141ce9a3722d4b42191a94c6116652935a205e5b07e5499d87a60096ebe49b87

Analysis

max time kernel
174s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
Size

92KB
MD5

199b2d175990e0eec5f1a93cbb79f020
SHA1

6c31827e4c8ddb70246a0627ad80157f321c7334
SHA256

141ce9a3722d4b42191a94c6116652935a205e5b07e5499d87a60096ebe49b87
SHA512

0fb73d367bfaeb8774f93e7b1246b435d4193474bcdbe27399e4f5f84395d5d13200c7e105f8f83a200d4cc236206e51dfaabff6799362d53f5e3d67a0ccce96
SSDEEP

1536:fRVnFsvdE+IZfSWdr/XnRSoY37gtNZS5851bRQ7Mn2RzBvrk3HR96TC+qRbDb1SY:fR3wd6J5drfncoYrGZ4ihe7G203H/6Ts

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chiblk32.exe

Executes dropped EXE 28 IoCs

pid	Process
1408	Ocjoadei.exe
4812	Oghghb32.exe
3988	Oaplqh32.exe
4256	Ocohmc32.exe
1228	Omgmeigd.exe
1796	Ohlqcagj.exe
3484	Pccahbmn.exe
4556	Pnifekmd.exe
1904	Ppjbmc32.exe
1104	Pnkbkk32.exe
5024	Pnmopk32.exe
4064	Qaqegecm.exe
1892	Afpjel32.exe
4780	Amnlme32.exe
3696	Amcehdod.exe
4700	Bgnffj32.exe
4976	Bhmbqm32.exe
3316	Bhpofl32.exe
1984	Bahdob32.exe
4688	Bkphhgfc.exe
4892	Bajqda32.exe
4420	Chdialdl.exe
1784	Cammjakm.exe
3236	Chiblk32.exe
2788	Cpfcfmlp.exe
760	Dafppp32.exe
1420	Dahmfpap.exe
2192	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnokgcbe.dll	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnifekmd.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Amcehdod.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Pccahbmn.exe	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bahdob32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Ppjbmc32.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Chdialdl.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Chiblk32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Ojenek32.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Oaplqh32.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Pccahbmn.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Ppjbmc32.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Dafppp32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Amnlme32.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Bgnffj32.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bhpofl32.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Dhhmleng.dll	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Pnifekmd.exe	Pccahbmn.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Lhdbgapf.dll	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Pnkbkk32.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Pjllddpj.dll	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
File created	C:\Windows\SysWOW64\Lpghll32.dll	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Pnmopk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1220	2192	WerFault.exe	112

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amnlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll"	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afpjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oghghb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chiblk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1408	3596	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe	85
PID 3596 wrote to memory of 1408	3596	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe	85
PID 3596 wrote to memory of 1408	3596	199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe	85
PID 1408 wrote to memory of 4812	1408	Ocjoadei.exe	86
PID 1408 wrote to memory of 4812	1408	Ocjoadei.exe	86
PID 1408 wrote to memory of 4812	1408	Ocjoadei.exe	86
PID 4812 wrote to memory of 3988	4812	Oghghb32.exe	87
PID 4812 wrote to memory of 3988	4812	Oghghb32.exe	87
PID 4812 wrote to memory of 3988	4812	Oghghb32.exe	87
PID 3988 wrote to memory of 4256	3988	Oaplqh32.exe	88
PID 3988 wrote to memory of 4256	3988	Oaplqh32.exe	88
PID 3988 wrote to memory of 4256	3988	Oaplqh32.exe	88
PID 4256 wrote to memory of 1228	4256	Ocohmc32.exe	89
PID 4256 wrote to memory of 1228	4256	Ocohmc32.exe	89
PID 4256 wrote to memory of 1228	4256	Ocohmc32.exe	89
PID 1228 wrote to memory of 1796	1228	Omgmeigd.exe	90
PID 1228 wrote to memory of 1796	1228	Omgmeigd.exe	90
PID 1228 wrote to memory of 1796	1228	Omgmeigd.exe	90
PID 1796 wrote to memory of 3484	1796	Ohlqcagj.exe	91
PID 1796 wrote to memory of 3484	1796	Ohlqcagj.exe	91
PID 1796 wrote to memory of 3484	1796	Ohlqcagj.exe	91
PID 3484 wrote to memory of 4556	3484	Pccahbmn.exe	92
PID 3484 wrote to memory of 4556	3484	Pccahbmn.exe	92
PID 3484 wrote to memory of 4556	3484	Pccahbmn.exe	92
PID 4556 wrote to memory of 1904	4556	Pnifekmd.exe	93
PID 4556 wrote to memory of 1904	4556	Pnifekmd.exe	93
PID 4556 wrote to memory of 1904	4556	Pnifekmd.exe	93
PID 1904 wrote to memory of 1104	1904	Ppjbmc32.exe	94
PID 1904 wrote to memory of 1104	1904	Ppjbmc32.exe	94
PID 1904 wrote to memory of 1104	1904	Ppjbmc32.exe	94
PID 1104 wrote to memory of 5024	1104	Pnkbkk32.exe	95
PID 1104 wrote to memory of 5024	1104	Pnkbkk32.exe	95
PID 1104 wrote to memory of 5024	1104	Pnkbkk32.exe	95
PID 5024 wrote to memory of 4064	5024	Pnmopk32.exe	96
PID 5024 wrote to memory of 4064	5024	Pnmopk32.exe	96
PID 5024 wrote to memory of 4064	5024	Pnmopk32.exe	96
PID 4064 wrote to memory of 1892	4064	Qaqegecm.exe	97
PID 4064 wrote to memory of 1892	4064	Qaqegecm.exe	97
PID 4064 wrote to memory of 1892	4064	Qaqegecm.exe	97
PID 1892 wrote to memory of 4780	1892	Afpjel32.exe	98
PID 1892 wrote to memory of 4780	1892	Afpjel32.exe	98
PID 1892 wrote to memory of 4780	1892	Afpjel32.exe	98
PID 4780 wrote to memory of 3696	4780	Amnlme32.exe	99
PID 4780 wrote to memory of 3696	4780	Amnlme32.exe	99
PID 4780 wrote to memory of 3696	4780	Amnlme32.exe	99
PID 3696 wrote to memory of 4700	3696	Amcehdod.exe	100
PID 3696 wrote to memory of 4700	3696	Amcehdod.exe	100
PID 3696 wrote to memory of 4700	3696	Amcehdod.exe	100
PID 4700 wrote to memory of 4976	4700	Bgnffj32.exe	101
PID 4700 wrote to memory of 4976	4700	Bgnffj32.exe	101
PID 4700 wrote to memory of 4976	4700	Bgnffj32.exe	101
PID 4976 wrote to memory of 3316	4976	Bhmbqm32.exe	102
PID 4976 wrote to memory of 3316	4976	Bhmbqm32.exe	102
PID 4976 wrote to memory of 3316	4976	Bhmbqm32.exe	102
PID 3316 wrote to memory of 1984	3316	Bhpofl32.exe	103
PID 3316 wrote to memory of 1984	3316	Bhpofl32.exe	103
PID 3316 wrote to memory of 1984	3316	Bhpofl32.exe	103
PID 1984 wrote to memory of 4688	1984	Bahdob32.exe	104
PID 1984 wrote to memory of 4688	1984	Bahdob32.exe	104
PID 1984 wrote to memory of 4688	1984	Bahdob32.exe	104
PID 4688 wrote to memory of 4892	4688	Bkphhgfc.exe	105
PID 4688 wrote to memory of 4892	4688	Bkphhgfc.exe	105
PID 4688 wrote to memory of 4892	4688	Bkphhgfc.exe	105
PID 4892 wrote to memory of 4420	4892	Bajqda32.exe	106

C:\Users\Admin\AppData\Local\Temp\199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\199b2d175990e0eec5f1a93cbb79f020_exe32_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\Ocjoadei.exe
  C:\Windows\system32\Ocjoadei.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\Oghghb32.exe
    C:\Windows\system32\Oghghb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\Oaplqh32.exe
      C:\Windows\system32\Oaplqh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
      - C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 412
        30⤵
        Program crash
        
        PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2192 -ip 2192
1⤵
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afpjel32.exe

Filesize
92KB

MD5
0c450c1153d8372b69cc3aded63fc074

SHA1
3ec5d869e1a9a3e62bc34e54d975d47e959935eb

SHA256
446a9139651412c77f54f0fd96292197b80d992dacdf4ddd499ebb2509d2805c

SHA512
147dd1b5a1c4da53e7dcdec251c9b818539ea32eae44ab50ff191d58c763b03ae7457965bd3f2e3628cf0f7949c9b711f54d0ce463684a783bb91d822967f9ba

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
92KB

MD5
0c450c1153d8372b69cc3aded63fc074

SHA1
3ec5d869e1a9a3e62bc34e54d975d47e959935eb

SHA256
446a9139651412c77f54f0fd96292197b80d992dacdf4ddd499ebb2509d2805c

SHA512
147dd1b5a1c4da53e7dcdec251c9b818539ea32eae44ab50ff191d58c763b03ae7457965bd3f2e3628cf0f7949c9b711f54d0ce463684a783bb91d822967f9ba

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
92KB

MD5
aef76c0096d820fc7bce2af5b9022a14

SHA1
4e82f8284f47dd7ce3214b1ff50972822a060eb7

SHA256
d1e0c031615c8a68455ba112929a78992a1be3e62e3fe864a7175d0dd736812e

SHA512
749d5a08ecd3447119b00133fe1ebd4c623a572e9af54d1032d5b285403cb187f789a6b579017ab54127deb2d1e7406997f56193427fa8d59fa636025f37472d

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
92KB

MD5
aef76c0096d820fc7bce2af5b9022a14

SHA1
4e82f8284f47dd7ce3214b1ff50972822a060eb7

SHA256
d1e0c031615c8a68455ba112929a78992a1be3e62e3fe864a7175d0dd736812e

SHA512
749d5a08ecd3447119b00133fe1ebd4c623a572e9af54d1032d5b285403cb187f789a6b579017ab54127deb2d1e7406997f56193427fa8d59fa636025f37472d

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
92KB

MD5
de695d5d40aa18da9fed8ee71da9412b

SHA1
c1c9df1b7bc41f01b49421325ea7cee29441beea

SHA256
5b5260ea7aeb4ffdad29300496b6367411aaff2cf9291edf01ef70ccafa6bbc3

SHA512
256a7063bf4a25f90ac488b07fdbc42443aa95f002ab7a71aa362b41c67cdc602c21e512b4b9f23bea829e43dabfd995c6cba0b44fbcb2d7783a8a587e2f6539

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
92KB

MD5
de695d5d40aa18da9fed8ee71da9412b

SHA1
c1c9df1b7bc41f01b49421325ea7cee29441beea

SHA256
5b5260ea7aeb4ffdad29300496b6367411aaff2cf9291edf01ef70ccafa6bbc3

SHA512
256a7063bf4a25f90ac488b07fdbc42443aa95f002ab7a71aa362b41c67cdc602c21e512b4b9f23bea829e43dabfd995c6cba0b44fbcb2d7783a8a587e2f6539

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
92KB

MD5
0c98d124997075dadbc271f697423a7f

SHA1
2d410ff9dc4a077a18a0bd9bd2a2a4d1bbb85781

SHA256
de7a49c7bed67de670478ca12633bf8170f9cc349599731bd97673d8018c038a

SHA512
713dc6ed5a6299e7974c37968f5a00192ce60e8b8e82239e083aae1c15cedf0a17d0ef3e021036f16c5e6ae799c54c8d31f86d9c2287602c373a3c411f3033fb

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
92KB

MD5
0c98d124997075dadbc271f697423a7f

SHA1
2d410ff9dc4a077a18a0bd9bd2a2a4d1bbb85781

SHA256
de7a49c7bed67de670478ca12633bf8170f9cc349599731bd97673d8018c038a

SHA512
713dc6ed5a6299e7974c37968f5a00192ce60e8b8e82239e083aae1c15cedf0a17d0ef3e021036f16c5e6ae799c54c8d31f86d9c2287602c373a3c411f3033fb

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
92KB

MD5
2310a2dc8bd82be674c4b5dae9528522

SHA1
37bead5bcff477326c6cbbe2af6abdcba618b4c3

SHA256
80a89931772e673f9c23ab5d55a7a524ce0d0a9cd5c83c65c5ff90e446c5afc0

SHA512
8770af10ddf817229854b5d850f7ad43f523ef48ecafc74493865bf0483d95591065b4e1228aa7f5bc0cd533cf1bce729937cc91c539417e5bd87178726dda36

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
92KB

MD5
2310a2dc8bd82be674c4b5dae9528522

SHA1
37bead5bcff477326c6cbbe2af6abdcba618b4c3

SHA256
80a89931772e673f9c23ab5d55a7a524ce0d0a9cd5c83c65c5ff90e446c5afc0

SHA512
8770af10ddf817229854b5d850f7ad43f523ef48ecafc74493865bf0483d95591065b4e1228aa7f5bc0cd533cf1bce729937cc91c539417e5bd87178726dda36

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
92KB

MD5
ec87dd3d25bc76b2a99b518b6a7e07f2

SHA1
dcd28d853038451f072a4ca0f68bccfa0548e3e5

SHA256
5e19451ad2c403566de6db0786f80495d97188aca2083507f59b432de0abf5a6

SHA512
3ed6794bde03a1c8184bffea15ffb6eac9145a6f884e1dce24107b88107114cacc03a0bc6edac5e46e5f068197b567a639bd5ace0ecb210638626d67555a84bc

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
92KB

MD5
ec87dd3d25bc76b2a99b518b6a7e07f2

SHA1
dcd28d853038451f072a4ca0f68bccfa0548e3e5

SHA256
5e19451ad2c403566de6db0786f80495d97188aca2083507f59b432de0abf5a6

SHA512
3ed6794bde03a1c8184bffea15ffb6eac9145a6f884e1dce24107b88107114cacc03a0bc6edac5e46e5f068197b567a639bd5ace0ecb210638626d67555a84bc

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
92KB

MD5
f7e361618d7da89ce6b3f6183db1020a

SHA1
f70ca3b785f65d3b03066eae2df62f49ab76c1c4

SHA256
dcb85e71e766b360649d205a58fd393d6a957b64687dae7bbd5563d7c5630426

SHA512
dae11becd968be50f92928e6862d8ee1fcf7e5179f38fa12d49c9842b9da1237f9912a48835af527757653cca474ee9a4fb9dc3609159054976d592ec5dbde3b

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
92KB

MD5
f7e361618d7da89ce6b3f6183db1020a

SHA1
f70ca3b785f65d3b03066eae2df62f49ab76c1c4

SHA256
dcb85e71e766b360649d205a58fd393d6a957b64687dae7bbd5563d7c5630426

SHA512
dae11becd968be50f92928e6862d8ee1fcf7e5179f38fa12d49c9842b9da1237f9912a48835af527757653cca474ee9a4fb9dc3609159054976d592ec5dbde3b

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
92KB

MD5
c29dbaae519551a29c6cc585ecd91642

SHA1
f31104e28a74cf773789875e26a4c6b0c2952838

SHA256
f8d03f39adb8b1c94abed8c5b0f8e3261506757dba5c5fa2a527d3a6058b17d2

SHA512
88c6c438ffa569e9c88264f224113ae6c35f17c0249cd3026814698ec999e0364095821a27b8cf9bde1ba0d36854e7c155f8a7ecd32ec6a6f85af89fbc34884e

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
92KB

MD5
c29dbaae519551a29c6cc585ecd91642

SHA1
f31104e28a74cf773789875e26a4c6b0c2952838

SHA256
f8d03f39adb8b1c94abed8c5b0f8e3261506757dba5c5fa2a527d3a6058b17d2

SHA512
88c6c438ffa569e9c88264f224113ae6c35f17c0249cd3026814698ec999e0364095821a27b8cf9bde1ba0d36854e7c155f8a7ecd32ec6a6f85af89fbc34884e

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
92KB

MD5
71625d388a966d8d95e7406f835acf07

SHA1
5045008d38d01dcd40bce6d7c657dc278bee3092

SHA256
f90021f18f302156ac7ad092339f9f15165ef9176a336094035eb64f8f186540

SHA512
71318d1d89d6551228af0aedb050e85b0ac30b123abd8673d78e9d63ab1f8a0ce55668c273e8062c0b5f76ed3bc47ad00b63b49d4eb096d8ba1f330750efffeb

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
92KB

MD5
71625d388a966d8d95e7406f835acf07

SHA1
5045008d38d01dcd40bce6d7c657dc278bee3092

SHA256
f90021f18f302156ac7ad092339f9f15165ef9176a336094035eb64f8f186540

SHA512
71318d1d89d6551228af0aedb050e85b0ac30b123abd8673d78e9d63ab1f8a0ce55668c273e8062c0b5f76ed3bc47ad00b63b49d4eb096d8ba1f330750efffeb

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
92KB

MD5
b520ef97a2df9b1ced579fd1a79ab971

SHA1
b1b60a3655aff1c167893f3cd30f3bee16d50fad

SHA256
ff76648c7cf854f9a212be3caae89ca12afe6c8fc0824dc962d03937d84994be

SHA512
4bc49a24115e9b5cabe53a9cbf3b0808db8efb6745ebead26f11001c020302da97f6b16c6f99bd12a48efbb6b2fa127d760073dc32010f34b4d740d727e62464

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
92KB

MD5
b520ef97a2df9b1ced579fd1a79ab971

SHA1
b1b60a3655aff1c167893f3cd30f3bee16d50fad

SHA256
ff76648c7cf854f9a212be3caae89ca12afe6c8fc0824dc962d03937d84994be

SHA512
4bc49a24115e9b5cabe53a9cbf3b0808db8efb6745ebead26f11001c020302da97f6b16c6f99bd12a48efbb6b2fa127d760073dc32010f34b4d740d727e62464

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
92KB

MD5
b520ef97a2df9b1ced579fd1a79ab971

SHA1
b1b60a3655aff1c167893f3cd30f3bee16d50fad

SHA256
ff76648c7cf854f9a212be3caae89ca12afe6c8fc0824dc962d03937d84994be

SHA512
4bc49a24115e9b5cabe53a9cbf3b0808db8efb6745ebead26f11001c020302da97f6b16c6f99bd12a48efbb6b2fa127d760073dc32010f34b4d740d727e62464

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
92KB

MD5
05c40dd69b16142ee1866d9f53be7953

SHA1
3054450cb30ffd305cefdeca45ad1213cb63e052

SHA256
5397b504bb434cac8ff41dd38df47c6e235afb30e843bb3e8515874817a7514b

SHA512
8b6d4140e1ebde29770c71a9a29b56620263e506a57f6b3c684a7251ae384fa444abe9841677faf33ae38c72441e70a92fb3af46ed762cea366efe10e3df5707

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
92KB

MD5
05c40dd69b16142ee1866d9f53be7953

SHA1
3054450cb30ffd305cefdeca45ad1213cb63e052

SHA256
5397b504bb434cac8ff41dd38df47c6e235afb30e843bb3e8515874817a7514b

SHA512
8b6d4140e1ebde29770c71a9a29b56620263e506a57f6b3c684a7251ae384fa444abe9841677faf33ae38c72441e70a92fb3af46ed762cea366efe10e3df5707

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
92KB

MD5
b520ef97a2df9b1ced579fd1a79ab971

SHA1
b1b60a3655aff1c167893f3cd30f3bee16d50fad

SHA256
ff76648c7cf854f9a212be3caae89ca12afe6c8fc0824dc962d03937d84994be

SHA512
4bc49a24115e9b5cabe53a9cbf3b0808db8efb6745ebead26f11001c020302da97f6b16c6f99bd12a48efbb6b2fa127d760073dc32010f34b4d740d727e62464

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
92KB

MD5
67056eedbb4ab66cc4b83f946a53bf7e

SHA1
d652230fdd067d37ed0e86c1dcab4b9121834cc4

SHA256
60f97c0d8250711dc1c7bb5248859f433b4d6ac2430971072615ff8b12ac7a89

SHA512
2c434a838468c1910bdacc97be96bcad7fc7f90b558ca8c4802fa10d4a684b3991a963aa2c6e79df2798add4d58ec87f6211ba46ca2d1a6c12a7f8462c1e29ff

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
92KB

MD5
67056eedbb4ab66cc4b83f946a53bf7e

SHA1
d652230fdd067d37ed0e86c1dcab4b9121834cc4

SHA256
60f97c0d8250711dc1c7bb5248859f433b4d6ac2430971072615ff8b12ac7a89

SHA512
2c434a838468c1910bdacc97be96bcad7fc7f90b558ca8c4802fa10d4a684b3991a963aa2c6e79df2798add4d58ec87f6211ba46ca2d1a6c12a7f8462c1e29ff

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
92KB

MD5
96e80901d34d13cc9ddfa2a103cefdfa

SHA1
44db2063c2eccc9a9b6b9cc6defca8f24d8f5d0a

SHA256
d64e6e251e047e8e841db520ceffe74f2199bb8d2e01fe87cd532ee08e60d913

SHA512
0546bdb341e6daf21eb1babcb57470029d6d2f191a22abf9b622ef19e2bff874c27e51d6fe7c9764d7fedd55121e2c5a856d5384edbb37023d5c57de37fa2999

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
92KB

MD5
96e80901d34d13cc9ddfa2a103cefdfa

SHA1
44db2063c2eccc9a9b6b9cc6defca8f24d8f5d0a

SHA256
d64e6e251e047e8e841db520ceffe74f2199bb8d2e01fe87cd532ee08e60d913

SHA512
0546bdb341e6daf21eb1babcb57470029d6d2f191a22abf9b622ef19e2bff874c27e51d6fe7c9764d7fedd55121e2c5a856d5384edbb37023d5c57de37fa2999

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
92KB

MD5
6692c2cfde240e33467bcd526b8bf84a

SHA1
348f7ffa9d16fe011e604963d79b95f7ba3bf26e

SHA256
d6ebf9f567d87d5cd37f52df2bfdf3a85980e37134fc7913ab4d0783a3b432b4

SHA512
cfaaec67c2135809837ea3bcf18183dee792f31ece0c5972e506c10b498106aa00db45550e921d8bc0fed2ce14df4d2cf4a8612b890bd0bd581f5b84309847f7

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
92KB

MD5
6692c2cfde240e33467bcd526b8bf84a

SHA1
348f7ffa9d16fe011e604963d79b95f7ba3bf26e

SHA256
d6ebf9f567d87d5cd37f52df2bfdf3a85980e37134fc7913ab4d0783a3b432b4

SHA512
cfaaec67c2135809837ea3bcf18183dee792f31ece0c5972e506c10b498106aa00db45550e921d8bc0fed2ce14df4d2cf4a8612b890bd0bd581f5b84309847f7

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
92KB

MD5
6692c2cfde240e33467bcd526b8bf84a

SHA1
348f7ffa9d16fe011e604963d79b95f7ba3bf26e

SHA256
d6ebf9f567d87d5cd37f52df2bfdf3a85980e37134fc7913ab4d0783a3b432b4

SHA512
cfaaec67c2135809837ea3bcf18183dee792f31ece0c5972e506c10b498106aa00db45550e921d8bc0fed2ce14df4d2cf4a8612b890bd0bd581f5b84309847f7

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
92KB

MD5
20e1f656cc77f8f808bc55d5cfd06a07

SHA1
8b2f454a9c1a9d5ceb2bebbe7cae59db71329748

SHA256
bb900434b9e9ff095c198eb53ddea81290ddd2e47c234ac913eb6bdd142a2bc7

SHA512
cbccb75ea866cde06c9ca32d8e3cb94a1315254bfefdfad747ad798f824b995ec212350aa9523f42a75ad191870444e88422cc505e53dcad8783869a421ea0b6

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
92KB

MD5
20e1f656cc77f8f808bc55d5cfd06a07

SHA1
8b2f454a9c1a9d5ceb2bebbe7cae59db71329748

SHA256
bb900434b9e9ff095c198eb53ddea81290ddd2e47c234ac913eb6bdd142a2bc7

SHA512
cbccb75ea866cde06c9ca32d8e3cb94a1315254bfefdfad747ad798f824b995ec212350aa9523f42a75ad191870444e88422cc505e53dcad8783869a421ea0b6

Download Submit
C:\Windows\SysWOW64\Dhhmleng.dll

Filesize
7KB

MD5
f42b4706b916e095a665b534d65be2b3

SHA1
f927379ee95a945b631709e273e66db28487a7fe

SHA256
4b56a006f73e014a694992b0dbb5b9fe2ac0f21716e2eba9771cc84f729e83be

SHA512
6d6be4b98fe7929de607b0d9c03a39b9633b3eb764f5fb5ac4d8780559e108a3bbc1ad6d1628cd0ecbf83d14b4bda48856638fd8dab014c9d86516640ef2c948

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
92KB

MD5
e4b7b11e492f8a01f7ca0d6da53b13ec

SHA1
9969e8c3ba53d1e02edee37e5922442448c4825e

SHA256
4cb9c06dadc6947ccfde57f7b71fd499ead8d121c4b86f272ba3840d13a4b1ad

SHA512
d6b7015e07b4244ee7d524cac0c7d4271480e490de7d4d2fd1fb72aa16ed00737fd04eec39a8c06385161ac6b6d09639ccfe14334c6946433b0667b29747a2fc

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
92KB

MD5
e4b7b11e492f8a01f7ca0d6da53b13ec

SHA1
9969e8c3ba53d1e02edee37e5922442448c4825e

SHA256
4cb9c06dadc6947ccfde57f7b71fd499ead8d121c4b86f272ba3840d13a4b1ad

SHA512
d6b7015e07b4244ee7d524cac0c7d4271480e490de7d4d2fd1fb72aa16ed00737fd04eec39a8c06385161ac6b6d09639ccfe14334c6946433b0667b29747a2fc

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
92KB

MD5
4f2c519945ad741cfbba5a55e04e8c23

SHA1
ac172f8c4c7301a9521cac98bd12a77af5e2d27e

SHA256
f14da3e6de68b069fd93b847e8036c06a39965909b8fb1a7a0e31e768b10fe32

SHA512
1fa7f57562b20fa9e0a528c74a9d7d90852f8e03ab0a94d4c6a0aa5a59c173815693aba40d81adaf267e27096dbe3a535323ce6394f405c5dcd8680d608342c4

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
92KB

MD5
4f2c519945ad741cfbba5a55e04e8c23

SHA1
ac172f8c4c7301a9521cac98bd12a77af5e2d27e

SHA256
f14da3e6de68b069fd93b847e8036c06a39965909b8fb1a7a0e31e768b10fe32

SHA512
1fa7f57562b20fa9e0a528c74a9d7d90852f8e03ab0a94d4c6a0aa5a59c173815693aba40d81adaf267e27096dbe3a535323ce6394f405c5dcd8680d608342c4

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
92KB

MD5
2a5761641c7950a817f48967b6d61768

SHA1
aa1f10054ba62aa6bdcc36894428e257d7efdd86

SHA256
7a1cfbd34cea5c8d2dc0f968481289cafc35cdd8159ca8af2a63a38725a9bc0d

SHA512
f28f2b225bd43898070f859fb136c67f30726d0687cf224153d4aaac14a08b56e6f7ab37e2f33c32051fae037cbbcda9caa38b11e5ab7149ac6ddc601a23c485

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
92KB

MD5
2a5761641c7950a817f48967b6d61768

SHA1
aa1f10054ba62aa6bdcc36894428e257d7efdd86

SHA256
7a1cfbd34cea5c8d2dc0f968481289cafc35cdd8159ca8af2a63a38725a9bc0d

SHA512
f28f2b225bd43898070f859fb136c67f30726d0687cf224153d4aaac14a08b56e6f7ab37e2f33c32051fae037cbbcda9caa38b11e5ab7149ac6ddc601a23c485

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
92KB

MD5
bb2cf4e1b55977f19f56f16af3f76916

SHA1
56acfbb572480461c440dcd6bde34cebe6c60b27

SHA256
05f35cde63786453f508260a18d71a1d4ecba6904d9bf1431c9008644a389af5

SHA512
aa20396db88aac4b7f401a7a5e82c57fd523b1a46f64141851d80e34275ecaec8cf662dd223743a4c3922db507137021b266493b6cb54ff4f6b4ea3990ebb9b0

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
92KB

MD5
bb2cf4e1b55977f19f56f16af3f76916

SHA1
56acfbb572480461c440dcd6bde34cebe6c60b27

SHA256
05f35cde63786453f508260a18d71a1d4ecba6904d9bf1431c9008644a389af5

SHA512
aa20396db88aac4b7f401a7a5e82c57fd523b1a46f64141851d80e34275ecaec8cf662dd223743a4c3922db507137021b266493b6cb54ff4f6b4ea3990ebb9b0

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
92KB

MD5
b89e859228cadf3187471924215fdaa2

SHA1
a0c72447377381c8a59cd52811af3a2b977f19ea

SHA256
76ce3ed932d7996bbe8a29571b59189d2b70e8572a362803b893caf15dc2b1de

SHA512
e6389a517a2811c712776e42372a6ef0709b514c09b8a01727cff372e87693a307793ad7573ee54e18bbe894e92718d4e808fb25481bff64396b780bf9fab5cb

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
92KB

MD5
b89e859228cadf3187471924215fdaa2

SHA1
a0c72447377381c8a59cd52811af3a2b977f19ea

SHA256
76ce3ed932d7996bbe8a29571b59189d2b70e8572a362803b893caf15dc2b1de

SHA512
e6389a517a2811c712776e42372a6ef0709b514c09b8a01727cff372e87693a307793ad7573ee54e18bbe894e92718d4e808fb25481bff64396b780bf9fab5cb

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
92KB

MD5
27ee18495984629717f4ecbec4acc582

SHA1
fedba8b8e75bd2e576b94e133750ec990ce44b48

SHA256
8b8487ac26f8199c8025e7cf412bef9b02db1749b75b9e0a6830cd05c6b16748

SHA512
5654a6f7701caabe53ab480346cb180089cfd627f87fe1c86f1d38e5c440bec8564aa1bdfc2621391a2012807b15da3d88edadc4ea4b2379b92036a0402b18ad

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
92KB

MD5
27ee18495984629717f4ecbec4acc582

SHA1
fedba8b8e75bd2e576b94e133750ec990ce44b48

SHA256
8b8487ac26f8199c8025e7cf412bef9b02db1749b75b9e0a6830cd05c6b16748

SHA512
5654a6f7701caabe53ab480346cb180089cfd627f87fe1c86f1d38e5c440bec8564aa1bdfc2621391a2012807b15da3d88edadc4ea4b2379b92036a0402b18ad

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
92KB

MD5
2c2bb59a8281804d0b0effccde6a7465

SHA1
3b084f6b0fb5f61b638a0ce53260d86c613a0523

SHA256
660aeaa39209e85ef8bdb6e1cece496eef732703fc65e8ca5f4d7ac8c248c8e6

SHA512
ff17fdd094bc8168061b231a157c6c8ff097299050138e9cadbec196c36a6d21b284b4511dec6648ed844a8a84db5ba27deb70d1461fe8344dc94a84e1302baa

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
92KB

MD5
2c2bb59a8281804d0b0effccde6a7465

SHA1
3b084f6b0fb5f61b638a0ce53260d86c613a0523

SHA256
660aeaa39209e85ef8bdb6e1cece496eef732703fc65e8ca5f4d7ac8c248c8e6

SHA512
ff17fdd094bc8168061b231a157c6c8ff097299050138e9cadbec196c36a6d21b284b4511dec6648ed844a8a84db5ba27deb70d1461fe8344dc94a84e1302baa

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
92KB

MD5
bb0e3d328efa9724412edf71c7a6e6e6

SHA1
907f554404405b407661690d57b9350816c9a786

SHA256
e788ed7f270fda8c16181f4f395bdaea018bb3eb596abe30803a19325151e889

SHA512
8c094c588e96c596c5ac4acf79e68db066e266205f7ef86fbffa9500438e4e6685a138166c413aeaef1c19ea87df7f19b52e3ba1bbd22660709a1f141e0983aa

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
92KB

MD5
bb0e3d328efa9724412edf71c7a6e6e6

SHA1
907f554404405b407661690d57b9350816c9a786

SHA256
e788ed7f270fda8c16181f4f395bdaea018bb3eb596abe30803a19325151e889

SHA512
8c094c588e96c596c5ac4acf79e68db066e266205f7ef86fbffa9500438e4e6685a138166c413aeaef1c19ea87df7f19b52e3ba1bbd22660709a1f141e0983aa

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
92KB

MD5
fe7fecd4a3819af88a1d51d1fb81f7de

SHA1
07c80e3c4f886d19969e7c0c665c467ec1fbc99e

SHA256
aae1bc31218ec283fae901f6b77c5fbc45baf464db9f9daaef82a080da22fa12

SHA512
e4db66a18b184b98d66d8cf3eb5aa8389e550bd77f3c1e25b58614330cdb7b6c4b84dedc0a6b3fc1c4f772d428b4eefb82f6920e76028bd16f90fcb888c96f9c

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
92KB

MD5
fe7fecd4a3819af88a1d51d1fb81f7de

SHA1
07c80e3c4f886d19969e7c0c665c467ec1fbc99e

SHA256
aae1bc31218ec283fae901f6b77c5fbc45baf464db9f9daaef82a080da22fa12

SHA512
e4db66a18b184b98d66d8cf3eb5aa8389e550bd77f3c1e25b58614330cdb7b6c4b84dedc0a6b3fc1c4f772d428b4eefb82f6920e76028bd16f90fcb888c96f9c

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
92KB

MD5
3b4523dcb1315f1c69a6d26c59483b7f

SHA1
026434fd11403e19901d9e3677f158ad1750dcee

SHA256
63396494593d4c64039a7f93d624b6b52e1ef6e8353f0391f38e7a1d86319fcf

SHA512
1bcca57b6b9298ac8dcb4052798fe038a81b70f9b353038f1be21c98c82ea8d3018fb5fdac76c461a4924a2030e6d7aab637b96ecdfa826a6a9d69e0fba8e283

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
92KB

MD5
3b4523dcb1315f1c69a6d26c59483b7f

SHA1
026434fd11403e19901d9e3677f158ad1750dcee

SHA256
63396494593d4c64039a7f93d624b6b52e1ef6e8353f0391f38e7a1d86319fcf

SHA512
1bcca57b6b9298ac8dcb4052798fe038a81b70f9b353038f1be21c98c82ea8d3018fb5fdac76c461a4924a2030e6d7aab637b96ecdfa826a6a9d69e0fba8e283

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
92KB

MD5
bf8478567204bdddb394badefc3eb7ad

SHA1
d703507a93cd0367d92269543deafa0e5fad568c

SHA256
9dbc4283975714fccf2811d074282a3afcf7b8f3d47d644ce5f07eaf9fe5b576

SHA512
fac0c16c27bca3826ee39611d74b5658f423932a52867a811643d250e80be67ffffa5da296ad522472d3448a88e74b0e930c1d47dbb7cadbf9833c95d37bb1ee

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
92KB

MD5
bf8478567204bdddb394badefc3eb7ad

SHA1
d703507a93cd0367d92269543deafa0e5fad568c

SHA256
9dbc4283975714fccf2811d074282a3afcf7b8f3d47d644ce5f07eaf9fe5b576

SHA512
fac0c16c27bca3826ee39611d74b5658f423932a52867a811643d250e80be67ffffa5da296ad522472d3448a88e74b0e930c1d47dbb7cadbf9833c95d37bb1ee

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
92KB

MD5
48bd036fc5beca55bebf687219831ba3

SHA1
c99f9c5d4b5c61cc858624f2eff68f0f9cdd9cdf

SHA256
539793cc2380a08ec5b45cc5b250d74a07e8c71746bcb6fd843d03730d79aec0

SHA512
be1d8e9d8f9276d1e35f414309ecdbab2420fbf7d9cf48a2804e21c2280953f7e15809b32d9debf3d76454253e82e5703cc9e45db52d53a77872f08876d44a34

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
92KB

MD5
48bd036fc5beca55bebf687219831ba3

SHA1
c99f9c5d4b5c61cc858624f2eff68f0f9cdd9cdf

SHA256
539793cc2380a08ec5b45cc5b250d74a07e8c71746bcb6fd843d03730d79aec0

SHA512
be1d8e9d8f9276d1e35f414309ecdbab2420fbf7d9cf48a2804e21c2280953f7e15809b32d9debf3d76454253e82e5703cc9e45db52d53a77872f08876d44a34

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
92KB

MD5
17bc2c94629f2073ce6fe6e79f004572

SHA1
bab7290dbeb468beadd586ded67ba8124915d00b

SHA256
0745e2d7dc52d00730121a632cdd235db86042b802e67fecaa2e5ee3ce532b38

SHA512
ad4d795a1a148716179b4bbeb6a7dee89de4ecb364189220937e1dba62e53b77892a3a2601956b321527654ffc99b50d0446db087ac59afda280835222f9e3d9

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
92KB

MD5
17bc2c94629f2073ce6fe6e79f004572

SHA1
bab7290dbeb468beadd586ded67ba8124915d00b

SHA256
0745e2d7dc52d00730121a632cdd235db86042b802e67fecaa2e5ee3ce532b38

SHA512
ad4d795a1a148716179b4bbeb6a7dee89de4ecb364189220937e1dba62e53b77892a3a2601956b321527654ffc99b50d0446db087ac59afda280835222f9e3d9

Download Submit
memory/760-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1420-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1420-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4064-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4064-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4700-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-236-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads