ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Size

110KB
MD5

1ceb5ac3b4490a4f2486a7c2f34e8996
SHA1

1df9763b068391a41efe3f2bd0fad26cdc63c263
SHA256

ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a
SHA512

37bbd8db8ed1d4894a3da5d986b231d355b52a4ff0010f18ee070a120813ddb78ce955ddd8b945504bd4ef5fab2d4a6407a5e70f90a1b28dd42adde8f6fd3972
SSDEEP

1536:hqhAodrNwA3oJ+DjOBZ+JtsccXErLU2LuQS2BOWvI6dIjVjJ8FPws2LTH:WfKA3okDjKEVuQS2BPvvdcJEPwlb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollajp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollajp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeeecekc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeeecekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohqqlei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkidlk32.exe

Executes dropped EXE 36 IoCs

pid	Process
2368	Niebhf32.exe
1620	Nekbmgcn.exe
2556	Nmbknddp.exe
2520	Nenobfak.exe
2344	Nofdklgl.exe
2416	Oohqqlei.exe
2888	Ollajp32.exe
1556	Oeeecekc.exe
2736	Oopfakpa.exe
2176	Ojigbhlp.exe
1684	Pkidlk32.exe
240	Pcdipnqn.exe
1520	Pnimnfpc.exe
828	Pomfkndo.exe
2036	Pfgngh32.exe
2092	Pmagdbci.exe
2296	Pdlkiepd.exe
1028	Qgmdjp32.exe
3024	Qqeicede.exe
1660	Qkkmqnck.exe
1852	Aaheie32.exe
960	Anlfbi32.exe
2868	Agdjkogm.exe
2196	Amqccfed.exe
2088	Agfgqo32.exe
2848	Aaolidlk.exe
1136	Afkdakjb.exe
2200	Biojif32.exe
2544	Bajomhbl.exe
2612	Bonoflae.exe
1600	Behgcf32.exe
2424	Boplllob.exe
2356	Bdmddc32.exe
2412	Bmeimhdj.exe
2460	Ckiigmcd.exe
2524	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2084	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
2084	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
2368	Niebhf32.exe
2368	Niebhf32.exe
1620	Nekbmgcn.exe
1620	Nekbmgcn.exe
2556	Nmbknddp.exe
2556	Nmbknddp.exe
2520	Nenobfak.exe
2520	Nenobfak.exe
2344	Nofdklgl.exe
2344	Nofdklgl.exe
2416	Oohqqlei.exe
2416	Oohqqlei.exe
2888	Ollajp32.exe
2888	Ollajp32.exe
1556	Oeeecekc.exe
1556	Oeeecekc.exe
2736	Oopfakpa.exe
2736	Oopfakpa.exe
2176	Ojigbhlp.exe
2176	Ojigbhlp.exe
1684	Pkidlk32.exe
1684	Pkidlk32.exe
240	Pcdipnqn.exe
240	Pcdipnqn.exe
1520	Pnimnfpc.exe
1520	Pnimnfpc.exe
828	Pomfkndo.exe
828	Pomfkndo.exe
2036	Pfgngh32.exe
2036	Pfgngh32.exe
2092	Pmagdbci.exe
2092	Pmagdbci.exe
2296	Pdlkiepd.exe
2296	Pdlkiepd.exe
1028	Qgmdjp32.exe
1028	Qgmdjp32.exe
3024	Qqeicede.exe
3024	Qqeicede.exe
1660	Qkkmqnck.exe
1660	Qkkmqnck.exe
1852	Aaheie32.exe
1852	Aaheie32.exe
960	Anlfbi32.exe
960	Anlfbi32.exe
2868	Agdjkogm.exe
2868	Agdjkogm.exe
2196	Amqccfed.exe
2196	Amqccfed.exe
2088	Agfgqo32.exe
2088	Agfgqo32.exe
2848	Aaolidlk.exe
2848	Aaolidlk.exe
1136	Afkdakjb.exe
1136	Afkdakjb.exe
2200	Biojif32.exe
2200	Biojif32.exe
2544	Bajomhbl.exe
2544	Bajomhbl.exe
2612	Bonoflae.exe
2612	Bonoflae.exe
1600	Behgcf32.exe
1600	Behgcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Oeeecekc.exe
File opened for modification	C:\Windows\SysWOW64\Qgmdjp32.exe	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Oeeecekc.exe	Ollajp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Qkkmqnck.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Lhnnjk32.dll	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
File created	C:\Windows\SysWOW64\Oflcmqaa.dll	Oeeecekc.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Ojigbhlp.exe	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Faflglmh.dll	Ojigbhlp.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Docdkd32.dll	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Pnimnfpc.exe	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Oohqqlei.exe	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Jaofqdkb.dll	Ollajp32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Oeeecekc.exe	Ollajp32.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	Oeeecekc.exe
File opened for modification	C:\Windows\SysWOW64\Ojigbhlp.exe	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Oohqqlei.exe	Nofdklgl.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Agfgqo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
748	2524	WerFault.exe	63

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdqghfp.dll"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ollajp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanedg32.dll"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibeif32.dll"	Oohqqlei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2368	2084	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe	28
PID 2084 wrote to memory of 2368	2084	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe	28
PID 2084 wrote to memory of 2368	2084	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe	28
PID 2084 wrote to memory of 2368	2084	ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe	28
PID 2368 wrote to memory of 1620	2368	Niebhf32.exe	29
PID 2368 wrote to memory of 1620	2368	Niebhf32.exe	29
PID 2368 wrote to memory of 1620	2368	Niebhf32.exe	29
PID 2368 wrote to memory of 1620	2368	Niebhf32.exe	29
PID 1620 wrote to memory of 2556	1620	Nekbmgcn.exe	30
PID 1620 wrote to memory of 2556	1620	Nekbmgcn.exe	30
PID 1620 wrote to memory of 2556	1620	Nekbmgcn.exe	30
PID 1620 wrote to memory of 2556	1620	Nekbmgcn.exe	30
PID 2556 wrote to memory of 2520	2556	Nmbknddp.exe	31
PID 2556 wrote to memory of 2520	2556	Nmbknddp.exe	31
PID 2556 wrote to memory of 2520	2556	Nmbknddp.exe	31
PID 2556 wrote to memory of 2520	2556	Nmbknddp.exe	31
PID 2520 wrote to memory of 2344	2520	Nenobfak.exe	32
PID 2520 wrote to memory of 2344	2520	Nenobfak.exe	32
PID 2520 wrote to memory of 2344	2520	Nenobfak.exe	32
PID 2520 wrote to memory of 2344	2520	Nenobfak.exe	32
PID 2344 wrote to memory of 2416	2344	Nofdklgl.exe	33
PID 2344 wrote to memory of 2416	2344	Nofdklgl.exe	33
PID 2344 wrote to memory of 2416	2344	Nofdklgl.exe	33
PID 2344 wrote to memory of 2416	2344	Nofdklgl.exe	33
PID 2416 wrote to memory of 2888	2416	Oohqqlei.exe	34
PID 2416 wrote to memory of 2888	2416	Oohqqlei.exe	34
PID 2416 wrote to memory of 2888	2416	Oohqqlei.exe	34
PID 2416 wrote to memory of 2888	2416	Oohqqlei.exe	34
PID 2888 wrote to memory of 1556	2888	Ollajp32.exe	35
PID 2888 wrote to memory of 1556	2888	Ollajp32.exe	35
PID 2888 wrote to memory of 1556	2888	Ollajp32.exe	35
PID 2888 wrote to memory of 1556	2888	Ollajp32.exe	35
PID 1556 wrote to memory of 2736	1556	Oeeecekc.exe	36
PID 1556 wrote to memory of 2736	1556	Oeeecekc.exe	36
PID 1556 wrote to memory of 2736	1556	Oeeecekc.exe	36
PID 1556 wrote to memory of 2736	1556	Oeeecekc.exe	36
PID 2736 wrote to memory of 2176	2736	Oopfakpa.exe	37
PID 2736 wrote to memory of 2176	2736	Oopfakpa.exe	37
PID 2736 wrote to memory of 2176	2736	Oopfakpa.exe	37
PID 2736 wrote to memory of 2176	2736	Oopfakpa.exe	37
PID 2176 wrote to memory of 1684	2176	Ojigbhlp.exe	38
PID 2176 wrote to memory of 1684	2176	Ojigbhlp.exe	38
PID 2176 wrote to memory of 1684	2176	Ojigbhlp.exe	38
PID 2176 wrote to memory of 1684	2176	Ojigbhlp.exe	38
PID 1684 wrote to memory of 240	1684	Pkidlk32.exe	39
PID 1684 wrote to memory of 240	1684	Pkidlk32.exe	39
PID 1684 wrote to memory of 240	1684	Pkidlk32.exe	39
PID 1684 wrote to memory of 240	1684	Pkidlk32.exe	39
PID 240 wrote to memory of 1520	240	Pcdipnqn.exe	40
PID 240 wrote to memory of 1520	240	Pcdipnqn.exe	40
PID 240 wrote to memory of 1520	240	Pcdipnqn.exe	40
PID 240 wrote to memory of 1520	240	Pcdipnqn.exe	40
PID 1520 wrote to memory of 828	1520	Pnimnfpc.exe	41
PID 1520 wrote to memory of 828	1520	Pnimnfpc.exe	41
PID 1520 wrote to memory of 828	1520	Pnimnfpc.exe	41
PID 1520 wrote to memory of 828	1520	Pnimnfpc.exe	41
PID 828 wrote to memory of 2036	828	Pomfkndo.exe	42
PID 828 wrote to memory of 2036	828	Pomfkndo.exe	42
PID 828 wrote to memory of 2036	828	Pomfkndo.exe	42
PID 828 wrote to memory of 2036	828	Pomfkndo.exe	42
PID 2036 wrote to memory of 2092	2036	Pfgngh32.exe	43
PID 2036 wrote to memory of 2092	2036	Pfgngh32.exe	43
PID 2036 wrote to memory of 2092	2036	Pfgngh32.exe	43
PID 2036 wrote to memory of 2092	2036	Pfgngh32.exe	43

C:\Users\Admin\AppData\Local\Temp\ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe
"C:\Users\Admin\AppData\Local\Temp\ba5a8dd2be75dce0340f33b1d035f5667b4dd07b9759330c5f317efe96f1ef3a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\Niebhf32.exe
  C:\Windows\system32\Niebhf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Nekbmgcn.exe
    C:\Windows\system32\Nekbmgcn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\Nmbknddp.exe
      C:\Windows\system32\Nmbknddp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\Nofdklgl.exe
        
        C:\Windows\system32\Nofdklgl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Oohqqlei.exe
        
        C:\Windows\system32\Oohqqlei.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ollajp32.exe
        
        C:\Windows\system32\Ollajp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Oeeecekc.exe
        
        C:\Windows\system32\Oeeecekc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        37⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 140
        38⤵
        Program crash
        
        PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
110KB

MD5
46d4baeded87603d8492ab49787f1619

SHA1
7517d8a41029658c19f91656170bc7fba21a1c48

SHA256
9a13f3a05781b9a34e0916f66ab1c8032a2c55f018aa6c3b306a72a2f352fd6f

SHA512
b6e917085b2196111ab8754bb83e910acf20e3269cfdc41e3685c26bfb6a8f4bb29e8b9be149895967f5ae7f91369286222854a89a088c68f1fd895bc9b3db80

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
110KB

MD5
9fd3c6ae1e904603a75112b8fc72db75

SHA1
244d94194aafa9fc50c04c4a641209d06c68d777

SHA256
7f856ceb8d99893d784f74fcae1e52c9a7c099e496f9cbf9bae9f8a4394b9cfb

SHA512
a5a66fec85a1b5097a8f49e4b5f169f4162a0e39f1089fc895d39d06e44c02cf61bf7d7d137cbcbcc479b40eb3463dc503cb8bdff4a73fd2d8e434531e55266d

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
110KB

MD5
9dcbcdfecc5218cc07ca4654bdebcc87

SHA1
292a85cb859faf7a336562d6b7c9b16a70ed8794

SHA256
f1c39277cca01d4bf433d36037f68e4fc70e1f9793df86051bf8b73c3969d6bc

SHA512
1b24aacc260fa6953e86762abf4ae636b74a028377fda9e763909062447b1a29a1fa536cb5f9529dad809a820698c7af3ce1ce2928eb19d68bed144313258d84

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
110KB

MD5
aff0f24b261720971ffd0191be4fa3fa

SHA1
547c93cd40d42836445ce8ab0f721af7cb5e29ec

SHA256
ca8a8b7163d5d5428fb2520700066ac4599e7c879b1754633e0648a0da68b18e

SHA512
6b2b9c538e07f77b3f4097a54dc0eda2532b6183e483c5410df4f7a35d5d82e52894ae7095ce4acaa7814d190af57618c33dd9ca48c4ec78cf35a60ac9b71479

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
110KB

MD5
14d69221bbdcda346ac2bdd4b7f426ca

SHA1
4e57689b924e5c0c4a6fade8f77d1179107dda47

SHA256
e4708f2a10a952fcb765cf25c92847d04793c059290a46adf1b912114ced4c68

SHA512
cf6e6888b3c43a824a65237b9ea405f135fda5eb0b472603eec4228696c2b940f11ec413c6ffef4c500f9722fcfb086b5e6d76c25af4a0b2b6b0ef411e702dbc

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
110KB

MD5
13f6f1b1594b7c44d201456069e1bc68

SHA1
e8b8caa9ea7c64159b240bc87ead15ac34727485

SHA256
dc539ca2eb2cc3d377657b07b374f4d8719d9ae8495ee7fe452a324c6001649a

SHA512
34f5034f4001e3728a635fa48674a6cfcbb5f83af66a3ea5bec5b3eb5fe4bc72f5e0c32c1cb9bb93b57acb622974522a1a294e4de6fe6bf6c4cea9439c496451

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
110KB

MD5
23d26e0b2966cefbfba6fd48f18b167e

SHA1
3e4c96d479ee6add8c403f4613c916b7ef2fdb86

SHA256
2720793e66338a530f5fb9ba5cbbeb8ef8963018f58f7ccd4a05ba8a20a66acf

SHA512
f34597b4992b7045cae0f7f0f13c7dc6c14b66fc904c9c6907f202b4a98909f5b50094163e89b7fd57f4a185e8e857f081ebeeb9ad114ec2e22dadd5edbd97ae

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
110KB

MD5
ee7dd8a3beadfacf716a8442b4946741

SHA1
3e599a7fb0aeb7054d78bad0a8dee5b2d54921f1

SHA256
cc8d06765d46319600bc21a7740e7101f1030bfd71e27673d8d9924a78f1aee6

SHA512
2a661ed0842eb9babc9e61d1ba304f6ddb8203e71fe34d3e356ef35ef0f599f02f593e8706cabb80486129897a29c33d53ea1912cb2c24c286a6f85ff313a6c7

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
110KB

MD5
92fc23285d7c35fc505246f50c7fdd32

SHA1
5b969223ff4eaf0158dbf00e8f777f9a2975b323

SHA256
7042d27e277c43f228e4b471fe747168679b76cd3dc8bd1affc636ea7b469ed4

SHA512
0c897b69f31721db9adcb9fd329b3e7d1e2b6cf4c0631d8824de40094670887b17e90b4ec948a5b56e59f51ff25c1e114a23ce2868c5f56c0d3ee1334ff4041a

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
110KB

MD5
739f06b84fd820cff5d369f747d0dfd3

SHA1
27108ed1df9e1bc9e4a50345fb48e218975a9543

SHA256
445798942fe9d2b631a46ef38f991961b87083144eede115796e440ffe1e57e5

SHA512
ee99665cd29c158a2a8956521d8998168f5d52c0e8c2fba568875d4f9097b26de437e93220603445cf1aaf582e3504039ec24344dd5b2f8ce4b6293d724a47f7

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
110KB

MD5
71518f1e28b10964ceedf80e014b7796

SHA1
00dd33741b1f5b89c7df01f938ea1895baa3a850

SHA256
28c3d15febf3cdfd8de9e587061b414e16e1cd6f56edc940cbd01b0aadce4815

SHA512
f50f26ee2d7027863da79f31960f1495cb7f7eb16e2523298e00d3f67acd8dfb135d62ec564c2191344c58fa8ea3ba6dfc163c807d2f479ca5279292f522aaa3

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
110KB

MD5
241fed5775229988e609af962fe50265

SHA1
0f4e88c2e7cd362e3a2a0f871bee3a8db5192d49

SHA256
409dbed84d9585ca48567422668068444e49f56e0fbf8547e429e8f511e5b41c

SHA512
4e901d22e794ea6ea12db5132549544b6cbc9d39e32d7428f0ee651e3f4765e351c463c75470364c99688e870fffef0fad7575558de26dfa1777933180b8f19f

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
110KB

MD5
cf2bb73ad612b3a9a7c5f7727a2675e3

SHA1
5d11c834e444ab9e1a0bb97ad28aa9437675bd06

SHA256
cae461bea25084b47670fa4a8b2927c0b8fa102efac568c417d726f4c666881d

SHA512
d33e72b00c6b9190f85b87930aea1eca36275e565246539e63ea98f5832725119d603b30b113345ba117f9ebbab3594a7de7de82ddee392f19985839684018a4

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
110KB

MD5
f4acc455c02e238e3bcf3e2cca4da914

SHA1
5682fab4eafbf7147fdc57e2628eaeb3b4621c55

SHA256
8b7067b102a0562a48a913fb12a6bba3fc13285d98762e820456586a71448d95

SHA512
c5e92cd7791bb9fddb24602a24a004ba9c97410d0ca8803622e4de9da6c9aecf4ea75957ba015576c32cd0ed7b63152d5bc29c9bc42cf28b516abbca2e751ea8

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
110KB

MD5
73d401d3c609856e6b30a54c2ce1b47a

SHA1
d4a4209f04f3264899411d06bb2add70e2125198

SHA256
7a42f307b470d22f177c49b187efc6b0af8c95f79e3664a468e56500e70bdd14

SHA512
2297dc4213b6876c3bbd4c4b3082fdc1e47fae0362037bda555077fafd1ca59be0df40985ed9ef6a3fc9f55f629db90ea7b4d4e6e0981c677d5c0f7241ffcefc

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
110KB

MD5
8fd2980604bc0b961a78c9c19fb84620

SHA1
3edf3e6f52776f517351af7f009d056acb209972

SHA256
23a89915984a7b677508591168c8297d5ffa17bd5ce23355a91390a86ee0b066

SHA512
f7238bc40ed7c35639aad10b3705c65b7c35357fae5d8cb6c281afcdaa7dcb3789045d36859ce083c97a05da7903154182a705cd2e84f409cc121ab6c2b7a5e2

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
110KB

MD5
ebaf23d501c623dc34dd4184fbabab11

SHA1
17cafefa10168579cf336d3e27e9d2cd60353c9f

SHA256
304d1aeb324304a9b56545827047fd43c95a9081d6c4297145bede4cc419a8e2

SHA512
bbe82365fb3ab02043da4a9a6a432edd65df34fc9e3b52a0969298a02bd4d6850dcf32c4e5c4158defe58959021643f1279f04b71fe1be600344e1407f128b4e

Download Submit
C:\Windows\SysWOW64\Nofdklgl.exe

Filesize
110KB

MD5
b93aadda46decfe771525166f9a7e309

SHA1
7fab4076f5c3461ceeb408710809210b70922b46

SHA256
3480070cf6a8c6bf7e28de7c283638534822e79b8d25ad482ccb57cc86e9e198

SHA512
eb2288a95df81b637f593d74cba001385580c1a0e42f112c84464a0cdeb213ee28b17b5e55ed426f0932a268e9689389f803225673c6d820bcdf121d1acc0ee4

Download Submit
C:\Windows\SysWOW64\Ojigbhlp.exe

Filesize
110KB

MD5
87bbfcc77385809c32ca0fd94685a47d

SHA1
ba7b2da7e0af6bf438c5b06616d6db9206d739c4

SHA256
313552a6b1028208fa4be78dd8bdbd02c749fa7296aa5d3d637f73187ad98124

SHA512
06b665cca76576148f027a9584006746934481e1b6bb80a3cf7682a4e2c03d6fef9132df26c9f7e359160e55036672ef8482c218ab5b1da184f99b7671b7613b

Download Submit
C:\Windows\SysWOW64\Ollajp32.exe

Filesize
110KB

MD5
bb846ef5f1e50ae2bc3a088395548a3a

SHA1
cf4bfeb112efec30ac14c2265e355855f20d7a66

SHA256
fa045e7eb1ab38b49252a613c970ced4078a8a8ef0c1855b570aa99b004cd798

SHA512
93a854d31565ee0c748ef39259a431824b180fe710fb4ec60637db99a094e195e8c837729f312afa72e3470602b305b1bad3447f6591780e947a650d04808c5d

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
110KB

MD5
f393d6f54112a28d72c05572ef4f3c4e

SHA1
1edb1c0bb4000fd1094ef61591052cd3d4c34845

SHA256
dd9d7f80a03c8e108ef3c058196b053a119f42e0bb39112fc9593fc287e2bb41

SHA512
c96a2392caec8ae735f725f8a839de9d8e917b1755281aaa9fde4f2d4e4f36d5a1866988753a5eeb51de325e79af89888af783aeace57cc72b7b640ee54c3a01

Download Submit
C:\Windows\SysWOW64\Pcdipnqn.exe

Filesize
110KB

MD5
e37f5575aba75d7f8c8585bb74ca6481

SHA1
04a742e107d15348f040446346be0ebf02d43e1a

SHA256
33b1abf45596dcf2e91d994dff4b874c4e9b4fe418386afdfe9c126b24c332ed

SHA512
b37ba8b0ba8edce4fc7db9d74b7204562fd1ba5371081174f694702557bf7ceff7b44fc9fe72bb2c409219883ace4b09ccecbe5bed35d66574bbc2fc318e64eb

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
110KB

MD5
eb231986f95001d970e1819e525f3726

SHA1
e2d6a9570283f3b0e5622a6365b9d10a9c5c5d92

SHA256
85868e78c99c80cb80950b383f23e6050d21f0be13820a1b0dde39b2332e551c

SHA512
a9709a48408dab8bdc4753e0cb06061d5c06167325746998142f7a9586dcd037727cde89742a22ad72dca0e0b481b6e9c73711f5f8c9254dce32770338f387ef

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
110KB

MD5
f61cf1742fbfb6637121da28fc061bf7

SHA1
a8e570b231a65c7217b58e51a2821b53bd019817

SHA256
8aae545dfbf7bcaa6aac7e994df8f5593b7da3f6bf8da92e79f410df4c56a107

SHA512
028463c5393e8ed54f128ae29814d64a665b165ffdc2ca576f445adedbc9392644787b71f3b7caed5815dfd04f9d920ade9a333fd508e90051030c113242359b

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
110KB

MD5
fb6aed716b68b6e94d09524ee9e195da

SHA1
6d90ad379fa796a19e3dfefac85adf63d19691e0

SHA256
afff21c37bd098f02ff9995d38c4271859b3cc26b61a68bf1ee7d5f2500d9538

SHA512
64b3023c1916ca84285bc644a04c154d5a8378b0005f7162528501b79d57d7b20bd3f3abc9721ef1f3224081c115106bd590ea60c4f4fb7c6cd6594227eb706f

Download Submit
C:\Windows\SysWOW64\Pomfkndo.exe

Filesize
110KB

MD5
bd09a9b5f2917c6cdc7c55833b4f4b0c

SHA1
09985667142255c895fa71a059faef6897bc5f93

SHA256
aa22e2171302e66fbdbef9634e4c988ae24e4d2465f59068159e05bd91839be3

SHA512
d1922d02b4effdda23724b9dc6079cafae04bf75aa8b25a563a3e8a7919bcba21ad80f7f22adfd7771ea1824be6437381ea84d92ae86567e4cf035070ed7972b

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
110KB

MD5
e375b913efe24f7c5f06c5f8f8e75cdb

SHA1
42808c061e69030e2216bcd7b89198e0446ef91a

SHA256
95f8a59507c6f6252f978f12fd443fab67419fb62fa5f7f09b72a2b146381d9e

SHA512
48fcbad23c3a94e820e436a63a27014b200142dec2c42ccdf08cb12d360cab0dde1d1863b3c68d642f2f6c168017b5d992e7265ffd3636449222d1eaf8749896

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
110KB

MD5
dc9f176290763be5f7e25b12aad5e217

SHA1
cc145c69b86e2a6b453c1db17122b287d73f0998

SHA256
3324d138af60ffb3dded77711fdde31a188158226b7775c1a35f43698769959c

SHA512
4de14bd099e4855e50c9298008dbc474d3f2090408d5f74101d41713dc88cf4933737786305b328ae5dfcb61a8d44feb4a308a1ab290a1c5647aabba26e68eec

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
110KB

MD5
2c5d813b1c9bbde40c8222a7bdd1b876

SHA1
078a724368c3ce2d5ce26dccab0664e3f8a9a295

SHA256
7571cf9688c865bd5b5f9cffebf5071003941601633c5526acc1fd55678727ba

SHA512
d36a64e3e2cb2f46245f894006427a3c9f6814d27d91a1a038ae499f95d6fb433463334768f819d66ef9732392a61792b7354fc2e8aa58aa12bd22cb8cadc2e4

Download Submit
\Windows\SysWOW64\Nekbmgcn.exe

Filesize
110KB

MD5
12268021346a2bea19c81ba1718bba36

SHA1
9430889039245fd616957cc36d96fa6586a2cb34

SHA256
3ca5d775f83ba9244a2e763ca19d7c901232aa1dc72138788da268af54c82521

SHA512
d6eef5733afa5887eda78b6e3d1bd5ce34d6e9b72c82d1cd7756d67a3827e5cf59aa988fe618180a6eafe4c4f1645c8f4477129fd4047e43cfdf17d96039bbed

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
110KB

MD5
7d178af13f6287a706c5444b125eceb0

SHA1
f5dd89ecd42ef2ec7d8d5c4476453da642c6dd4f

SHA256
9e121e3d9e1074f4e69505ee3ee2a4d219a498ee2a48e4a20efd76daff345389

SHA512
cfc05f5056e090a6074db22ad0f98ee7b4c6c89b8025caa14485eddd63e26ba2ba126ad4b6b724df4109ca40d52a31387e6dd304525ddc0f09163a729382eb42

Download Submit
\Windows\SysWOW64\Niebhf32.exe

Filesize
110KB

MD5
acaf02bd144729b9eaef81380c57a33d

SHA1
b0dec809f503e5e897ae793e625837caaaec5535

SHA256
57b7993112e66993736696e940467277e04ef364e542dda291c3c18504efb593

SHA512
741a827d488d9ac11fb17a751b874da6e92adad852bac4c43e0f5f06012c620ad7d4bf166885254d1e8e231b279cbd520726e6d3dc0b55a5d9606bdf94b52c91

Download Submit
\Windows\SysWOW64\Oeeecekc.exe

Filesize
110KB

MD5
7b686a0b1814022e2f985984bf1e92f4

SHA1
b0a0d429b459adfcdcbb2bbd7b7626e236aaf7eb

SHA256
526e8d8a68469cc6fcda8a6d939de173c6e17bdccf05f021c67b8fc060ade323

SHA512
3835c6a828bb664e42f07bc5e883444d8114dd51dcfc1049075b4554c4f700ae892088fb423facb3d3d7277db14a23f75c152a297e804c551c8b1be95c9205ab

Download Submit
\Windows\SysWOW64\Oohqqlei.exe

Filesize
110KB

MD5
d7bc34223d811adb030749eae6129dde

SHA1
6fd602645af832e27fa9bd0ff076596c235d7b94

SHA256
2f0047e5634688103a3fa3a89d2eeaf0728e5159a89ba2b375741d6df30c78cb

SHA512
739dc1d8a755a497451336cdcc9da171ce00515e87bb9fd18da52fda8afddad468832e77be057bb495f72a73ebfc81294f8de2d3ef23aa25749f925f2944c3c3

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
110KB

MD5
48d34f2de440eb5bcc44ab15e75c130f

SHA1
57b871d4d87475b2d1477311b7a1e8feda13cc1a

SHA256
9d1fc68d7087028e330d92a9243e148d61293346a8c90da0ec8dd79d8dce14c4

SHA512
a21590d83bd48851189c94aa365af7ca186a0df37ce63594f5382e0a1db82a9814dbd3b6ea5948c00b371b0fc2495f2f073428715c36b4ead51ec78324f318c7

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
110KB

MD5
de17a0cc982ece3f6bc4ce861c15222c

SHA1
457d7c2425cfaf4ce19766970d2593a71033a20c

SHA256
66efa7727ab2097fd542b6de3397ac3288e937432d4a214322aba9bba892e8e9

SHA512
b02184fcfcdede09cbf60eaf57498bb8169bf34e0cc063d4d1dfd12ee623717e2dcc86b62d298d5285614f9b239ae938a6ae5fc61860ff2f2fcdc745ae37e60b

Download Submit
memory/240-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/240-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-278-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/960-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-330-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1136-326-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1136-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-392-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1600-387-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1620-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-257-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1660-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-174-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1852-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-6-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2084-12-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2084-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-311-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2088-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-146-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2196-302-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2196-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-318-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2200-340-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2200-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-345-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2296-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-402-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2368-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-414-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2416-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-97-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2424-411-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2424-412-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2424-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-367-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2544-404-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2544-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-382-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2612-374-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2736-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-317-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2868-288-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2868-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-101-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2888-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-106-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3024-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads