a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26

Analysis

max time kernel
92s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
Size

3.7MB
MD5

376a1a3d45a991b8cb522dfe1d077e86
SHA1

d558bc436f9bf3d1ea8217b1de0677bb37b675da
SHA256

a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26
SHA512

260fe3dd90d2bc89a35d77dfd928922cab36a27deec16483e12016a76ea3a36799bd2e38d2b095e4ccfedf9d72fe67c17baeac4f6e7c17038b4969b246243f98
SSDEEP

98304:u6r6HaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjvha/4wzlF65T:kaSHFaZRBEYyqmS2DiHPKQgwUgUjvhoU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcojed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkojgao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aegikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmeobkq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aegikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qloebdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cecbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qloebdig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmflf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boepel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgqln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednaqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofdacke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hofdacke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednaqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boepel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcojed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhfjljd.exe

Executes dropped EXE 37 IoCs

pid	Process
4292	Qloebdig.exe
4064	Aegikj32.exe
3316	Acmflf32.exe
2112	Boepel32.exe
2012	Chmeobkq.exe
968	Cddecc32.exe
4308	Cecbmf32.exe
4568	Ehgqln32.exe
3964	Ednaqo32.exe
1496	Fkopnh32.exe
3812	Gcojed32.exe
1964	Gkkojgao.exe
1016	Gcfqfc32.exe
4816	Hofdacke.exe
5088	Hcdmga32.exe
624	Jbhfjljd.exe
4084	Kemhff32.exe
3844	Kpjcdn32.exe
4768	Lpnlpnih.exe
3720	Lmdina32.exe
5072	Mgfqmfde.exe
3716	Npcoakfp.exe
3168	Ndcdmikd.exe
2128	Ocpgod32.exe
1096	Oddmdf32.exe
4392	Pmannhhj.exe
920	Pncgmkmj.exe
764	Pcbmka32.exe
2472	Ajfhnjhq.exe
756	Bebblb32.exe
4320	Cfmajipb.exe
5096	Cenahpha.exe
3920	Cmlcbbcj.exe
1764	Delnin32.exe
4908	Deokon32.exe
1504	Dogogcpo.exe
5048	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aegikj32.exe	Qloebdig.exe
File created	C:\Windows\SysWOW64\Cecbmf32.exe	Cddecc32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Acmflf32.exe	Aegikj32.exe
File opened for modification	C:\Windows\SysWOW64\Cddecc32.exe	Chmeobkq.exe
File created	C:\Windows\SysWOW64\Djhgpa32.dll	Ehgqln32.exe
File opened for modification	C:\Windows\SysWOW64\Hofdacke.exe	Gcfqfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Gkkojgao.exe	Gcojed32.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Qloebdig.exe	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
File created	C:\Windows\SysWOW64\Fkopnh32.exe	Ednaqo32.exe
File created	C:\Windows\SysWOW64\Ngknngal.dll	Fkopnh32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Copfjgjf.dll	Qloebdig.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Cecbmf32.exe	Cddecc32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Chmeobkq.exe	Boepel32.exe
File created	C:\Windows\SysWOW64\Fnhfnh32.dll	Boepel32.exe
File created	C:\Windows\SysWOW64\Ednaqo32.exe	Ehgqln32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Jbhfjljd.exe	Hcdmga32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kemhff32.exe
File created	C:\Windows\SysWOW64\Boepel32.exe	Acmflf32.exe
File created	C:\Windows\SysWOW64\Lfkgaokd.dll	Ednaqo32.exe
File opened for modification	C:\Windows\SysWOW64\Gcfqfc32.exe	Gkkojgao.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Fkopnh32.exe	Ednaqo32.exe
File created	C:\Windows\SysWOW64\Hofdacke.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Hcdmga32.exe	Hofdacke.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jccejahl.dll	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
File opened for modification	C:\Windows\SysWOW64\Gcojed32.exe	Fkopnh32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Olgkhn32.dll	Cecbmf32.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Ednaqo32.exe	Ehgqln32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Acmflf32.exe	Aegikj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1852	5048	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnhfnh32.dll"	Boepel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkgaokd.dll"	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cecbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boepel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll"	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll"	Hofdacke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilabfj32.dll"	Acmflf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpijopg.dll"	Cddecc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laffdj32.dll"	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qloebdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll"	Gcojed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hofdacke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgqln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmeobkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpmkplp.dll"	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdamdma.dll"	Chmeobkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcojed32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4292	4680	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe	81
PID 4680 wrote to memory of 4292	4680	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe	81
PID 4680 wrote to memory of 4292	4680	a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe	81
PID 4292 wrote to memory of 4064	4292	Qloebdig.exe	82
PID 4292 wrote to memory of 4064	4292	Qloebdig.exe	82
PID 4292 wrote to memory of 4064	4292	Qloebdig.exe	82
PID 4064 wrote to memory of 3316	4064	Aegikj32.exe	86
PID 4064 wrote to memory of 3316	4064	Aegikj32.exe	86
PID 4064 wrote to memory of 3316	4064	Aegikj32.exe	86
PID 3316 wrote to memory of 2112	3316	Acmflf32.exe	87
PID 3316 wrote to memory of 2112	3316	Acmflf32.exe	87
PID 3316 wrote to memory of 2112	3316	Acmflf32.exe	87
PID 2112 wrote to memory of 2012	2112	Boepel32.exe	88
PID 2112 wrote to memory of 2012	2112	Boepel32.exe	88
PID 2112 wrote to memory of 2012	2112	Boepel32.exe	88
PID 2012 wrote to memory of 968	2012	Chmeobkq.exe	89
PID 2012 wrote to memory of 968	2012	Chmeobkq.exe	89
PID 2012 wrote to memory of 968	2012	Chmeobkq.exe	89
PID 968 wrote to memory of 4308	968	Cddecc32.exe	90
PID 968 wrote to memory of 4308	968	Cddecc32.exe	90
PID 968 wrote to memory of 4308	968	Cddecc32.exe	90
PID 4308 wrote to memory of 4568	4308	Cecbmf32.exe	91
PID 4308 wrote to memory of 4568	4308	Cecbmf32.exe	91
PID 4308 wrote to memory of 4568	4308	Cecbmf32.exe	91
PID 4568 wrote to memory of 3964	4568	Ehgqln32.exe	92
PID 4568 wrote to memory of 3964	4568	Ehgqln32.exe	92
PID 4568 wrote to memory of 3964	4568	Ehgqln32.exe	92
PID 3964 wrote to memory of 1496	3964	Ednaqo32.exe	94
PID 3964 wrote to memory of 1496	3964	Ednaqo32.exe	94
PID 3964 wrote to memory of 1496	3964	Ednaqo32.exe	94
PID 1496 wrote to memory of 3812	1496	Fkopnh32.exe	95
PID 1496 wrote to memory of 3812	1496	Fkopnh32.exe	95
PID 1496 wrote to memory of 3812	1496	Fkopnh32.exe	95
PID 3812 wrote to memory of 1964	3812	Gcojed32.exe	96
PID 3812 wrote to memory of 1964	3812	Gcojed32.exe	96
PID 3812 wrote to memory of 1964	3812	Gcojed32.exe	96
PID 1964 wrote to memory of 1016	1964	Gkkojgao.exe	97
PID 1964 wrote to memory of 1016	1964	Gkkojgao.exe	97
PID 1964 wrote to memory of 1016	1964	Gkkojgao.exe	97
PID 1016 wrote to memory of 4816	1016	Gcfqfc32.exe	99
PID 1016 wrote to memory of 4816	1016	Gcfqfc32.exe	99
PID 1016 wrote to memory of 4816	1016	Gcfqfc32.exe	99
PID 4816 wrote to memory of 5088	4816	Hofdacke.exe	100
PID 4816 wrote to memory of 5088	4816	Hofdacke.exe	100
PID 4816 wrote to memory of 5088	4816	Hofdacke.exe	100
PID 5088 wrote to memory of 624	5088	Hcdmga32.exe	101
PID 5088 wrote to memory of 624	5088	Hcdmga32.exe	101
PID 5088 wrote to memory of 624	5088	Hcdmga32.exe	101
PID 624 wrote to memory of 4084	624	Jbhfjljd.exe	102
PID 624 wrote to memory of 4084	624	Jbhfjljd.exe	102
PID 624 wrote to memory of 4084	624	Jbhfjljd.exe	102
PID 4084 wrote to memory of 3844	4084	Kemhff32.exe	103
PID 4084 wrote to memory of 3844	4084	Kemhff32.exe	103
PID 4084 wrote to memory of 3844	4084	Kemhff32.exe	103
PID 3844 wrote to memory of 4768	3844	Kpjcdn32.exe	104
PID 3844 wrote to memory of 4768	3844	Kpjcdn32.exe	104
PID 3844 wrote to memory of 4768	3844	Kpjcdn32.exe	104
PID 4768 wrote to memory of 3720	4768	Lpnlpnih.exe	105
PID 4768 wrote to memory of 3720	4768	Lpnlpnih.exe	105
PID 4768 wrote to memory of 3720	4768	Lpnlpnih.exe	105
PID 3720 wrote to memory of 5072	3720	Lmdina32.exe	106
PID 3720 wrote to memory of 5072	3720	Lmdina32.exe	106
PID 3720 wrote to memory of 5072	3720	Lmdina32.exe	106
PID 5072 wrote to memory of 3716	5072	Mgfqmfde.exe	107

C:\Users\Admin\AppData\Local\Temp\a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe
"C:\Users\Admin\AppData\Local\Temp\a6ffb5dac81cd6f58e4df0016e31cb6ac377391c65a1af932c11450503a6cd26.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\Qloebdig.exe
  C:\Windows\system32\Qloebdig.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\SysWOW64\Aegikj32.exe
    C:\Windows\system32\Aegikj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\SysWOW64\Acmflf32.exe
      C:\Windows\system32\Acmflf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 400
        39⤵
        Program crash
        
        PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5048 -ip 5048
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acmflf32.exe

Filesize
3.7MB

MD5
859332de7a5ea278c6af4e7b24e969dd

SHA1
8fa119b30d7dfeacb9894a03792cebd1a38eeee2

SHA256
920f99da86715f78a6c00597bf719e4c1cd1817a79711726bc326ad3b9f64ab6

SHA512
72fe63b070ca0bfd07ed9723332a11673e157438773d64279e95b99001cef1c20f1f3071a953b48227be81ad0887a1bfdeae7bee250b034beb5bb91beaa9be71

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
3.7MB

MD5
edfb9e55d578c09ec6b0b2f58fd487be

SHA1
4943eb8fc4df281930bbdc99b9294414a5186cf5

SHA256
d53dcd6427849ff4630b0bfab359895fe97a85ec0917f267d6d7434f286fab55

SHA512
5dca0b3ca032cefc04a8a3fc00296b79adc476882a11ded7dc1f96191dd25c55394e7f3b81ad359ddd9134228fa604c8acb5a67124e0f87aeaee7e4e9217dc1a

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
3.7MB

MD5
b94d66c8086da8168dafea030a013390

SHA1
b4ae9199bfe924acf262dbf2d89463d0ba933a37

SHA256
72dba04dd205b00e1dc1401f4becf22d17050fa425dea07d01ddbdb34262ec5e

SHA512
cd9e5bd0852da4a793fdea1d89ecbe4cb766c1ae7da285f381fe99b8e0b390a6dbe2350df461636c0e2aef0aa2cd3c53ae899a7d0ca4ab080d7dd7ab39c326d9

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
3.7MB

MD5
44383afe2c9ca25f7bdb4e3c3c7f649a

SHA1
eed866e84ddaf0d179479f94208ac36fb40cf537

SHA256
c7e4dbfdfc3ac834d288d6c013e33c9a44b27ff9069c2e505c008d61e4f49ee7

SHA512
32a4de8882e0a82b662ac54159245ae9a03f387a1879dda0725e5b0bbecbfdddf1f5e9be7892593aa20a2daa79e50843d2fe7c61f29bdc0213ca2bfcdcf78656

Download Submit
C:\Windows\SysWOW64\Boepel32.exe

Filesize
3.7MB

MD5
b5cf925c4af6063abcb425403a32c93e

SHA1
762fc20f193c67b52ca17dd9cced792c96271c69

SHA256
f9a2d917765e321bbd5cd0d3806cba60e734a52e69318f7404884cb99b8011e1

SHA512
8f7b6f5ee8ec7e3589099c0d82fbd25b8393ae6dc979eb19343859671975953d01e8a7850983227463e4eee85109322874e48e984314b39fb4c6c603e61b8b9d

Download Submit
C:\Windows\SysWOW64\Cddecc32.exe

Filesize
3.7MB

MD5
504d79ca7b2cea6ca9accdfe78d51635

SHA1
91a3fc6f1b59ed912c4d4c5b4faf51cefadfcded

SHA256
c69de6577186203fd00b698b40fa337239725053dba222f639b00608e99eb755

SHA512
f08fd383767f5abc8e315af089f2b4e182bc71fa29d70ea2d0058774b89f0dc09207e68f15149c71855457ed6250d4e91fd79b1fe43b380487688246b591698d

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
3.7MB

MD5
6cc20afb54a5253320a1548b2ea42615

SHA1
6c10bc57ce6b6fefca2695f4f551bd9ed677d520

SHA256
34cd0ee3a30e156f4879fceb33052e76e4ca549809b05f43b2f2ea4437e199cb

SHA512
9b0336267f1322828e3968689575a89fe452ad6d104f3e344888986e0f37e3b6c5eccd1d6d12a3bf97d950e5fe273d04e354448f8e67d0630bb779a1947bb474

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
3.7MB

MD5
b551031aa8720983011f95e75d46d459

SHA1
4c536d06739553d92b6e150e83552c7c25eb4daa

SHA256
c1253a1d306f9cf1151e6d46bd3f837be182e9b8a3683f4c0a79148c60163c71

SHA512
0546dd8ade90bbf2b10200001d24d9c336815225d7b6b4295d27d836da7691470709433cff84f5997f2997b3cf9f512082d85b3754c1a6cd23f2105876e37a67

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
3.7MB

MD5
c2f289e180479118e2d0fb109a813e4b

SHA1
1b3147074ce93c2ff82d4f55fd926a57c8872b9a

SHA256
7737be558c2727bf2f6a2b4b190580a6103f5510aa2fdbdd53405133dc07f22b

SHA512
d7434f492a15c29bef4c69e3de2fc95ce1c56d56ab0daa646a04a48d1d581fee549445f77f666ba24d391c0b52dfdb8c1dd0b6e3eb0f3176c657aa50779a3db0

Download Submit
C:\Windows\SysWOW64\Chmeobkq.exe

Filesize
3.7MB

MD5
ba9502b5796e1fa7b689970ca2e38f83

SHA1
7d10030d30873ac0e2b9a56e0d01f854dbdf0e44

SHA256
8afd2a9fba238f31033dd11c8d30c2e6ca2c5f5b2603cd5d4b21c9e195a4ae68

SHA512
45be42b287b5cd88faa136bc202c3dac433972895e7a141275589e93084ed6a4436c5599e56d8071224b99f449655599ba120006c5d2017395afe215ee136a70

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
3.7MB

MD5
484c2f7c7846cc80cf3dbcb612921610

SHA1
19336f4ba17762729de1dfa4ea2b672a7c444f77

SHA256
bbf07b7c129b0a7ae31d4fcc35e9c54bb20dc06c8eb7d53b49237eb029544f3f

SHA512
c735dffb489fbf33a8584cf33232c3b27d9f0b0a1cdd8949f56e8b72c03b2152583ce1abd373c06daefd66c674db1ce6082f4f6dc244bb69ca2ca0030f6e466d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
3.7MB

MD5
68cba61170d249c4f5e4d86359f252a0

SHA1
4883182a03378500b527fce7d24671a8fd1fc953

SHA256
0d7f3d45df51e9896499ebc3f49dd509d0c05faa5277833e9a871c9233b58710

SHA512
686b8f965957104b3a36160f1506af2e0f9b39566a11ff8cfcd6fe4f024a980187a4d3fb4ea45c67428fd0fa389fb2fa7a6c3a0b52fdbc35dc744baccc74762f

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
3.7MB

MD5
dbe2bed926a805fe3137861f2f5decad

SHA1
9fcf4742c476710936f70f7669ed4366037b427f

SHA256
78a5d7f9413a3145cfb47d2ab0e8b21fe67646ed399baa04e2c6f6cbee0d5bab

SHA512
6c6eb33b5e7b6a57260634f64c60ae9a7b93b905e861428139517e0662c1e67f4721c3ae0fc8f6dcab436ae08ce561e39513de56851de9ae602695c2d1f7d34e

Download Submit
C:\Windows\SysWOW64\Ehgqln32.exe

Filesize
3.7MB

MD5
08132c35c937acdb4dc85aa174d81cfc

SHA1
938539b4287ac72b114f3f99c49f36d7e7d76e02

SHA256
49b3268fd58e8066f7e136567f3c519e7f9fb1419e2bc968ad006c061d4bb18e

SHA512
6fcd9d0928e66b9d09fa88497e23df81c11cbb0513d4756c68b8935921420ff12ccca994d7248659d3756536cd9449e35390cf955f4f21f42528c8ef31a19836

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
3.7MB

MD5
623fa04c8a4a4c76efd209bcd7d6a1fb

SHA1
8b8026de8472e39b50bc9f5fa2e73fdafecab10c

SHA256
c98313bc8c18d1892c0423cab33e12b75aa916ddfbebbb3b984620a94bb7ecd4

SHA512
42474f8cb22c5e079b835909cfa0485a012785417cf9227e4fae64a54ee7e47f73c0e87bfcff0528ea528d7e1183f8ab15acb26aba225662946a3dd6dc7e9ca5

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
3.7MB

MD5
8d3ee4061321011775c3e13cda6136bf

SHA1
d600bc97780f8fbe5a259d08cb1e4cf9349533fb

SHA256
b2616f4e66c7a84fb931258a5798bc482765be6688233b82fc6bc2f35c1d9b74

SHA512
b9d513c04508f818bd3fb00bffbeb499204279e4ae03722564deb5588f0ce967f7789d6a38a31cf2a6daa354fa67ecb2556a37dd077fc4a6d5dcfaeb03560599

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
3.7MB

MD5
29766d8f64a917022b8ca18def03f3ee

SHA1
09696ed5a34c8745f92f75189aec17c7b2e734c4

SHA256
041a10043ecf7e951cce9f8f205f8763ea3bb9190f09d6962b83ccaab129d7c8

SHA512
2fcd0663af66e50e0b865f66b99ec2473c32c4137f272f6b8414aee3b2f5f876b21c9250669fbb3e7d9bb5a473de180bf8bf8aabb97c54099bd7b4b597551b08

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
3.7MB

MD5
271907f90b4897ec36db8e9fcdd51dd9

SHA1
a2f322016e91591ea2e4f484ec91e20c39e50d37

SHA256
c43e8b434f4918e57a7d950902d5c9d5190c5e76a5700d52117b5754f174ee11

SHA512
8e76871dea25dad9dbfead4e096cb8f9ac6461318850feec46f868370d571502cb05cee705b0ea0e536d64f6517ea22a1a551aeae26d95f1e0ace9f866cb6b8f

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
3.7MB

MD5
e786854f254db8762bf84015b0e6a8d6

SHA1
bc657de5c716ae6b51053dc151f2e8f6b11d0a8c

SHA256
8a1af5212a4de3fd68d119d5ac475f91597cc90973e665905a1d2bc6db0cd42e

SHA512
7b11f863edfd31f4ef6329d9f53a2168e68bb8051ac5348848212ead3567ed97e2e3554ee91bdb44bf140730dbb3302af6b6ece9387862dc2e8177a1ef2c01d5

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
3.7MB

MD5
8f3c503d9c28be584c687f8e2225b782

SHA1
64fc499dc7bff36bd430d7e6152d4b8eb7db0518

SHA256
7316e35fd682c62c97fb3f7b2cb7253b4217227a2fce24512d66892bed2501d2

SHA512
0f3846f4703b90ba4286007b0272e5bfb76ebb385a3024d0c9347d8b93b0c11e18ebd37fac43be8ca8496c818c4f8e3551a4f5f603a66ec8fbc3b54bc97ab9a7

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
3.7MB

MD5
5f7ab4cb8f16777716b83ef862b34938

SHA1
bd3aec26002ea6bfcaa310cee7c25a825a2ead28

SHA256
b5ecb34458a43c4be844db357998c54dec3dafbff2f16730ffabda64f087166a

SHA512
a7c01f28226a4bd0b762b92133d2dead3a870ea7e9dbd5f27ef2c684e2084a31d5509b23448ff43cfa765fd54815db67cac7d029c4179164300bb76eb2159754

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
3.7MB

MD5
a6260ab07e2dca1f0df3dc0112072342

SHA1
c79a5ba7e47cfe955163c3d53eafbbddec8293a6

SHA256
820d2dc369959544fe3c535ab806b98782dd2482d774399066f005d5f6a4f10a

SHA512
7dec6b3ae7157a593519d0b6ca60193f606327fdff486a9734c9cbbd4e1e8054e0c7bc0f69b6b40434c7af4db0a7dadbd887eada7c049608772ffebd34428724

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
3.7MB

MD5
fa5db1cf73396ab2d32a6ea054dfd4fa

SHA1
c5feec6245b0f763b9f6479a2fb60d6d0a93585e

SHA256
0ab5486eec7caab8bad811a8ac0c9007cb0a41bce5ab0d16c64c913d3f056701

SHA512
c849b7c90c716c03f4e332ac2afac3c4e93dbf0fc976b8da3cb96c9dc6f5d1a2401d35494ab82914731a36d340ed3d124afa2d335e4d237256c99e7dd0c75529

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
3.7MB

MD5
b8de22caea16681e012a3dd3944dc174

SHA1
f70b5ffec8324a9e4db501bcef655e558fbc467a

SHA256
25d0a533c3614c032f89cd2fe66abe2da83259e8ad84947fbf3e3f438db838f3

SHA512
699e34c66a12f40ee4b219607f1cb1af989ef2c42d59d65cee65ab203f4feccfcb98c65cd409cbf1acf83ae0126c19dbe677c2efea77ff7b2d50fb99ab596081

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
3.7MB

MD5
f741a69041165fefd1189802c90e003a

SHA1
30e562285913bedecb420efa4b86369811318da5

SHA256
2127025e77b26d7f8f32d35f2eb9eea7b59d27064c2a4352a2df474f38f050da

SHA512
cca1017e393dd610c1221d36a8692e149efd765536f3280732059e5b02afee860f261f756088d31b4f69b263574b72df51e51628d89daa26c3c972d04478d965

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
3.7MB

MD5
857097d46ccd5640dcbd66289f5d5455

SHA1
b2fd2f391f0c130c13bd7a22899c0e90e6171709

SHA256
0e860ce66affc21e07ef7fc36af7fdae386c6fbd34d5d00e46f2f8db8c87a23b

SHA512
1820ac792210be0394ecf4b3a934a5c89b3b6b9335647490fe7c014411704151e41e3c06917b1a4fcfe6da88abf566ec63aaa8e9bf29598b7144ebe07d3c627d

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
3.7MB

MD5
707b22e88aa54d4b5e2c4c502228617f

SHA1
bc376a59aca63cee7dfddbc682387f9f0279586e

SHA256
205826671026b07bc847c50f92b4287cd4bc847c5a523319969e0df2ef0d8e73

SHA512
c56e195aeb27db41b8e3affe458a6edc4ef2d2c111133df91e863589137ce7ace81d0f44fa6df61fe01f31aba05c6b33a83cd4def7a199c8c2db1c9a97f570cd

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
3.7MB

MD5
1abf709e1a49d9fe92181742171d92e8

SHA1
7ae3db0c8cf53ba24b4dc286844d0d1803e93e87

SHA256
885e879e3bd3348e5c2020132517667aa3b35cfb276555ab240dc8712fe26c88

SHA512
4d4086df96d1b10e0ba96bded92c0e2284e3e5feaec4310544de4345c509b35d44d5e0740366175a42e182ff0439f1e53066c796397d11af8f36a8ed1cc8457e

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
3.7MB

MD5
1d6e5fcbe95ca6527d99110ec40cd50d

SHA1
3c4f4ef4ba40a7efb0ad44f37275547159489e14

SHA256
a9cb026a4b157738fbce31c4a42e6cecd3fac93c577ce636ecb807d90a4bc06b

SHA512
4e572d42d4f19a1addf2c806ea6428110962cfbc56a59d7e301058d90a810f7474808ac868029e1ccf085c36571ad530093bee8684937bdf1dc3eba521223437

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
3.7MB

MD5
bf23cae8bbf60685bc3a9639f4d8a029

SHA1
37fd5870d62f54193da0ade2e8101fa65df23804

SHA256
04fe59965bbb39e58a50aecb896f913cc4e97bc298ebe1f5e4649965342fa68a

SHA512
e7200906c4b870b44828aedafa0751609da72598a7e4aa4f25bd4602f662f66225fd3b0663a1621f6ac815c7fe77f2ef0ad85729bb1de87fc5011da55c015974

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
3.7MB

MD5
ed4a6c90ec1d4bc89dbdd7296f789963

SHA1
a1208eed0f50b53f9340bd944c7887bab5a28687

SHA256
b3ee75eb857219261df9e888cdbf913b9b1d541f79fee746bca994d0fde7987e

SHA512
ee800a1c4f31c25509d4f628363f49daaae92cbe4a04c7b289bf7c6825a953d4a2225bbc08fb0e0bab15bda338e41c605875274ca211c5e00ebfce0eaeb7f4ea

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
3.7MB

MD5
93cf222d57ec53712f2dfe9141bbe244

SHA1
4a492a51e39354cf7f5db6c20487c4fc9ca4c981

SHA256
2c1cd54d26bc13da391a4eebe4d9b9268ea2b02b5aad08c27b533ec22e1ba494

SHA512
8155c97343e28ec25c68b112f8e9a1a7af76aee6d5f0feb0551733e840b9c4c0d2f8b2ab9a9d57d2313afe678a8d591e15b68acecb69a1fe4bb32b40c6ce83b3

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
3.7MB

MD5
32858e9291d29567368b60e0a6f1703a

SHA1
afc5caf10f80f81a81f07692118af00681ba4c4f

SHA256
b629c80bc7dd3816dcd2ed2fb74b9dc4581ee630e6c8033281f4c0c8e43c8f85

SHA512
5abe5ab55ba29b850bea3e7716f0e1ab9c9034600ae6b3d3919305a17dedf7866e24aef8dbad2b8fb02132deea4631a77b15d0b012798cab3db289e5c2526724

Download Submit
C:\Windows\SysWOW64\Qloebdig.exe

Filesize
3.7MB

MD5
00fc080baf8409bbd9f4c3e7957088b7

SHA1
7c0761895868a34394ecc4244a6867f910618ec1

SHA256
deb0fea77b091967d4e9a27e77c7345e285267a3861ce1d68b55aecece408ff5

SHA512
1ccb5d5f280aac2901e42ff655d194423052fbd5ac650c2363cb1acfb90ce5155b39562d963957b942aac91e6b804fad737052776213bee40948423758e96600

Download Submit
memory/624-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4680-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads