500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484

Analysis

max time kernel
119s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
Size

320KB
MD5

1f9101dceffb196f639efd0a02039067
SHA1

43b6d2792e27b676cfb38c6ab7c4ed600476545f
SHA256

500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484
SHA512

251fbef1d2093945e4ec8d3c154c906c3c6ba0926a194db55605393c82ee873867e1e5db582498d1b9fefdd5a8c86cb738ba18b1fbccf077887514b838e9e941
SSDEEP

6144:kGszmSPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8n:kGYuqFHRFbeE8n

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookmfk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfqkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhohda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookmfk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okdkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okdkal32.exe

Executes dropped EXE 33 IoCs

pid	Process
2856	Lcfqkl32.exe
2452	Mhhfdo32.exe
2640	Melfncqb.exe
2220	Ngdifkpi.exe
2712	Nlcnda32.exe
2372	Npagjpcd.exe
2872	Nhohda32.exe
1624	Ookmfk32.exe
2732	Okdkal32.exe
1868	Ohhkjp32.exe
1728	Pdaheq32.exe
536	Pnimnfpc.exe
2608	Pfgngh32.exe
1648	Pkdgpo32.exe
2928	Qijdocfj.exe
2200	Aaheie32.exe
2252	Aeenochi.exe
2820	Annbhi32.exe
2984	Apalea32.exe
1244	Ajgpbj32.exe
240	Apdhjq32.exe
1180	Bilmcf32.exe
1072	Bnielm32.exe
2992	Bhajdblk.exe
2184	Blmfea32.exe
2788	Biafnecn.exe
2816	Bhfcpb32.exe
1684	Baohhgnf.exe
1692	Bdmddc32.exe
2308	Bobhal32.exe
2940	Baadng32.exe
2700	Ckiigmcd.exe
2676	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2180	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
2180	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
2856	Lcfqkl32.exe
2856	Lcfqkl32.exe
2452	Mhhfdo32.exe
2452	Mhhfdo32.exe
2640	Melfncqb.exe
2640	Melfncqb.exe
2220	Ngdifkpi.exe
2220	Ngdifkpi.exe
2712	Nlcnda32.exe
2712	Nlcnda32.exe
2372	Npagjpcd.exe
2372	Npagjpcd.exe
2872	Nhohda32.exe
2872	Nhohda32.exe
1624	Ookmfk32.exe
1624	Ookmfk32.exe
2732	Okdkal32.exe
2732	Okdkal32.exe
1868	Ohhkjp32.exe
1868	Ohhkjp32.exe
1728	Pdaheq32.exe
1728	Pdaheq32.exe
536	Pnimnfpc.exe
536	Pnimnfpc.exe
2608	Pfgngh32.exe
2608	Pfgngh32.exe
1648	Pkdgpo32.exe
1648	Pkdgpo32.exe
2928	Qijdocfj.exe
2928	Qijdocfj.exe
2200	Aaheie32.exe
2200	Aaheie32.exe
2252	Aeenochi.exe
2252	Aeenochi.exe
2820	Annbhi32.exe
2820	Annbhi32.exe
2984	Apalea32.exe
2984	Apalea32.exe
1244	Ajgpbj32.exe
1244	Ajgpbj32.exe
240	Apdhjq32.exe
240	Apdhjq32.exe
1180	Bilmcf32.exe
1180	Bilmcf32.exe
1072	Bnielm32.exe
1072	Bnielm32.exe
2992	Bhajdblk.exe
2992	Bhajdblk.exe
2184	Blmfea32.exe
2184	Blmfea32.exe
2788	Biafnecn.exe
2788	Biafnecn.exe
2816	Bhfcpb32.exe
2816	Bhfcpb32.exe
1684	Baohhgnf.exe
1684	Baohhgnf.exe
1692	Bdmddc32.exe
1692	Bdmddc32.exe
2308	Bobhal32.exe
2308	Bobhal32.exe
2940	Baadng32.exe
2940	Baadng32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Nhohda32.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Aaheie32.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Melfncqb.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Mhhfdo32.exe	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Pnimnfpc.exe	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Okdkal32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Ikhkppkn.dll	Okdkal32.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Mhhfdo32.exe	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Okdkal32.exe	Ookmfk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Lcfqkl32.exe	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
File opened for modification	C:\Windows\SysWOW64\Nhohda32.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Negoebdd.dll	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Edobgb32.dll	Ookmfk32.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Lcfqkl32.exe	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	Pdaheq32.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Annbhi32.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bhfcpb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2676	WerFault.exe	60

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookmfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edobgb32.dll"	Ookmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2856	2180	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe	28
PID 2180 wrote to memory of 2856	2180	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe	28
PID 2180 wrote to memory of 2856	2180	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe	28
PID 2180 wrote to memory of 2856	2180	500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe	28
PID 2856 wrote to memory of 2452	2856	Lcfqkl32.exe	29
PID 2856 wrote to memory of 2452	2856	Lcfqkl32.exe	29
PID 2856 wrote to memory of 2452	2856	Lcfqkl32.exe	29
PID 2856 wrote to memory of 2452	2856	Lcfqkl32.exe	29
PID 2452 wrote to memory of 2640	2452	Mhhfdo32.exe	30
PID 2452 wrote to memory of 2640	2452	Mhhfdo32.exe	30
PID 2452 wrote to memory of 2640	2452	Mhhfdo32.exe	30
PID 2452 wrote to memory of 2640	2452	Mhhfdo32.exe	30
PID 2640 wrote to memory of 2220	2640	Melfncqb.exe	31
PID 2640 wrote to memory of 2220	2640	Melfncqb.exe	31
PID 2640 wrote to memory of 2220	2640	Melfncqb.exe	31
PID 2640 wrote to memory of 2220	2640	Melfncqb.exe	31
PID 2220 wrote to memory of 2712	2220	Ngdifkpi.exe	32
PID 2220 wrote to memory of 2712	2220	Ngdifkpi.exe	32
PID 2220 wrote to memory of 2712	2220	Ngdifkpi.exe	32
PID 2220 wrote to memory of 2712	2220	Ngdifkpi.exe	32
PID 2712 wrote to memory of 2372	2712	Nlcnda32.exe	33
PID 2712 wrote to memory of 2372	2712	Nlcnda32.exe	33
PID 2712 wrote to memory of 2372	2712	Nlcnda32.exe	33
PID 2712 wrote to memory of 2372	2712	Nlcnda32.exe	33
PID 2372 wrote to memory of 2872	2372	Npagjpcd.exe	34
PID 2372 wrote to memory of 2872	2372	Npagjpcd.exe	34
PID 2372 wrote to memory of 2872	2372	Npagjpcd.exe	34
PID 2372 wrote to memory of 2872	2372	Npagjpcd.exe	34
PID 2872 wrote to memory of 1624	2872	Nhohda32.exe	35
PID 2872 wrote to memory of 1624	2872	Nhohda32.exe	35
PID 2872 wrote to memory of 1624	2872	Nhohda32.exe	35
PID 2872 wrote to memory of 1624	2872	Nhohda32.exe	35
PID 1624 wrote to memory of 2732	1624	Ookmfk32.exe	36
PID 1624 wrote to memory of 2732	1624	Ookmfk32.exe	36
PID 1624 wrote to memory of 2732	1624	Ookmfk32.exe	36
PID 1624 wrote to memory of 2732	1624	Ookmfk32.exe	36
PID 2732 wrote to memory of 1868	2732	Okdkal32.exe	37
PID 2732 wrote to memory of 1868	2732	Okdkal32.exe	37
PID 2732 wrote to memory of 1868	2732	Okdkal32.exe	37
PID 2732 wrote to memory of 1868	2732	Okdkal32.exe	37
PID 1868 wrote to memory of 1728	1868	Ohhkjp32.exe	38
PID 1868 wrote to memory of 1728	1868	Ohhkjp32.exe	38
PID 1868 wrote to memory of 1728	1868	Ohhkjp32.exe	38
PID 1868 wrote to memory of 1728	1868	Ohhkjp32.exe	38
PID 1728 wrote to memory of 536	1728	Pdaheq32.exe	39
PID 1728 wrote to memory of 536	1728	Pdaheq32.exe	39
PID 1728 wrote to memory of 536	1728	Pdaheq32.exe	39
PID 1728 wrote to memory of 536	1728	Pdaheq32.exe	39
PID 536 wrote to memory of 2608	536	Pnimnfpc.exe	40
PID 536 wrote to memory of 2608	536	Pnimnfpc.exe	40
PID 536 wrote to memory of 2608	536	Pnimnfpc.exe	40
PID 536 wrote to memory of 2608	536	Pnimnfpc.exe	40
PID 2608 wrote to memory of 1648	2608	Pfgngh32.exe	41
PID 2608 wrote to memory of 1648	2608	Pfgngh32.exe	41
PID 2608 wrote to memory of 1648	2608	Pfgngh32.exe	41
PID 2608 wrote to memory of 1648	2608	Pfgngh32.exe	41
PID 1648 wrote to memory of 2928	1648	Pkdgpo32.exe	42
PID 1648 wrote to memory of 2928	1648	Pkdgpo32.exe	42
PID 1648 wrote to memory of 2928	1648	Pkdgpo32.exe	42
PID 1648 wrote to memory of 2928	1648	Pkdgpo32.exe	42
PID 2928 wrote to memory of 2200	2928	Qijdocfj.exe	43
PID 2928 wrote to memory of 2200	2928	Qijdocfj.exe	43
PID 2928 wrote to memory of 2200	2928	Qijdocfj.exe	43
PID 2928 wrote to memory of 2200	2928	Qijdocfj.exe	43

C:\Users\Admin\AppData\Local\Temp\500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe
"C:\Users\Admin\AppData\Local\Temp\500e3f4ec16e8aa92ab0a2a5e542b36ee451a3ab415dfffda80df152566b1484.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\Lcfqkl32.exe
  C:\Windows\system32\Lcfqkl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\Mhhfdo32.exe
    C:\Windows\system32\Mhhfdo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\Melfncqb.exe
      C:\Windows\system32\Melfncqb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Nhohda32.exe
        
        C:\Windows\system32\Nhohda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ookmfk32.exe
        
        C:\Windows\system32\Ookmfk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Okdkal32.exe
        
        C:\Windows\system32\Okdkal32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        34⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 140
        35⤵
        Program crash
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeenochi.exe

Filesize
320KB

MD5
ab8237f8b89489a58a68b28b8bf5002b

SHA1
01273951bec211129fa0113abb86cd9518de539c

SHA256
1347391c184d13aeb98e52b95c3ad5757b240ad0dbefdf270281eef54e3dc21e

SHA512
a81854524644693c4660286fa4699fda3befa2e2eb700fdb21ac00cf396ac8862053954cb86ef217002db5ff3c86b4f62b4fffd39dd1149b5cf425e3de2f361d

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
320KB

MD5
bec01dfb83446e7ba6c26e3836de1de7

SHA1
d6fc50743fb45497917e613de67727c326d80114

SHA256
23aeb19fc5f6288b9fb43b3f0a9a42ed0bf5050bd99f3c66c8c1ae3610dfe08b

SHA512
9691424010e08fe5719df88635a8aabc0f7404dc1a21af04001bbd3080a6b3847fee1c2cd020830dd1dafaaaacc59c3e84e48a9957fe99d236549c4a2b471458

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
320KB

MD5
cd78e8f7aacc851fe190a69a96d4d69a

SHA1
9a711fbced77551ace1f00d4129530447c065b10

SHA256
ca2b394d7b6d016990e9bf09c8e167a1066fa3a8fc1393213d36d2b7554fdbbd

SHA512
2d6784a55be98671e6495b12253f7522d8f6f4c399857e31927b315e4d165d863bdf05b702a368451928189d4f582438c572910a81477742a3284f5149426f40

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
320KB

MD5
4deb189f44949d2b4cb2f4baaf24b79c

SHA1
561462fc43925ab2256b1fe6088a3fc62c5d6abf

SHA256
08f6ac88510aa619109eeb6540c53c7892ef49a4b8c24f9d9954c1c094108047

SHA512
f61bce853d6ef0b9b57f3a819a680b7690eb57cc1de3aa2979d84dcd67ea90cd4f561a97e55293fa836695bb00fe23dba2682f884ca890fbe390cc1b56be0413

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
320KB

MD5
23ef172ed1d8cf516ec3ced5c0dcdd6f

SHA1
d8dd8a840615e6d39231d0b0a88834ed8350fe40

SHA256
fc0325905a1be9284c6ce4e44bc5cfa72491a975ddd2032735293c4051de9a4d

SHA512
382c9a54ea50cfaf6fb3eb7f19b0376612b8afd0501f59bd73a43d6d7ca84b6d3ec9c011e7733300c3f85bb266f43bf0749e589c8333fa70b54ab119198ef4b2

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
320KB

MD5
2d3391fa19e65e4fbb7fd913575fb5d1

SHA1
481760aa5a3b9abb09b1dd0e879636f978930dcf

SHA256
907f97a9fbdd0e933ff6f8aaee226a95a0cb3792c63b3369104b86879dd552f4

SHA512
74fda1fab684db452e802eef770b1ca189d167bb213da1857beeef18220f47ea64072963c10635850f24427b4c7a9adb7b1309d4f1a42134e6bbe021e57d34ce

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
320KB

MD5
e9dd9f63d2b31aa35768cc1bda0de4f5

SHA1
3c59fe52641a4ea658436c24d030e64752ea7710

SHA256
7408414592627c8825eb624e1b6e71025aa951969c9da42e0258aa1f3ab67046

SHA512
79436fd5bc71123888940226048c84afe4f96546a5a9a08d1f9bc9ae0c300a9c62b4854e6ad36dca2065a3e2554e87e125a0dcc59289f2b8c9e5e63ec85d05b6

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
320KB

MD5
2b9403754879671d436c4afd4b55cda2

SHA1
d6a34c7a6f7a554903f8251b9f382c9dc0d82577

SHA256
98c8e6b84dd024232279b347544dc807ec0dc5b1f7fd53f3395fd4f4fa0756fe

SHA512
f43ee762b2c2a02c626f5063f6a0dd88f4051a3379e268afee2dc5903e948e74caf0bf1417278d632ac17edb083e3734d84f98a93aebf1e5d248ae50cf672f44

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
320KB

MD5
9559efbda306449e3b01de7c141290ec

SHA1
d6a2f5aa4efe4ae2608b89227ee80a0f26fba627

SHA256
d0114f42a0ba8e78ed7d7c7dc45c0f192756bdebc8c57d10d8348935a9265ed9

SHA512
5ec29a6d369cefb6aeb6386614695ec65d81bcbca1a681b42a0773ac36a6fe7da386b0a4164a5d44ad44cdbcc2c20565b4e3cdf9434f56870d885268c7c7a8bc

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
320KB

MD5
5df2b3b81d9afebd27304498587953c6

SHA1
d08d517391c972a041d0ca5d6e8ee40567cfd9c0

SHA256
4bc20073fd35111643d60d19f55888fd137ed2d53249cfaa07c2e90bb78dbcd0

SHA512
16fe0b8848a4ab8c229eab995581bdbc3c05b9bca64d85df580dcfa620fb18f1bb6d9a5cc915ccf9739d1da562f5fa6d1eef971d7130d98044ccacdd1ad1bab6

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
320KB

MD5
e3f0888d7852543cadf6edd58b5b5f4a

SHA1
a9b4e044ae18622e53a26e59699be7cd5238ee7c

SHA256
17ea54457cf961946757e0f8d359668777e161343e683a82d597420cd39e44f1

SHA512
dd7329de6912b109d91a3bb90ecd5682ddf0996f3939e0d421d704a1b45deb6293230e6fcd8c093773e1881b1d0d2580e3c48beb188aa57c702f60eb3b60198a

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
320KB

MD5
02b9796ddc3cf5e6787a7c89e50fc831

SHA1
253fa7242bea9ee50d7a6a9d5e9a47a294a0733f

SHA256
75de97931bd06a89eb0d03a2b390204d4823255eaad3c2d0d31078d978cae7f6

SHA512
979f1c00e39300aa1d696b6892d4ac3c91e3488b7c8d86afaa7955428a62ed25b0015202d70f1ea7cc99f76e3a5081a2e76945a72c3c0b8c38830cfec54efa82

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
320KB

MD5
e58d7e1139fc009485a377bb8bb79966

SHA1
c9d4038012f71d3277ce9e5944cc6e75044dbaa7

SHA256
0305926d15b770d3ce91294f9de0bd4e17bfbe5fb500b1b62d55632554e486da

SHA512
1079a3899c597f89e6d3638ba53119c730c199fb60e24bb2067d0a5a3803634d4c635fcb639ba4f75e1cee8731433b7d104e1b02f2bda34cca9b8bc8d295ee5d

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
320KB

MD5
b86fb2ff850449288e437780fea76ab2

SHA1
a9c3cdd359b7e21ada73f728d2927db48f470a46

SHA256
5169a608028952ed81748368f18d0e037f36d2197d3fcbb6a460a5d21477413b

SHA512
2c32528f08d74dad9dc53fbbd788c1d38c68609c18cefb8d85b4481abfce6ac2e044abd3e716ad3cec3f5778d805dc8d004a08069ba623f6cc39869e637ecffd

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
320KB

MD5
1286102410c44b273e8971c4530ad37d

SHA1
7ca60df8b840ae512e3f4d1fd7451a9e30554535

SHA256
1a7328b27bc5e67351841252e0f4d9b470640a2f4d58532eade568828a2ccd81

SHA512
cc3ba06c4eb4fc2f57506d517839bdd0326edc067a07e5fe2ddaa1e8eace382586e1454cc790d88318635227224224757633c23e33c859f4e983e3692f7c7afc

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
320KB

MD5
cb160d66857b1ae095c220651b6730c8

SHA1
3e9ec93fb9f03199a4e4e8a6985cfbc4d509bd53

SHA256
5cd3c2fc3b71068ec6dcc058581aae53b837c5ef1d1c1ec21d23f8ca221a372b

SHA512
bc368179eb569f005960541aa310246e5fe89898523deba105efae339216c8dd558b3ca3ac637bc13c532bdc63a7e2af80e37edb00727e090ecba5ed79d6dbad

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
320KB

MD5
614e1cb1488d4afa1012000664b1f404

SHA1
7d34662643c4420dac15d8568eddb51f1f9602c4

SHA256
aa2adf81df73f54cf0a7ec10b2a170eaa74e9611331052f5e608185d35efd0d0

SHA512
91c76ad1d0347a78b4e3691fabc415e81d3c7bab4f1e1ceb987243d0ec8f50f134282c072e0835f19306d1756c1f7b47a6b995e9428ee2b3509d22f1ff277358

Download Submit
C:\Windows\SysWOW64\Ohhkjp32.exe

Filesize
320KB

MD5
a096f068f63bdcc2308f58530ade3477

SHA1
b228267a15184eca758be9622fcd8288e703890e

SHA256
117f635ca3a916749eff6dd90be12992d64762da6dbf212f4aa53b83ba2da178

SHA512
8b7d1007979b20fdd68aeb08cc2742e7d60e86a2e3de658dfee5b7bb5cdaf7c81047d25dbe7b5c808720ea29fa4ea653335711fa0e23dd51b531327d0b0bf17d

Download Submit
C:\Windows\SysWOW64\Ookmfk32.exe

Filesize
320KB

MD5
27c6b5e255818ffe82891665c561e4e2

SHA1
b81331aa157e21b40fb21a87ea93cb2c58dfc2e0

SHA256
55468e5cff6a23bca0705d3f2a712d436b344d0a4b2a679ac81a4a9ad1535130

SHA512
084604324c38801d50fb5da776bb4fcb5d792ef74d04b2672ab8a46546ceec78c84c4d1329b6c1780545a0509a78c5df2c7fdefd68c7e122769b62debe7b3e64

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
320KB

MD5
ae929a866e50c8604ea04011da019786

SHA1
8448e3976d7fea26c3f147a570cfc9b062b191ef

SHA256
fb1c68ecddc9c97a64f059b3859785f3ef3f28463d9d56fda4d9cadd27a6a17a

SHA512
37d2897249e9ddf40b4bfbbfb704ba882e6e1246ad48d4c5797bbd245f27d6b0eb0ec45d281bf5a2ce6078e57c136ae5435190d51e8ccd1be7ab932b4b5af417

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
320KB

MD5
adc65f4601fa9be1184f08762ea3fa78

SHA1
42958ccba8015bdf744b2470b046931e192fd9b7

SHA256
8d75077979f8ffda6bad3ede1beb995c58ab0244e378ec2168b26a7b24acf142

SHA512
351ec892288d7c54c796c66b825593a13976b50234a2b66cd5666623fe0761e3f22a03cce7d3ae44dd00639a15ab1eeb6f1ab00638b4949cc486f1b8e8de465d

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
320KB

MD5
22525d7881584cd5dd122fcca1358a06

SHA1
7658f3ce53d3cad2e3402c2988fd283a4a61844d

SHA256
c9f4a26934a2ec06754a0b9c09f0d5d2c3ad89ea346f73be7a6b8c0b00074e50

SHA512
547c05d4097cd85f732320e0d84aeaffc78ceccea4153546c466a448c18f6981bf148a9bbe98c2e3869c138f09b5d560c59bf8a711a9e5eec756ab158f358b16

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
320KB

MD5
046ca59ed6118e5c11c6f7d5535b6fe5

SHA1
3dc9bb6634b1f7fbd402bfa1d4bcfbb5336543ec

SHA256
597ae6ff5f8cf08e20158ae99b42063e6e22537753a497584241ba6b7d206330

SHA512
4a8075558c1c8a2de864ea4fd3417c74a1e49563e9eb95ef59ab03f40f03fc3f002000669b6f7e999b96d606e265c244cce0c3563bcffd963d3fbff8a0dd3b4c

Download Submit
\Windows\SysWOW64\Melfncqb.exe

Filesize
320KB

MD5
ab76f968b439dfda56b0df1f496d564a

SHA1
876fff1c0d3bf53996d4587deba5ec2ba7629a6e

SHA256
fad58bd3bb6c49e90354f5333d50061d0245715acc217dacd25333c9623f94d1

SHA512
c3fb88b0687bf2cc14d0698e20b4dbd943d1943bbdb9c470beddfc6592dd3bc7cd14e2ea501cc256bac3363d2daa1b27168806fec00de01bfab5ba725b3be01e

Download Submit
\Windows\SysWOW64\Mhhfdo32.exe

Filesize
320KB

MD5
a74b9f046d6506980180f59a64d0e3f9

SHA1
ebf696c4adde86914660f4bd9564abbb93f714c1

SHA256
453179be9cae0244f6934255ce78b9dade4c4ca6ed97e4b081de1e71c287a900

SHA512
a256ab88d3a0c0cae49b807e11a95e4b513861e54f9fe283524a8ecc966ecf9e0c3e79dd55b375be4a376818fb54c78b19c01eb7f217f53798f5dea5ba9f4eea

Download Submit
\Windows\SysWOW64\Ngdifkpi.exe

Filesize
320KB

MD5
70793a0e61ea82636a81ba73ef394553

SHA1
1f6f5e103e046330d9fb24d4cfd26ba4b118cfb3

SHA256
6cb57bd963127603f3fee1ed13a6473f0b7b3311a990dd466b65ff9c8cb6e9a9

SHA512
9587ab4e9c7ee4890c48efa7f6fbfe600afb64b7151a7eed1323438812b83ef37afcdc57109b385625932f8dcb33c7be8a6c2b11fbc18d85057c9295c27b5f0f

Download Submit
\Windows\SysWOW64\Nhohda32.exe

Filesize
320KB

MD5
bf8db7ea65b31c3ca164cb2ba13ea13b

SHA1
8da7fe79fdfa1e95812de2915fa76e7853b73bcd

SHA256
f37e720c769d9234618c7bd7b7c7f488cf981e028ef04e1e971ba687e22935ba

SHA512
800a8183788d61aed32191740b67d9f58bdabf9cca97dc44adaf37ad31a5c06ebdbd4c364a0fc3e165319b6b9537f4dede02a7a0b49374bd1ff2927c5ce76355

Download Submit
\Windows\SysWOW64\Nlcnda32.exe

Filesize
320KB

MD5
c9514f0e2ab6bd98b5dcec330934a2fd

SHA1
f056b3e752e39875ff76c9a532b3fdaeb56e2529

SHA256
a3258ec21c540a411600051c025b9eaf75ba9ff079c0c30749ec723eb26abfd3

SHA512
87a0573e951c6f2a84adae022e7606c8b89810de3ca55a7b97cd181b180a1ad8c89f2714eeddd7a56a5ef59d44f8b3e48c0e0ee5ac3bcc5f90a6e4786cf79266

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
320KB

MD5
3b8dc6b0f1d0e88df5aecb493ffe45a9

SHA1
852c308ff95eb84e724f1eadce22e52a2d4473fc

SHA256
9a34dd8a29be4c6a2abfdcc1005e1c19d02fde14d5a62901ff036691b4b27f9b

SHA512
d7dff504664069865b50a4c121fd019bf9f47a05288ea81dd97c24e159401e4419760c092754f1bad2abb09de47b047a8db0ad086c284ae5d5ab8a699c35b5a9

Download Submit
\Windows\SysWOW64\Okdkal32.exe

Filesize
320KB

MD5
0cec361be735f5862c6482664c0bfe1e

SHA1
485a534b8cc0fd56629e961bffaace848d652026

SHA256
8f1ccb4eec3f1a278488e8824aa0796ad3993e5cb74916e10676ac9661ea73b5

SHA512
f7a0e06b38a00f972dcd8a098e1a11bdc784e6ffa6f1b4d4226d4e1d2d7be8070173bf1d03cdd37c2ef8df7494a7f8b24188da2e2c22b7b26c5771ca9c5c3141

Download Submit
\Windows\SysWOW64\Pkdgpo32.exe

Filesize
320KB

MD5
67f610835d2b1be9a01bb03b5afae64f

SHA1
9aa30507498baf96e0894c97f10ff010dfb0345d

SHA256
d4f370eea25c36129e88c01b42ccb51f285aa06bc2c24d3f9aac242dabd6b479

SHA512
16c483f3de11ad9000e4f4656bd40af3b9af265f0bcf9f049d5e34a8c399304918554393d68a488bbf921bb67dc57d2b9915104df2fe0e424153398293a30c9f

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
320KB

MD5
a77671bc545051e5ee03e0d5174da196

SHA1
166ff009f3ac16fbdc37b256f6de1e5cb9a7245c

SHA256
8d7c0067dec4ea3418799ec855acf8dd8aea20f813d3543158f98ec327b73200

SHA512
c6339573aed0f64e890632d0acc323f76c67cd4c7b96635f1ca3077a98c5a71dcc322a5a51ace0bb310424146e66c58d02e367e41264154952c9e83661356c50

Download Submit
\Windows\SysWOW64\Qijdocfj.exe

Filesize
320KB

MD5
551d711341770e93c72252c3b286c42d

SHA1
f7a0bba0d7adafa6b32036a0f66d06f9d9b6aa9c

SHA256
a85e22c79b48e11fb270afdf81264933f30ed4a4d00a5c17b7f4ebf029f742c7

SHA512
9cb8edfb02bd94a8c8b553bce22dd4ad69478ffeace3ec265fa94bb92b5ebf3f928f7ec102cc4eb35cea131c841ea500d76622ad67b8bbe01fe9af77ad5fa5af

Download Submit
memory/240-272-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/240-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-300-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1072-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-282-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1180-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-262-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1244-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-198-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1684-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2180-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-63-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2252-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-233-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2252-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-39-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2608-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-53-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2700-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-243-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2820-242-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2856-24-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2856-31-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2856-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-208-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2928-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-252-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2992-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads