dac99e962f318f0342fedd8919a35a897d3d5b3d8feaec21e358df5cf4218be3

Analysis

max time kernel
115s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df414799af1b564827d69b249fcbaf90_exe32.exe
Size

109KB
MD5

df414799af1b564827d69b249fcbaf90
SHA1

36e86e4037c434cf2dbe8c6c472b09edee73e8ad
SHA256

dac99e962f318f0342fedd8919a35a897d3d5b3d8feaec21e358df5cf4218be3
SHA512

36d79dac164189e6629181cde372d77a4ac88f9bcf8412c75ba144b7ded1a303994e2677efa531aa9bbd7eb17577c9bc4c351a1c2e0152d216fa4444c5cae73f
SSDEEP

3072:tUoTD/q3bUmJ9yLCqwzBu1DjHLMVDqqkSpR:vvob1J9Gwtu1DjrFqhz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mebkge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hebcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	df414799af1b564827d69b249fcbaf90_exe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hebcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	df414799af1b564827d69b249fcbaf90_exe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akihcfid.exe

Executes dropped EXE 24 IoCs

pid	Process
2200	Hebcao32.exe
2056	Lolcnman.exe
1648	Mhknhabf.exe
832	Mepnaf32.exe
2180	Mebkge32.exe
1644	Mdghhb32.exe
1688	Nlqloo32.exe
1176	Ndlacapp.exe
2184	Ndnnianm.exe
2736	Nconfh32.exe
348	Nlgbon32.exe
228	Okmpqjad.exe
2600	Ocfdgg32.exe
2448	Oloipmfd.exe
4952	Okceaikl.exe
4964	Obpkcc32.exe
4796	Pbbgicnd.exe
4604	Pcbdcf32.exe
1056	Pokanf32.exe
4156	Pmoagk32.exe
1832	Qkdohg32.exe
1196	Qmckbjdl.exe
2308	Akihcfid.exe
4736	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oloipmfd.exe	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Ghnkilod.dll	Okceaikl.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Mepnaf32.exe	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Ndebln32.dll	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Oloipmfd.exe	Ocfdgg32.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Hebcao32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Nlgbon32.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Mebkge32.exe	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mebkge32.exe
File created	C:\Windows\SysWOW64\Nlqloo32.exe	Mdghhb32.exe
File opened for modification	C:\Windows\SysWOW64\Nlgbon32.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Eflmkg32.dll	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Mhknhabf.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Nconfh32.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Pmoagk32.exe
File opened for modification	C:\Windows\SysWOW64\Mhknhabf.exe	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Nlqloo32.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Joboincl.dll	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Hebcao32.exe
File created	C:\Windows\SysWOW64\Lggfcd32.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Conkjj32.dll	Nconfh32.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Ecdleo32.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Ndlacapp.exe	Nlqloo32.exe
File created	C:\Windows\SysWOW64\Okceaikl.exe	Oloipmfd.exe
File opened for modification	C:\Windows\SysWOW64\Obpkcc32.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Hebcao32.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mebkge32.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Hfdgep32.dll	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Obpkcc32.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Pokanf32.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Mepnaf32.exe	Mhknhabf.exe
File opened for modification	C:\Windows\SysWOW64\Nconfh32.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Odemep32.dll	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Akihcfid.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Pbbgicnd.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Hebcao32.exe	df414799af1b564827d69b249fcbaf90_exe32.exe
File opened for modification	C:\Windows\SysWOW64\Mebkge32.exe	Mepnaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndlacapp.exe	Nlqloo32.exe
File created	C:\Windows\SysWOW64\Ckmpakdh.dll	Nlqloo32.exe
File created	C:\Windows\SysWOW64\Paajfjdm.dll	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pbbgicnd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hebcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmkg32.dll"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnkilod.dll"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mepnaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	df414799af1b564827d69b249fcbaf90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdgep32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndebln32.dll"	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mepnaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbfccl.dll"	Mepnaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieonn32.dll"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pokanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mebkge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	df414799af1b564827d69b249fcbaf90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	df414799af1b564827d69b249fcbaf90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggfcd32.dll"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmpakdh.dll"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	df414799af1b564827d69b249fcbaf90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndlacapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 2200	4892	df414799af1b564827d69b249fcbaf90_exe32.exe	84
PID 4892 wrote to memory of 2200	4892	df414799af1b564827d69b249fcbaf90_exe32.exe	84
PID 4892 wrote to memory of 2200	4892	df414799af1b564827d69b249fcbaf90_exe32.exe	84
PID 2200 wrote to memory of 2056	2200	Hebcao32.exe	85
PID 2200 wrote to memory of 2056	2200	Hebcao32.exe	85
PID 2200 wrote to memory of 2056	2200	Hebcao32.exe	85
PID 2056 wrote to memory of 1648	2056	Lolcnman.exe	86
PID 2056 wrote to memory of 1648	2056	Lolcnman.exe	86
PID 2056 wrote to memory of 1648	2056	Lolcnman.exe	86
PID 1648 wrote to memory of 832	1648	Mhknhabf.exe	87
PID 1648 wrote to memory of 832	1648	Mhknhabf.exe	87
PID 1648 wrote to memory of 832	1648	Mhknhabf.exe	87
PID 832 wrote to memory of 2180	832	Mepnaf32.exe	88
PID 832 wrote to memory of 2180	832	Mepnaf32.exe	88
PID 832 wrote to memory of 2180	832	Mepnaf32.exe	88
PID 2180 wrote to memory of 1644	2180	Mebkge32.exe	89
PID 2180 wrote to memory of 1644	2180	Mebkge32.exe	89
PID 2180 wrote to memory of 1644	2180	Mebkge32.exe	89
PID 1644 wrote to memory of 1688	1644	Mdghhb32.exe	90
PID 1644 wrote to memory of 1688	1644	Mdghhb32.exe	90
PID 1644 wrote to memory of 1688	1644	Mdghhb32.exe	90
PID 1688 wrote to memory of 1176	1688	Nlqloo32.exe	91
PID 1688 wrote to memory of 1176	1688	Nlqloo32.exe	91
PID 1688 wrote to memory of 1176	1688	Nlqloo32.exe	91
PID 1176 wrote to memory of 2184	1176	Ndlacapp.exe	92
PID 1176 wrote to memory of 2184	1176	Ndlacapp.exe	92
PID 1176 wrote to memory of 2184	1176	Ndlacapp.exe	92
PID 2184 wrote to memory of 2736	2184	Ndnnianm.exe	93
PID 2184 wrote to memory of 2736	2184	Ndnnianm.exe	93
PID 2184 wrote to memory of 2736	2184	Ndnnianm.exe	93
PID 2736 wrote to memory of 348	2736	Nconfh32.exe	94
PID 2736 wrote to memory of 348	2736	Nconfh32.exe	94
PID 2736 wrote to memory of 348	2736	Nconfh32.exe	94
PID 348 wrote to memory of 228	348	Nlgbon32.exe	95
PID 348 wrote to memory of 228	348	Nlgbon32.exe	95
PID 348 wrote to memory of 228	348	Nlgbon32.exe	95
PID 228 wrote to memory of 2600	228	Okmpqjad.exe	96
PID 228 wrote to memory of 2600	228	Okmpqjad.exe	96
PID 228 wrote to memory of 2600	228	Okmpqjad.exe	96
PID 2600 wrote to memory of 2448	2600	Ocfdgg32.exe	97
PID 2600 wrote to memory of 2448	2600	Ocfdgg32.exe	97
PID 2600 wrote to memory of 2448	2600	Ocfdgg32.exe	97
PID 2448 wrote to memory of 4952	2448	Oloipmfd.exe	98
PID 2448 wrote to memory of 4952	2448	Oloipmfd.exe	98
PID 2448 wrote to memory of 4952	2448	Oloipmfd.exe	98
PID 4952 wrote to memory of 4964	4952	Okceaikl.exe	99
PID 4952 wrote to memory of 4964	4952	Okceaikl.exe	99
PID 4952 wrote to memory of 4964	4952	Okceaikl.exe	99
PID 4964 wrote to memory of 4796	4964	Obpkcc32.exe	100
PID 4964 wrote to memory of 4796	4964	Obpkcc32.exe	100
PID 4964 wrote to memory of 4796	4964	Obpkcc32.exe	100
PID 4796 wrote to memory of 4604	4796	Pbbgicnd.exe	101
PID 4796 wrote to memory of 4604	4796	Pbbgicnd.exe	101
PID 4796 wrote to memory of 4604	4796	Pbbgicnd.exe	101
PID 4604 wrote to memory of 1056	4604	Pcbdcf32.exe	102
PID 4604 wrote to memory of 1056	4604	Pcbdcf32.exe	102
PID 4604 wrote to memory of 1056	4604	Pcbdcf32.exe	102
PID 1056 wrote to memory of 4156	1056	Pokanf32.exe	103
PID 1056 wrote to memory of 4156	1056	Pokanf32.exe	103
PID 1056 wrote to memory of 4156	1056	Pokanf32.exe	103
PID 4156 wrote to memory of 1832	4156	Pmoagk32.exe	104
PID 4156 wrote to memory of 1832	4156	Pmoagk32.exe	104
PID 4156 wrote to memory of 1832	4156	Pmoagk32.exe	104
PID 1832 wrote to memory of 1196	1832	Qkdohg32.exe	105

C:\Users\Admin\AppData\Local\Temp\df414799af1b564827d69b249fcbaf90_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\df414799af1b564827d69b249fcbaf90_exe32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\Hebcao32.exe
  C:\Windows\system32\Hebcao32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\Lolcnman.exe
    C:\Windows\system32\Lolcnman.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\Mhknhabf.exe
      C:\Windows\system32\Mhknhabf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        25⤵
        Executes dropped EXE
        
        PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akihcfid.exe

Filesize
109KB

MD5
038242dc57823beefaf48500840c33a3

SHA1
af0f3db10335c1a612cd944482d5a778478fcc1a

SHA256
dff4fee113e04cc6e6e65c03158dd90ff5bec8c68346512776dbdf6b3c8d811f

SHA512
ea5584e9e29bc0b23f8f5e1b4a11ed561d23f829ecf3b61a3f2fc4cf4fdb19b572c6b7a29c637b12f6f102ac09b120487cb8df79247b0ce59b3eeec56f4741ae

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
109KB

MD5
038242dc57823beefaf48500840c33a3

SHA1
af0f3db10335c1a612cd944482d5a778478fcc1a

SHA256
dff4fee113e04cc6e6e65c03158dd90ff5bec8c68346512776dbdf6b3c8d811f

SHA512
ea5584e9e29bc0b23f8f5e1b4a11ed561d23f829ecf3b61a3f2fc4cf4fdb19b572c6b7a29c637b12f6f102ac09b120487cb8df79247b0ce59b3eeec56f4741ae

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
109KB

MD5
d7a335cd9a9cf76e41aefb36c540443c

SHA1
80346ecc92deca321776eccce1b9283e21c83392

SHA256
46fdb5272dcfae53b92bb47b573d82b64f87fa46b8766e83568b8e508616981e

SHA512
dd311523713d9bee498b819d15687517c871073434c836a8c40f1c58a803a2ee53e172eb1f6451f8a481089caaa8800dd5a5afe3d1575552d597f5a739950f3a

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
109KB

MD5
d7a335cd9a9cf76e41aefb36c540443c

SHA1
80346ecc92deca321776eccce1b9283e21c83392

SHA256
46fdb5272dcfae53b92bb47b573d82b64f87fa46b8766e83568b8e508616981e

SHA512
dd311523713d9bee498b819d15687517c871073434c836a8c40f1c58a803a2ee53e172eb1f6451f8a481089caaa8800dd5a5afe3d1575552d597f5a739950f3a

Download Submit
C:\Windows\SysWOW64\Aojbfccl.dll

Filesize
7KB

MD5
88f876782d58f1f00528fd47f4cedb6f

SHA1
ec1d65d9217033e632f990ec14872a58cf316026

SHA256
cb9babf343593975b2da4b0915b6129817656a4f1793c54b12134b33b181bbdf

SHA512
bd563f217eb7063035d6ee2344ad93e297635fe273f502d3aae520541e1c8ad42822698609de41dc5f37888c56705cf8f3981f9b5d38a41b4a86014b0d89b864

Download Submit
C:\Windows\SysWOW64\Hebcao32.exe

Filesize
109KB

MD5
43dcedd9008ba5a957a6b9ae72cc8d9c

SHA1
763326ecafcec5e538f927ba9e769ce567ef6a6c

SHA256
8a5433e9d80d09767f93f05ab2d43c4ae513a6819214796b32d9ed3e905c1817

SHA512
5d139b22dd059bc2316872c02355a9c75626f1c8477388f579b13fed80aec49e2cab8cedd7381c1e36f376b0f4134de242cabc0da188c82d29ce877b154a825b

Download Submit
C:\Windows\SysWOW64\Hebcao32.exe

Filesize
109KB

MD5
43dcedd9008ba5a957a6b9ae72cc8d9c

SHA1
763326ecafcec5e538f927ba9e769ce567ef6a6c

SHA256
8a5433e9d80d09767f93f05ab2d43c4ae513a6819214796b32d9ed3e905c1817

SHA512
5d139b22dd059bc2316872c02355a9c75626f1c8477388f579b13fed80aec49e2cab8cedd7381c1e36f376b0f4134de242cabc0da188c82d29ce877b154a825b

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
109KB

MD5
c88f1394b12f8c0409619a45a1598b38

SHA1
8f6af256f2dd0cfd81f074c0408f0b4371798a85

SHA256
706ab10d30aac053a934a8800b123f229248d4e29ac02383806563992e3624c0

SHA512
d9bcbd1d63a7fb9e408d0b0d6da2c7c8af196b4f3c20f526c3b0d8ad0e906f5bb4fdcbf436926ddd5cf2d24624e9e4ca9733fcf84ee5ec113fad5793d473ccd9

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
109KB

MD5
c88f1394b12f8c0409619a45a1598b38

SHA1
8f6af256f2dd0cfd81f074c0408f0b4371798a85

SHA256
706ab10d30aac053a934a8800b123f229248d4e29ac02383806563992e3624c0

SHA512
d9bcbd1d63a7fb9e408d0b0d6da2c7c8af196b4f3c20f526c3b0d8ad0e906f5bb4fdcbf436926ddd5cf2d24624e9e4ca9733fcf84ee5ec113fad5793d473ccd9

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
109KB

MD5
b001edb379e421cadebc417cb9a420ad

SHA1
3e450af5260c35c5e5a2fb4ad67bb94480884722

SHA256
ca01f1c7d7ee8614f5f684e131381b2d73daacaaec6de3429908f703c0a84551

SHA512
7edd431b99c994cccd2d7a567807b466d6aa574059b5213441087bb2b31e42e73aa9597f1045e4efcec8c65d0bad04b8db9da544767edd5d7badcf296e99c2bf

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
109KB

MD5
b001edb379e421cadebc417cb9a420ad

SHA1
3e450af5260c35c5e5a2fb4ad67bb94480884722

SHA256
ca01f1c7d7ee8614f5f684e131381b2d73daacaaec6de3429908f703c0a84551

SHA512
7edd431b99c994cccd2d7a567807b466d6aa574059b5213441087bb2b31e42e73aa9597f1045e4efcec8c65d0bad04b8db9da544767edd5d7badcf296e99c2bf

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
109KB

MD5
cfee0a4a731bc4af1609fce15445998f

SHA1
910412f05485660d393a5bc155aad267eeb3b628

SHA256
737b227e1252215735bd57d0fb17ab9270055dfa2868ff6d645932f7957a3cef

SHA512
5ca733c943c427769031febbb58d4977b90aff5440a3b22222b77c9b4874254a0c064cc47d06819a848ee53e3ec428f902736c5bc99a1968b48cfa1cd1357f90

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
109KB

MD5
cfee0a4a731bc4af1609fce15445998f

SHA1
910412f05485660d393a5bc155aad267eeb3b628

SHA256
737b227e1252215735bd57d0fb17ab9270055dfa2868ff6d645932f7957a3cef

SHA512
5ca733c943c427769031febbb58d4977b90aff5440a3b22222b77c9b4874254a0c064cc47d06819a848ee53e3ec428f902736c5bc99a1968b48cfa1cd1357f90

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
109KB

MD5
395d4973b47c82f8b9a43ecd93a5ab40

SHA1
58be79436a137417a2d2d75c73635edeb8c5b5eb

SHA256
469c27a4685f771021a8de6123aba620276d99d140276e7d565a014e361674b4

SHA512
37156f381c3519aad031a5501f74c8218cede37bd37a3349fa7a559de0f8e6d63390926a97b31d40b5bde0c67ecdca1a7db7189744be48c69abb938acf4e7d84

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
109KB

MD5
395d4973b47c82f8b9a43ecd93a5ab40

SHA1
58be79436a137417a2d2d75c73635edeb8c5b5eb

SHA256
469c27a4685f771021a8de6123aba620276d99d140276e7d565a014e361674b4

SHA512
37156f381c3519aad031a5501f74c8218cede37bd37a3349fa7a559de0f8e6d63390926a97b31d40b5bde0c67ecdca1a7db7189744be48c69abb938acf4e7d84

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
109KB

MD5
43121977ff1c00dc3fd8041529c9ef79

SHA1
e7f8845761e0935494dacdd5e9e86ddf554da5f2

SHA256
8b52988c0d87ea3f60fc9956da83d62139f3792b07d11db0973ce24b3df7552c

SHA512
35cf0479aab97bca88248557288735caaff193461a9fb10400d1fe84b1acd02b0a6fcab3c8aeb899f47b61cbaa56aa8fa2b19d74d31e3f54b1e64da37f1a33ad

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
109KB

MD5
43121977ff1c00dc3fd8041529c9ef79

SHA1
e7f8845761e0935494dacdd5e9e86ddf554da5f2

SHA256
8b52988c0d87ea3f60fc9956da83d62139f3792b07d11db0973ce24b3df7552c

SHA512
35cf0479aab97bca88248557288735caaff193461a9fb10400d1fe84b1acd02b0a6fcab3c8aeb899f47b61cbaa56aa8fa2b19d74d31e3f54b1e64da37f1a33ad

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
109KB

MD5
be7c415c056d0ecdc90999493b09d3fe

SHA1
d8df3c4ffb3c99b14a223d3d9dbf0dd9a1d9686e

SHA256
aecaa9a6ff227d9ad158b793a41ccae50b438a22d28917acf8eb280628d5a6f3

SHA512
894ffb4b6178cf8de90c9d1c707ae4a2a0606be96b13ee0f721c1119ca4c1af849b3d122fe2b414f80c7acb2e8a025c6825ece0f9fe832704397175638522401

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
109KB

MD5
be7c415c056d0ecdc90999493b09d3fe

SHA1
d8df3c4ffb3c99b14a223d3d9dbf0dd9a1d9686e

SHA256
aecaa9a6ff227d9ad158b793a41ccae50b438a22d28917acf8eb280628d5a6f3

SHA512
894ffb4b6178cf8de90c9d1c707ae4a2a0606be96b13ee0f721c1119ca4c1af849b3d122fe2b414f80c7acb2e8a025c6825ece0f9fe832704397175638522401

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
109KB

MD5
426736eb09534554b6b18939ba158468

SHA1
aa94bc572db3735c0b26c6b1841bb577c98ef46e

SHA256
64e205afd136238c1721daf3d58ed47aaa205fb84d3c2b21cdc6d59b30924c7a

SHA512
cc10ccd037d47ed1faab4b443ab5638e748e38f96045fafa2ce644e2b931ffce6a2be0a1a67912c57f213d24fb722cb70023d96912d2d5dd64f31a731c36963a

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
109KB

MD5
426736eb09534554b6b18939ba158468

SHA1
aa94bc572db3735c0b26c6b1841bb577c98ef46e

SHA256
64e205afd136238c1721daf3d58ed47aaa205fb84d3c2b21cdc6d59b30924c7a

SHA512
cc10ccd037d47ed1faab4b443ab5638e748e38f96045fafa2ce644e2b931ffce6a2be0a1a67912c57f213d24fb722cb70023d96912d2d5dd64f31a731c36963a

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
109KB

MD5
f944a4037bfcfe162713bf1f7a72908a

SHA1
0926243ac55091ecb0c153b3fd0de88e7338d403

SHA256
8339dc496219344aea6f9519361921df130972616f0b7d0f29b9ce9adfb408d4

SHA512
6d86c30c3962e2544dc2421876b32ef0874b4a0268e105f07193ba771517d085044a6998548bbe68cd05f09b59c28a4a64aed3d5f87b0aa21e384207544b12cb

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
109KB

MD5
f944a4037bfcfe162713bf1f7a72908a

SHA1
0926243ac55091ecb0c153b3fd0de88e7338d403

SHA256
8339dc496219344aea6f9519361921df130972616f0b7d0f29b9ce9adfb408d4

SHA512
6d86c30c3962e2544dc2421876b32ef0874b4a0268e105f07193ba771517d085044a6998548bbe68cd05f09b59c28a4a64aed3d5f87b0aa21e384207544b12cb

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
109KB

MD5
a6da5c46a64950ac731c6d6761a8ee2a

SHA1
662095b8ad8b9b863845289a51b17b60ef022d4c

SHA256
bb33aecbb8f04871480b149b30c6d8eccabf7480c63e2161a9cd3894db103044

SHA512
b9dfc0ee0f1beb9e7bc29d256c3461efdad1ab6f7cc7f02f87251846a3acc860c0b478cb98ef95e1c70b27fc6fce2436af720dc1cea4247512fc5b181ca664fa

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
109KB

MD5
a6da5c46a64950ac731c6d6761a8ee2a

SHA1
662095b8ad8b9b863845289a51b17b60ef022d4c

SHA256
bb33aecbb8f04871480b149b30c6d8eccabf7480c63e2161a9cd3894db103044

SHA512
b9dfc0ee0f1beb9e7bc29d256c3461efdad1ab6f7cc7f02f87251846a3acc860c0b478cb98ef95e1c70b27fc6fce2436af720dc1cea4247512fc5b181ca664fa

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
109KB

MD5
abaf2c1fcbbcdc5ed6114f3bd281bbd4

SHA1
1f99530fe6972aee93a10337be425861d4dadd8a

SHA256
1aefcc509902179c155d36124c16b27f308ca7a02954b3b4efdb6789c7abe10d

SHA512
e5b356e381cc09c74c72889373bb9b778b100479abb159b4166203e594575a52457400b71a5221ed852b21decc979ee3c7ea21242cc549b70d92c6e0863ec920

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
109KB

MD5
abaf2c1fcbbcdc5ed6114f3bd281bbd4

SHA1
1f99530fe6972aee93a10337be425861d4dadd8a

SHA256
1aefcc509902179c155d36124c16b27f308ca7a02954b3b4efdb6789c7abe10d

SHA512
e5b356e381cc09c74c72889373bb9b778b100479abb159b4166203e594575a52457400b71a5221ed852b21decc979ee3c7ea21242cc549b70d92c6e0863ec920

Download Submit
C:\Windows\SysWOW64\Obpkcc32.exe

Filesize
109KB

MD5
e44f697e8f7f94e7550266d57f7f2de3

SHA1
9d6d31eb2af2a9c9858884cde8eaed832429e0ea

SHA256
2d6ece7bb9f1866c505d7726e85abe5194b286930d2891742b49375a940edc70

SHA512
c826132bb6ad5b890c55e8e5193c4537dec0a6dbcbd5262b0ed107c2c7d81b42778f4e9119a810141eb9e21e659b09ea3fd480e474e2371c41a0861d99801641

Download Submit
C:\Windows\SysWOW64\Obpkcc32.exe

Filesize
109KB

MD5
e44f697e8f7f94e7550266d57f7f2de3

SHA1
9d6d31eb2af2a9c9858884cde8eaed832429e0ea

SHA256
2d6ece7bb9f1866c505d7726e85abe5194b286930d2891742b49375a940edc70

SHA512
c826132bb6ad5b890c55e8e5193c4537dec0a6dbcbd5262b0ed107c2c7d81b42778f4e9119a810141eb9e21e659b09ea3fd480e474e2371c41a0861d99801641

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
109KB

MD5
987bad815639fe0997dd05485d78c430

SHA1
dda122eddac1ce4db2cddd73ef21ab7130f0b2a8

SHA256
d9296a06f0eed3b62794e59943eb0ed28756847897ea067d0dce710433f0958c

SHA512
9afdb635f9a6f5abcee568f6f689e173ca4209eb8898ceaab8f899c7813db274ab0ede54b4df16633b1f46f51dc04e1ca8b721110d2abb915b6816897382b0f9

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
109KB

MD5
987bad815639fe0997dd05485d78c430

SHA1
dda122eddac1ce4db2cddd73ef21ab7130f0b2a8

SHA256
d9296a06f0eed3b62794e59943eb0ed28756847897ea067d0dce710433f0958c

SHA512
9afdb635f9a6f5abcee568f6f689e173ca4209eb8898ceaab8f899c7813db274ab0ede54b4df16633b1f46f51dc04e1ca8b721110d2abb915b6816897382b0f9

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
109KB

MD5
4732681d9295bd5250ac8328b4e8a71c

SHA1
c0be109f8aa40501742bfef1214eddf4ea85ed59

SHA256
fe9ffd5b47b6335ff96312e8fa29acd9530b22c9e0be0f0fd28d2bbf5683912a

SHA512
8dd6c40a429f20a6d66f3072c1cfcb8fdade0398a4a42a6b34100dd1730bba76ac5d1e082cb9b2ae7aefa7df064a07b06a4b17600f0c590ba23cff7bc3aa9276

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
109KB

MD5
4732681d9295bd5250ac8328b4e8a71c

SHA1
c0be109f8aa40501742bfef1214eddf4ea85ed59

SHA256
fe9ffd5b47b6335ff96312e8fa29acd9530b22c9e0be0f0fd28d2bbf5683912a

SHA512
8dd6c40a429f20a6d66f3072c1cfcb8fdade0398a4a42a6b34100dd1730bba76ac5d1e082cb9b2ae7aefa7df064a07b06a4b17600f0c590ba23cff7bc3aa9276

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
109KB

MD5
6b36959c0ab9042b4b3b0d3a263fca39

SHA1
ba614411a2dd7c258ce5edf8d41c37a334399458

SHA256
c9a85779b48a7f78597f969e5472f643c1b19a44e5dc7fc98f2a7980d3cf4c70

SHA512
9d71b133fbf9d3cc871f4a52490cf6ae07fb5279b2a46b2b383c10a3140b4cd10419f787180f328f5fdb33f03ac625a4ae4fb39cb442cf6ab0085b52f7957060

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
109KB

MD5
6b36959c0ab9042b4b3b0d3a263fca39

SHA1
ba614411a2dd7c258ce5edf8d41c37a334399458

SHA256
c9a85779b48a7f78597f969e5472f643c1b19a44e5dc7fc98f2a7980d3cf4c70

SHA512
9d71b133fbf9d3cc871f4a52490cf6ae07fb5279b2a46b2b383c10a3140b4cd10419f787180f328f5fdb33f03ac625a4ae4fb39cb442cf6ab0085b52f7957060

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
109KB

MD5
91d1cc773381f5f3c20fa2a59bf9a746

SHA1
5c03fb6f18f7a7ab0993e7571e442d548e164a46

SHA256
64a90ebc44e4980932084c669fcf43475d9282107fce478d8833718b332f7d1e

SHA512
5429e9059937bfb92d8df58cc82c7a9864dc8891a82930f21d1a7832d21c0f1bdc83a8865d3e011da0353740a6d6eabe1d7fd88870d1e82f1a317a7d1f60aa15

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
109KB

MD5
91d1cc773381f5f3c20fa2a59bf9a746

SHA1
5c03fb6f18f7a7ab0993e7571e442d548e164a46

SHA256
64a90ebc44e4980932084c669fcf43475d9282107fce478d8833718b332f7d1e

SHA512
5429e9059937bfb92d8df58cc82c7a9864dc8891a82930f21d1a7832d21c0f1bdc83a8865d3e011da0353740a6d6eabe1d7fd88870d1e82f1a317a7d1f60aa15

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
109KB

MD5
cee8b9b02dac201e092d44245e50dbaf

SHA1
b8410caa2ad0ff6659e72b38711c6c1cfd15dec2

SHA256
0d1e750b48efd6dcaf772dfaf0673090dbe51389d65d4e00248b57a30692bb25

SHA512
86be172acc0b3da7a831afb5995d4eddeca4dce6ba32fc5d05120750061340c230f7ac5f6010c38214d15f03d32de4c938dc3b45b853b11429106f0345867d66

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
109KB

MD5
cee8b9b02dac201e092d44245e50dbaf

SHA1
b8410caa2ad0ff6659e72b38711c6c1cfd15dec2

SHA256
0d1e750b48efd6dcaf772dfaf0673090dbe51389d65d4e00248b57a30692bb25

SHA512
86be172acc0b3da7a831afb5995d4eddeca4dce6ba32fc5d05120750061340c230f7ac5f6010c38214d15f03d32de4c938dc3b45b853b11429106f0345867d66

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
109KB

MD5
0e900f6252aaa100ea75735cbcaeda37

SHA1
ebd6230a705eaf5178e05d8865446eb7191797c3

SHA256
37e5ed5db226a300025b1880698fd1172f026a7a362dd30f54819f887e0eab9a

SHA512
09040caf49375805769a6e3ee258b76e587f1c022d89e1e1fbc8a9532746aedc17280d07c1616bd8974e1cf9c911d6a94d95951966e2c2c4c079f811b13f9a2e

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
109KB

MD5
0e900f6252aaa100ea75735cbcaeda37

SHA1
ebd6230a705eaf5178e05d8865446eb7191797c3

SHA256
37e5ed5db226a300025b1880698fd1172f026a7a362dd30f54819f887e0eab9a

SHA512
09040caf49375805769a6e3ee258b76e587f1c022d89e1e1fbc8a9532746aedc17280d07c1616bd8974e1cf9c911d6a94d95951966e2c2c4c079f811b13f9a2e

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
109KB

MD5
e3bd4f82dac657df86137efd6256e418

SHA1
1c8344e092fe81a63b8f8fe246a6ef11477e4f2d

SHA256
dfe975de84520aa5a7c15b7bdf6a655dbf219961c5ba8a3545a236973be9b526

SHA512
e9c7db5314c966931402993e0b74a94918f210e3e0bc999bc255a571b75ff107d371bdc3372a2e1d2bd2cc6cfc147905ccc43582534d365588293c553210d20d

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
109KB

MD5
e3bd4f82dac657df86137efd6256e418

SHA1
1c8344e092fe81a63b8f8fe246a6ef11477e4f2d

SHA256
dfe975de84520aa5a7c15b7bdf6a655dbf219961c5ba8a3545a236973be9b526

SHA512
e9c7db5314c966931402993e0b74a94918f210e3e0bc999bc255a571b75ff107d371bdc3372a2e1d2bd2cc6cfc147905ccc43582534d365588293c553210d20d

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
109KB

MD5
476867efa569c85e8fae1ceb98090d8f

SHA1
6699458d5042e1a6932f2e3073053a1d303ceb05

SHA256
528de76089b57499d33101f15f9d4389761122b1fdd326119740f5588602a820

SHA512
db851fa690d852d1dd09a0f404eba17ae089f3d0780e3f9476e57bb83aa258babc6462d56e3ecaa585288902e717b0227372c05638975c90d84d99c4034471a5

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
109KB

MD5
476867efa569c85e8fae1ceb98090d8f

SHA1
6699458d5042e1a6932f2e3073053a1d303ceb05

SHA256
528de76089b57499d33101f15f9d4389761122b1fdd326119740f5588602a820

SHA512
db851fa690d852d1dd09a0f404eba17ae089f3d0780e3f9476e57bb83aa258babc6462d56e3ecaa585288902e717b0227372c05638975c90d84d99c4034471a5

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
109KB

MD5
e40e79968cca9443baa76029cebfcddb

SHA1
97a8d09f9b70981c025f6537cf34918c0ac44827

SHA256
22c5a0ed5264a3c9dce3d5eef63bc2a865b8a84474f7ea4730f12634f913ec8e

SHA512
afcf5cfde7a0f2904d1f48b3232d811fa6e4ea512fbd20b00051e095f0da2d3c5d35cd3b775adc9ba97e171491b7176e00dd0f99283fc497f0153d4f3283302b

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
109KB

MD5
e40e79968cca9443baa76029cebfcddb

SHA1
97a8d09f9b70981c025f6537cf34918c0ac44827

SHA256
22c5a0ed5264a3c9dce3d5eef63bc2a865b8a84474f7ea4730f12634f913ec8e

SHA512
afcf5cfde7a0f2904d1f48b3232d811fa6e4ea512fbd20b00051e095f0da2d3c5d35cd3b775adc9ba97e171491b7176e00dd0f99283fc497f0153d4f3283302b

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
109KB

MD5
3834a0feeec83107c5767c83b447486c

SHA1
de68a615a7cdd2505a21f30f0e34a1d6bb46a1a2

SHA256
1b04afdf748d11eb6b318700209c9c0fe5a149c94b68a820c7ea63cf1909a237

SHA512
930143b1b5407de9509df899a72f9a78e932af5aea1f915f7481aa2620d3cfe01b89dc378f245e9763759da14e30e4f2c92252cd81bf130595ca7cfaa7ca0730

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
109KB

MD5
3834a0feeec83107c5767c83b447486c

SHA1
de68a615a7cdd2505a21f30f0e34a1d6bb46a1a2

SHA256
1b04afdf748d11eb6b318700209c9c0fe5a149c94b68a820c7ea63cf1909a237

SHA512
930143b1b5407de9509df899a72f9a78e932af5aea1f915f7481aa2620d3cfe01b89dc378f245e9763759da14e30e4f2c92252cd81bf130595ca7cfaa7ca0730

Download Submit
memory/228-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/228-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/348-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/348-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1176-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1176-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1196-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1196-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1644-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1644-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2056-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2056-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-202-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2600-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2600-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2736-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2736-203-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-211-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-217-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-210-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads