5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0

Analysis

max time kernel
148s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe
Size

243KB
MD5

c68b211f2b67c55a01b45501afb63fcd
SHA1

dfbd23486c1d96ba76fa5c4f827d01c1e561821b
SHA256

5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0
SHA512

85f1efc6621b0bb073186ba3558ed3f38e12fe9035b5330cf456b02c89df3e15527ce407d2b1c3ee20e4f1a2f4284a7cc91c99d724b1acb4115cb57066eb65a7
SSDEEP

3072:9pOIukSU+jwKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:7OIuc+jwKzwdlU2zlNgwTnAWtlhjQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leimip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onecbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomjlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfknbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcpjmcb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe

Detects executables built or packed with MPress PE compressor 64 IoCs

resource	yara_rule
behavioral1/files/0x0028000000015c2d-26.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015c85-38.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015cc2-51.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00080000000165ae-64.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00080000000165ae-66.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00080000000165ae-54.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015cc2-53.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018ae5-71.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015cc2-47.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b27-92.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b46-97.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b6f-111.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b9c-132.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0028000000015c44-137.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019338-170.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000400000001939f-198.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0004000000019405-212.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019baf-406.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c07-419.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c1b-429.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019ff9-452.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a3ba-471.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a3c0-492.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a3bd-482.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a408-506.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a419-517.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a42c-528.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a436-549.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a43e-568.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a442-580.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a444-593.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a44e-623.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a452-635.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a456-648.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a45a-658.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a466-688.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a46e-708.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a46a-699.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a462-677.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a45e-667.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a44a-613.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a448-604.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a43a-559.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a432-537.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a27d-461.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4f8-724.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019ea7-441.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019529-354.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194eb-313.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00040000000194db-301.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00040000000194a7-280.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0004000000019469-249.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000400000001944f-236.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0004000000019421-225.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000400000001938e-188.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000192f8-160.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2508-152-0x0000000000400000-0x0000000000467000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c00000001223a-14.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001aa93-736.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001ad4d-745.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001c361-755.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001c71d-765.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001c78a-775.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001c82c-785.dat	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 64 IoCs

pid	Process
2680	Jfknbe32.exe
2612	Kocbkk32.exe
2264	Kbbngf32.exe
2256	Kofopj32.exe
2580	Kohkfj32.exe
2456	Kgcpjmcb.exe
1944	Kjdilgpc.exe
2944	Leimip32.exe
1260	Lmebnb32.exe
2684	Lcagpl32.exe
2508	Ljkomfjl.exe
1492	Lfbpag32.exe
580	Lpjdjmfp.exe
1208	Legmbd32.exe
2088	Mlaeonld.exe
2240	Meijhc32.exe
1668	Mhhfdo32.exe
400	Mbmjah32.exe
1920	Migbnb32.exe
684	Mabgcd32.exe
2040	Mmihhelk.exe
676	Mholen32.exe
2292	Mmldme32.exe
1488	Ndemjoae.exe
2232	Nibebfpl.exe
2228	Ndhipoob.exe
2556	Nmpnhdfc.exe
1596	Nekbmgcn.exe
2644	Nlekia32.exe
1572	Ncpcfkbg.exe
2424	Niikceid.exe
2520	Nadpgggp.exe
2868	Ocdmaj32.exe
2660	Ohaeia32.exe
2448	Ocfigjlp.exe
1940	Ohcaoajg.exe
760	Oomjlk32.exe
1480	Ohendqhd.exe
1420	Okdkal32.exe
1856	Oancnfoe.exe
528	Ohhkjp32.exe
1380	Onecbg32.exe
1648	Oappcfmb.exe
324	Pngphgbf.exe
2028	Pfbelipa.exe
2324	Pqhijbog.exe
872	Pfdabino.exe
1280	Picnndmb.exe
2604	Pcibkm32.exe
2624	Pjbjhgde.exe
2524	Pkdgpo32.exe
1728	Pmccjbaf.exe
2648	Qbplbi32.exe
2468	Qeohnd32.exe
2992	Qgmdjp32.exe
1140	Qqeicede.exe
2460	Qkkmqnck.exe
1776	Acfaeq32.exe
2748	Aganeoip.exe
1936	Ajpjakhc.exe
1320	Aajbne32.exe
768	Agdjkogm.exe
968	Ajbggjfq.exe
1624	Biojif32.exe

Loads dropped DLL 64 IoCs

pid	Process
2332	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe
2332	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe
2680	Jfknbe32.exe
2680	Jfknbe32.exe
2612	Kocbkk32.exe
2612	Kocbkk32.exe
2264	Kbbngf32.exe
2264	Kbbngf32.exe
2256	Kofopj32.exe
2256	Kofopj32.exe
2580	Kohkfj32.exe
2580	Kohkfj32.exe
2456	Kgcpjmcb.exe
2456	Kgcpjmcb.exe
1944	Kjdilgpc.exe
1944	Kjdilgpc.exe
2944	Leimip32.exe
2944	Leimip32.exe
1260	Lmebnb32.exe
1260	Lmebnb32.exe
2684	Lcagpl32.exe
2684	Lcagpl32.exe
2508	Ljkomfjl.exe
2508	Ljkomfjl.exe
1492	Lfbpag32.exe
1492	Lfbpag32.exe
580	Lpjdjmfp.exe
580	Lpjdjmfp.exe
1208	Legmbd32.exe
1208	Legmbd32.exe
2088	Mlaeonld.exe
2088	Mlaeonld.exe
2240	Meijhc32.exe
2240	Meijhc32.exe
1668	Mhhfdo32.exe
1668	Mhhfdo32.exe
400	Mbmjah32.exe
400	Mbmjah32.exe
1920	Migbnb32.exe
1920	Migbnb32.exe
684	Mabgcd32.exe
684	Mabgcd32.exe
2040	Mmihhelk.exe
2040	Mmihhelk.exe
676	Mholen32.exe
676	Mholen32.exe
2292	Mmldme32.exe
2292	Mmldme32.exe
1488	Ndemjoae.exe
1488	Ndemjoae.exe
2232	Nibebfpl.exe
2232	Nibebfpl.exe
2228	Ndhipoob.exe
2228	Ndhipoob.exe
2556	Nmpnhdfc.exe
2556	Nmpnhdfc.exe
1596	Nekbmgcn.exe
1596	Nekbmgcn.exe
2644	Nlekia32.exe
2644	Nlekia32.exe
1572	Ncpcfkbg.exe
1572	Ncpcfkbg.exe
2424	Niikceid.exe
2424	Niikceid.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Jmihnd32.dll	Ohcaoajg.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Njfppiho.dll	Mhhfdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ohcaoajg.exe	Ocfigjlp.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Ljkomfjl.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Ibafdk32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Lmebnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Edobgb32.dll	Ohendqhd.exe
File created	C:\Windows\SysWOW64\Jbhihkig.dll	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmebnb32.exe	Leimip32.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mhhfdo32.exe
File opened for modification	C:\Windows\SysWOW64\Nadpgggp.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Ocdmaj32.exe	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Jfknbe32.exe	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcpjmcb.exe	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Kofopj32.exe	Kbbngf32.exe
File created	C:\Windows\SysWOW64\Kocbkk32.exe	Jfknbe32.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Oappcfmb.exe	Onecbg32.exe
File created	C:\Windows\SysWOW64\Kjdilgpc.exe	Kgcpjmcb.exe
File opened for modification	C:\Windows\SysWOW64\Kohkfj32.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Dhbkakib.dll	Pqhijbog.exe
File opened for modification	C:\Windows\SysWOW64\Kocbkk32.exe	Jfknbe32.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Lcnaga32.dll	Ohaeia32.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Kbbngf32.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Gcgnbi32.dll	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Ljkomfjl.exe
File created	C:\Windows\SysWOW64\Ohendqhd.exe	Oomjlk32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Legmbd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2152	2516	WerFault.exe	100

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nadpgggp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okdkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbbngf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edobgb32.dll"	Ohendqhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legmbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll"	Jfknbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdabino.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbbngf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2680	2332	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe	28
PID 2332 wrote to memory of 2680	2332	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe	28
PID 2332 wrote to memory of 2680	2332	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe	28
PID 2332 wrote to memory of 2680	2332	5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe	28
PID 2680 wrote to memory of 2612	2680	Jfknbe32.exe	29
PID 2680 wrote to memory of 2612	2680	Jfknbe32.exe	29
PID 2680 wrote to memory of 2612	2680	Jfknbe32.exe	29
PID 2680 wrote to memory of 2612	2680	Jfknbe32.exe	29
PID 2612 wrote to memory of 2264	2612	Kocbkk32.exe	30
PID 2612 wrote to memory of 2264	2612	Kocbkk32.exe	30
PID 2612 wrote to memory of 2264	2612	Kocbkk32.exe	30
PID 2612 wrote to memory of 2264	2612	Kocbkk32.exe	30
PID 2264 wrote to memory of 2256	2264	Kbbngf32.exe	31
PID 2264 wrote to memory of 2256	2264	Kbbngf32.exe	31
PID 2264 wrote to memory of 2256	2264	Kbbngf32.exe	31
PID 2264 wrote to memory of 2256	2264	Kbbngf32.exe	31
PID 2256 wrote to memory of 2580	2256	Kofopj32.exe	32
PID 2256 wrote to memory of 2580	2256	Kofopj32.exe	32
PID 2256 wrote to memory of 2580	2256	Kofopj32.exe	32
PID 2256 wrote to memory of 2580	2256	Kofopj32.exe	32
PID 2580 wrote to memory of 2456	2580	Kohkfj32.exe	33
PID 2580 wrote to memory of 2456	2580	Kohkfj32.exe	33
PID 2580 wrote to memory of 2456	2580	Kohkfj32.exe	33
PID 2580 wrote to memory of 2456	2580	Kohkfj32.exe	33
PID 2456 wrote to memory of 1944	2456	Kgcpjmcb.exe	34
PID 2456 wrote to memory of 1944	2456	Kgcpjmcb.exe	34
PID 2456 wrote to memory of 1944	2456	Kgcpjmcb.exe	34
PID 2456 wrote to memory of 1944	2456	Kgcpjmcb.exe	34
PID 1944 wrote to memory of 2944	1944	Kjdilgpc.exe	35
PID 1944 wrote to memory of 2944	1944	Kjdilgpc.exe	35
PID 1944 wrote to memory of 2944	1944	Kjdilgpc.exe	35
PID 1944 wrote to memory of 2944	1944	Kjdilgpc.exe	35
PID 2944 wrote to memory of 1260	2944	Leimip32.exe	36
PID 2944 wrote to memory of 1260	2944	Leimip32.exe	36
PID 2944 wrote to memory of 1260	2944	Leimip32.exe	36
PID 2944 wrote to memory of 1260	2944	Leimip32.exe	36
PID 1260 wrote to memory of 2684	1260	Lmebnb32.exe	37
PID 1260 wrote to memory of 2684	1260	Lmebnb32.exe	37
PID 1260 wrote to memory of 2684	1260	Lmebnb32.exe	37
PID 1260 wrote to memory of 2684	1260	Lmebnb32.exe	37
PID 2684 wrote to memory of 2508	2684	Lcagpl32.exe	38
PID 2684 wrote to memory of 2508	2684	Lcagpl32.exe	38
PID 2684 wrote to memory of 2508	2684	Lcagpl32.exe	38
PID 2684 wrote to memory of 2508	2684	Lcagpl32.exe	38
PID 2508 wrote to memory of 1492	2508	Ljkomfjl.exe	39
PID 2508 wrote to memory of 1492	2508	Ljkomfjl.exe	39
PID 2508 wrote to memory of 1492	2508	Ljkomfjl.exe	39
PID 2508 wrote to memory of 1492	2508	Ljkomfjl.exe	39
PID 1492 wrote to memory of 580	1492	Lfbpag32.exe	40
PID 1492 wrote to memory of 580	1492	Lfbpag32.exe	40
PID 1492 wrote to memory of 580	1492	Lfbpag32.exe	40
PID 1492 wrote to memory of 580	1492	Lfbpag32.exe	40
PID 580 wrote to memory of 1208	580	Lpjdjmfp.exe	41
PID 580 wrote to memory of 1208	580	Lpjdjmfp.exe	41
PID 580 wrote to memory of 1208	580	Lpjdjmfp.exe	41
PID 580 wrote to memory of 1208	580	Lpjdjmfp.exe	41
PID 1208 wrote to memory of 2088	1208	Legmbd32.exe	42
PID 1208 wrote to memory of 2088	1208	Legmbd32.exe	42
PID 1208 wrote to memory of 2088	1208	Legmbd32.exe	42
PID 1208 wrote to memory of 2088	1208	Legmbd32.exe	42
PID 2088 wrote to memory of 2240	2088	Mlaeonld.exe	43
PID 2088 wrote to memory of 2240	2088	Mlaeonld.exe	43
PID 2088 wrote to memory of 2240	2088	Mlaeonld.exe	43
PID 2088 wrote to memory of 2240	2088	Mlaeonld.exe	43

C:\Users\Admin\AppData\Local\Temp\5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe
"C:\Users\Admin\AppData\Local\Temp\5ba662f9f04a41497b9cb0a560fa61bce9a1428a553c5af9853ca44d9c7ec1d0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\Jfknbe32.exe
  C:\Windows\system32\Jfknbe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\Kocbkk32.exe
    C:\Windows\system32\Kocbkk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Kbbngf32.exe
      C:\Windows\system32\Kbbngf32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\SysWOW64\Kohkfj32.exe
        
        C:\Windows\system32\Kohkfj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Kgcpjmcb.exe
        
        C:\Windows\system32\Kgcpjmcb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Kjdilgpc.exe
        
        C:\Windows\system32\Kjdilgpc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Leimip32.exe
        
        C:\Windows\system32\Leimip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Lmebnb32.exe
        
        C:\Windows\system32\Lmebnb32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Lcagpl32.exe
        
        C:\Windows\system32\Lcagpl32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mabgcd32.exe
        
        C:\Windows\system32\Mabgcd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Nadpgggp.exe
        
        C:\Windows\system32\Nadpgggp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Ohaeia32.exe
        
        C:\Windows\system32\Ohaeia32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Ohcaoajg.exe
        
        C:\Windows\system32\Ohcaoajg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Oomjlk32.exe
        
        C:\Windows\system32\Oomjlk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Ohendqhd.exe
        
        C:\Windows\system32\Ohendqhd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Okdkal32.exe
        
        C:\Windows\system32\Okdkal32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Onecbg32.exe
        
        C:\Windows\system32\Onecbg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        66⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1312
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        74⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 140
        75⤵
        Program crash
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
128KB

MD5
d52a643e774dd96df84cf95bbbae373e

SHA1
a3bf0f13eabf3e2c7104d1cc06536c7d8a05541d

SHA256
fcfde06ea627e1f01721509b9df04ebc5330f2a61a1ef6b2aeac7e2d92449b50

SHA512
1ac7761cb379dbb6c01e4e2727178eeb7fb1ecc1ac09226f4b6db4c91daf5427b272c4495a4e02517440f2bff42f84cde8883c46171802f283fc55a9943a6ddb

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
128KB

MD5
a5a2c457c255a40925a50479eb739951

SHA1
03e878f3b4a41fcb9176450d5c99cdbd208eef39

SHA256
d9093d165f3e6b1b279764942d985004768c2be7707960cb1d07a24c0827dca3

SHA512
a9704f90fc9ef7f6bd60b87144fea5cab89731ae742f645a6104f85fb3a2d5dcbd77b512b6c1e93edd9bd705ed70d453d892ecd777df80c9300a8f0b93d30d08

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
128KB

MD5
74f74ed14a113386f0536bf376bc461c

SHA1
22c786f1180ff93f0592e8bf5c611322717c6379

SHA256
82c5f374c742ca8b713e7a6e6e4345d3d4066ab5a03c4928730c865c203d7399

SHA512
3ef3224335c1bd084efb946664545475e78093707c4ba41ca8cbf1a53a89d95c72d62c303f9000df82790f07c3687c0bb42b37beb6abdc434b31eb5575421497

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
128KB

MD5
5cda49a23d83bb1d6efcbf6baab39de5

SHA1
1d55a85e47774a9956d76e1813446764d5c1c2ba

SHA256
98086edb85631db9f5dfb858e23b29dd72642c98d092bcb49b843a3611da4cf0

SHA512
ae11506e4a2b48e225ce26f950ce16fe231261347a1a3f3a1aeada16ac640575050e7e019aceed36e82a95b50f3669054f0d78d7529977dc54182b421f7ff1ef

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
243KB

MD5
9c1fcfe5dfc6b25e96e50635250fefab

SHA1
fe5c33263eaf9ddeebb88064c44c174cfa598a4c

SHA256
a8cbe105043cf3877adfc45ec175c5b5d6c83c79baf890cf801082a7a8a4c3e4

SHA512
b8c92f9e1833e4d8801cf2b75db69945ed84b2bce606c88b1f2c56d4dbdf7f924926251bfafef74e73f3a4c080ab228ffa36d68820d7493ab13ee8ad214b3622

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
128KB

MD5
776399a3c575ebc52ac0ba9633d5fabd

SHA1
d039c6d5a204633ccbef36e122e829e2ddbfd300

SHA256
fd41cb1a891c3d4bd3b75729894e00258cf535d94e819fd351ce05a5dc8253cd

SHA512
e0b12bb970ee33fabfb8314ef52ed90a50e053d73d9518a260c2d881a0ee20c8407490f5db470f07ef8249245003a7d380fe3ea6738d0e3f2a73e105565d1efc

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
243KB

MD5
5f582df25c4e3ccef06120e35b5a7c94

SHA1
b96abf8e6e84299ecaf8168993cc67d25086c9f7

SHA256
15d50bce6cd577daae3c1e75c26d2628e881cfa0c5ef4abd2091c669422f59b3

SHA512
ecc675a5967fc55e9b37096ac09581d566c42320dbb1bd413e2bafeff126e5e59693985fe66ec44d5899aae85a58550140e206d6e6e82b9d18c4063ea736f3cb

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
243KB

MD5
e421acd9971437f895644333796ec81c

SHA1
ab7618a00046cafc9e8deb6a1dac5bfe34fb2d41

SHA256
2df320b428f71f576a4fb49fe43105c895de475c1a2cb479857b796cd6633a26

SHA512
8d919decda62cf28b374f60fd50b3545742d1826d837cfa0e1e7db25e0b9a5a140cd0fd34e4b421db0432c04a0647ddacc62a9ce43867387a18c2076ced3f643

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
243KB

MD5
deae9a86bb785d70281319d6ad78400c

SHA1
6cddc4fcd0cad19f09028b93b3cb63071fe5bf1b

SHA256
0fe93d9b9f3ca98acaf798a16e3fca07fa7a7015c43f16c412ed5eaea7b7b4e7

SHA512
ef221bc575f44b31a5366132e8b0bb0ea4c986c7c9a6f0bcf52a7e463e9e0b774be52c7e47168f3f5d1a485313aa9ea862f512452de367b20fa7c98c94633ff2

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
243KB

MD5
c446870d4a510ee3f7d03fca6a087d9f

SHA1
97dcc56cbbbf82f2c9a3fa2717dfc8154b3dfa1b

SHA256
8c49ca49f3be2613f172243ceaabe374f70ccdc75a7bad7f87ec277f0c41eef9

SHA512
3b46502b2d36ed996428016e5e58ea46af7fccb22266bcf179d63090659b309e235f9959af95abb5ea80a4267e1f0fe24c83c8d53f1f7846494093bb163f6b39

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
243KB

MD5
ed24f7b962f4f588f75f5d9c2d214137

SHA1
1cdb66870fc6588d2ed57fe8b9d7adfe344483b6

SHA256
61c4f7c45154cf0fd86b0fc1b5aff3cf217682c8ec2ccb4b801280226621601d

SHA512
e2cd81f84a05ce924bf0e0a911376d63b4a235da557d8ca44bcaa2145c40c9285f6ef437ddd1321bf2cf9e2c113b80507880d53615bdec198a838e0c5ee5afd5

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
243KB

MD5
dd6414c5178983221c3ff3aee747e924

SHA1
1cc3935eacccff75b8334be7c4a8035f77be13de

SHA256
66cf9ae26d45c487e85609e422a37ffc2d2044816812c93ea30ceea2e333121f

SHA512
c9a75ff2f586679f18f1eb61feb1d753f0abddb03a2effd4a5829474adb4adc6b7bee7799110f43e013733a7e9f7b850b464b84968982658d65044021fd86d32

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
243KB

MD5
76e8ab8663f71ff9fb1d1864273dd353

SHA1
96708325b2c8276928dd6d621bd6fb4e9482b112

SHA256
69c57e626e3e48d683ae4272c6ae9c45d621205b10626c83f64f9ea09b06fd16

SHA512
7a4d5a7774288e0c03c8ad16ee402ef3c3d3e7a1170b418b6e11017a84511440a5f28dbec01aa50dc9a8f16fefab646a42fa6b0e68e61040a9df3ae2977ec933

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
243KB

MD5
a0fa3f68af711d3f80c2d1b9f5849bf8

SHA1
7df092c1b6fa15c46d647aab14e9786dc5647ae7

SHA256
70ba057a741c1de25d526d721544fda495efcbd4728f0c8a13c6acecd6508d79

SHA512
d65ebb88e4392d00a8917e901b5bb66801b14b10d888f53a9e368fb3196a12be36457f156d3c90a09bf730325905d8509f28a9a86e15548d82ca41e9773c4db5

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
243KB

MD5
7a84afbb4eebd009da7d3768a6e48512

SHA1
ef62c7bacf051d55f4244c5d7972527f675a46d1

SHA256
6fd718f6581b5a9ede5378bba7a0980f3a9fdb19724c2307fa29840eac6c12cb

SHA512
7ceeb1287f289e0f99879466ad3f2ad4b1f03dd81b18ac82ba70e7ba9360da68c0818c16d5a8071d46be2258cc22d27f1abb2558d940d092b260d861453adde3

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
243KB

MD5
7fdec6bde4fb5cc34f55186dc8c708cb

SHA1
73d78a3ec5ed8da2e405433f58cfa09b7f8901a1

SHA256
b12aa991f842e3c150b69e4aea714b9b76f0787c37ae0aa6318ba649d00aa8b3

SHA512
f25a5aef7cd049015e4f0837e0f9114194d56572397a34180af2aa5b54e92aa4f5ae0871b63277202d0ea76b6ae2705db0e3baae7ac855b22be3e8e55bbf6339

Download Submit
C:\Windows\SysWOW64\Jfknbe32.exe

Filesize
243KB

MD5
72d870d41bace0e943b1a0ec399d6239

SHA1
f48d92abcfd4367aade31e308c37b55cdd873e34

SHA256
fe3eb65127f8dd9efb87ca1e7697f18ef5eae4756d17f83da0c03e2dca8695c6

SHA512
fad572424d01fbc9955191101c09f5eb67fdfd1301441077e5b522b4f6040679538e7cdcd7787d79bc5fca8c7555cfda6430e0d09b1a2596c2c953b9f9daa80e

Download Submit
C:\Windows\SysWOW64\Kbbngf32.exe

Filesize
243KB

MD5
cb7831a5889bb6d9e9b4d1f8a83b5b74

SHA1
d5b47ffbbc2e8604486c31a22f9979c8c32f6f87

SHA256
10e36ae73ad66a5d8eb05411beffe21f3a208e34fb8e5f5c8ff645c704538db5

SHA512
c59ea47d81df2960d006a03211d2c383338eba1e23ef235ced529aebe097e790059d8e260667bc7ac88c7e82b9f9d4085e1cec90c71a73f9d8236e38414a698f

Download Submit
C:\Windows\SysWOW64\Kjdilgpc.exe

Filesize
243KB

MD5
e1ea17a49c764e3e21cf0f9f55834001

SHA1
7b5c7935d140189a52d8851ccdef76beda39cca2

SHA256
2774c1849a19e097550172b77a44d537b9ab02d586d64a571c06cb65978187c0

SHA512
4d73f54a7a80c5a9963eb27c39cd649a400d5fc5ddc0b8f2d54234782c09aab053ff321d8650169eb5d40a86961b2bf59059776cabc5489e62eb2bc0638e3ffd

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
243KB

MD5
603c600129db9c96d3be6b62e857599b

SHA1
22df156ff48e1021d056055c8d925cfd959b88d8

SHA256
faf4b98378b9ae060b0b3d4ab226da97c6abc7b8ec5a0defb8b9334c548095fb

SHA512
5217bfc15c7e38fd86806734130bee671e230edf2977e3f78c9e05454e22f9412d20d554391af2e0b30464fbae7b5b89e289ad980fcd76dcb44d705a363941fb

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
192KB

MD5
51284976725586f41385050e41bed895

SHA1
99b8b981dbefc9d2e5afdfa161d774cab4d4f1be

SHA256
9adfeb33e87495dadd04b59ac7609d91b468220aeb53345ce94fad4da7753017

SHA512
fbbe46b655849f04b388757ac6a25f453f84dc9afce60306fd2393834288c42855125bc196c9f7280bfd9a3375f77a839268a344ba8a29ae442b75fbaf235b7a

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
128KB

MD5
0c7ebe87c6b30687b2bdf90c5b9e7f33

SHA1
614d8e3cdae2bd59fd58f3460f205afc92a44138

SHA256
bb13f4e5e319c92bc2a83716a46c863be04b006aa8ab1243b91d61ed777e8e9a

SHA512
a13b7b471cd869b6099e0152b3887c43eedfdf2d3665a96fa40aab5fad84ad2430e984861871c0bce45fdeec967333e80b7bb701c33563be99990000870a2674

Download Submit
C:\Windows\SysWOW64\Kohkfj32.exe

Filesize
128KB

MD5
b6123bb9778167de90b580fc1d7d9c3c

SHA1
60819959fe29a15a6a1beee69d41896543f0e826

SHA256
b4245a033de497e97e28216f5a774061a493b69ea1e874493db5c0fa926b8435

SHA512
ea7152c0b2073b9df533ddd0536daddfb85cbfa3416876b0e5f36a6c5d34a700e7a3e411bed838c2c4330a4a7c1e9c674c5a66b6952aaf84bca43ee123f3d28d

Download Submit
C:\Windows\SysWOW64\Kohkfj32.exe

Filesize
243KB

MD5
a16d34d635599333fedb41b273950981

SHA1
d375bf73d2ec9b5114ac9ba851e7aad35c81d6a9

SHA256
31272a020d53ba778b5be797dc2a54861d524720f7e706770fa8211854a035ae

SHA512
c1160b237e08050541846c414a83485af4271be048181029b81f8cfbb2aecca554d6c8082b86d9e9f527956ad20ecd41c6880e2b4fa1dbc2a66203e13eefdaab

Download Submit
C:\Windows\SysWOW64\Kohkfj32.exe

Filesize
192KB

MD5
ac3d706b2d1243f2e54c42ade3527c57

SHA1
6ec53498dd78262239151017569b9eff9c52b936

SHA256
ae0b78224e14608a022f58ee1ce31678d8f418ea4d6de2778dcc9fe4a6be3836

SHA512
08290c6e42685a1919b3301c5c3126a3b57dcc3d1c945f667c0ab24113ae06ddad0bb35822739c58c910de64bfc7c93337305dcec191bcca9261780d5da91577

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
243KB

MD5
e52cd720bf34e2327ef497f374676f10

SHA1
863c51cb3069a5a30371a3b59925ab9a17db1890

SHA256
913e0ae96d435e96bfa30eda72e2cf45a90e6aac7e0ece97383cdb5ab6d09a33

SHA512
c46a0138446d54e53f0dbb43cc60d9ec3eed7f1437c708929a20bdc75da18ea0bb2abbf93ade8cf2621c54ca4e64bd1a046dc128aad1a317b35147683962be9e

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
243KB

MD5
d1774a231ccfd4bcafcee63bc9e7b6eb

SHA1
dc7caad62e38426379b916c68b40a57963f73f71

SHA256
84238eaa5f711a155669b59b4042493d408b5156e55747bd217a3a46e63dd4f3

SHA512
f414ab22f0abe38fe612ac84f6ca61d1d1cd6c3fbebd175e744ffd47ab43bf0ca3272a174406f1a4d2136fcf0cb472822269d64c8221ebb3b15f5e959a92ee80

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
243KB

MD5
b437ac784de916b7e072e8d4e925d8ad

SHA1
5729f548aa3aed735d4bb1af9f6ac353cfe963fb

SHA256
0145b64a4ebc6165f1a190fde4118f06d7fe08de38b2c9a9380b5f3121c36818

SHA512
f1be0d160c36a9f2ef76ee49b861448a471e721d27ca1115675a500cb29eeea47f997f1b7e5aae7f342bbcdd366452175f9ae174894f23cae70ef724ee6f9b19

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
243KB

MD5
4f0fa3019dd156f06c2807754774e039

SHA1
591279c60606e2d77f0cff478b70b603f0c2b2b9

SHA256
b6d934271516dbe79955eb68e7c199e7a051b4c81129e18c03e57d036ea69aff

SHA512
3818275ce14b03a7d3f55c16f76e373f3017d0ff767bf34e04fad330dd54db98e88aa6eafc2016c74af2211cadc80eb51e068de80847fdf13e5f5a257ac17cb3

Download Submit
C:\Windows\SysWOW64\Mbmjah32.exe

Filesize
243KB

MD5
7278e20632a303231b74e856508f01fb

SHA1
b0bb549b49c35ee8b4afa731f9e55c2cf079041e

SHA256
ab4c3615070aad03e0a23a39d6c1d608577db6b2fe4b32d515fb58687bb21e73

SHA512
9dfea4b6d00fbe376b66970f5fb7fb9c57425e0e968ea9630d7589c1a969be19560d8703c18b89f5873b5bf1b8b18a6ad1fe483e461a85473c152d515d63f26a

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
243KB

MD5
a933008744c4c4f7f69d67292343f969

SHA1
c8d1c9611b55b8e18817a4806e386d429735bd81

SHA256
7559577777b82f368994a1c4733bcd1eae14af0ad5042ac397f358b0c4f09186

SHA512
d433d79e39e8b22b2f1135add4228533b1920136cea16e0d32168033b3daebe29f8b565934fec21c0426bcef846cc75f46ae957f4daa907a3866f570ccba8e57

Download Submit
C:\Windows\SysWOW64\Mhhfdo32.exe

Filesize
243KB

MD5
3a8dad0f18eb4e07af805f2814e66d08

SHA1
862a556400c41732609ae806ed28ec05b840ee4b

SHA256
ba44d5da10fb57c2c14e2e391c7a3071750b2c45bd630d0740fa08a0a1792a02

SHA512
96a0135579e34236945a0c3e580467f9f18bb54249249057cf7cd30ec9025701f0784b58257c391d58685a57dcf95eafead24bbd4f5a8407fb3fd8f5658f22f9

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
243KB

MD5
d42799559f3e6befae1d7f74bb9ad8e7

SHA1
28c2d3e5577e87fa95a01c555626d2f490ed9b65

SHA256
26889e0322d7399b38844ef64feae8cf1f4cc39a3dec4701df03554bac9cda4d

SHA512
da03bd663f0159472c5d8f166f7788ab5dfa102debb4daa054a1f6cdb8dd4e1f163b9191b34ff19fca1965b5f436e79d5f476db5b75912d6b11998defc6aa422

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
243KB

MD5
9533910b5a9fe15c323bf5bc05d48c4f

SHA1
b28a042e1a790edd4b2e3a18c2e2169679861e43

SHA256
5be7ccd4cb058d51b0054f2a27f9287ba318390e15c9766e5807b71ef2f13856

SHA512
49265d594ca919b0676ba3432b4ff36733f9a2181e63ba9e4de80cfa5a91486f1d21212e84595df0329feee72030c3ab2cbca16f110cff0d85c0e42ebd37ddd5

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
243KB

MD5
f4ad46290ce54cca69894b0782ccb5d4

SHA1
3dd52258544e0e8955bd93e73313967ec4ccb843

SHA256
424295690ae57d50c3a5bef12a11d584d51457cca0d86e99cac17a6fff71f2b1

SHA512
b24baf11dcdfa045903c0580b86eebb5cf4473a9e2f6401431f5251e8afd88b305efc36131f481dd1723a03c1e2dcced24bfc3b52abc2344778ae271de42804e

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
243KB

MD5
e62e6d861aec22b82da54e9c1c75f2c9

SHA1
165557b20799049c6139aa5598ca3637cb6b8f12

SHA256
71d3f7f09b601560db088d14697500f6b6025e73cde4f44f75d3cd13964412b3

SHA512
1bb0e41e1a6878d4e1a1e2c9e68cd4b50494765bba979c8cb954607505c0f78dc429a2e7a475fc956327357f55d0a3a2a02f461fc6c49823e08d32d5e35f6ade

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
243KB

MD5
2ffddd917773c18be1bd4435f9a7a789

SHA1
755386f3eed281a01bccc1ac2ef853b6920e4373

SHA256
4dd02d35bceb813b8db074a1be751dec830167a5ba5558a9470211344b79e285

SHA512
2f4e60c31fc91518d636094341a2536a281897c1bde1bf1cf4bb954a64aec5cdf9474218daa90af145f9582ebf1c4a55e68599e6f612ed0b421327cde8a958b9

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
243KB

MD5
4a1ee4e1caa9afcc914af81fb8c736a6

SHA1
e18d67d90c4f18748ab6db38152dba11c266feec

SHA256
8eed6113e120ea22507e0e5b4fb7491f14b3074278bf911ac3980be2374f37fb

SHA512
f937d0d3758ff7e13942828a979816ddf2f0f5795abf97728df77e855c2bdcba07598fe3d28b6854a4663595da7d558feda785fe9ce3193cf1eda6ff1ee3bf30

Download Submit
C:\Windows\SysWOW64\Oancnfoe.exe

Filesize
243KB

MD5
bd7ae057ae596adab655fe2e7c9142fd

SHA1
2aedb9c976713f229ac07b1ae3c23c74202185c1

SHA256
916f7cc16b5bfb71f4a6ccb36b5580c64464af923b94de5fc21ad8fdbf7eb42c

SHA512
7a2d9293c27f7cb43e5fa1c473f10a9a8b61d6c7a07918d87d5b37f55e55cf380b55457d43af59eae81320af4cd578508f2be899d2c6f632cea1d541b4e8d4ab

Download Submit
C:\Windows\SysWOW64\Oappcfmb.exe

Filesize
243KB

MD5
da03eb347498dc39b03ea2b39731fa07

SHA1
e83a4dbe76572c46a9ca2249ed5ebaa1938f505d

SHA256
2988e46d1265126cb214b9abfcd0e0907194d4f39584947ee2a9e2eb359050be

SHA512
31d83d11fe186c510146387e84da8ccd790c4c10c163a0311982cefc20f2487839a9ad3af6253197b317245dc369211cae02de76a42f85cb083d5fde89dceb22

Download Submit
C:\Windows\SysWOW64\Ocfigjlp.exe

Filesize
243KB

MD5
bcb005f8ffa36861a9eab5b0a178b8bd

SHA1
78d640db1cd046c51f333a4fc4812e96b1ba0682

SHA256
7c358dff03cfb31119809b3eef574f9731883b85c26d04c481f8a8cfa4aab58a

SHA512
2c56b0045896a4d61c5c15696199a4eea54f3700d64a63ac7007e06e7657df6a61df66c6c0eeab0caa771f8dc787f6eac720e25ce3d95084b4ccabf18b020946

Download Submit
C:\Windows\SysWOW64\Ohaeia32.exe

Filesize
243KB

MD5
defde637216990d48459a3731bf0da6e

SHA1
c95abfe7669227a257221483299db8ad895f21f7

SHA256
4b86d63350ad4419d57e57f19db0a2cdc8af876119bc4f0f1f43da8afd7f03f6

SHA512
6e0eb9b8c0ca3da0b578facdab201f97f4646a6871748ab39657730ae0fe9981466acf33e1327008c844ae45a18b8f65a377081233de876089bf66f70dcfd156

Download Submit
C:\Windows\SysWOW64\Ohcaoajg.exe

Filesize
243KB

MD5
66a4a84f02133870c71e564e2784c06d

SHA1
8056908f05b66cd6b4e6068838075afbe2f0f370

SHA256
f97cf07f8637b6ca14c4696a4ba67c275b72a090811c5042827bef4df2ec30bc

SHA512
91119d1ea0d0bd6834cc521a697dcf38a96eaf9d57b013b5e8ad3a02d6168801e765c0e8457f265f40f576d61db642e5b06e343bcda514f48d4ed9379045c5de

Download Submit
C:\Windows\SysWOW64\Ohendqhd.exe

Filesize
243KB

MD5
e1dc669e2e424475c1a97013cbac1755

SHA1
6754d47c3726cc583dfeca576d8fa7a3c0e787bb

SHA256
9742a31ce563f1a29896d74c0dabadb5d51c76cb788da4bd65e2094db52e58f4

SHA512
d8628dba2f6ec1a1ac5e6497390213594609e52df9928552612ebc96b750412af6c67f86d5e75157fb84b1bee53c51daa30d2eec671dc76a719d04c8d77407ca

Download Submit
C:\Windows\SysWOW64\Ohhkjp32.exe

Filesize
243KB

MD5
1c44e66a10e4f4f72ff3c457d10baeb7

SHA1
d58d135d0f13098dfe9b5c6989b7d48c442b76ff

SHA256
07ba2830b72d4d6177890f1032e81ca8ca65db2452ab8d6f3a8505af8cb62222

SHA512
f818f68c9b18ae82c187af711aa53fc31d6af496b79d95ddcae000418c5a142c33f24061cc1c55e75895f030a89db3ad7ae36303efa64fa17032123e9e4b3cf8

Download Submit
C:\Windows\SysWOW64\Okdkal32.exe

Filesize
243KB

MD5
cc3e3118adf348a7211d20df9105f876

SHA1
1602577f4f5dff705b5a43ff7fa3dcea496c66a0

SHA256
293e3aacdf822b2ef73bbaeb782a9ed1c58e3516c5a0229ef93fd5f676dc89a3

SHA512
5fd0dea7002edcf46efcafac56a537794eedcaa3c95933d1938e8f2247e3c7a874e05ada9e51464dcc3cf02c89a828f994c92a2aba93972f713b94477c1a52cb

Download Submit
C:\Windows\SysWOW64\Onecbg32.exe

Filesize
243KB

MD5
93bb74bb66059e13b21e04a0a6c8810e

SHA1
fddf4e7a98834bef7e8a5f1dfcbb42a5bdb90d1d

SHA256
c04300d555f4e292e9e6083e9adf5d5864af52f71d2d9eff89efd3ce54a7bd3f

SHA512
bc0cc97a6930c65589d7dc438763cb9db39e660e08133bd1149e049faf2d5236ed3c360e2cb6f0a40daeff4449fc4631a7e5eadcfd018ddb2aadba3c598a840c

Download Submit
C:\Windows\SysWOW64\Oomjlk32.exe

Filesize
243KB

MD5
a7e92092115e18321442dd9daa4381a5

SHA1
b8a314f0841c178ad10d18571891ef96e2f732b4

SHA256
fd3767073418a4b6e822b8e16e46943b4a8568651ef159286d49c7b594708417

SHA512
d8a97b1ae3bd1a46fa0324c81d75571acc45e7425af76743a5c34009f695606f4b8ffb823d2f8a8c972f4f3d85ff603fa5697066a9452ba1c6c2717510da8bf6

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
243KB

MD5
bf5c8dba39d45e3aca8a4e315e94217a

SHA1
6597a82329bedf53491fa218b9e6f51126f09eb8

SHA256
167d51f4e6127f29529018616d29acf0d18ca29df65ae08d9d2d4d368eb56bd0

SHA512
780b57986f8a5999023fbe4c66cadf479c4aa934fa81a393b2a0a2d29578cb07d9806e60dabbd736a608cd4c850d0f512491b1e8198f123e9d98c243719a0f4f

Download Submit
C:\Windows\SysWOW64\Pfbelipa.exe

Filesize
243KB

MD5
00d8f316eb8d6b84dd6e02c4ea4a317f

SHA1
e17f16cf9d4cc1f385048305a70d36fcb996d147

SHA256
a07059dcf2b9efb11c4c7f5a534f535051e303a161efc1b6e290c05249855047

SHA512
415ee681bc2dce564126b6540c471b2efb75428c95d75259ba9ebe643633544b33901383920c25e2e4dbb36b588a4ab55bbcfdf3fd25a0c47ad617cb94f0c30c

Download Submit
C:\Windows\SysWOW64\Pfdabino.exe

Filesize
243KB

MD5
ee63aaa3f9c60f60d3576835a25e13df

SHA1
339dbd7001eb07b5ec4c689df3ca939f6b8f0e2b

SHA256
1e2eeb3a740063e0946de28adb555467281995519be32d4480c6c79cd3588210

SHA512
abf3d0947d9e7dfcdb14e343ff662935e727aa3af676dce30af7b453f50da9b8046f1e05e5b9341e47ae67adb42e42b4487132d05edaa77f2e524c23866bc283

Download Submit
C:\Windows\SysWOW64\Picnndmb.exe

Filesize
243KB

MD5
85d8a98d1f10be3b8259090e197b32f9

SHA1
1d87f0c41594d9b742b500ff36a2f3b908c10dc8

SHA256
2f25ceef0f4f764a02e816870a70ff30bd3cbdaf8ffca1387547e888501ff091

SHA512
225d85c9ed3de0c40f1cda32725851f7cf7bc04fe125c74c74efa69ef01e8ef8cf217a7ce3776b074a40935c1cbd85a85af8208df3376833d1141ab8de22b1ec

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
243KB

MD5
5a95471e3f5aee8188182001d1d35efc

SHA1
b85ce3d3b8bb5f1569055ff3fe6f957ee4f48bf4

SHA256
ca4888f4a75aa6b65c46f097d4a226e928c172cee2ad95dbef5a90b4bf861c67

SHA512
0aa1be30330d02e6afb12e04ac54a8b0e0065e16004ab4feb2ccf4bcb0148ddf14b7d6a5b21ba8e266c49bd2885afb4e907c07810e7e43d841f38880b03e63ea

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
243KB

MD5
1c8526305b72e6f37a8f888409a9977e

SHA1
bfabf2a60ce58d578943e149c3a7ec92933aedc8

SHA256
c9bee481d91a1418989090b5d2653bcb47f7cd19116444848f69ce6b3ab817a3

SHA512
3c892d6d140c6b38732d9d8364ae2446b08595569926a1972dee0553329ca2367aae7adaff5959730a9efb97384e3ed49014ae9a9ddadd84137a56d02bec2d9f

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
243KB

MD5
cab74fd3373f6fd8113c4beeae72ad39

SHA1
e9c506a870d96b808ca5e2f2133e96588d46b777

SHA256
dc25ca4c704b2b581c8b6e58ba7920625eec98c7d3d534ded768a381a04e0c8d

SHA512
fd98e7b49e5b185513d01c1a99557599cde5ad0b6346561602684401e46aaf62ed4331287d3f8d4b82cb274ac41f70aed3da6f765c9e2bf27704c64754bce4e1

Download Submit
C:\Windows\SysWOW64\Pngphgbf.exe

Filesize
243KB

MD5
b7a22a786665126cc6e5acbbc6bfbdc2

SHA1
ac0ed9db31cddb3367dd80d01e68f2d0d0c20daf

SHA256
82d757178afa8681d0257ee282062cf2cf545711c985a7ce35e09b961d2fa8f3

SHA512
df1a9ef6dd9d618dbfa8f8f5c0fe7508e995435d2efdbe65396eaf47e9f518af9a32b6dfe8bd1257e53098471e9c8a8084adb2d9ea999cd3c975bb8715914d71

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
243KB

MD5
e1686f8d3de76c7249cd5ad32486bd77

SHA1
54fb4172f939baf91c77839b24821ef050fa9416

SHA256
6051c41df9fbe20bff0cac16266ac06c04c2e4b28d00c8c8ac3eaf13ef78a805

SHA512
52be3be836afc79619299583f5ff850b8f136e84bbcdcc51c1df76cadb8eb4b78661fd06486ddee81c0375cf2c7a726a6908bcccbbb59f10cc7344df681ad17f

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
243KB

MD5
ddf6e52d6e4ad31a9cc08bfa9ac2bbf0

SHA1
509f4c1013f3008c095afe513941cec4e1dda933

SHA256
e60d346101a96b137ea0210c0afc251147326ee152db0e58d74fa8dbcd60fb79

SHA512
8b2dd9b9af95ba9d9004a8b36b3b3d06dcc446d021725c38fdb0a9f7b16c928626fe4a6fa60644c9679c3ce9afaf8cfbaf6088f46346372917be7690b837f79a

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
243KB

MD5
5c306095314b791ad38b997fd214d037

SHA1
37cd8efcb753e0fff6f1430647b211e6d6c8bbb0

SHA256
488c462b6a00dec6e18ac6faba266023d5a02aea75e01da8dca8849793d3521e

SHA512
98be8236dbb857bd92d53b995e571a28e8b3620e0c555242f3069d33d002e2a042228d5511a53373a6a9c4a6feedad9e7e9f645f0d8ed30b91ef7d7801127b73

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
243KB

MD5
255f49cc5df7818438599c71116fa18a

SHA1
491cd44787f088b673386fabfbbf06a6af187ff4

SHA256
a2d8f42df54faf05092d2dc3309abe7956f94b8553cba201fd216448e17a28d7

SHA512
288bd4c0f5a8335789f9fbb470f5f77001ea6e5cf79e96db517fd76cb656746b0d2cfe0625702968a88a5185076a005fb344ad29c84de3b3ae539cd9842136c5

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
167KB

MD5
d19985724b77a2087eb4e0e3305a187d

SHA1
8b4a1b6b0127a5299e699b8fbba970a9cfb65e8a

SHA256
0c0865895a55eac4967234760dd654ad876100a80bce7b8ae7ded3d33278bbd1

SHA512
71323c050425ccd41d569a3daef210bc3e311844fee4d5253c825dc09a633c9e22a0bbbf4184556f7ac372c53bdd955ca88db04860b9d2e6d7be36da6cae3858

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
243KB

MD5
d0b9e5a25bf09be91d241aa3facb0d57

SHA1
f51071dfecf4bced92c210252216e511413afe88

SHA256
1002b01bd5b9819295a4a057e6901bb05fbeadd1c90c05ef10e0092ef401f4bb

SHA512
273494e1607445c95fd1e46d43acf52c1dc3e818f416d450b4f492edd9e5b2e3417f50778134dc1f31382c4988b3f5bb6774d20a809f96c445c98b42b0e0ba6b

Download Submit
\Windows\SysWOW64\Kgcpjmcb.exe

Filesize
243KB

MD5
a42f1486dc0dd02693f94e25e66048e4

SHA1
aafa0886c81ffd2fd5b51e44234964db1cb695c0

SHA256
36ca8f635eb476a13ea4ee4f75fd3520368550afc6b6791e57900990d10d301b

SHA512
105e8bb5d9c8869254f75f22f5f099685fe5ce1e2c275c7861152013758a6b11785f92f963e018b32e7e759c760b2cb220087d7a31c29d473e0e5494bb5002e5

Download Submit
\Windows\SysWOW64\Kofopj32.exe

Filesize
243KB

MD5
92dd60772794dd058566887252be3b6e

SHA1
beb0b19d4b2e4381e43ff5207d4d78113f1e807b

SHA256
a55b4178e6032ddbd4f57f346911431087af6b11377f91f0a657f04cb8b5904f

SHA512
88b62daae18259dfe51b66a6696e97a997690dc6ae5609d5244369c26bc701e8bf4f39c1a353a222738923765317d8010104295a520325e90be2249279dbe5ce

Download Submit
\Windows\SysWOW64\Leimip32.exe

Filesize
243KB

MD5
16d2b675d1b734ff27482d0fd72f34b7

SHA1
4658adba1119a1ffc3d2800add318f097f805907

SHA256
bb6ab87252f97926b0d87e159a111e7fecc1df6c4e8eb4164a1052f194bc2289

SHA512
8058b8f4ffee8ac24d9e6ebbbc122bc920ad2732fcbe33f55ee1273cabf8e42ccca191ebc884fc06813f495505dd753e01715b490de12785fc2ca556a29bf753

Download Submit
\Windows\SysWOW64\Ljkomfjl.exe

Filesize
243KB

MD5
92db3903967b05daf04e8959f37d22b4

SHA1
fda80b6960963d336a90e02fea48ac0847f2ab21

SHA256
b74af53a674216678a2f6944e01507ef32f419e6753bd6de6e5390c9e73d6634

SHA512
27f0b7b96063ee598b6134c19502bfb816a2f6af40b5be3ec57fb77916fb4312830e0a1d4de6f5f9624dbd8c0fbaa3060c80f0f30afd9032718d0778940dfaa0

Download Submit
\Windows\SysWOW64\Lmebnb32.exe

Filesize
243KB

MD5
9bc19c4f192458f7e477a0d62d4a6428

SHA1
522dd320f70fea8529c8a2669eefe7d92f5d0409

SHA256
6b88582c533ec05439679478064d760e3a3d41a0dd773f81463c11eafc760a61

SHA512
eb103d0c54652b9329bf147f066941e25260a7faaca3be2f8e6dffe0d74ad8b7b405e384c97f29f0380cfa3c24951b599e57ffaedd1a8926d5047b172dcf3f60

Download Submit
memory/400-248-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/400-267-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/580-182-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/580-201-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/580-209-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/676-289-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/676-309-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/676-298-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/684-262-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/684-273-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/684-278-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1208-223-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1208-193-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1208-231-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1260-131-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1488-307-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1488-320-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1488-321-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1492-165-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1492-174-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1492-196-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1596-362-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1596-357-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1596-371-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1668-245-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1668-244-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1920-268-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1920-261-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1920-256-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1944-103-0x0000000001C00000-0x0000000001C67000-memory.dmp

Filesize
412KB

Download
memory/1944-106-0x0000000001C00000-0x0000000001C67000-memory.dmp

Filesize
412KB

Download
memory/2040-284-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2040-283-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2088-221-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2088-234-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2088-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2228-337-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2228-332-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2228-338-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2232-331-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2232-326-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2240-246-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2240-222-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-243-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2256-52-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2264-44-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2292-311-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2292-310-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2292-300-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2332-6-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2332-12-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2332-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2456-79-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2508-159-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2508-166-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2508-152-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2556-343-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2556-348-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2580-73-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2580-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2680-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2684-139-0x0000000001B90000-0x0000000001BF7000-memory.dmp

Filesize
412KB

Download
memory/2684-145-0x0000000001B90000-0x0000000001BF7000-memory.dmp

Filesize
412KB

Download
memory/2944-117-0x0000000001B90000-0x0000000001BF7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads