7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
Size

390KB
MD5

a44ab64b91d9819db35fc624ca6e3eb3
SHA1

a1773b76eb59064240437d8e991102235bea47bc
SHA256

7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab
SHA512

f6f967c0623cc0bb00cb4c1814cd0795bdc3c1a00d3f77f2c86e8a5fbe6e4dabae315b7196e2bc44f1700e75dba980ef22ecd8c5816c5660318a7c6d5ead652b
SSDEEP

6144:5svA1YwA66b+X0RjtdgOPAUvgkNRgdgOPAUvgkG:fUngEiM2gEif

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oalfhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oalfhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookmfk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe

Executes dropped EXE 43 IoCs

pid	Process
3068	Npagjpcd.exe
2560	Nhllob32.exe
2688	Neplhf32.exe
3032	Ocdmaj32.exe
2896	Ookmfk32.exe
2464	Odhfob32.exe
2488	Oalfhf32.exe
784	Odjbdb32.exe
1956	Ojigbhlp.exe
768	Oappcfmb.exe
2216	Pmjqcc32.exe
2024	Pqemdbaj.exe
1068	Pfbelipa.exe
1200	Pokieo32.exe
956	Pmojocel.exe
1836	Pjbjhgde.exe
1620	Pkdgpo32.exe
2568	Pkfceo32.exe
1080	Qflhbhgg.exe
1356	Qbbhgi32.exe
568	Aaloddnn.exe
2904	Ackkppma.exe
1936	Acmhepko.exe
2328	Abphal32.exe
1724	Alhmjbhj.exe
1592	Afnagk32.exe
2708	Bilmcf32.exe
3028	Bpfeppop.exe
2672	Bbdallnd.exe
2600	Bhajdblk.exe
2760	Bphbeplm.exe
2504	Bbgnak32.exe
2580	Biafnecn.exe
2500	Bonoflae.exe
1712	Bdkgocpm.exe
2340	Baohhgnf.exe
1792	Bhhpeafc.exe
2256	Bfkpqn32.exe
1804	Baadng32.exe
2232	Cpceidcn.exe
2080	Chkmkacq.exe
2376	Ckiigmcd.exe
1672	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2988	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
2988	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
3068	Npagjpcd.exe
3068	Npagjpcd.exe
2560	Nhllob32.exe
2560	Nhllob32.exe
2688	Neplhf32.exe
2688	Neplhf32.exe
3032	Ocdmaj32.exe
3032	Ocdmaj32.exe
2896	Ookmfk32.exe
2896	Ookmfk32.exe
2464	Odhfob32.exe
2464	Odhfob32.exe
2488	Oalfhf32.exe
2488	Oalfhf32.exe
784	Odjbdb32.exe
784	Odjbdb32.exe
1956	Ojigbhlp.exe
1956	Ojigbhlp.exe
768	Oappcfmb.exe
768	Oappcfmb.exe
2216	Pmjqcc32.exe
2216	Pmjqcc32.exe
2024	Pqemdbaj.exe
2024	Pqemdbaj.exe
1068	Pfbelipa.exe
1068	Pfbelipa.exe
1200	Pokieo32.exe
1200	Pokieo32.exe
956	Pmojocel.exe
956	Pmojocel.exe
1836	Pjbjhgde.exe
1836	Pjbjhgde.exe
1620	Pkdgpo32.exe
1620	Pkdgpo32.exe
2568	Pkfceo32.exe
2568	Pkfceo32.exe
1080	Qflhbhgg.exe
1080	Qflhbhgg.exe
1356	Qbbhgi32.exe
1356	Qbbhgi32.exe
568	Aaloddnn.exe
568	Aaloddnn.exe
2904	Ackkppma.exe
2904	Ackkppma.exe
1936	Acmhepko.exe
1936	Acmhepko.exe
2328	Abphal32.exe
2328	Abphal32.exe
1724	Alhmjbhj.exe
1724	Alhmjbhj.exe
1592	Afnagk32.exe
1592	Afnagk32.exe
2708	Bilmcf32.exe
2708	Bilmcf32.exe
3028	Bpfeppop.exe
3028	Bpfeppop.exe
2672	Bbdallnd.exe
2672	Bbdallnd.exe
2600	Bhajdblk.exe
2600	Bhajdblk.exe
2760	Bphbeplm.exe
2760	Bphbeplm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Chdqghfp.dll	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Odhfob32.exe	Ookmfk32.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Oalfhf32.exe	Odhfob32.exe
File opened for modification	C:\Windows\SysWOW64\Odjbdb32.exe	Oalfhf32.exe
File created	C:\Windows\SysWOW64\Pfbelipa.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Pfbelipa.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Blkepk32.dll	Neplhf32.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Kjcceqko.dll	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Ocdmaj32.exe	Neplhf32.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Ocdmaj32.exe	Neplhf32.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Oappcfmb.exe	Ojigbhlp.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Pmjqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Pqemdbaj.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Jcbemfmf.dll	Pmjqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Pokieo32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	Pjbjhgde.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pfbelipa.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
File created	C:\Windows\SysWOW64\Oalfhf32.exe	Odhfob32.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Nhllob32.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Neplhf32.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Hhppho32.dll	Nhllob32.exe
File opened for modification	C:\Windows\SysWOW64\Ookmfk32.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	Npagjpcd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	1672	WerFault.exe	70

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpgcm32.dll"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdqghfp.dll"	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookmfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebghjja.dll"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oalfhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdneocc.dll"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll"	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhppho32.dll"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll"	Oalfhf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3068	2988	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe	28
PID 2988 wrote to memory of 3068	2988	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe	28
PID 2988 wrote to memory of 3068	2988	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe	28
PID 2988 wrote to memory of 3068	2988	7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe	28
PID 3068 wrote to memory of 2560	3068	Npagjpcd.exe	29
PID 3068 wrote to memory of 2560	3068	Npagjpcd.exe	29
PID 3068 wrote to memory of 2560	3068	Npagjpcd.exe	29
PID 3068 wrote to memory of 2560	3068	Npagjpcd.exe	29
PID 2560 wrote to memory of 2688	2560	Nhllob32.exe	30
PID 2560 wrote to memory of 2688	2560	Nhllob32.exe	30
PID 2560 wrote to memory of 2688	2560	Nhllob32.exe	30
PID 2560 wrote to memory of 2688	2560	Nhllob32.exe	30
PID 2688 wrote to memory of 3032	2688	Neplhf32.exe	31
PID 2688 wrote to memory of 3032	2688	Neplhf32.exe	31
PID 2688 wrote to memory of 3032	2688	Neplhf32.exe	31
PID 2688 wrote to memory of 3032	2688	Neplhf32.exe	31
PID 3032 wrote to memory of 2896	3032	Ocdmaj32.exe	32
PID 3032 wrote to memory of 2896	3032	Ocdmaj32.exe	32
PID 3032 wrote to memory of 2896	3032	Ocdmaj32.exe	32
PID 3032 wrote to memory of 2896	3032	Ocdmaj32.exe	32
PID 2896 wrote to memory of 2464	2896	Ookmfk32.exe	33
PID 2896 wrote to memory of 2464	2896	Ookmfk32.exe	33
PID 2896 wrote to memory of 2464	2896	Ookmfk32.exe	33
PID 2896 wrote to memory of 2464	2896	Ookmfk32.exe	33
PID 2464 wrote to memory of 2488	2464	Odhfob32.exe	34
PID 2464 wrote to memory of 2488	2464	Odhfob32.exe	34
PID 2464 wrote to memory of 2488	2464	Odhfob32.exe	34
PID 2464 wrote to memory of 2488	2464	Odhfob32.exe	34
PID 2488 wrote to memory of 784	2488	Oalfhf32.exe	35
PID 2488 wrote to memory of 784	2488	Oalfhf32.exe	35
PID 2488 wrote to memory of 784	2488	Oalfhf32.exe	35
PID 2488 wrote to memory of 784	2488	Oalfhf32.exe	35
PID 784 wrote to memory of 1956	784	Odjbdb32.exe	36
PID 784 wrote to memory of 1956	784	Odjbdb32.exe	36
PID 784 wrote to memory of 1956	784	Odjbdb32.exe	36
PID 784 wrote to memory of 1956	784	Odjbdb32.exe	36
PID 1956 wrote to memory of 768	1956	Ojigbhlp.exe	37
PID 1956 wrote to memory of 768	1956	Ojigbhlp.exe	37
PID 1956 wrote to memory of 768	1956	Ojigbhlp.exe	37
PID 1956 wrote to memory of 768	1956	Ojigbhlp.exe	37
PID 768 wrote to memory of 2216	768	Oappcfmb.exe	38
PID 768 wrote to memory of 2216	768	Oappcfmb.exe	38
PID 768 wrote to memory of 2216	768	Oappcfmb.exe	38
PID 768 wrote to memory of 2216	768	Oappcfmb.exe	38
PID 2216 wrote to memory of 2024	2216	Pmjqcc32.exe	39
PID 2216 wrote to memory of 2024	2216	Pmjqcc32.exe	39
PID 2216 wrote to memory of 2024	2216	Pmjqcc32.exe	39
PID 2216 wrote to memory of 2024	2216	Pmjqcc32.exe	39
PID 2024 wrote to memory of 1068	2024	Pqemdbaj.exe	40
PID 2024 wrote to memory of 1068	2024	Pqemdbaj.exe	40
PID 2024 wrote to memory of 1068	2024	Pqemdbaj.exe	40
PID 2024 wrote to memory of 1068	2024	Pqemdbaj.exe	40
PID 1068 wrote to memory of 1200	1068	Pfbelipa.exe	41
PID 1068 wrote to memory of 1200	1068	Pfbelipa.exe	41
PID 1068 wrote to memory of 1200	1068	Pfbelipa.exe	41
PID 1068 wrote to memory of 1200	1068	Pfbelipa.exe	41
PID 1200 wrote to memory of 956	1200	Pokieo32.exe	42
PID 1200 wrote to memory of 956	1200	Pokieo32.exe	42
PID 1200 wrote to memory of 956	1200	Pokieo32.exe	42
PID 1200 wrote to memory of 956	1200	Pokieo32.exe	42
PID 956 wrote to memory of 1836	956	Pmojocel.exe	43
PID 956 wrote to memory of 1836	956	Pmojocel.exe	43
PID 956 wrote to memory of 1836	956	Pmojocel.exe	43
PID 956 wrote to memory of 1836	956	Pmojocel.exe	43

C:\Users\Admin\AppData\Local\Temp\7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe
"C:\Users\Admin\AppData\Local\Temp\7a076ba66ef4a2d0ae90d6be89a38dfb2facb58f24d932368a29114043eb92ab.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\Npagjpcd.exe
  C:\Windows\system32\Npagjpcd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\Nhllob32.exe
    C:\Windows\system32\Nhllob32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\Neplhf32.exe
      C:\Windows\system32\Neplhf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Ookmfk32.exe
        
        C:\Windows\system32\Ookmfk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Oalfhf32.exe
        
        C:\Windows\system32\Oalfhf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Odjbdb32.exe
        
        C:\Windows\system32\Odjbdb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        44⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 140
        45⤵
        Program crash
        
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
390KB

MD5
6d8197eba6649a7f9a8c83d038877836

SHA1
52c40a88e862355fa3ad1dbb810878e932ff5357

SHA256
9b548d969cc0d335776fc748d0b206f846c17391679f65f2dd8ee66fa7c9052b

SHA512
b717567259175d89f3e24ad3e33597be439f66f5ce824884295f2646ba16f6ebc0b7fb771e6690546f780d74e4f64ec5ca585b8ad44d0aef0ff324d75512700c

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
390KB

MD5
7a1c26741debdf18a8e4a0bdf65aabfc

SHA1
2e4b499a85e84c9b2d98c97ed531d73b34236879

SHA256
5694975a12efdc0b83a336db2ecd1692ac8bac2239aff7533e439e2c5eac4281

SHA512
336f877ef90e545134801036cf87c9a41c909fb20fe605bbf39236c1bfd118297d8a24bc33794961bf42a4bc4ec0ebc10117ac409cec16964cd6eae3eda37ad6

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
390KB

MD5
faf844075cf087f16062665ea016b32c

SHA1
b2d3ffda4d2e0db36809476eff80f9c8e663a8b1

SHA256
ed07046e2f420dc03b197b8c36c6e8126fc702970549f27963c24964fdba6eff

SHA512
690122523ee90b0f8a630fb0c58d8efe4f2a3d9a91335ef73321c1f78edbe09dfb8dc9882aafe506a61e1be32efbdf5a69fc5d0544e1e33d06cdbc8ad1e1ce0d

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
390KB

MD5
aebdc63e75ef5297082b390a5c32e0a7

SHA1
bfa17390bc722da33a9915bb92c006d235943a5a

SHA256
3faf55bb688da3ec6fbab420c9b309cff16f2dc37b9059eeb4b8ad4dad31337e

SHA512
8c9eea66f370b66907857c3bf48a6bbc56ed27835ea7fcc00ab8912729403e49d6eb6a6d9873456f410d07c1fe15cb8428a987b0cdf383087d40616b4ef2c4be

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
390KB

MD5
d2148e529a1117ead7613a16bddbcb0e

SHA1
97569c060903d8b192deadef6e6a43b10977cfbd

SHA256
e2858262d553d8020e4c1b3cbaba92313ce4da9f8a1dd8bf00b36c5b58d0d48b

SHA512
d0588ea665f40b77bfaebe4673841c23e2f0eea505a64cb9f90622298aa783b354ac44094a8b7a079e958aa19f7232745815c38b9ff9430742330bc7e19d15a8

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
390KB

MD5
0e18ef1d18b6b01c8aea16e32d61ce93

SHA1
03f703613a8f28df2ab995ec080b509eed5c38a7

SHA256
5ac4ea9735a2307d95234d4ce142e56725a0f116de00a492a5cb55948d7a654d

SHA512
1957f30acdd3973a1e33e12eb6d833f2fed870030a5b9a2a9b338a8fcd7311516f8034dc98ce832a516491458333603ecc8c2f455845a8d8101e498dd26e6e9f

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
390KB

MD5
cfb737ecc2f090d2734d2f3e2630b3f2

SHA1
ef9d15c53322e9dc66b589f105a950831e03d147

SHA256
65dcec459204b1edd73b46d276c397c628e1d7bdfd0d7913f7cadc6928592519

SHA512
0309a5cbc8719dcfb1b611c71e70e12c8dd9090dcc378098e2a7d9a172d54db3eef7a20d20d814c71ea25803344a320506e310c50405cec9880b8801e1e72c41

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
390KB

MD5
03c071606cdd35f089a4b057558e2cce

SHA1
ff889b494a9ce41747b9bde63dfe810e07e3a916

SHA256
5f9285eb309d3c7f873d1d46e65200d92575c96e1619275112f21318cbb3e4ee

SHA512
db29cc574502076579fd6167566f4cfdb1c206df5a2b43c163a185c487b754818c89dbf0a56f42e0794a91dddcadc32c7dbf7670e375727cc08ef5a48bb650cb

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
390KB

MD5
31e6b3dfcaea665cf347df7de1222e9c

SHA1
0caa03a2c40aec2c94dacd60ff4b1a352822ac07

SHA256
60bf25b0b301999b7674329fd15ea1cc436a17b9a2f0d95039d8190ecfde45a9

SHA512
9650c65713a88282c1a3754a3733f866fa97453057246087f1fe837ebead0ce754503bba73bbe445eed64d7c167acad79ad21c27b8b78e1b495df3ecddd04d61

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
390KB

MD5
abba9fea597847eac4ffe2ce02179fef

SHA1
b5c33b532dde54571201861aea2d8b2090927fea

SHA256
a9b5d21ae71d981d14cacacc086141b2f177641c7c2e59b502f83e74e44535b6

SHA512
293fbf2f374f969361c882df2a18f6cf093cf1f13fe82c955a05933f0316d0aecb48c8afc286343c56b6d403335e9115bc57f2f335d661c1d2d3eb7bf87b80ac

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
390KB

MD5
63da208ed14b9bd7c31baf1f854a129d

SHA1
7171e935ea07363aad9f6ea05933e7ccddff3f1b

SHA256
bf7728323d7f5e0ed841b5f2c4cfcff56af0d896ddf89e234a73d8f4bbcb830a

SHA512
ca9fae1c1b8016a8b919076ceae69382d694db575e8a2e172b803daefcafc4ad88b519c770b4f5fd9dc725e467746230162662ce88a82c53cca38c32abe83de8

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
390KB

MD5
8a6d9439bda9c0198ff6ea1c225270d9

SHA1
8b2f062141aceb4c819955f4f1071203c790b2f5

SHA256
4805fd86d9c0ffe2ff720edf14b0a4a0b14c1e17cfab48d4119a859c8f323d94

SHA512
ab1b6899669d093d79d104b1649e110055b083ee38dc78574d4f1e2a3819b63199b2f3fd6bd6d24a0d6485f6abc5f367f7f30e3020751a3c3c28d64bec67eec9

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
390KB

MD5
10b9b980117d90a0ac4a89b7b7c304bf

SHA1
bfd53e9d978057ee10a968f2c8024125baf22bdc

SHA256
7de7d60b394a8376832f22cf6b5e0059705dc32097fb09fcdeae0f56478a3a0d

SHA512
8f4b39858fed21f5439d1d74adec3095622e5767ba8b2c7774029b968fb0e1f283b6b29215f998243cb2f102b8f2ed810d98df1313459489e895e775806dacf9

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
390KB

MD5
a45190355f4f5891cbf0275c6f515e60

SHA1
5ac2c7f37fdf56c7c949297bd8dd7fb56c4f0a97

SHA256
bfb4a5c90267bc4080602a5d8504dcbca4dd5c0b2afa0c6be187d16b212541c6

SHA512
0276257962d5ccb536663f7d15a06ad696ee88785c6a55729c55a2787c6c3a7dd97bff34747cc5b487c6d392a323a527999a0e527a77719e7bfb1fa9889b8f8b

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
390KB

MD5
fd8a909e09bdf089141c2c0e952dee9f

SHA1
bf2db18bc6a96c28539f2ab4061d12668b90a3f9

SHA256
7640d9248f0f2f58449116585720a4915d2d22e69e840f61bf954f346f739db5

SHA512
20398100fe3ce2e17ce5c3a90436dc98218df7e97b8f8e34845a73fdd432e98775203de6ca4fb2b164c072217060021b1611f1f6ff59ad3d98bdab8bfe93dcb9

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
390KB

MD5
41f3c5d62a3c4e3ccc995e49b78b54c6

SHA1
9e188c4c5d49c733c4ad133f00f640140a47de84

SHA256
112dc08fedfa2e71fa21f51901be4adbf4fc3aefc5b93060bb210510670e3d53

SHA512
15a8f7f732374022338f21ae5fb0b906b7f8a24fa0210b41241179cf02b26a29dba7238326a3203d20ff1acbc251dcf63ff271e3994be301451f6c6b3fc673a1

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
390KB

MD5
fd97a196731d280dc34ab5ab8ec66fc0

SHA1
e63aabb87a4f6f85bcc022ab5a850bbdb82c5e68

SHA256
00c7b62d0758febc2a1203380257a13405949767d75e6c8661d36c51681cdbb9

SHA512
25318ad0bbba7a3c400b81bf5c7e324e34d1dbe8a3bef9be5f833ce02c56a9e7170e7aca94ee0acd6749ffb439ba6a2580f20a6825ada9828afa70e228b7800c

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
390KB

MD5
ce40cae52037731af8da9888f5d4aed4

SHA1
ec14dcab9955ade71230b51188e2290308c845ea

SHA256
7570a9d3341fc61350fce9ff2446b7149ce211aa64aa2f0ca462dedc8cf070c2

SHA512
6fadb634a05857663a723ff11cc4a63e84d4209cf9010c9b27b3b52b0434faa5e0d652d8cd773f3a42fa7ae8e7084f40332355d7f5e43c3462ac5788b78beb1a

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
390KB

MD5
ac6637ce5ad84a717b5f1bb2440513b1

SHA1
6bb105a646adc6271e9a89cc1d34d13891ccac78

SHA256
9381f71ea4d56555ba6bff5af3444ac956c8f23f6e9e13c190df144f29bd3c7f

SHA512
7980e6b048d9be95bac8948a41ce64b2234ae498f01e95ed53c5d7a75238bf55975742dd076f42fabfb2e2317ca78eaf2d77d58c0cb4b41ea036feeb8d7bf588

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
390KB

MD5
396314bd979c3fed0e8f573255d2a9ab

SHA1
1dcb223b4604cffd2e3ea7124120c8a5de67bc85

SHA256
7670af3d0540f26e65da48a40eaa8d6649c667a864121abc23018e109c013a43

SHA512
8a363ec7d7518345a4b3f6a58b4fac6513d4dd96050b4ef405873d5aa5b0cd2d87d2b7a27977c1971ee527bb5742dc470a8ed5165c8798d191e4db0eb0cbb874

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
390KB

MD5
c9854d381d9825758acc2a4dbff568f0

SHA1
75c88a0a6ac8cca706a077ac9898d76b7fb77783

SHA256
126b8655079f6c1110fae8e1200cc4dfe71a276e2ded673835449a64916c6c48

SHA512
58317904324dd0a2fb76811585157f05ba4f0e479a4baffd97c8241d8cf24e36ff1d98fb330ae48e45433b06bf087df8f3eb83dc07b4ea5b58f5902c38687750

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
390KB

MD5
cadafbb9abf6ebc6c797d81f10dcd816

SHA1
d4d899bdb0df6a6a9d6697f6ab8c3a167056e257

SHA256
bda8b620f32e3533cd6ff11489d4aaf3f5c66adf59bfa1ef15964a0ace4a0ef3

SHA512
f3ee7d5cda63cfb6f1b12ac2020538852c3c73d58d35ab66c43306175b7d8d5434b3f9f5481c0468da2cb3f2176213a03df51f0c24047da93e2f63a5a72218a3

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
390KB

MD5
81720804ea4513ce30d044279568333f

SHA1
ddfc18b4b5861e6b70072cc46175d1407d7d4440

SHA256
8d7df9ede3a245eee0d3acffb5702f4adfd496a5f744e74af6e701fe0a250192

SHA512
4fe817d20ca21400ad64966c2b05fa70eb4cffc44dd6c227144313bdd405f285395104f180ba4a708aa21c4c57b693e6e600a8f17f0df0c35648d54336b43e72

Download Submit
C:\Windows\SysWOW64\Lmpgcm32.dll

Filesize
7KB

MD5
7032ae6e86b4b414fc78f81167f96b18

SHA1
e6dfaef592f061034d0a7645a8c04fcee5825ff0

SHA256
cb8f9738f46d835014beb06e4c165565406fd7b3abee939ff67c4ba63aa7076f

SHA512
890dfdd4c56f2234e22d89e181bae7ae46042c741e61bb813c4930987381c2ce8241e3ec2c733de65903dd973709db857061c413ecda180a6f1e4f6e95db65e6

Download Submit
C:\Windows\SysWOW64\Oalfhf32.exe

Filesize
390KB

MD5
fe6cb5d0561b5e9b88db061fd073281c

SHA1
3566730d767ffc966b649f9753da8164b44c4c35

SHA256
9b229b00c7760ca99dc2badf77e5ec58fd7f46e4b0ac7b74e35302b466e55819

SHA512
e99803ce014db88125a23a48c518ca9c101bc4d92bc5822c4cc2b3dc7a9cad61d359cbad448c248da04ac1fc5a9e64d22139a43730c695372ed27fd6b63b73ed

Download Submit
C:\Windows\SysWOW64\Oappcfmb.exe

Filesize
390KB

MD5
7aeca54f1e43c295415ef647936e5040

SHA1
cabd6cfb98251c1a8e49211fec61f9da137cbfa5

SHA256
cf3e0634ed81dedd208a348137bf668ec51f5bcb3b60819719b69fd515735e72

SHA512
c089a4b187d3c1681146504d89099bb5debd5a1894fa1160999c6ceb850755983d9832b41257dd1f374f2bd074b78db71896cd0b208af20139e97c385515e95e

Download Submit
C:\Windows\SysWOW64\Ojigbhlp.exe

Filesize
390KB

MD5
29bed5aef99832be8a44368e570b4e8f

SHA1
136ecb578fafa5ef90a85c0dbf52170af3034bd0

SHA256
38562aaed9b721d45388ee03dc0c0634d1a557cbbb6e6aeab84ee3a322aa31db

SHA512
f293cfe9626d8c251071a1d2470450dfdd478ca3ce624c6a500bb021c3dce613516093f85c057eab1b9d043bf4291a389ef711820aa201ffe477f5d8a1c798dc

Download Submit
C:\Windows\SysWOW64\Ookmfk32.exe

Filesize
390KB

MD5
30c66c18f36da77e6bd5daabd02d7a2d

SHA1
4238b289295b3fcbffc812fdd423ad8249c61909

SHA256
03c78685de0abe59666b68999deb2e8f8375fae5f6492d03a38e87bdadd1f317

SHA512
fee1eaf081dcaa4a7fedc6db3091b7c14d52411e0525c0a78255a4e9cc8fc46301ebea156cd8a955fb2c0890ad3db93c38aab50e6ba07236c59036374cfa0cf0

Download Submit
C:\Windows\SysWOW64\Pfbelipa.exe

Filesize
390KB

MD5
4c05040b7a8bf2ee80bd64faa6984a1d

SHA1
8838b60e46ccab9888b4433a5e0d8178c186494b

SHA256
9413c554135f726043fe4d73953a5368aff18bdd6f0f6bd1c7ec65be94657dca

SHA512
b86786ab99f244ab43c8f47fb3126961b35ec079399dbafbb6ee244d271a8d56aa6a9d3d0383e4c2018dcdc19cc3f5939e23017ad0d04ad007deebf383966e9b

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
390KB

MD5
6a2ba8b501543f715762d1ddc7053ddc

SHA1
c346494f8826a3d98f4fff0e9729109572118161

SHA256
33637108dd118e608ba1f06b2b97f6306e551683ac5e5d825a473c7d5d058300

SHA512
56930afc15540831983b0e742a0ba5af4abd20c88ec51ab995cbf5f6d76b769cd4df3d2d85439452bd52c9b2157b207b84ddd38aa9d048a3437600de59b18692

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
390KB

MD5
d5e4f6caafa7aa8219a3aca6dc013a87

SHA1
5e7a89c439a659f2feed08d28d03a159aaed30e8

SHA256
ba1d322ab3f7bd89f4fbe4c55c74df08690cd7a83cee1c34150743085a6000f0

SHA512
0286b2136c56594b7c4de92e7d6b6975f49802c700b56c5de0a35dfdfd00b395c5187fb610bd654293ed6a80419e52c7d616a8b8d6ea95a0e30bc2fc565d6dd6

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
390KB

MD5
f629b2105697e2e1cb2762d938e4460b

SHA1
f91c9181a90fc798a90da1224ce33f58916add13

SHA256
30d7199fcc37d6fcbe6e03fb7d1fa5bb66bdae422c70895a1f42373f3b703ee1

SHA512
297ee48c6b08cadae6500b78ab95d349a1a71c3e0ac55ff2103259fc5a3734d04f2404c47c78a196fa29e8c721b61da70501e894bf77a5b0b2a53ed6453054db

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
390KB

MD5
934553342f5a6740c710a1b2010fa475

SHA1
a8f7da722fd5966ac341a83ccc77e07974622d3e

SHA256
e539a9e0dd30031c3ee1baf43315ffef8174c59be2b136b6c823d00f8d9c5e63

SHA512
e9af1fd302e67dca7b96a6495e658c5115fdd07f15f541d0e9ef3521ab73510f1c138e7968fab5d714170f62866b2041861c305e218c7181246cbb6a142c3f9a

Download Submit
C:\Windows\SysWOW64\Pqemdbaj.exe

Filesize
390KB

MD5
356f392b7fab93481043d111e1b1ce2d

SHA1
d9afc227da698da157c0093234f3ee17f7065227

SHA256
da50f048990e5f6e3b95463178dd75621b838372eb3659e95d3692085ea97d68

SHA512
b66374bb28200d58515acb7aab06c9760dd96815d085c5d77326877a275f5766b5b8f87af952b97c48c75e8796d09aac170058b38e7ed43f51f9ee4f1ccc267c

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
390KB

MD5
6b6fc20ebe35ceb82b18a229c2bd1435

SHA1
629e60ab32ede55e21c12d46a39c81deb3dbf9ef

SHA256
d647ee3094d1d87019f56a14029f8cfdb752c4e3558f6e602a5ad40db0aea7dd

SHA512
04b561137ab275030fce4ada8b7dcf6b2fb823d2b6cf9398a9e0d77ce1598d3f6dfe5f0eaba2c168d596a98a23d3ac7b4b6125b570098243eb2c165120afc1cd

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
390KB

MD5
11ade6b4062510994b3164f1df2dcf07

SHA1
1b90bd322304083134577945636c0512e5a90cbc

SHA256
dfb4c5855cbb41ac48de6bab05d86505e5d121e006a35aea64512f059b51dd9c

SHA512
df7ffe52d8eaf2e144ff4628ee524c7da6b871c4f31f64c340eeaf6dc4eb9e09b582702d18e91f0d8056ecdf8c083d7869ec4dace5019675b2f9924504e0c14f

Download Submit
\Windows\SysWOW64\Neplhf32.exe

Filesize
390KB

MD5
b855d7b6acfc72c59b4b5bb02c5b770a

SHA1
895b62c2f6615ba1d0698049ce283b82f6f4143a

SHA256
03d82b5e22cf95d86950cf9fde02b16c1414829a5b734a58a2d5126575c761c3

SHA512
d3f63eae4fb09548e79a7dcc333e6aabd5f31da4b2d290247b7e145cc0e56443e36622326b5d3323dc12b158f1368da5a5f57318684c5d68bb79ff64f831ea0f

Download Submit
\Windows\SysWOW64\Nhllob32.exe

Filesize
390KB

MD5
64e47f5d367d12e7a09550e693aa6dc0

SHA1
5eb648728c6145435ad7d0a8dc9ecc0be379f06e

SHA256
7a48c151441b117bbad2b3e225418618a9cc860ed57398e8b65220e05d519e38

SHA512
1febbb2a567827ecba07f6dd7344a37300d2e5bc588df281a4db8ef0bd722926d96685b2db3628e428e558301301f5911ddfe04d31ab5d1ab1673771bd874407

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
390KB

MD5
304dfebabba056bf27a2e489837a03e7

SHA1
d5ec0f2d8dcd2961b109adfe40c5f42bdb803511

SHA256
0ee645ff0369bb8fc0287867ea357dabf402665fab362646f9cfcf0f28301b94

SHA512
adaa539f033d312f7f511b7ccb47363f961c85103cca532cf68c22abfed376186c3970f2be857459d5f7ad244e912a3c086ba1347a6d4289a7fd4c3fd4eb9a9f

Download Submit
\Windows\SysWOW64\Ocdmaj32.exe

Filesize
390KB

MD5
43d3ff7cac3cbc317312c55b6b9ff953

SHA1
4e996403fae8ac8d3789c7b4e70f006b29eafa71

SHA256
a57d73a26a0c3ec1d30ef0115722f4fa9fd48a0f7e954390ee8370410bb9f99f

SHA512
0a1a6a1fca61df242a1249337bce86afa29c98ca64fe0eb4bdd94f46a13e1ddb79b218b30802c59fd80f92542e8f07148e3d89145a45b463296a83575a40e135

Download Submit
\Windows\SysWOW64\Odhfob32.exe

Filesize
390KB

MD5
b557bbfd08974551b83c72723b45528f

SHA1
cb91c7d73b24de1f21629865b294aa7f75322d10

SHA256
18d7afc35cdbfd01ec12b3de4e19fcd97690d390fb124b0cd681cd83f7367a71

SHA512
43d06d2d9dfdbcc6cf96d12ee582f7338546139d00331237630a5e6ee428c00ed0bf3a53c2c1b6edd05e7fa29e335b7f64cbbf2ca0964df568577d97b5ec3f7c

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
390KB

MD5
a6006ce97f5ce5128690af364b4bfde7

SHA1
0f08448307bb06365c45023a01208c47b6982f87

SHA256
0a782575801622b938057c94938d730da71239ef56df362283969ef16f64e936

SHA512
d5de627b792c5aea5d7d493db1109f592a0d03b6d30a962859a5973171d8916eaa9fe175290402c316e6d86afbadf8c6b1117aff12e8be070706bff991cdc4f4

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
390KB

MD5
65cad41bb081a1d62694227bccd65bba

SHA1
ed990299a7cbe4dd4e9df59e03731fbbd9f891d3

SHA256
ef2561f9f7ef218d5b5ebb6ec9db35ff67153ec3eb4e6ef4a0f0957ca190221c

SHA512
0f05ddab2e13d928f23b3d71c89059e0e77cdc95343574bd3532aa11f3ce187c83c6269f8d3c27142c5dd713dbc640b0986c8e00120644af68243f84ec17faa1

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
390KB

MD5
cdb52015b0ac124b3fb2cfc0ec3a65c7

SHA1
331c6b2e2236b8582814aaebcbfc3da53e9255cc

SHA256
5a45786d5552a3ec956a82090a3b36407d631c4fcd3cae9f5f5f6556aca5245d

SHA512
231ee00484641ba19c22365e76466f29c86e5820f99db314e35cb1f6af4e8de84722a7cd6bc9810b85ed89625f3e9b24d26661cd1a40a45b71ee086fb20d39f7

Download Submit
memory/568-301-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/568-295-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/568-281-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/768-133-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/768-153-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/768-152-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/956-252-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/956-242-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/956-243-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/1068-213-0x0000000000360000-0x00000000003D7000-memory.dmp

Filesize
476KB

Download
memory/1068-251-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1068-223-0x0000000000360000-0x00000000003D7000-memory.dmp

Filesize
476KB

Download
memory/1080-269-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1080-274-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1080-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1200-233-0x0000000000310000-0x0000000000387000-memory.dmp

Filesize
476KB

Download
memory/1200-232-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1356-280-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/1356-282-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/1356-279-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1592-362-0x0000000000290000-0x0000000000307000-memory.dmp

Filesize
476KB

Download
memory/1620-254-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1620-247-0x00000000002F0000-0x0000000000367000-memory.dmp

Filesize
476KB

Download
memory/1620-246-0x00000000002F0000-0x0000000000367000-memory.dmp

Filesize
476KB

Download
memory/1724-353-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1836-245-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/1836-253-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/1836-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1936-307-0x00000000002F0000-0x0000000000367000-memory.dmp

Filesize
476KB

Download
memory/1936-330-0x00000000002F0000-0x0000000000367000-memory.dmp

Filesize
476KB

Download
memory/1936-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1956-139-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/1956-120-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2024-250-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/2024-192-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2024-199-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/2216-161-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-173-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/2216-249-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/2328-335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-344-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/2488-106-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/2488-94-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2560-35-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/2560-27-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2568-255-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/2568-248-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/2672-402-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2672-407-0x00000000006E0000-0x0000000000757000-memory.dmp

Filesize
476KB

Download
memory/2688-49-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/2688-41-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2708-375-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2708-384-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/2896-68-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2896-77-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/2904-302-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2904-316-0x0000000000380000-0x00000000003F7000-memory.dmp

Filesize
476KB

Download
memory/2904-325-0x0000000000380000-0x00000000003F7000-memory.dmp

Filesize
476KB

Download
memory/2988-4-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2988-6-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/3028-389-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/3032-60-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3068-21-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/3068-13-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads