60434249db3eb0b0ca7cfa7ed7c23b059b24da37c757c5753e9044ff06fbd2b1

Analysis

max time kernel
36s
max time network
33s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 16:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef88bd9b7f60182923f94665f791f3e2.exe
Size

236KB
MD5

ef88bd9b7f60182923f94665f791f3e2
SHA1

dc482629cf42a07e169d2d5aab2467213c3f8f89
SHA256

60434249db3eb0b0ca7cfa7ed7c23b059b24da37c757c5753e9044ff06fbd2b1
SHA512

2bb78045a2e21035cd7de71cb7336c8875031038cd8cfa0e41d85336227a20450bd932b6a51ce1dd4c0146042befd670c336131e2611835b2568fa2ff98aceeb
SSDEEP

3072:A1OiavMdZAbdJjqnX2tJ9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:AzUMdeBJjqXGsDshsrtMsQB4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndqkleln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odchbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odchbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhfcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olpilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olpilg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ef88bd9b7f60182923f94665f791f3e2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafnopi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhfcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onfoin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oemgplgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objaha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhjopbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odedge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ef88bd9b7f60182923f94665f791f3e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oippjl32.exe

Executes dropped EXE 46 IoCs

pid	Process
2648	Nplimbka.exe
2132	Nnafnopi.exe
2560	Nhjjgd32.exe
2576	Njhfcp32.exe
2572	Ndqkleln.exe
2344	Onfoin32.exe
592	Odchbe32.exe
704	Oippjl32.exe
2860	Odedge32.exe
572	Olpilg32.exe
2488	Objaha32.exe
1976	Olbfagca.exe
1236	Ofhjopbg.exe
628	Oemgplgo.exe
2360	Plgolf32.exe
2076	Phnpagdp.exe
2316	Pmkhjncg.exe
1784	Pgcmbcih.exe
1848	Paiaplin.exe
2108	Pcljmdmj.exe
1132	Qdlggg32.exe
2164	Qgjccb32.exe
1676	Qlgkki32.exe
2380	Qcachc32.exe
2444	Qnghel32.exe
2656	Aohdmdoh.exe
3032	Allefimb.exe
1072	Acfmcc32.exe
2864	Ajpepm32.exe
1344	Aomnhd32.exe
2472	Adifpk32.exe
1548	Alqnah32.exe
2824	Abmgjo32.exe
2868	Ahgofi32.exe
1916	Akfkbd32.exe
1692	Abpcooea.exe
1940	Bgllgedi.exe
2088	Bnknoogp.exe
2564	Bkegah32.exe
324	Cpfmmf32.exe
564	Ckmnbg32.exe
1044	Cgcnghpl.exe
2700	Calcpm32.exe
1760	Cgfkmgnj.exe
440	Djdgic32.exe
780	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2060	ef88bd9b7f60182923f94665f791f3e2.exe
2060	ef88bd9b7f60182923f94665f791f3e2.exe
2648	Nplimbka.exe
2648	Nplimbka.exe
2132	Nnafnopi.exe
2132	Nnafnopi.exe
2560	Nhjjgd32.exe
2560	Nhjjgd32.exe
2576	Njhfcp32.exe
2576	Njhfcp32.exe
2572	Ndqkleln.exe
2572	Ndqkleln.exe
2344	Onfoin32.exe
2344	Onfoin32.exe
592	Odchbe32.exe
592	Odchbe32.exe
704	Oippjl32.exe
704	Oippjl32.exe
2860	Odedge32.exe
2860	Odedge32.exe
572	Olpilg32.exe
572	Olpilg32.exe
2488	Objaha32.exe
2488	Objaha32.exe
1976	Olbfagca.exe
1976	Olbfagca.exe
1236	Ofhjopbg.exe
1236	Ofhjopbg.exe
628	Oemgplgo.exe
628	Oemgplgo.exe
2360	Plgolf32.exe
2360	Plgolf32.exe
2076	Phnpagdp.exe
2076	Phnpagdp.exe
2316	Pmkhjncg.exe
2316	Pmkhjncg.exe
1784	Pgcmbcih.exe
1784	Pgcmbcih.exe
1848	Paiaplin.exe
1848	Paiaplin.exe
2108	Pcljmdmj.exe
2108	Pcljmdmj.exe
1132	Qdlggg32.exe
1132	Qdlggg32.exe
2164	Qgjccb32.exe
2164	Qgjccb32.exe
1676	Qlgkki32.exe
1676	Qlgkki32.exe
2380	Qcachc32.exe
2380	Qcachc32.exe
2444	Qnghel32.exe
2444	Qnghel32.exe
2656	Aohdmdoh.exe
2656	Aohdmdoh.exe
3032	Allefimb.exe
3032	Allefimb.exe
1072	Acfmcc32.exe
1072	Acfmcc32.exe
2864	Ajpepm32.exe
2864	Ajpepm32.exe
1344	Aomnhd32.exe
1344	Aomnhd32.exe
2472	Adifpk32.exe
2472	Adifpk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bibjaofg.dll	Phnpagdp.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Aohdmdoh.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Oomgdcce.dll	Onfoin32.exe
File created	C:\Windows\SysWOW64\Pcljmdmj.exe	Paiaplin.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Djiqcmnn.dll	Ndqkleln.exe
File created	C:\Windows\SysWOW64\Ameaio32.dll	Paiaplin.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Njhfcp32.exe	Nhjjgd32.exe
File created	C:\Windows\SysWOW64\Phnpagdp.exe	Plgolf32.exe
File opened for modification	C:\Windows\SysWOW64\Qcachc32.exe	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Nhjjgd32.exe	Nnafnopi.exe
File opened for modification	C:\Windows\SysWOW64\Odchbe32.exe	Onfoin32.exe
File created	C:\Windows\SysWOW64\Dombicdm.dll	Olbfagca.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Olpecfkn.dll	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Bdclnelo.dll	Njhfcp32.exe
File created	C:\Windows\SysWOW64\Gbfkdo32.dll	Odchbe32.exe
File created	C:\Windows\SysWOW64\Oemgplgo.exe	Ofhjopbg.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Lflhon32.dll	Oippjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Paiaplin.exe
File created	C:\Windows\SysWOW64\Fbbnekdd.dll	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Oippjl32.exe	Odchbe32.exe
File created	C:\Windows\SysWOW64\Olpilg32.exe	Odedge32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Nplimbka.exe	ef88bd9b7f60182923f94665f791f3e2.exe
File created	C:\Windows\SysWOW64\Dahapj32.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Nnafnopi.exe	Nplimbka.exe
File created	C:\Windows\SysWOW64\Lkpidd32.dll	Oemgplgo.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Paodbg32.dll	Nhjjgd32.exe
File created	C:\Windows\SysWOW64\Objaha32.exe	Olpilg32.exe
File created	C:\Windows\SysWOW64\Onfoin32.exe	Ndqkleln.exe
File opened for modification	C:\Windows\SysWOW64\Aohdmdoh.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Imafcg32.dll	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Acfmcc32.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Odchbe32.exe	Onfoin32.exe
File opened for modification	C:\Windows\SysWOW64\Phnpagdp.exe	Plgolf32.exe
File created	C:\Windows\SysWOW64\Bdoaqh32.dll	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Aacinhhc.dll	Allefimb.exe
File created	C:\Windows\SysWOW64\Hnoefj32.dll	Nnafnopi.exe
File created	C:\Windows\SysWOW64\Ndqkleln.exe	Njhfcp32.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Alqnah32.exe

Program crash 1 IoCs

pid	pid_target	Process
2512	780	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll"	Olpilg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phnpagdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ef88bd9b7f60182923f94665f791f3e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll"	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paodbg32.dll"	Nhjjgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ef88bd9b7f60182923f94665f791f3e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odedge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oemgplgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll"	Onfoin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olpilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaafojo.dll"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oemgplgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ef88bd9b7f60182923f94665f791f3e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odedge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2648	2060	ef88bd9b7f60182923f94665f791f3e2.exe	66
PID 2060 wrote to memory of 2648	2060	ef88bd9b7f60182923f94665f791f3e2.exe	66
PID 2060 wrote to memory of 2648	2060	ef88bd9b7f60182923f94665f791f3e2.exe	66
PID 2060 wrote to memory of 2648	2060	ef88bd9b7f60182923f94665f791f3e2.exe	66
PID 2648 wrote to memory of 2132	2648	Nplimbka.exe	65
PID 2648 wrote to memory of 2132	2648	Nplimbka.exe	65
PID 2648 wrote to memory of 2132	2648	Nplimbka.exe	65
PID 2648 wrote to memory of 2132	2648	Nplimbka.exe	65
PID 2132 wrote to memory of 2560	2132	Nnafnopi.exe	64
PID 2132 wrote to memory of 2560	2132	Nnafnopi.exe	64
PID 2132 wrote to memory of 2560	2132	Nnafnopi.exe	64
PID 2132 wrote to memory of 2560	2132	Nnafnopi.exe	64
PID 2560 wrote to memory of 2576	2560	Nhjjgd32.exe	63
PID 2560 wrote to memory of 2576	2560	Nhjjgd32.exe	63
PID 2560 wrote to memory of 2576	2560	Nhjjgd32.exe	63
PID 2560 wrote to memory of 2576	2560	Nhjjgd32.exe	63
PID 2576 wrote to memory of 2572	2576	Njhfcp32.exe	62
PID 2576 wrote to memory of 2572	2576	Njhfcp32.exe	62
PID 2576 wrote to memory of 2572	2576	Njhfcp32.exe	62
PID 2576 wrote to memory of 2572	2576	Njhfcp32.exe	62
PID 2572 wrote to memory of 2344	2572	Ndqkleln.exe	61
PID 2572 wrote to memory of 2344	2572	Ndqkleln.exe	61
PID 2572 wrote to memory of 2344	2572	Ndqkleln.exe	61
PID 2572 wrote to memory of 2344	2572	Ndqkleln.exe	61
PID 2344 wrote to memory of 592	2344	Onfoin32.exe	60
PID 2344 wrote to memory of 592	2344	Onfoin32.exe	60
PID 2344 wrote to memory of 592	2344	Onfoin32.exe	60
PID 2344 wrote to memory of 592	2344	Onfoin32.exe	60
PID 592 wrote to memory of 704	592	Odchbe32.exe	59
PID 592 wrote to memory of 704	592	Odchbe32.exe	59
PID 592 wrote to memory of 704	592	Odchbe32.exe	59
PID 592 wrote to memory of 704	592	Odchbe32.exe	59
PID 704 wrote to memory of 2860	704	Oippjl32.exe	58
PID 704 wrote to memory of 2860	704	Oippjl32.exe	58
PID 704 wrote to memory of 2860	704	Oippjl32.exe	58
PID 704 wrote to memory of 2860	704	Oippjl32.exe	58
PID 2860 wrote to memory of 572	2860	Odedge32.exe	57
PID 2860 wrote to memory of 572	2860	Odedge32.exe	57
PID 2860 wrote to memory of 572	2860	Odedge32.exe	57
PID 2860 wrote to memory of 572	2860	Odedge32.exe	57
PID 572 wrote to memory of 2488	572	Olpilg32.exe	56
PID 572 wrote to memory of 2488	572	Olpilg32.exe	56
PID 572 wrote to memory of 2488	572	Olpilg32.exe	56
PID 572 wrote to memory of 2488	572	Olpilg32.exe	56
PID 2488 wrote to memory of 1976	2488	Objaha32.exe	55
PID 2488 wrote to memory of 1976	2488	Objaha32.exe	55
PID 2488 wrote to memory of 1976	2488	Objaha32.exe	55
PID 2488 wrote to memory of 1976	2488	Objaha32.exe	55
PID 1976 wrote to memory of 1236	1976	Olbfagca.exe	54
PID 1976 wrote to memory of 1236	1976	Olbfagca.exe	54
PID 1976 wrote to memory of 1236	1976	Olbfagca.exe	54
PID 1976 wrote to memory of 1236	1976	Olbfagca.exe	54
PID 1236 wrote to memory of 628	1236	Ofhjopbg.exe	53
PID 1236 wrote to memory of 628	1236	Ofhjopbg.exe	53
PID 1236 wrote to memory of 628	1236	Ofhjopbg.exe	53
PID 1236 wrote to memory of 628	1236	Ofhjopbg.exe	53
PID 628 wrote to memory of 2360	628	Oemgplgo.exe	51
PID 628 wrote to memory of 2360	628	Oemgplgo.exe	51
PID 628 wrote to memory of 2360	628	Oemgplgo.exe	51
PID 628 wrote to memory of 2360	628	Oemgplgo.exe	51
PID 2360 wrote to memory of 2076	2360	Plgolf32.exe	50
PID 2360 wrote to memory of 2076	2360	Plgolf32.exe	50
PID 2360 wrote to memory of 2076	2360	Plgolf32.exe	50
PID 2360 wrote to memory of 2076	2360	Plgolf32.exe	50

C:\Users\Admin\AppData\Local\Temp\ef88bd9b7f60182923f94665f791f3e2.exe
"C:\Users\Admin\AppData\Local\Temp\ef88bd9b7f60182923f94665f791f3e2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\Nplimbka.exe
  C:\Windows\system32\Nplimbka.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2648

C:\Windows\SysWOW64\Paiaplin.exe
C:\Windows\system32\Paiaplin.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1848
- C:\Windows\SysWOW64\Pcljmdmj.exe
  C:\Windows\system32\Pcljmdmj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:2108

C:\Windows\SysWOW64\Qcachc32.exe
C:\Windows\system32\Qcachc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2380
- C:\Windows\SysWOW64\Qnghel32.exe
  C:\Windows\system32\Qnghel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:2444

C:\Windows\SysWOW64\Aohdmdoh.exe
C:\Windows\system32\Aohdmdoh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2656
- C:\Windows\SysWOW64\Allefimb.exe
  C:\Windows\system32\Allefimb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:3032
- - C:\Windows\SysWOW64\Acfmcc32.exe
    C:\Windows\system32\Acfmcc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1072
  - - C:\Windows\SysWOW64\Ajpepm32.exe
      C:\Windows\system32\Ajpepm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      PID:2864
    - - C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344

C:\Windows\SysWOW64\Abpcooea.exe
C:\Windows\system32\Abpcooea.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1692
- C:\Windows\SysWOW64\Bgllgedi.exe
  C:\Windows\system32\Bgllgedi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1940

C:\Windows\SysWOW64\Akfkbd32.exe
C:\Windows\system32\Akfkbd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1916

C:\Windows\SysWOW64\Ahgofi32.exe
C:\Windows\system32\Ahgofi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2868

C:\Windows\SysWOW64\Abmgjo32.exe
C:\Windows\system32\Abmgjo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2824

C:\Windows\SysWOW64\Alqnah32.exe
C:\Windows\system32\Alqnah32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1548

C:\Windows\SysWOW64\Bnknoogp.exe
C:\Windows\system32\Bnknoogp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2088
- C:\Windows\SysWOW64\Boljgg32.exe
  C:\Windows\system32\Boljgg32.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:2764
- - C:\Windows\SysWOW64\Bkegah32.exe
    C:\Windows\system32\Bkegah32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:2564
  - - C:\Windows\SysWOW64\Cpfmmf32.exe
      C:\Windows\system32\Cpfmmf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:324
    - - C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:564

C:\Windows\SysWOW64\Adifpk32.exe
C:\Windows\system32\Adifpk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 144
1⤵
- Program crash
PID:2512

C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:780

C:\Windows\SysWOW64\Djdgic32.exe
C:\Windows\system32\Djdgic32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:440

C:\Windows\SysWOW64\Cgfkmgnj.exe
C:\Windows\system32\Cgfkmgnj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1760

C:\Windows\SysWOW64\Calcpm32.exe
C:\Windows\system32\Calcpm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2700

C:\Windows\SysWOW64\Cgcnghpl.exe
C:\Windows\system32\Cgcnghpl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1044

C:\Windows\SysWOW64\Qlgkki32.exe
C:\Windows\system32\Qlgkki32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1676

C:\Windows\SysWOW64\Qgjccb32.exe
C:\Windows\system32\Qgjccb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2164

C:\Windows\SysWOW64\Qdlggg32.exe
C:\Windows\system32\Qdlggg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1132

C:\Windows\SysWOW64\Pgcmbcih.exe
C:\Windows\system32\Pgcmbcih.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1784

C:\Windows\SysWOW64\Pmkhjncg.exe
C:\Windows\system32\Pmkhjncg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2316

C:\Windows\SysWOW64\Phnpagdp.exe
C:\Windows\system32\Phnpagdp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2076

C:\Windows\SysWOW64\Plgolf32.exe
C:\Windows\system32\Plgolf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\Oemgplgo.exe
C:\Windows\system32\Oemgplgo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\Ofhjopbg.exe
C:\Windows\system32\Ofhjopbg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\Olbfagca.exe
C:\Windows\system32\Olbfagca.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\Objaha32.exe
C:\Windows\system32\Objaha32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\Olpilg32.exe
C:\Windows\system32\Olpilg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\Odedge32.exe
C:\Windows\system32\Odedge32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\Oippjl32.exe
C:\Windows\system32\Oippjl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\Odchbe32.exe
C:\Windows\system32\Odchbe32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\Onfoin32.exe
C:\Windows\system32\Onfoin32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\Ndqkleln.exe
C:\Windows\system32\Ndqkleln.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\Njhfcp32.exe
C:\Windows\system32\Njhfcp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\Nhjjgd32.exe
C:\Windows\system32\Nhjjgd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\Nnafnopi.exe
C:\Windows\system32\Nnafnopi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
28KB

MD5
431c5de7d6b0716b7134bc7d4b3c27a1

SHA1
61f1a46b4add03c95934710ca0b0fcbffc595d7b

SHA256
4f7f9500c8b0d7231ca87719d7696bf4b66d88627d931416f1cfab3a9f02fa93

SHA512
c938100da7e759236c454563617d03af449541bfba063f0fd60efe04bbcee3aa9aa4e6a787c6cccb6dea40ae8850f122f7e3879609552bea0c9f02f44091e808

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
83KB

MD5
7376d665d210af993cee13cb485a875d

SHA1
3f8b65b823fca404b65e5c705cf2a3a7e8a066cc

SHA256
9b91a6c7844ec329d6ae1610df046f170fc7d597f5f20d58b3293777399d1b83

SHA512
caae2a7af71574c136706cedf04615baea15e6aec3ddefc3326695573a6bc16a7a20eeae3d1410a4b94143007ceb18c06116fc7a812565cf7bab60f625fdc42f

Download Submit
C:\Windows\SysWOW64\Nhjjgd32.exe

Filesize
83KB

MD5
73a00bfd06b8beaa6c09bf5b0c2aba5b

SHA1
0dc144ca6086d817d2e9efc8f0df218f6e89b0be

SHA256
07f6d43928d9dc502498e83e2094e8dcc3188b250312a2850d5aaf1781a969c7

SHA512
433b7c4d178dedcb0ce194ccce70e9a86e2832e467fe845b2aa2596665391e47edb7c038ca2c51592d145ed45343aee70a76daff56fa4f96037cbae2710b40e2

Download Submit
C:\Windows\SysWOW64\Nhjjgd32.exe

Filesize
57KB

MD5
084fdaa4967603057978971efe87d546

SHA1
c99109fd573b75e9ed0048accd4745ee732ed0ee

SHA256
af9704ffb2f5d23b43b5d234b16e801da05a3a518341536674ab5b3f76e3f09d

SHA512
a4730d8efe48560f3764a3fd4e246061b103692c38ad9765b5bdf26b0fd38ccd2f51cc983f17e0f3b8dc6697519ae01df9779a24b05d4b8b8d6c747031d20e47

Download Submit
C:\Windows\SysWOW64\Nhjjgd32.exe

Filesize
26KB

MD5
b557f4d8df63b3f39e91175b2667a4bf

SHA1
45a653314b3be8e9fa6396fdbf87acd5ce7b98b1

SHA256
b58bb5877737f562275b836ad99b20da5e2f28bdb5644eb17f1eec5e20035cb7

SHA512
48d19d27bac1b6c20e330925c7b02974656948b1471a2b3af5c79cd53fb42e628f73da4e610d95b9a2849e5fba236e93b20cd13a61a5d20230a80c46d7b9f06f

Download Submit
C:\Windows\SysWOW64\Njhfcp32.exe

Filesize
10KB

MD5
9b7f2238b4aa75e68e00d7b5dfc633ab

SHA1
685e4b2b0a056015279e29ef44fc0bcd5104467c

SHA256
91e823daa7af72b71aec3d5dd21a6f33bc83b781683ea18b437b1fc16f4ef7f8

SHA512
b9f7dd3d5217e9e2df6e920280aaf958b32b50dd9cf3cc666df3d6029ceaa32547fd9de099a911a245077a6e8bc2ee87226968be58026a34671279d475effbec

Download Submit
C:\Windows\SysWOW64\Nnafnopi.exe

Filesize
42KB

MD5
59fa5bbb49c824d8f826a10a3179ee14

SHA1
e73c5fd90afe5b730200dd082e1c2707dc42a3ec

SHA256
dec0e285b79e8c00b4dd4757b094884fba5d435835c26221394dca7adb2184a6

SHA512
16905d68377d26379fd1a46c3ad0532c0a1e3dcb97ef506302623d69b6fe8ec8800d56dcf1a535b30be57b61ea563a9f4869198688d8a85f5a760e80617d27dc

Download Submit
C:\Windows\SysWOW64\Nnafnopi.exe

Filesize
69KB

MD5
2512ef4fd0fc740dfb66edc7c836152b

SHA1
039479a7e8b7f095d53e67505535e97c5146625e

SHA256
262e279f52477675bbb3956261327cf5994239a7846407238b65f47a8c001666

SHA512
1a3d0b316708c9a1949e3f99164968bd4448d8088097b9300b88fc48819bc058c7b78ccebc5c266cc97835e2685e99eab84d0530a3531a7d3ea59e9111d7dd13

Download Submit
C:\Windows\SysWOW64\Nnafnopi.exe

Filesize
108KB

MD5
674acbf1a9fff26f8b815033f2667400

SHA1
583b38233ec60ea765dc51aa1b7bea516312ad43

SHA256
bdcc4c423218e5044431bb7bef751cc7d55986de0ca90d972f9017a4acb4110e

SHA512
4100b32ec395982920c628f2a0fedc5f341f1b5db4fd603dfe40ec209fe9f0d3d639071f632423b1398a803082ecf62aaab75c38ce8741f60edfd5e1d3627270

Download Submit
C:\Windows\SysWOW64\Nplimbka.exe

Filesize
46KB

MD5
dbe86b9d557afdf0d9edfd5e3c461997

SHA1
f62d906a3b9c66613a061ef9ae654a6c72696dd6

SHA256
baf952087aeb60c6e45f579136fccdb80cc26e8d1eda847d9589b04f1a2db014

SHA512
eea391c119a865e97bc204bb51f7ffb30ab658d403a0399657f2a53ae1a266d765fbe3bec4d1a64003fcac849e2349c965e7878cb05cd57758e1e01fe503f26b

Download Submit
C:\Windows\SysWOW64\Nplimbka.exe

Filesize
96KB

MD5
5d304cf66c0c940d5fbc5d8fcc795dc1

SHA1
ad71483fddb8974c0a6a76cd515067d7de4cf4f1

SHA256
1aa11b37693bb22749368b00f6318ce03ed789b656debd252aa2fd715df0c936

SHA512
2260fc01b30aa3c1f4e13e887106a4b07e64121b575fe51691639131b7cf9bdb98ada6681b286d927f27ebff634e0486faa0da01e6426ef135372e3829b470ae

Download Submit
C:\Windows\SysWOW64\Nplimbka.exe

Filesize
85KB

MD5
023cd48822979e6fcd60bd850392b586

SHA1
545e31902292a9a9fdf28e98756da4ae5d2eb128

SHA256
a52eeaf7811c6b882ef583be0b7500547de892025fa414999af351e6e7b4d1be

SHA512
f29b4b2fc615f01effbd26346a58a424942b344297ae3be16634f77c7aa9034406cb292e557ff629eb1e51df0b4587789e27970620583cedbd20e746048f7d57

Download Submit
C:\Windows\SysWOW64\Objaha32.exe

Filesize
71KB

MD5
1251bd05356bdb33349ed76365e0852c

SHA1
5dfd45baed3e89a886e667bdc29ecebddbeb20a5

SHA256
121d11d0cc677b54f186cc461e60679e29273d66be4c82c2abf82c27aeea74a4

SHA512
540422553df0c548a5b9d9a1c53dec2fe2982b88302bd3c77b54c927bcf18247db5f68484836abe46e59b302d17ab389b715fd7ce51e3066d2047cc2f6e1ab93

Download Submit
C:\Windows\SysWOW64\Objaha32.exe

Filesize
87KB

MD5
5f31bf39414ccadc66b8a2b967c97be9

SHA1
2099a989870dca414898bd8a086b36aa9dbbc05d

SHA256
bc3acec76d8204cd638ac1a34d8ffcde479ce7c531ec20b206e41233a21347e3

SHA512
1b7dcf438cb921fa95e91c89300a9036e0b467652d9ce2054bee12369b5f48907b78c95c1a10e1a3b2eeb3137ba857691c7eaaea4edfa400ff4a812a8f3c2d9e

Download Submit
C:\Windows\SysWOW64\Objaha32.exe

Filesize
38KB

MD5
e2e05272a819a17ec344b8367673c956

SHA1
d2c2aedadc7d9498038faff30cb5acd367229519

SHA256
9a8fee9b5bbbef0724c42702748ab09fb0c3e49da274ddb4a37b8f28e52bc2d4

SHA512
0bbdee336634fb8490beb6a08a36c2e20b30fa033cdc6e41869c696675e0a190727e2cf6ce67bea74be1baa6bfd781a1d0a31785c186ecf32730e9b61ef7b5f4

Download Submit
C:\Windows\SysWOW64\Odedge32.exe

Filesize
99KB

MD5
70b2485156ba7a0ec2d150c140f1b703

SHA1
a81453ff34f12237e8b6e7e2c70166b11724d96d

SHA256
f6a98d399ca6bc3fb8c8cfb896df2361f3c73741c7591cc7fe648a85cc565fdd

SHA512
a8c20c2e99fa76a089ff541dc63db1ae798986f3b76f25a1e264fc0d10db51c14049fa72bb5d54c4668e5b35e2b03dce99cab3b973283480d00ecbce02240ee3

Download Submit
C:\Windows\SysWOW64\Oemgplgo.exe

Filesize
236KB

MD5
94d1f534f5fd818e7c2b4901d958067b

SHA1
d771bc2834a1d1827366a3a8970f3696836bfe70

SHA256
25b34c1af2b2953f2f78afef2fdbd2b65f1a732a767cabe649cf43d56d3f1895

SHA512
25b2c4ae9791e25d18046a64b9093a08f8cdf0dd6008f4b1796cf0e72bd9a6923113b94766e140c08a7915d2f2f76b1864d7cb6238d0f143b75a40b7570829c8

Download Submit
C:\Windows\SysWOW64\Ofhjopbg.exe

Filesize
236KB

MD5
2d531be6c9f6364c2a82b06c4def3fd9

SHA1
0820306b6cb73802e403f52b995699ab85e5024e

SHA256
efaf75f8685958fb4f4324f101e6725551d1941753ae7f8ec42b4aa5fa377267

SHA512
6cb8117f6b45f71cb564304a67925de74a228fb58e2f1bfcc5fb10220f001c66cec0875f0e051d1b8797448f726556bd8c23256e01fae4ae840a5d5663123b08

Download Submit
C:\Windows\SysWOW64\Olbfagca.exe

Filesize
130KB

MD5
6f326fd7fc67747f45d80b095a1971ad

SHA1
78d1e99463c5444d9e92d9b27dc5a665e30d97bc

SHA256
7a36a469c5a7f1d2997e22bf766710960b938a3d8e52e052b0c14808cb3face3

SHA512
6667c482ccbaa4ae6b6cc372d142aa5767533d7e8930a8b4145315ebc65d37a9ce627e4173116be7e42fe5d42ac732b77aec6a0c7a1c6a6f5bebed1f2a1f32db

Download Submit
C:\Windows\SysWOW64\Olbfagca.exe

Filesize
236KB

MD5
98ca7cd933f95255d1aca1eac38568f2

SHA1
1ccc0a980f4e7a67e5446182afbbef0089a61d9c

SHA256
64abe356990a92fcfa78f178c05f8396f288735dabd5fc1044c90b2c4d395f2c

SHA512
b7ce05f6ef65f3323918bd00c495bff63e1fb5b0ceceb96aa74523eb13aa9e4345a3282ee0abbb622626ab72b68f16d81076cc8104a092c1eabdc0fe1785bac6

Download Submit
C:\Windows\SysWOW64\Olpilg32.exe

Filesize
65KB

MD5
6e40dcf41daf3062eed1cd94db03c636

SHA1
fa742aad7d53c5a020f0c0e1b8f7f93949deefa6

SHA256
cbae7525c78ba8c02446adb232da6ceb291807c1d6cb0d9902645130ebeed73d

SHA512
1a0bfd6f0548c1086554c3111db4977a36b691f4e7b880f1bb6d79d1078d9869c1a6b6681f8b91c10bc55e8205cdd5f6f919fa49d8d4c8a66866e4d323e3a9e9

Download Submit
C:\Windows\SysWOW64\Olpilg32.exe

Filesize
87KB

MD5
0a03d1b6d6ba572289da8e7cfad90c99

SHA1
eaf74e2d289aa34c035a25947ce3cfbdf2d2f360

SHA256
2d71aaae1f0ddfc92c1cd3576bfce004b40c72f8eb0df4a61d0ef1d6648e15af

SHA512
2c176f5bced3f132b8457d5f90012c277afb48a7b0fc48824d878ffb2f7752e8ab4d0e367b051de161befe5d3b76690ba89e7e61c14f3c081666e17c7e6cc3e8

Download Submit
C:\Windows\SysWOW64\Olpilg32.exe

Filesize
19KB

MD5
e48f0cf484d45255a964d43e7d905432

SHA1
408f03a7ebe748fc54abe1b9e74f4eb44de24ef7

SHA256
7b11104b5de83035fdb0d6ba5841ac27fea9b470317392a62c52b1f5d41a7bf9

SHA512
3cb6a51df67748491924de2af90ad4f05d7c447af1e72aab6879a903477a5909a83481dd525467f45f68a7005a83868ac68f602ad558d6149d5483040ee87f7a

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
236KB

MD5
29721bfee58a96b62cb591afc46a3bde

SHA1
f303b76342fa1638d7ac1074356c440da4c2d560

SHA256
15c7a9960222e874d566fd593626fa4cdefbe82cdbab80bb0ed2f6be8b824e7b

SHA512
a97337224c1f7a15289e1d7ee7f9eb79e5705ffaf94e4278c18c3093bbfd6d9e4940e87b01b6015129a3e7ef6917f43635c3b775a1ec1a4963fa2573eb987e2a

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
36KB

MD5
74b62a3d144f99969df81f2b4f473a86

SHA1
f1d9b26d480024c735eb0a1ceddbe993452f91fb

SHA256
7cdc4849a10880e3a5e18272bc2240d53fb42d5ea92b4ddf57d97ea5706dc64b

SHA512
7254973878d5499f8dc9ba058d617d987d48de3e421d9dd8545d2dbc8d27e4a78d64a139313d054009d73120c636b5bbffda9577ec929c4c6e2895fde0332f24

Download Submit
C:\Windows\SysWOW64\Phnpagdp.exe

Filesize
236KB

MD5
d234fd9dfb9085f4c60dccf80f8df60b

SHA1
36c5ab7e2167e004885810965b16238a9340c165

SHA256
9146cb24a13622f4c09bf664679c9311b5eb58fed7b247c2b34e553295006362

SHA512
79aafadb1d6aeb02557c41d457fe29e6591175b9ffb12cb388c5c393522fc02d8f157e6309234da1f99fc72e10248db390d73e434da2838b2041b83cd99cb85e

Download Submit
C:\Windows\SysWOW64\Plgolf32.exe

Filesize
236KB

MD5
e71ad27070032646d8d6481242c6f4a7

SHA1
ed2e993b6464fc2460f34e783bc5c6c8a7e88fe7

SHA256
ca07c219b9a7888c408855e97052d30409cae465e418b748358bc4739f94e38e

SHA512
70f0f2e61dd9c2938a060ac1816ea602a133e7f343f92fa022b5dba625b03289ea30e0fad683e738a0d93eb8f689f84414150dc36cbb1d034691a29519f35a06

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
236KB

MD5
f9885f3c9c0230a2a4ede171345c72cb

SHA1
d89f6551351a17bb11ab4e9c7d5dac4ac3110c17

SHA256
58ccc1b354ab7332043e5c89b1a082fa01f8043c1960f28b9dca324df2bb9c8e

SHA512
09b8a7f058fe051e51a7cb50e06a8e42c0f5bb01312bb7d3ae5d561f2b890392e2b7271184d8f25b1ed57ef2738abcb38b960897c5bedbe91c3523bfce779acc

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
75KB

MD5
87c0150e20b75c82a15caf56dbc12de6

SHA1
3f6dbb0e8e7938f5016a4ad03ae9d83e826a8b1a

SHA256
fe203434b038b45658c2047fd249e3d7c3c4b6eb0f5385c4621cfee27cfc5330

SHA512
9574832c558ea427c8c50706308f5c1c8d4ce763dc0358f75330cefa6d150f1baf11cdd42591e2d5e361fd14a9dbee8b8d37e8897af00277b1fc6f94543ec60a

Download Submit
\Windows\SysWOW64\Ndqkleln.exe

Filesize
4KB

MD5
51026de75af0fe4c96e70b527d6b9b46

SHA1
cd377945e21a608ce07c18b5a5f03fe791520f96

SHA256
1b4150d303fb353f8e770a210ea38e2890f7e4582a6d0e2b2e085838270aa570

SHA512
2ef3f29ffa74c3b7071951546d976b1cc877d9beaa15ee07ee39e54e7e3824f45a998102a5d3b2c098b7adfc26221683e5729833633090c99bed520f8aa72f07

Download Submit
\Windows\SysWOW64\Nhjjgd32.exe

Filesize
52KB

MD5
5eaf320e785f423f3adf7cbce864425c

SHA1
a4105fdf7ac315bebbbc6f48a734ce530bde0f25

SHA256
77a4ff149b47088e226cd23a8fb4ddd5a05f5fbacfc53893566adba889eeb29f

SHA512
af49b5e34ec352fe525209c0d5bcb57f311d6dc4cdfcd2c639d28a0252b866a3e3ccecaf1d7cd6ef77027d2e7efa2bd023c42a4b3947839aaf642622aac2e34c

Download Submit
\Windows\SysWOW64\Nhjjgd32.exe

Filesize
84KB

MD5
70abfd7ff1669def36cd66cf889eb146

SHA1
4bba810a5b9e222ce69a3de7142e489f69ee665f

SHA256
3ae541d65d671969dac1517d2ace817604ae2f10ad0be7b24c96abfee1b5717e

SHA512
d57cb9481145fc4b3bcc03eb4ca4a3a04bd0fe1c706e94b7b07a8bc960d1a47015e044331aa18a57b355aac61f3959cb5e5c8087a88ccfb90e1a9b4b78e8d428

Download Submit
\Windows\SysWOW64\Njhfcp32.exe

Filesize
18KB

MD5
58e660a7c1cf50d1bb38abb44ef76665

SHA1
6a5f035d31be9f2324505a5d5f4eb77ff40ee49c

SHA256
d6252d414d5593e69e1fbb841261b19aad760f31f39336f417ff7d5863b6a29f

SHA512
0b877a6f80f65c2dff19b1f4dc046cd06f60eccd2b97e8e6db266f9e4d49dde4071101c01c6c82eed63fcd8e2d81dfa0a157ddc7432721c3cdd5230f951e4c7c

Download Submit
\Windows\SysWOW64\Njhfcp32.exe

Filesize
35KB

MD5
bed647172f9de3f0ce648cec9962dbed

SHA1
aac0e862436ba7fca4cc6ab8e273d8eb337dbb5a

SHA256
e20fa1719170f0724e543f4c77e3430df92a3065efcbb68f487341f619e6d781

SHA512
79f257c18f65794d96e319ba1ce8bc679a82041148e846828a0e0523bfdc388afe12f3730e9ab793b1038f7f484e8d92d330aaf72be0050914f498c932bce9a3

Download Submit
\Windows\SysWOW64\Nnafnopi.exe

Filesize
38KB

MD5
91a2c658723e016ecac2a36c60746b2e

SHA1
c76dc7f3be0d3f4083599c1f0a5b666447b3f6b8

SHA256
7ee56a1d26c9d23b291d72c263a721d5ba549991e3c0f251029a96e94718b562

SHA512
4d159bc1a73c21d7f9a278b4c25ee4d94fc0e18391a5715e55745185818b1e71a4940ee149f2003e18d54a942c4596748b2c53e74c90c3cf3994ab4740b4249d

Download Submit
\Windows\SysWOW64\Nnafnopi.exe

Filesize
33KB

MD5
4552aeeebdbf274525fd84ddb1079abd

SHA1
2982a477d5ca62b9ef295645fef1b6b175dd60d4

SHA256
fac34f2429fda0797fcb8201ff43536836616dbf30b337a7290ea9dc35f15e30

SHA512
da2248f44c8f84e86b2ce80cb208724530980eb6aecaf3b97d5439fef5b05fbdf8425f21b8f79a3142c8cea475a2770b1d0565ca124744f141254f79ada3b511

Download Submit
\Windows\SysWOW64\Nplimbka.exe

Filesize
69KB

MD5
19553b32a16146f794b0a24d0830e354

SHA1
0b31755a52367e4f8bc0f3f3f1f65a9c11b61338

SHA256
dea826874e2dd0e274ec0a25eec8407cd5d6e15ac13b93a4971f61802e809e3c

SHA512
a5b57708c2c9425bfa7fd1012f4763e4e7f0489ccd8275e18237a118768433cf5f4084d49be11e2d32ee680e30e28e24881c58be9a6889e6a37eaa34f612e5c0

Download Submit
\Windows\SysWOW64\Nplimbka.exe

Filesize
65KB

MD5
9afed105c3d5047d34a25f26e74f348c

SHA1
21332c086e57764d9c0e58a36c32f5c15aaa6c61

SHA256
1cd45db5d90fefa2e547a8a932ee3e642afd9bf4fdaeb6aacf70ffd37f6ca8b5

SHA512
4d273e3b073893fcf03d70e0c7bfa2757d04eb213d8a8833201ce7910263354e210c3c103e2f4b2d8a4160b51579b03560787104bcb3a5f2e373ccf63d84e072

Download Submit
\Windows\SysWOW64\Objaha32.exe

Filesize
48KB

MD5
aaadcc6ff4e757e0cb64d90d6efbfa4a

SHA1
49f1f32cbff86758dbf593c602fe2663b31604d7

SHA256
60512f872ae2807770bfb030e5c2486b6ac3a282e46b98cd234831366c0b2e54

SHA512
4b7954fbe0dbf1025ae2f97f1b5503657d37cade706443189db1fb1b94d46155065c50fadbd52044b924d8b677ed85f066062de6b10aa8ca8ee83cf546368701

Download Submit
\Windows\SysWOW64\Objaha32.exe

Filesize
58KB

MD5
bbb46c15594bbc8d17b9165237f48211

SHA1
64836c7162a3666c089a8192e7b0f555b24ef997

SHA256
76b8891f58b092e94b4771f9f343b00d974bedaa63ed5ebedaa3e113fcbf4c56

SHA512
583b9b714febbd8f71f163a416a1a4442595ff7ca270ba021fcfa2ca2a160b84f7bbabb7d7c0396c7fc2c10f599f699af70b3ce75e6df4c256d794b290626f1b

Download Submit
\Windows\SysWOW64\Olbfagca.exe

Filesize
49KB

MD5
9c5c1b68b75bd4571547f771200c3c73

SHA1
800bcb4cf42eeefe4ffeb240ab5beb8ceca38108

SHA256
012e9a6f6401e476f41026f35b4256a188395c44c89bf7becd56e7e5dce4790e

SHA512
ac8627380e6dbe15d71027be369cbbd1b140721a006b7b20725013a2f47c76502fd46e4532ed11d00409286699dede5b03c129dddea0ff3a86a30aa8271e9b59

Download Submit
\Windows\SysWOW64\Olbfagca.exe

Filesize
74KB

MD5
a9c182f3fde1e5c110c99f1fbdf0540a

SHA1
fd96f3ee7742f49b70650998c55480bec5e2a8bf

SHA256
59fa1fd456782e548339022b1da0b2a6cd77f192e7fec2abdbb97ad23476a3b9

SHA512
78ad79d3eff77284d389937f3e9d310fcda8f97fcf7282340b1b36722ceb3c0a87ea1c9b3f00813b95320155dba46b40ef33595328e889493112ecc95c093dc6

Download Submit
\Windows\SysWOW64\Olpilg32.exe

Filesize
127KB

MD5
0e0c0c2d4f112441b3d8f6e995964b60

SHA1
7eb602f7fc2ec488f8e3eb83d1db54cab4ae1338

SHA256
4ae6a849f779fbcdad83809f3ff644f8736c95b5507310251281db5ac73d4315

SHA512
a36b758bbd942145603b93845c6b15dc5c9b7da5c3f642c16b967dcc75c08ec2d1eabf710245fde2ec5d97ca7aeb982b064409da5d82d5cd61b590fa29f46d56

Download Submit
\Windows\SysWOW64\Olpilg32.exe

Filesize
92KB

MD5
a2673077d6ff569c507967e1e451038c

SHA1
7e198c6cab6e28e0218abbcc719a4903f97302e7

SHA256
472769d3cfb36e153aeb27ca01bb72f7d2c311b0d0cec18244b764537c2f7e3b

SHA512
9554e6ab7bb21a5c85eeb277ecb7b89e81d0b4fcad22cf6afdf2e4d158e167495cf740e23a9a43d5cfe98fffeb09ebd72f9cd5f0f45418251022393a3164072f

Download Submit
\Windows\SysWOW64\Plgolf32.exe

Filesize
54KB

MD5
9ece44678b0493197e66dfb4bf8fcf8e

SHA1
e83a22b7bbdac60235e0b8d203aa2ad704e9b690

SHA256
ff94e4c3a8a686b3982102e5ba64d767f998fd935930868364923d8e332ea174

SHA512
77063d920751899ef6b9bb3f5d939cd16986c8bd76efc734819421dfa5dc921cf96aa2b4a46a3501bb352622ba5372e4a0d4f49440f58d8b367a7fdc9a2e5312

Download Submit
memory/572-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/572-149-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/592-103-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/628-206-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/628-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-212-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/704-116-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/704-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-286-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1132-291-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1236-197-0x0000000001B60000-0x0000000001BA0000-memory.dmp

Filesize
256KB

Download
memory/1236-191-0x0000000001B60000-0x0000000001BA0000-memory.dmp

Filesize
256KB

Download
memory/1236-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-308-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1676-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-309-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1784-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-253-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1784-258-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1848-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-264-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1848-269-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1976-171-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1976-176-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1976-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2060-13-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2076-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-232-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2108-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-281-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2108-275-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2132-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-302-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2164-301-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2164-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-242-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2316-247-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2316-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-95-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2360-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-221-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2380-319-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2380-320-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2380-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-327-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2444-334-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2444-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-49-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2560-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-80-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2576-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-22-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2648-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-344-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2656-340-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2860-135-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/3032-351-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/3032-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads