf4371d170588

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
161KB

MD5
37432852a56f8d091ca8dd24c2b2b62a

SHA1
9d7f7f0f42c7fe55ea153e0f2143e9f8e4e1403b

SHA256
6044a0b3b46b958fbe4819b4d9fbfb79753d549eb473b94ef03aef3448309827

SHA512
7dc7817178217951a0b57ba61f1aff90335ac9c727cda5b9116b2f48f1df49c2b141932981c31310d32134dc2289955cab2e11090dd7c1ae90a1d27f59a44938

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
161KB

MD5
b87ff5b4b2441d4f29479d9355af7522

SHA1
8f1f0ea29e0c7f5cd2f37646a3b3abbfe0674b6e

SHA256
2e139f5f8492a94aa4d41314b4bed235fe2d8e4ea209b0fed998a06f1bcbf54f

SHA512
056703ccac51b83f52b48d00de745a6372421734136639beadabedfae08b643635a6f119174f873e5ad39c423068144d3b1d029d268c620f22260d078cd0170a

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
161KB

MD5
4abc52b4f93da86ad8534472767107f2

SHA1
ef36dac098a02d1d79d4c58739703a7248527aeb

SHA256
bf98e7675adc7b9ba8fd724f60d34938e9827a8731b47842930f536a6c7cc73b

SHA512
79ee6666e506ea456f6cc98ccc608842454e9544f44115b99a3c0a25f9c0d9f1a9992f6ff3751ac3b2a789486acb44c01b3db8bcbe1ae489b7df52a0138be3fe

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
161KB

MD5
febbf8e85e8235ef67f88c93c6737f0f

SHA1
2d0e9ff721fdf41e7596fb164a5eb5fe15b6f022

SHA256
0fea510ed7b84b0a625dc83aa6f6611542a2d6eacbf3ba953df65a362a051e34

SHA512
d6812cc298d1f7035825dce55323faa18de54568db27d7b50d579a63b0847c4453f1a00593d6f52d27be755b0c13e9fc2c3b459146cbf05855aadd83858d14b3

Download Submit
C:\Windows\SysWOW64\Nkbjac32.dll

Filesize
7KB

MD5
13ad437da155a9b36b007d9676ce81bb

SHA1
5d2da7bda94af58b947713e4aabce344f4c18486

SHA256
0f209c9e296ce9d253702736c962f1a8c2eda800f353abdefbfca50ac8727afc

SHA512
e95e21e96f3b467e27876783154d292556e1b13bdecad89f392f13ea360d67fd0da9015d198af40bd520945f8846511f95e6bdee00472ceb494e403435a6b84a

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
161KB

MD5
520d39cbf46a9b40be748c97d15319e2

SHA1
55e95d2c046a7c43766a29f601f240c677efb9e3

SHA256
f1842bdf7f21eb65294dbb82fd5770c6656cc059c334a7bc2d234318c58a0f95

SHA512
5e7f701371827c05b9a2d0337a640e10f52750517e683cc7cb5263699288406fa2ac18f9b4207fb2a6f0bef2a80ad721a630194756a9c0406525b157166e2e3b

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
161KB

MD5
d803321c95b9ade0e3dcb55d0f88d95c

SHA1
6728ea3e7b6856d3f8b6b3a8795dcd8195fb4808

SHA256
3fd446e3eec2d7dc7ca34ae337d66c0b23173e913672dd801c14b934999f30d6

SHA512
26a6a8e5f9781eee07c91ff37493591d1162d6d2856e7d3b88b8d7fb91a60a6881ecc36cee5249b6f3439996eb740c0d077c7f5b03294d6f0f680c7dae7aa9a0

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
161KB

MD5
e6ebc52cfdb6a1bf0bd82dab3b4715d2

SHA1
6f5d0d06be2af99a539bef0e6de0a08a775d990f

SHA256
be9f592d4d39165d5c64093f0d4c0855ec048f71533ef47a05bd848289956dbb

SHA512
1fcea63f16960d52d2b2956886541eb96c883eddf4389624c999684989a010a10baf04d33e2d9910fa6976de515093157155d85ab240aa727dc7589035a9b552

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
161KB

MD5
ced7c28a3851ad2e16470475e46b7c7a

SHA1
0307185af19775336dd9f47b03304a5ae0896720

SHA256
16e2f0d9520234de6e53e8cd2a7b4da423683f246465d65ab2535c66c1064b84

SHA512
80fa53752d62d2e869857813a0864a50d4da41bd944f288c62b9de103c75819d4217f7a6870a42cd8d5ea98d4489b1deb52c6965daa36eb4c14121d1a75a4821

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
161KB

MD5
f25470302c71f41c88b877604352d7b1

SHA1
d166b7059bad49e67936ca74afa2f4e5a3a19b13

SHA256
e9e723a593b337151738c2225fcad6e050f9e34d40e9b0740d4a6282cca529be

SHA512
5bf62d9bea7b50717095cf4d0baabe2e5fd1a08aa34a5dbd89585c745553369dc5a9e869148d79dabfb502d5c36b4c2045f99dd42444c7678ff5b4f0cce9a798

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
161KB

MD5
392966ad1c6526550239e0c7935718f9

SHA1
c7eecee105e60012ec5a3c0301fe1056de7d8336

SHA256
966107e36d69eeaf5b55acf318cb4c44bb5e82def93efbd19fee0722ec35fb74

SHA512
83d991a457e1fcdc6e6d96731253872ae6409abc99c86976fe418d9d947aa6e8a36e39370ff1f08b04a1622db21e91c687991f14bdbf60d598c822d108dc2d60

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
161KB

MD5
9e69d8cbd15173b9504746e2f1accf07

SHA1
724615861f83ae47ef8aaf5b686c1310f060e1c6

SHA256
94203fdf98f0ea65146be3af39e770bd094cb7e2f9f3f9d0a77443f122c2ac8a

SHA512
47e365c8b95eb77e6b98df5b08da7a5ce3fb3c93b7074be5ecb0ae8379c6f1d8b328085020501bc455f84270c576ee99dd84b91d462b9e3d61e5b83ec622c12b

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
161KB

MD5
ed078344b0e863fb79488a4c050edbae

SHA1
ffe39178d5115e56f042b013463fa7c8f0275fce

SHA256
8e4eb371355b5c094cbbf8b974d716bad19d88a4e1f74b9f769076f746fd0f1e

SHA512
9a9397758fcc1e4772816b389d93165a5fbced0de8da985892c544c016a6bf1296e2b5e909879d6e4648d5b67b7cc25ca52eb6f26c45939a32ec5bc9a5577164

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
161KB

MD5
0cd9dab3d3c8d072131fc0b2fdc2a0a9

SHA1
5c34d15325e9326b034c085bff253e3abb2f2cfd

SHA256
c3a3278baedaa2584822f59f6c5b00bfbea118a556f4e5947c6e588d955bee34

SHA512
38bfdd9a01b75e8a5dc6c4b7fd35ba8f8403e4ce674d088013fdb9e5d2fd38a68a6da47ece152132c998ed4a534c9a0f003f726c8fd01567f2c596b7311d3850

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
161KB

MD5
8d1e673a14d9887584d9734afbe8c347

SHA1
1f9c63b48c62c5df7d7c95f0e803b64a9611391a

SHA256
4beb5ec2018bac2b8e5400431b23d719e3b77e2000956255e4ec5fa4444febe8

SHA512
3eb1bc25c45b3c4db984c23e323cd9b6a9d39102042b27dbec329a128b5397309ce78f188618299dd0ea6187f62fae20a962f4966d0c6b0b48d5a31b122644ef

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
161KB

MD5
f16a0114a5503f6ba24dfcf1ac30db41

SHA1
38d0d572c9995b3985ecd89dd4d36eeb32852720

SHA256
09a8bbc4f4d90dc059628d647c78372ce9bd8305699351407b37f76d872640c9

SHA512
05badcde9b1a0304de2b8f5e780f48bff34dedf6609501866355ba4fb7a17ce56a1258227dc1809e93c67ff885d70fbbe4e7599c1dff212b9cd0f0dffad19dd4

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
161KB

MD5
fef481fa9b48452e05bae66b24c08ac3

SHA1
65941ea0c4815b024a0e6e7c033c2e1743e95ef3

SHA256
9ac6cd0c4a6d1a245066992150ef9b12b023a8071632124dce6ecab8a177c422

SHA512
d9a7d0f003a9c5e860b3674783cea106d209c80e716dba795815d52cf20831c8b47248431113841474a410a6b6a05466863c219f2ac0efed47b8cc1fd0caad8a

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
161KB

MD5
6ce73fe11788f60cc234bd3e98c8da87

SHA1
dc9c3ae4e264cb3e5273e6529a2aef68d2e65a0f

SHA256
8ef2dc3275ebd8797b4525adb036f7faa952fd38733f3d92907813e8475b694f

SHA512
b431cdf67da19e900977a6e1e82bee00dd2653e41e573dabc04726ce2c9830c345fc9e50f212c61a71de08c54cae9642895c4ad57684c0b217ecc429cd5873ee

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
161KB

MD5
759ffa56bafaf29f29429186069ade95

SHA1
8e8e9a77806763a50760aef7cf36c6fe50b5d3b7

SHA256
24b3f9b7bd6f3c6404359077c3cc9206d99314651bfc2b49df77e1904a54d7f9

SHA512
5de2b5629b674549ff72cf08400b1fd577bf64fd7fc28925701a58850f4d503221c98a1887d2043b752618370d900da9dd7b549a4e610c7244dbea2f1e3bd650

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
161KB

MD5
cfb3ca9f007e23ad38a258ef3780de94

SHA1
07f73670204eb77ac84f62a37af35729c10c2d3c

SHA256
e30dde6992475ead32ee23c3437a6acceafc7dc9e3d4a86bcbe4ec4dc22fcdb4

SHA512
4309aaf04b3a13580fd904524debd5acb011ec395a598a9ed279d70bf0ca4ed40b91c079d5870458796e70bdf709f009b65fe30909e4c06a768f369ad25aa077

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
161KB

MD5
85d6f1e11ab2f29bfafe7d4cb1a28ee9

SHA1
614f37a6c9117b068e32d78b153b5457ac9a9fe0

SHA256
9d8711c8c2c298e670c14a95008ce4f8b27395b1824114bf0ce15909573e13ad

SHA512
659650e01858f07c72db0c3ab457372873829721ba1bb85517668bcad417cb7ef7860ccecfb633aabe4a1d018aa614f7dbcf6ffeb483c6b39b5534a0de72320a

Download Submit
memory/376-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/376-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1356-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1568-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-230-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2820-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2820-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3260-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3260-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3356-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3536-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3572-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4108-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4108-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-271-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4240-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4256-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4852-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4880-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4880-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads