07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
Size

64KB
MD5

27925b707ccdc2a09a7730a55d944462
SHA1

eb840ccdbcbb3e96f949950c45e2587959627269
SHA256

07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5
SHA512

f8d1c3f323b5a2951ec011db87107d13fea6d2931b1b5375975ab158b79719613b711c879417bf6adb7cfe39945eae29e72d53db8e9746dfa70bf4cd4a54b384
SSDEEP

768:H6AaNOUza5XwGSRBbEDhJtblO8neRFX/eEjyrJ+TVJlZo2p/1H5w8RXdnhYakM8J:Hp3URGeBSjtblOYgdeJMo2LvAMCeW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odoloalf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llohjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neplhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookmfk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knpemf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neplhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe

Executes dropped EXE 47 IoCs

pid	Process
3032	Kfpgmdog.exe
2624	Kpjhkjde.exe
2524	Knpemf32.exe
2420	Lnbbbffj.exe
2404	Lfmffhde.exe
2452	Lfbpag32.exe
652	Llohjo32.exe
2772	Mlaeonld.exe
2792	Mieeibkn.exe
1788	Melfncqb.exe
304	Mdacop32.exe
2224	Mofglh32.exe
2580	Nkpegi32.exe
2140	Nigome32.exe
2168	Nenobfak.exe
2892	Neplhf32.exe
2160	Ocdmaj32.exe
2316	Ookmfk32.exe
1164	Ohcaoajg.exe
824	Oopfakpa.exe
1796	Ojigbhlp.exe
1828	Odoloalf.exe
1956	Pjldghjm.exe
2232	Pqemdbaj.exe
1104	Pcdipnqn.exe
2256	Pnimnfpc.exe
884	Pjpnbg32.exe
2116	Pomfkndo.exe
1880	Piekcd32.exe
1444	Pkdgpo32.exe
2608	Pbnoliap.exe
2552	Qgmdjp32.exe
2660	Qeaedd32.exe
2960	Aecaidjl.exe
2368	Amnfnfgg.exe
1644	Ajbggjfq.exe
620	Amqccfed.exe
2812	Abbeflpf.exe
2852	Bnielm32.exe
1940	Blobjaba.exe
1612	Baohhgnf.exe
2000	Bhhpeafc.exe
1808	Bobhal32.exe
1716	Cpceidcn.exe
1720	Cfnmfn32.exe
292	Cilibi32.exe
2904	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
3068	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
3068	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
3032	Kfpgmdog.exe
3032	Kfpgmdog.exe
2624	Kpjhkjde.exe
2624	Kpjhkjde.exe
2524	Knpemf32.exe
2524	Knpemf32.exe
2420	Lnbbbffj.exe
2420	Lnbbbffj.exe
2404	Lfmffhde.exe
2404	Lfmffhde.exe
2452	Lfbpag32.exe
2452	Lfbpag32.exe
652	Llohjo32.exe
652	Llohjo32.exe
2772	Mlaeonld.exe
2772	Mlaeonld.exe
2792	Mieeibkn.exe
2792	Mieeibkn.exe
1788	Melfncqb.exe
1788	Melfncqb.exe
304	Mdacop32.exe
304	Mdacop32.exe
2224	Mofglh32.exe
2224	Mofglh32.exe
2580	Nkpegi32.exe
2580	Nkpegi32.exe
2140	Nigome32.exe
2140	Nigome32.exe
2168	Nenobfak.exe
2168	Nenobfak.exe
2892	Neplhf32.exe
2892	Neplhf32.exe
2160	Ocdmaj32.exe
2160	Ocdmaj32.exe
2316	Ookmfk32.exe
2316	Ookmfk32.exe
1164	Ohcaoajg.exe
1164	Ohcaoajg.exe
824	Oopfakpa.exe
824	Oopfakpa.exe
1796	Ojigbhlp.exe
1796	Ojigbhlp.exe
1828	Odoloalf.exe
1828	Odoloalf.exe
1956	Pjldghjm.exe
1956	Pjldghjm.exe
2232	Pqemdbaj.exe
2232	Pqemdbaj.exe
1104	Pcdipnqn.exe
1104	Pcdipnqn.exe
2256	Pnimnfpc.exe
2256	Pnimnfpc.exe
884	Pjpnbg32.exe
884	Pjpnbg32.exe
2116	Pomfkndo.exe
2116	Pomfkndo.exe
1880	Piekcd32.exe
1880	Piekcd32.exe
1444	Pkdgpo32.exe
1444	Pkdgpo32.exe
2608	Pbnoliap.exe
2608	Pbnoliap.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ojigbhlp.exe	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Mlaeonld.exe	Llohjo32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	Ohcaoajg.exe
File opened for modification	C:\Windows\SysWOW64\Lfmffhde.exe	Lnbbbffj.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Llohjo32.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Ookmfk32.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Chdqghfp.dll	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Llohjo32.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdmaj32.exe	Neplhf32.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ancjqghh.dll	Kfpgmdog.exe
File created	C:\Windows\SysWOW64\Ihclng32.dll	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Odoloalf.exe	Ojigbhlp.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Kfpgmdog.exe	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
File created	C:\Windows\SysWOW64\Oflcmqaa.dll	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Llohjo32.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Lnhbfpnj.dll	Odoloalf.exe
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Lnbbbffj.exe	Knpemf32.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Neplhf32.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Pjpnbg32.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Lmpgcm32.dll	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Knpemf32.exe	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Knpemf32.exe	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Llohjo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2844	2904	WerFault.exe	74

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihclng32.dll"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odoloalf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll"	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll"	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llohjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odoloalf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3032	3068	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe	28
PID 3068 wrote to memory of 3032	3068	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe	28
PID 3068 wrote to memory of 3032	3068	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe	28
PID 3068 wrote to memory of 3032	3068	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe	28
PID 3032 wrote to memory of 2624	3032	Kfpgmdog.exe	29
PID 3032 wrote to memory of 2624	3032	Kfpgmdog.exe	29
PID 3032 wrote to memory of 2624	3032	Kfpgmdog.exe	29
PID 3032 wrote to memory of 2624	3032	Kfpgmdog.exe	29
PID 2624 wrote to memory of 2524	2624	Kpjhkjde.exe	30
PID 2624 wrote to memory of 2524	2624	Kpjhkjde.exe	30
PID 2624 wrote to memory of 2524	2624	Kpjhkjde.exe	30
PID 2624 wrote to memory of 2524	2624	Kpjhkjde.exe	30
PID 2524 wrote to memory of 2420	2524	Knpemf32.exe	31
PID 2524 wrote to memory of 2420	2524	Knpemf32.exe	31
PID 2524 wrote to memory of 2420	2524	Knpemf32.exe	31
PID 2524 wrote to memory of 2420	2524	Knpemf32.exe	31
PID 2420 wrote to memory of 2404	2420	Lnbbbffj.exe	32
PID 2420 wrote to memory of 2404	2420	Lnbbbffj.exe	32
PID 2420 wrote to memory of 2404	2420	Lnbbbffj.exe	32
PID 2420 wrote to memory of 2404	2420	Lnbbbffj.exe	32
PID 2404 wrote to memory of 2452	2404	Lfmffhde.exe	33
PID 2404 wrote to memory of 2452	2404	Lfmffhde.exe	33
PID 2404 wrote to memory of 2452	2404	Lfmffhde.exe	33
PID 2404 wrote to memory of 2452	2404	Lfmffhde.exe	33
PID 2452 wrote to memory of 652	2452	Lfbpag32.exe	34
PID 2452 wrote to memory of 652	2452	Lfbpag32.exe	34
PID 2452 wrote to memory of 652	2452	Lfbpag32.exe	34
PID 2452 wrote to memory of 652	2452	Lfbpag32.exe	34
PID 652 wrote to memory of 2772	652	Llohjo32.exe	35
PID 652 wrote to memory of 2772	652	Llohjo32.exe	35
PID 652 wrote to memory of 2772	652	Llohjo32.exe	35
PID 652 wrote to memory of 2772	652	Llohjo32.exe	35
PID 2772 wrote to memory of 2792	2772	Mlaeonld.exe	36
PID 2772 wrote to memory of 2792	2772	Mlaeonld.exe	36
PID 2772 wrote to memory of 2792	2772	Mlaeonld.exe	36
PID 2772 wrote to memory of 2792	2772	Mlaeonld.exe	36
PID 2792 wrote to memory of 1788	2792	Mieeibkn.exe	37
PID 2792 wrote to memory of 1788	2792	Mieeibkn.exe	37
PID 2792 wrote to memory of 1788	2792	Mieeibkn.exe	37
PID 2792 wrote to memory of 1788	2792	Mieeibkn.exe	37
PID 1788 wrote to memory of 304	1788	Melfncqb.exe	38
PID 1788 wrote to memory of 304	1788	Melfncqb.exe	38
PID 1788 wrote to memory of 304	1788	Melfncqb.exe	38
PID 1788 wrote to memory of 304	1788	Melfncqb.exe	38
PID 304 wrote to memory of 2224	304	Mdacop32.exe	39
PID 304 wrote to memory of 2224	304	Mdacop32.exe	39
PID 304 wrote to memory of 2224	304	Mdacop32.exe	39
PID 304 wrote to memory of 2224	304	Mdacop32.exe	39
PID 2224 wrote to memory of 2580	2224	Mofglh32.exe	40
PID 2224 wrote to memory of 2580	2224	Mofglh32.exe	40
PID 2224 wrote to memory of 2580	2224	Mofglh32.exe	40
PID 2224 wrote to memory of 2580	2224	Mofglh32.exe	40
PID 2580 wrote to memory of 2140	2580	Nkpegi32.exe	41
PID 2580 wrote to memory of 2140	2580	Nkpegi32.exe	41
PID 2580 wrote to memory of 2140	2580	Nkpegi32.exe	41
PID 2580 wrote to memory of 2140	2580	Nkpegi32.exe	41
PID 2140 wrote to memory of 2168	2140	Nigome32.exe	42
PID 2140 wrote to memory of 2168	2140	Nigome32.exe	42
PID 2140 wrote to memory of 2168	2140	Nigome32.exe	42
PID 2140 wrote to memory of 2168	2140	Nigome32.exe	42
PID 2168 wrote to memory of 2892	2168	Nenobfak.exe	43
PID 2168 wrote to memory of 2892	2168	Nenobfak.exe	43
PID 2168 wrote to memory of 2892	2168	Nenobfak.exe	43
PID 2168 wrote to memory of 2892	2168	Nenobfak.exe	43

C:\Users\Admin\AppData\Local\Temp\07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
"C:\Users\Admin\AppData\Local\Temp\07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\Kfpgmdog.exe
  C:\Windows\system32\Kfpgmdog.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\Kpjhkjde.exe
    C:\Windows\system32\Kpjhkjde.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\Knpemf32.exe
      C:\Windows\system32\Knpemf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Llohjo32.exe
        
        C:\Windows\system32\Llohjo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Neplhf32.exe
        
        C:\Windows\system32\Neplhf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ookmfk32.exe
        
        C:\Windows\system32\Ookmfk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ohcaoajg.exe
        
        C:\Windows\system32\Ohcaoajg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Odoloalf.exe
        
        C:\Windows\system32\Odoloalf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        48⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 140
        49⤵
        Program crash
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
64KB

MD5
7616f159c218583c288c252fca1c9285

SHA1
40d7c6b4cc6c3e485bf82e7d301740c8ea512a9a

SHA256
5c227f66f77db9ea648a945a9ec520f7a0d7b53d0ac5be2b6e55bfc2bfc5437b

SHA512
c8b8ba6bb9778ce8ae276e342c3a307b4250695b65276546dbb179546ed13fb75459554bfff1b9817a9014b60cf4625ca7ce044f338f82c70072585523436524

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
64KB

MD5
76b88a7da044ee9a282a2f10224ef07b

SHA1
44843ea587f4b459a4c8febb8b7ab8988f351c30

SHA256
272263b971adc3f561c3f64db053f2dba6776ceda8d85690530ab03c8ca4f7e8

SHA512
c03c6e09c8d1edc80039622f684bd99ac0539fe2387145c9ccf1a72a58946b8761f15257a7c509ca3ce9f2893076abf48a716fa69bf8d2912d25a5f394c9012d

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
64KB

MD5
ae47138de90091c24ff0a1ab2a5eb77d

SHA1
3a83654e01abf23f2f4e85d15c6f2abf4d860706

SHA256
c8e7af510cbfa9e422856ea7659b9f6704d27a89ba3a6e58e72f74acfebb5b86

SHA512
40aac7d05207af224f710793ae3fc174e51834c9923faeb4c436fbcaabb98a63f9182b1605411e209e57d1d4454a9a93c0a8bd9b7daeec9b8f136998e4db8cf7

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
64KB

MD5
13122775f69992fe1d07008525b105f6

SHA1
1b0e8ef6d2c7538c0bdbe8d0f2421b60f91cb739

SHA256
86410321ec616df42a0c8f5f27de1e1c678bab7cfdd18717bffde86041c6a281

SHA512
6e31d2204d7b551514d0433afa149b65bf150d2535aa596d1ce8fcf43721115f35ce06304a67d59f8dcf610d881ceb34847ed5c2beb79ab99e88faa49a5a24a2

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
64KB

MD5
101b745e15c0e6e36fbd82fac75f0055

SHA1
77a29e5589902e4f80f10af49a345ed1b06ac4fe

SHA256
862b6967e9e848a5c9d1e091f4adaa01dc567049566cbcd172299837f0ad0118

SHA512
0db55c6e6fde67e05793712e9ea92ac3155e5d2f777fa40fd3cb442759e715e4ba66adb3f92a382d3e061c5a01e5ffa9243ddcdabfefe269569561a6557412ac

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
64KB

MD5
ee50a40adecd557faeeef1a3d54969c5

SHA1
462d0289e268cebeea33b915b30117cabadc7e8c

SHA256
a10e1e0843ed734ac8216ab2a26efd750ebb7a895b43a7a81d9ef50ab643554c

SHA512
472a20f4f38bb18c58ad89aa9a8deba055a921c634251b5388d5d67bc9a9fb26f4475b1d489c64183f2ced06a97b84502408d7ef3821a4c4488443c61fff910c

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
64KB

MD5
99bc5f24a179a93632245fc76be73e5d

SHA1
73da4735256dd9bc775e3fa343eabc5aa6555bbd

SHA256
1c856cff01cba53aafc573a6b94928a843c980a63a543834aae69eda7d8842b5

SHA512
849349d5fc8f80f1fea40cdb54c7156769158f56986ef3cc2dba1ddfc89ba8faa81c06262e122e42bee41f4fcad5873379954ffdd6af981dd84b963aca2c1a4f

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
64KB

MD5
46e3dc6b95ae1ec2905aadbb0dcf4bdb

SHA1
88d4b539195292dba30a628f1c5d5b2472926665

SHA256
0e18f6392d85d8bac2e3f619bf205496f2d1baab27a6e71482ecbf7e39b5bb62

SHA512
26b0d7f0332c9dc717e6a448b4069aba5abd6ca22c8b0172d73e60eb1961d7163f2cc5d9aef122df7ba5ff9184744c8c9134e83e1083de645dc427488ece1f2d

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
64KB

MD5
626345e2969891f40671ced42e1d488e

SHA1
d9c7fc569e95f9fded0f28f7b4d2f5bcedf217a9

SHA256
24d4f6a05bb74c6018988f0b552c00d6fef3a5ffe8ccdc73aaa28c8681a3c908

SHA512
1227c34db6d8b3f71abbc56486e753c28b643635328326c9410a8901b2193a8bb75ee7d52ffaeb870dd270fe431a8c991c2e5a9c74bee367621526b45ca73b27

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
64KB

MD5
43d3e7e82192048b0109277ba3204242

SHA1
5137bbde0d43e5f73fbf354bd7bd5e46d8a51d04

SHA256
569c97ecd34c6deb8db8c9a636ba390bb3295caa74c2255c023046fb48097f9d

SHA512
d251f58eb928190faaccb420a86cc6ab2cb7fcd63bc1f3d6373f8ea6ddf48c540875fe90c0fec0b7c96011d8d1f5fa2d684ebf0be5cae29e69b2da231912bcaa

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
952aff5c5fd025239b0944387a7a32cf

SHA1
f095eb869dca0e894c29203be5b91d5b3a842af4

SHA256
5068784f54a0a78b1c2a563aeb1805bf26970ad05d552e068cb6a79c47d0472a

SHA512
e3ec9a4a67e12bad6be9837f6758e6bcfeb7ab51d4abddd21c571fd874cfeba6c026ed1ff130d3e11716929bee913f46608a281e96348533b910281f1f539f3f

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
64KB

MD5
21abea5f1de0b3cd23c91eecd796d29d

SHA1
e8bdde82713a700a2ae78d414180a2e10fd0a1f8

SHA256
7f48542b42110d457b15197fd699ab936e2b9b90aa326ea4faddcd02da957840

SHA512
d71ee41fd8e63a7626f16d6a0086d254da15f1cfa2c29b32f82859ff6dde6a3003a66299691f7ab3a05bff0f58f4e64408593b4bba410769fa5ea4985043cdf2

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
64KB

MD5
974d0cb41adedf213b54a46bb6b9ca06

SHA1
2fdf73d05a88f1323bd790378e18a7894205b1b0

SHA256
9165e34f44c2dfd535f50e18004f3c7acd2279a3eb2e39f237a5a1220243f0ce

SHA512
21827a52b36305a0a1a393b5ca83f8c97fd7c9471d7787eae815cc7afec26920b2cd693dd97c1f4259603f22987ef66330791f020e447778e23275c13e11e7bd

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
64KB

MD5
aed00c1b13bc5e31f0edb76d32f439d8

SHA1
0c928b0508bbf59a5f8bfa6a9062d978c63a6da0

SHA256
9cfef077551560b6175471b295608ead701114f13575273137163c3ba6fcc935

SHA512
e87728c64845e4d3aad241ef0ccc2be5924eedd351a37acce4c19d0d83cac250fdad7b74c5f8052146b2972b4e12c05d3957206f032e2766bea11408671be053

Download Submit
C:\Windows\SysWOW64\Kpjhkjde.exe

Filesize
64KB

MD5
8b631586461538e961a859773bf066de

SHA1
6df37dd21f87f3ba25aa7361e9c56927c99eb881

SHA256
b00ca9419ec681f26d8bde9dc349a4d6b7cf9b5803c18bf66406fe5cdf059b3b

SHA512
fc09f4b7e9cff9aa080d6244fa4e82734b5c8bcb6c1000299458acd857141f41435d5a9bd4f18081ae690a413c614badd2e0fda039435ddd7a8350a233e182a9

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
64KB

MD5
b9932890b0eebca9e07967ee5d33fc17

SHA1
8c47c404691819e663792d696f3ac7a05624a452

SHA256
32299f05f6017ff7a3a7c15619ed774a4dbd8378667f6e308f6a1ca42751303d

SHA512
e37fb65b6845bd3636f9da702035e3f8ac4d13aba153f0dfa53befbca3fd42ce0ae569c0576098532a9b82e258a265259572bb76fbedbd2fa26f3401d0ec541b

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
64KB

MD5
4d4a4b693473344894222079dc0fe10a

SHA1
e224756b0dccc8863b72b263d3646995ebb5b55a

SHA256
68e26d51e8e120685d7e59f342dab0761abaab612fb868e765856e690050ac78

SHA512
59cb27837a9b6f41337a90d11e895bf45e927519ca95414a502bdd0dfd1cb03c7b7d0b977f644df18096b872bb78eb94e09345b2e59d85c64b36af1133d6bb09

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
64KB

MD5
0b5e4c5aab968a65754e93c51ad94791

SHA1
7862d652f3154e824061a490704085546502f663

SHA256
5b7b330113a628511e47fafc299bc24a3fe26021e83177ac3293bf387064e8ad

SHA512
cd4799e6a1aac28adc21bad7034183a7638c9e76b48e33162fb2649b7090fbabe2594538f27db477db352ded5d7051764fd001544e47d1b18580d735e67f8cf4

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
64KB

MD5
4cb5efa58fb044317104696893b3b91b

SHA1
f954447a3dd237275eda3cbe84583d409ca36894

SHA256
98e1f63e606e955727b899ad6fcbc2ef93f8fc2b9d27ad4355890ed0f138b285

SHA512
41e52b5c97796728d0f4d2fa761526efa22a92748a8ce6a96a059791a7f0fc0ead73d66717521e684774c085c5c0c4f34d83c8028b827416ccccd70632dd7a24

Download Submit
C:\Windows\SysWOW64\Ocdmaj32.exe

Filesize
64KB

MD5
d5d69345c851e22d6de8b42a70c5711a

SHA1
5bcf02fc49e5fc60cac213db22f1c3d9cd97a97c

SHA256
037f2bda0648f690ce427234fa79c9c44eff6e97ffffecd3f2ec2bf73836cd08

SHA512
b4befc8da4118cdb13c65461add9405555823d26f1b5a58d4db83b7bb13149e0331a3b41863c7d3f5e1ea9a572eeee905c34c0cdf236b39824454fcd8d2ddefe

Download Submit
C:\Windows\SysWOW64\Odoloalf.exe

Filesize
64KB

MD5
6634f41431d34cd0c247ea6e437502de

SHA1
d70429822b26428de6975dbf390da0fbabcf333d

SHA256
a69b31be749b5f942ef289496664e5d3c287267816ef917a3a45d5b0b8164e0c

SHA512
ef72a9e16c0597a3bfa4e9e74f139cdcde84687adbfa9d6aee97f819c6229ef7d8b688a0730ec72e751d1a71d953d270c8ae88b38fc0332b10e602671bdfa273

Download Submit
C:\Windows\SysWOW64\Ohcaoajg.exe

Filesize
64KB

MD5
cea8c182dfb9e9022d9a15f1ce986df5

SHA1
3e0fd9cf745cdd6af8be2b31d2d5ab465b5d9a98

SHA256
5c43173986cce9cb2f72628a7b02a5edcd3f905ecda995b240ba4f88b373c7c0

SHA512
4108da5dc1d538b3aa49ac101a9e3a1e7dde7f35fbfec3376e84f1926ca9cacc61f41fc7f747b48e60d165e0cb8b6ba3e82e653c4b2eecdb6991eb4636e91b0b

Download Submit
C:\Windows\SysWOW64\Ojigbhlp.exe

Filesize
64KB

MD5
ff7a4ce66bd1886d557399f68248d216

SHA1
7b970b94ce62488b9be94cf23dc6406da3e7201e

SHA256
b5019374a44cd033d4b85daa3f4c93b69b87739eb1bb04625f388897d0c51706

SHA512
e92f16835e6ce7555cd1885b889e868b536711e588acce67adee04c7b495a17d5924c29c9f91f9770dac4a1decf5af2aebd7e7f2a88a7376a1df363951bcec6f

Download Submit
C:\Windows\SysWOW64\Ookmfk32.exe

Filesize
64KB

MD5
924a8d48f46fd2952318b6d51c00fe2a

SHA1
03cdfe03d5119517d1e77009574580453b0fec17

SHA256
3b8fcafb26a59971a53ef8b588c035ccfc8e2806518de01a2c4ca97274970dcd

SHA512
6c93fce570721c426a19291a2320656024d4d02fd875ca672299caaf3d67506b9f91bbfae3994e7f5d355d845c18880c644740a4cda6150001a9c3d96b186434

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
64KB

MD5
c927e4e8e6edf50d2bb9c40ec57fac23

SHA1
cf0ce567c619aff330a382361536cfdb7e2b78a6

SHA256
0029512cfc82b8e337ef0a47ad359fb2fef1db2e3ac0500bbe2c53eaa82333fe

SHA512
58de21f0072bff87551f6318a48865e6ad973363dd95f69f32f0eeb665090810f55ce0fa886754183eef6661250ef938e96a701de1fe26e00089386c7b7bf4e7

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
64KB

MD5
6c5f62f12e5433aee63033984f56dc9d

SHA1
e20cd33ceb8037dc6e251b694ae48fad97b547e5

SHA256
4bea89c0eeef8d6045fa142e7f235b427c601b89def9dc2ae0492290974368ab

SHA512
c69e1df6db20faf6bf1582459e7d6f1a077630a7c2c0d7f55311ab6f8482c91269871685d2288d25d09353805adcb22d7c1f3ddd1df5007ade457587c4c89dbb

Download Submit
C:\Windows\SysWOW64\Pcdipnqn.exe

Filesize
64KB

MD5
ed0d5366bbaff1483ea1c9fd3804b8e6

SHA1
dba5ea289a33a55cb531199dcea6b8f4c5bef459

SHA256
80b4485e42978333441b28255c2dfdafd70e46bd9dd8f3d59a4105476b18f934

SHA512
8d315c4f6d46e1e81b482c5bcf0b1f9d5ec1cfe121203f096e9f381154783824753ef88ab516d8f1a17d6a6ad8cad1d221bef79e50a15410020446cc17ef8fe6

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
64KB

MD5
c91d49b57689625e5018012ba53113be

SHA1
61f7bff29283b7bf9c4d2b1ff4e5e7db1541d653

SHA256
4c8e9e85edf5823cc64c630a24151dc3c3a802f308b9ecb315a9465acee9e524

SHA512
de055130a1d6fc8bb3fb590fe767c61a92ff8ce605c32b72710df8181991cf519da86fcd8efaba34ccddc01a0fe46d16f105e64c618f9a15f03bc7328d7991da

Download Submit
C:\Windows\SysWOW64\Pjldghjm.exe

Filesize
64KB

MD5
6d9b4813483db2ee2e5c91eaa109f601

SHA1
a6cad158bc1736cb0605b2d1e3d305524262c90b

SHA256
bb7da557c8d67acf54c48b8c67c98b044b65be25fc84b2fdefe518835f38fff6

SHA512
13e8c9810bacbe89adbf28da94caa8ea882e60554741bc0f1f91074f4ce874dd5e7333188ea7b7e189c91e5a119037a0436530bf918ce417daec104fa8e64b59

Download Submit
C:\Windows\SysWOW64\Pjpnbg32.exe

Filesize
64KB

MD5
f7f0c0a0ba3d204b1cc8c00520371fad

SHA1
03c72bdc22d9f4536cfcf828df7399583caef00e

SHA256
e82f646a3f4d2a767b33deef8c2aa27c882b1f9e965ccea40e9e4bc7f730cf77

SHA512
e9ef66c897a15dca62dfcd17120dcbf191e5ba4dfd7822805026ce58c5e6413963aa89ca7b581dd5d7b4b98ae93f47180b19964ed05c2bc802013b89ab0c451e

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
64KB

MD5
ecd97e17c6b9fcc9291fd6bfa1a97fc3

SHA1
7a016b2ab3c6b3946724f19e415efc55e049cf7f

SHA256
ffc5504b85ec25cbf2c28a751d1d1748fb7ed04762219ab52c90f8c6ff50d3ee

SHA512
7fb43d47e39b67ca70887d618ff418a45eaa3b23db99c1470f28d5ec2cdcc383b5421e6d5a650b4017baa9c4c67fed08adf035d72946654d01b5c88f9523cf92

Download Submit
C:\Windows\SysWOW64\Pnimnfpc.exe

Filesize
64KB

MD5
8a64f2442662d8a9a5b73563340ed625

SHA1
872f4c57a2fb71388511a6b4bbbc4fd2ddd841a5

SHA256
a7c3ca8b9a6a07aeb39df80b874d8243ca399ca0d09e49bbc5ced7feb8ac20f1

SHA512
98ffac9b55fba74dff186b6746fc067a7669e5680cc32806d6e8b79b54891e9028424f34cd6e795b1edbabfea8c3a0f6cd55cc19dc558c9202b8f1c14b68d883

Download Submit
C:\Windows\SysWOW64\Pomfkndo.exe

Filesize
64KB

MD5
135e5a63fde5a9e90ed4bdf0f783678a

SHA1
80b105e7368801120351a9c3495955bd60bff256

SHA256
8d33735eb9ff501d47bc9a99a573a1dc50190260525df5f78ef15ba9150caa24

SHA512
33a2b6ffd613901a6ff21ad7a4c19d552af65e62b6710c38bf7c41ae394ffc04e678e21574125f507944bd057226365c08f94c5ef015a4762a6dcb6fc69e408b

Download Submit
C:\Windows\SysWOW64\Pqemdbaj.exe

Filesize
64KB

MD5
8abe87066d947846508a42a0c5c0df7e

SHA1
3b995901b0f06abbcdd5434daaaf8b261c0f93fc

SHA256
d7b8e8b652f22b869431298b7de4f91ea85fb9f1063cd2478b49c3599368a54f

SHA512
2e9a61416a1168ad3025a30ca69700c74453d84ba85127d7d6df03d41a1ab829057c6f3748c0e146e68292bdf6074ee52075828b04613a2da70d42ae7dcfee86

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
64KB

MD5
a73e716ea82753387351f6fb2dc72f16

SHA1
98c0339df15a050fa2a029ec0f2db9ecfb5dc287

SHA256
a9d41fee3a4c2c3c127f07cc4a7b4dd6298ec38d249fbe078ee9dadc1dddc265

SHA512
c56d10d5b661ae3411a519aba29a5fb12fe4ee95ccc190f489df4649b22143c0e4b363ff7f349c9da1e04576ea98550d68caf4acc0e6a0510b35011c2a21fe91

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
64KB

MD5
798dd4c8b5970383294aa19426cc92c7

SHA1
397c9db546982565f884208b4fafbbc823e8b961

SHA256
855f014dd9cddae4368a7d909d92be2a065bf409f2189bf5521b9066f20278e5

SHA512
d18530a8510026caf198166d84b9110c276bb43db891e56aa8db0337da8f28cec7fd9a97863b26bf244ec7f04b314e008721e375723349bc0b1a13f2ba7efed5

Download Submit
\Windows\SysWOW64\Kfpgmdog.exe

Filesize
64KB

MD5
aba2f2760f87348c6ac0d7b617c45e49

SHA1
811195f65a0e5060d0c3901e8c7a15e24d1adaee

SHA256
a7784e7714156775e68dadb6a7cbd3ca17c08a9ec9415e11ce90a1866be54147

SHA512
6cfe6ba42e337b6b5c4b3bba3116874436d8b19fc1979ee1006c05312a06754ef5230247fe8b95716faab0e64f30c8749fd93449083894afed1b7321b5eb056f

Download Submit
\Windows\SysWOW64\Knpemf32.exe

Filesize
64KB

MD5
8ba9b32272066873b249275595188982

SHA1
4fe6a6abab87c2c7f10f718491c3438ea5a248ef

SHA256
f6a7d44bfd9a06d8395a634c1c3787bb938f54a4885198fb5210cdd4582738e1

SHA512
b780e724e992a19a78b15ec47d8fa4122b71c5c834175f6611ccf1d2d888bf608f3b1d342480a6d2e03506f20d5f4511aefac1d15e1e0007e06492eae1e432f1

Download Submit
\Windows\SysWOW64\Lfbpag32.exe

Filesize
64KB

MD5
56c0592d28296b74ce308f8b47554bea

SHA1
47938d1a0e1e0675437d200324a178f944cfdeef

SHA256
61a81f4c459d9dfea7590edfca5c9de762b37c0615fd0d2250bccdefe94de427

SHA512
2acd0bf203e82941cc061c4ed1af839a4b75b80dd58b05875cc52a9d1f9a6b7fe9ea3112185ca1bd7cd3c7c1acf9f1a0910439460783b38083e7c76ddcce8669

Download Submit
\Windows\SysWOW64\Lfmffhde.exe

Filesize
64KB

MD5
9fe1e1c8dd84d6a13e08ded2842bee46

SHA1
628546fea96ead83cfd547f3e9da4d2e681e2524

SHA256
58f29f29dfe73c6e385e079486c7b5dc2ce4d7d3c809ebdef77e7b8462a297fa

SHA512
0dc53e6ac4fc2e6ea3df134995c987cb0dac024f3ba1eb00678331ef0802f1e73870b0cedb21c9daae69322ed301503b56095a54a04b256beaffd37a6dcd83a6

Download Submit
\Windows\SysWOW64\Llohjo32.exe

Filesize
64KB

MD5
6d5c733f2f99eebf8a54e538e2f55bce

SHA1
d67ada1ad7b3bfd53a3db75b268ebde07a1ab013

SHA256
700ccd6ceb220c52e23cc95c800a70b83bfe507f005bcfaf84dcb89b76024247

SHA512
b250067b568da2e3c827cba10eb80785ba57c75168136c21de50d3cf05d9835a0d0b84384aacc33e63caede38ebec3f50b671ea25e0ac5abc1112a57716fb6ff

Download Submit
\Windows\SysWOW64\Lnbbbffj.exe

Filesize
64KB

MD5
f39831d4bc43c6821c8d28aa7df90a96

SHA1
2cad6859e5da2a3bd03e8464971a6b7d91496674

SHA256
56bc08332336f43fdb58086fccc563a17a5b92d729c3913eddb7f3be95c064f6

SHA512
69b1de8a9faf2c6ed1100476ca4ed24b5540a33babe0c63fe2396cc116af05782fb5360f71babe3aff4c92348fb2f5eae1ecfbea74817bda4d0a27045df8d6b0

Download Submit
\Windows\SysWOW64\Mieeibkn.exe

Filesize
64KB

MD5
72c59628805dc5cab696bb3fee08d9af

SHA1
c9e29cb7f95473462399f9946568a14880356c3c

SHA256
10d124d423789c034485462b3afdf05cfb29e43cfda3528f3a057f26e7305605

SHA512
cec6cb2b1455e090185081365fa9229ffe96c0296527f5f7ad6fd4ac3ddbbfe671826dc3a215e315d64d750651ee16f4e49b07700880a1dddfdd1ab202a9c7ce

Download Submit
\Windows\SysWOW64\Mofglh32.exe

Filesize
64KB

MD5
cd481c54a64a5a20efc28d87799accd1

SHA1
61571681819723e527c0a010df2ce88bb0c1328f

SHA256
215f1f87a2ada84e11ad221830b573a32586c115d2867954c88117ca9496813c

SHA512
b0886d1d8309f86ffbd21297496a11719b1e9877b2fc53c9bdbb6715b80154e43b2c91abe6b72976dab76f1d6cce1c440bfefb4645ed048e08d5858823c104c1

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
64KB

MD5
31842bdbf88d1c7b1b3cf34590fe8ad4

SHA1
c63c3a00a7d51156227ed68b898c9dd40d65b8e3

SHA256
087a5a38b6ab386679a363c82fc76db8c542535b0fb15c162d0de0849d3390b2

SHA512
dca6bdc5858044f5a25da3e013f491cf0d8de8f77e12b6e28233d1cafd0360d8d60e4334c3208e06ab519d06254bcf67e69fa88766073d82cf159f82ccc87b49

Download Submit
\Windows\SysWOW64\Neplhf32.exe

Filesize
64KB

MD5
5ebdd74fa5889a0305fa9261846a90cf

SHA1
10de2f9c1afc9dc19c4231e166d014237e24d66c

SHA256
cfeab050c98d38e50363c8dd29495ef8d16c727890ac48afdcc4aae99f07c656

SHA512
e3e1469819e4db06b4f70d2e28f2fbd4d263b3d0bb647512aa1eed7c9a556301eb02f05051401d058045ff03e9cefabd602c116c40073094ca3194fe45ee3710

Download Submit
\Windows\SysWOW64\Nkpegi32.exe

Filesize
64KB

MD5
efde48e62763dc8b93007db4381b4c26

SHA1
510ad2c187e2c72191ba91c180a0f2453e8c0366

SHA256
49f50a90c0754cb451889c186bb733316992a1495bf6491afe4cbd3ff41b6e41

SHA512
78c06ac990495ec49d9d7c56cbf575d1c15e226f4c2706bdfb8a7fa805bc152229c2f187045c39d2d01e4e7e89aa95103224e51103065c1a80523c6dab9a8b97

Download Submit
memory/304-147-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/304-158-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/652-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/824-264-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/824-260-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/884-359-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/884-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/884-374-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/1104-346-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1104-351-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1104-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1164-250-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1164-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1444-389-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1444-386-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1444-368-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1788-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-278-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/1796-273-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/1828-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-283-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1828-297-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1880-383-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1880-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1880-367-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1956-328-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1956-332-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1956-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2116-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2116-378-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2116-362-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2140-196-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2140-189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2160-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2160-234-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2160-233-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2224-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-172-0x0000000000230000-0x000000000026A000-memory.dmp

Filesize
232KB

Download
memory/2232-337-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2232-312-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2232-308-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-322-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2256-357-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2316-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2316-241-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2420-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-60-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/2452-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-87-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2524-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-396-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2580-182-0x00000000003C0000-0x00000000003FA000-memory.dmp

Filesize
232KB

Download
memory/2580-179-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2608-393-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2624-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2772-114-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2772-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3032-20-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/3032-25-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/3068-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-6-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads