d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe
Size

187KB
MD5

2896f7a798f8a140ed13cd89f32fd4e6
SHA1

fd413384521e728a0210fe180b9f663966c20ede
SHA256

d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17
SHA512

ce6f80a6f0f38ea24798331e788a3cee3e2a7f270f877efa6ea0b501a37b5272458f5303ed2c87cf92fe39383efc44fd66eb67f451491c766a084c94e761ba35
SSDEEP

3072:CWOTF/QjcxppMVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueH:CWOZo8ppMV+tbFOLM77OLLt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe

Executes dropped EXE 60 IoCs

pid	Process
2112	Migjoaaf.exe
3960	Mdmnlj32.exe
1372	Mlhbal32.exe
2700	Ncbknfed.exe
5056	Nilcjp32.exe
2428	Npfkgjdn.exe
2780	Nphhmj32.exe
2148	Ngbpidjh.exe
4200	Ngdmod32.exe
2036	Npmagine.exe
212	Nfjjppmm.exe
2388	Olcbmj32.exe
4216	Olfobjbg.exe
1384	Ocpgod32.exe
3000	Ocbddc32.exe
3768	Olkhmi32.exe
2160	Ogpmjb32.exe
3900	Oqhacgdh.exe
4676	Pnlaml32.exe
3084	Pcijeb32.exe
1172	Pqmjog32.exe
3712	Pfjcgn32.exe
4164	Pcncpbmd.exe
1420	Pqbdjfln.exe
3024	Pjjhbl32.exe
564	Pgnilpah.exe
1108	Qmkadgpo.exe
4868	Qceiaa32.exe
3668	Qnjnnj32.exe
4548	Qffbbldm.exe
4628	Adgbpc32.exe
1416	Andqdh32.exe
4788	Afoeiklb.exe
4416	Bnhjohkb.exe
3436	Bganhm32.exe
1640	Bchomn32.exe
1624	Bjagjhnc.exe
4040	Bmpcfdmg.exe
4596	Bgehcmmm.exe
3108	Bjddphlq.exe
2880	Banllbdn.exe
4760	Bhhdil32.exe
2056	Bnbmefbg.exe
1544	Chjaol32.exe
1548	Cmgjgcgo.exe
2916	Cnffqf32.exe
3740	Cnicfe32.exe
3476	Ceckcp32.exe
2400	Cfdhkhjj.exe
1092	Ceehho32.exe
1460	Cnnlaehj.exe
3516	Ddjejl32.exe
1784	Dmcibama.exe
1960	Ddmaok32.exe
900	Dobfld32.exe
2256	Daqbip32.exe
1188	Dhkjej32.exe
4908	Dmjocp32.exe
1600	Dhocqigp.exe
4796	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	4796	WerFault.exe	147

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 2112	3816	d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe	82
PID 3816 wrote to memory of 2112	3816	d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe	82
PID 3816 wrote to memory of 2112	3816	d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe	82
PID 2112 wrote to memory of 3960	2112	Migjoaaf.exe	83
PID 2112 wrote to memory of 3960	2112	Migjoaaf.exe	83
PID 2112 wrote to memory of 3960	2112	Migjoaaf.exe	83
PID 3960 wrote to memory of 1372	3960	Mdmnlj32.exe	85
PID 3960 wrote to memory of 1372	3960	Mdmnlj32.exe	85
PID 3960 wrote to memory of 1372	3960	Mdmnlj32.exe	85
PID 1372 wrote to memory of 2700	1372	Mlhbal32.exe	86
PID 1372 wrote to memory of 2700	1372	Mlhbal32.exe	86
PID 1372 wrote to memory of 2700	1372	Mlhbal32.exe	86
PID 2700 wrote to memory of 5056	2700	Ncbknfed.exe	87
PID 2700 wrote to memory of 5056	2700	Ncbknfed.exe	87
PID 2700 wrote to memory of 5056	2700	Ncbknfed.exe	87
PID 5056 wrote to memory of 2428	5056	Nilcjp32.exe	88
PID 5056 wrote to memory of 2428	5056	Nilcjp32.exe	88
PID 5056 wrote to memory of 2428	5056	Nilcjp32.exe	88
PID 2428 wrote to memory of 2780	2428	Npfkgjdn.exe	89
PID 2428 wrote to memory of 2780	2428	Npfkgjdn.exe	89
PID 2428 wrote to memory of 2780	2428	Npfkgjdn.exe	89
PID 2780 wrote to memory of 2148	2780	Nphhmj32.exe	90
PID 2780 wrote to memory of 2148	2780	Nphhmj32.exe	90
PID 2780 wrote to memory of 2148	2780	Nphhmj32.exe	90
PID 2148 wrote to memory of 4200	2148	Ngbpidjh.exe	91
PID 2148 wrote to memory of 4200	2148	Ngbpidjh.exe	91
PID 2148 wrote to memory of 4200	2148	Ngbpidjh.exe	91
PID 4200 wrote to memory of 2036	4200	Ngdmod32.exe	94
PID 4200 wrote to memory of 2036	4200	Ngdmod32.exe	94
PID 4200 wrote to memory of 2036	4200	Ngdmod32.exe	94
PID 2036 wrote to memory of 212	2036	Npmagine.exe	95
PID 2036 wrote to memory of 212	2036	Npmagine.exe	95
PID 2036 wrote to memory of 212	2036	Npmagine.exe	95
PID 212 wrote to memory of 2388	212	Nfjjppmm.exe	96
PID 212 wrote to memory of 2388	212	Nfjjppmm.exe	96
PID 212 wrote to memory of 2388	212	Nfjjppmm.exe	96
PID 2388 wrote to memory of 4216	2388	Olcbmj32.exe	97
PID 2388 wrote to memory of 4216	2388	Olcbmj32.exe	97
PID 2388 wrote to memory of 4216	2388	Olcbmj32.exe	97
PID 4216 wrote to memory of 1384	4216	Olfobjbg.exe	98
PID 4216 wrote to memory of 1384	4216	Olfobjbg.exe	98
PID 4216 wrote to memory of 1384	4216	Olfobjbg.exe	98
PID 1384 wrote to memory of 3000	1384	Ocpgod32.exe	99
PID 1384 wrote to memory of 3000	1384	Ocpgod32.exe	99
PID 1384 wrote to memory of 3000	1384	Ocpgod32.exe	99
PID 3000 wrote to memory of 3768	3000	Ocbddc32.exe	101
PID 3000 wrote to memory of 3768	3000	Ocbddc32.exe	101
PID 3000 wrote to memory of 3768	3000	Ocbddc32.exe	101
PID 3768 wrote to memory of 2160	3768	Olkhmi32.exe	102
PID 3768 wrote to memory of 2160	3768	Olkhmi32.exe	102
PID 3768 wrote to memory of 2160	3768	Olkhmi32.exe	102
PID 2160 wrote to memory of 3900	2160	Ogpmjb32.exe	103
PID 2160 wrote to memory of 3900	2160	Ogpmjb32.exe	103
PID 2160 wrote to memory of 3900	2160	Ogpmjb32.exe	103
PID 3900 wrote to memory of 4676	3900	Oqhacgdh.exe	104
PID 3900 wrote to memory of 4676	3900	Oqhacgdh.exe	104
PID 3900 wrote to memory of 4676	3900	Oqhacgdh.exe	104
PID 4676 wrote to memory of 3084	4676	Pnlaml32.exe	105
PID 4676 wrote to memory of 3084	4676	Pnlaml32.exe	105
PID 4676 wrote to memory of 3084	4676	Pnlaml32.exe	105
PID 3084 wrote to memory of 1172	3084	Pcijeb32.exe	106
PID 3084 wrote to memory of 1172	3084	Pcijeb32.exe	106
PID 3084 wrote to memory of 1172	3084	Pcijeb32.exe	106
PID 1172 wrote to memory of 3712	1172	Pqmjog32.exe	107

C:\Users\Admin\AppData\Local\Temp\d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe
"C:\Users\Admin\AppData\Local\Temp\d197698fcbbe066b60b75963876ccca34b8d027976e7cf6cb68d8922253b2d17.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWOW64\Migjoaaf.exe
  C:\Windows\system32\Migjoaaf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\Mdmnlj32.exe
    C:\Windows\system32\Mdmnlj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\SysWOW64\Mlhbal32.exe
      C:\Windows\system32\Mlhbal32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        61⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 416
        62⤵
        Program crash
        
        PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4796 -ip 4796
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
187KB

MD5
a1aa8889e641168cf5ca6472a0bc5080

SHA1
bab425e5781536518d7ab86434a4fcbbd7a2d6ad

SHA256
0aea0ebcead1cebf0678242b95b8c0b39385f39ac28ecbf33aee430e921365f4

SHA512
4f6120f47690e2b6c179653f83101bfd95646f59d4a6a54f09d3d6899c8bdcd8a0110740039f10cf90cd2de22c55fddc45b4d6d55d2d59ebfbb9bcd48b5e65d8

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
187KB

MD5
a87e5a0d1b78d4bee9dbeea8ba028c9d

SHA1
261cd18a60b405db9d44fb412ce964149e54df91

SHA256
7831871899998479fb1864b2deaa3510436162e7157604b477b3ad2c9c8247c1

SHA512
77f7fb02276cf3e3e1ba2969052df24ca79ce191590049620e0bebf3c70725082895bf40f30b2e20127d2704e3c773958944a53bcfd3f6acab6dda85c2eb39ce

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
187KB

MD5
5738f29af32f3571e2ee8dab6a5bafcc

SHA1
0e9c96d952c0846b94aec7f6a4f0ef0dffe00ae1

SHA256
eb35a67066742483d830f29a5aee50a0290c4633a25d396fdf7fa539ef658055

SHA512
86aabc46408e8a08adc5b817aed68406b132815cba48b745d1cdc6aafc27b5e7ba4eb2f201263ba14a8a4db3d346234a7c4ad61226e2d9074f658a7ae9f9aec1

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
187KB

MD5
ba71b01cd16bcd1bf5c823c33d1f04f9

SHA1
4fbeec6ff9535d9a7b39c6b123f43ae46e843ea1

SHA256
c40dc53b5937c2c158412a349cf53afefad6a06cb22bd15a5401825f5c31afd8

SHA512
9f8f3c3faef20206efaabdf746f273672e3a7a66f1d96ac9bb155e960eae92c65e923ac8d0a1f72a0c2b0f818adb81c8bbc7ba4121629d0cd497215febbaa04c

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
187KB

MD5
a30ceb8954d80e920fdb0a5c373f205e

SHA1
d4676e23ed7cf81f2813af89aeba607210323c88

SHA256
6799b7ebca48907a12e80907fd4954ddf12cb92bd78a9eb259494286c9f161fb

SHA512
36aa502854d0659eb2b58656c0ae46c0ad027d307b48cfbbf06945c5672d18b65429a0b85000be4165f8cf6c54061f2240fb1ff5081f2a2a88622f37872992fd

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
187KB

MD5
460b3344fdd03fd9df1eb473c916edd2

SHA1
a9bfe94bd20ded4562757478b0005aa1e18aa703

SHA256
1a6bd689c5f549e054da4798f9b009676347f4ec3e5fc52503276f014bfc4962

SHA512
26b8e7d277ca1b9dc29a0378eb193dff382d73ad0df7448d81c36b34676044c99e8443787502a160bcb655d90515044f738c4bdb7c97569f2eb095216e65be06

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
187KB

MD5
79b43616caea681a8fbe652b3129fd1a

SHA1
b61597dd076b28c4ead28b0782abeaf5aac9e7f2

SHA256
8997a79c18548a7b82fcd0967f71b3e5824aef6398ba62f5ab0d3d70c26e0085

SHA512
793556891449812fd6870d00146bb6e7034af402b999c31f7b5bd186bd76e0f32660828e6838ae049551dcbdfe0a0040e5e88efabf4e6459f6e3078dc35ccbd4

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
187KB

MD5
b662a89add54ef41f0ceca6d5ef83f87

SHA1
59572f03e552f2e63f2aaa52cd705a5a35dcfab7

SHA256
82f43162f82b5ef8bc18d6de2357a2c88bff9efee018980eaf67aab220ab2f6c

SHA512
40603b48b6724f401940b71bf21ef74ee6c7c98498e1440beba1fc56b17942319d994175fe376e082c4a2ba48c4b54c6332813521c376fe8c92120f01f137ce7

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
187KB

MD5
dbdf7385315c78ba4d574dc1f33173ac

SHA1
05bcce7540a90866361e1926d60819c6d3f6d5ef

SHA256
ca949a4649bd15ae7a90ccb85f603ee60a43706ca17d09736b181557288be931

SHA512
2d14946d8febfeaa044fe7965fc92743ce2d29fc1b057f23c38b86f3ad93a6fde3e4af56d24550ebc7b2ed053a20f566140004ca164f4baab9fbf8e5cd871f57

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
187KB

MD5
f37a91a347cf3a1f2958900ba5f0a5bd

SHA1
87b9182a34af800341126d60badf7700cecd0720

SHA256
f211b203eb75234779188ac0674cfee0d1c3716f7a69084b2996c73903552a6e

SHA512
a79fbf8fac5933311b347861f9f513b4cf0acf8619fe9fcc5a24b14a900d1109aca7db2c2d6e7490d4b61e7e98cfa9bbe895b7df3ea923a73f6097a797a1d9bb

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
187KB

MD5
f45400edf05b5b225e82f0973893c950

SHA1
e7c53d339cab20d8534803eaa39276a464d639e6

SHA256
6e0daeb4d09fbda385c8050a95de700ef8d0e19bc05c52cdf747c35fb4eaf999

SHA512
c9d7486829bd44d5a8e416f6199c0bd074d4bdce95c998081caa48779cc006f805245abe78b2b9f8951d077a1d2130c42edf0d01ca9a11de6540c41055e8ea39

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
187KB

MD5
8561bfe23895965a77cbe74422379dcd

SHA1
ece67c0f9e481f32a876bf84975f75c1e3c47340

SHA256
b866c8de5e32160ca20713e76cb5cc5ccc75b3de3a9d50d526a9eb389bc42922

SHA512
c5ec9c308b9130094c5bb524daf16b031277e288efd9382451ef23148729670d4b02eecc3234a95f89d52390ad4c7ba9d2caa7014e151761b42eeeed40171882

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
187KB

MD5
67df501b8177adda5ccbeda4de0d766d

SHA1
6d00ae2c345e18e47daea89926861398e0c8cce6

SHA256
4e17fd6dd3a4fd61bc18a19d10475cf931d908950303510ef404b007cc4f4150

SHA512
d159ff6a81cd4e123b0f53917bfc38fd957c1e5549bbdb44a2cb5ec71204129ca1bd6597375c9810104c976c6137aca50e52045d68f0b6b0805896660626674f

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
187KB

MD5
db0d8a999694c33f4e85900d56fc56df

SHA1
64ba9ddbe9519e9cef16331770e62bd12a3d9d2e

SHA256
3ce8fb8a155836dae2a94108c108e4b2e8b065ee72ec682b0bca87375ac7a5bc

SHA512
bf820f4ec8f31438d8941fe19560286025378a91d7e9939e0ed33bff3b21d0d3646c9e71a737f5aa6b3d83333c6c474bff9ea1982197f978ddfce95e8a4e0eb1

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
187KB

MD5
ac6121a6a102e3bbccb2e79a82b91515

SHA1
b6ca1bb666b14d8cd76926c113da0678d7fb04b6

SHA256
975e86eadab25b5cc515134b2a0553555777881985c4c11d75d641bb1e691865

SHA512
400176d6ab3b09b92c9ce0c0447981c6d45df8ada3813273068c8cd3fe542de179d2deaad2410b52930a6605c3a29f986aa9965cef5ee0641425956cc4b688a5

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
187KB

MD5
2d7436b818383d5ec21988c713cb3978

SHA1
aa3e08b3c84e7a8d5d836c92b59f6697cfa8509f

SHA256
f2b01080cb27820653d8943af3e0015afaf29549684d0ae040a5d4fb37a3e817

SHA512
a75fb10d194496859107c8c67b4526919de1b13b3524a41896434f206917d7b1652ead800a6e81428e91690413bc4d39731c11848b3b2505370655fd1dde6dfb

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
187KB

MD5
5926285ac5f8b1783993f42211aef0d4

SHA1
59feac830fbd43b8b4c6b6d74450fe88bef6ffe5

SHA256
f0ed1b066e1dc3157678348a2907723d1e33d8a97eaea297af3ee2468e6736c4

SHA512
63338bf415a9a9cc0f728792e5247278b3dadc450433969ca0ed0873266de7c4624a59995df814127f70db38983d1e87c49cb629dcf17bfd9046c63badb2e427

Download Submit
C:\Windows\SysWOW64\Odgdacjh.dll

Filesize
7KB

MD5
0302c697797288d65d488a3be1cf82a9

SHA1
368ff0f45a9604f201f4784b428b6dadfbec295b

SHA256
52e29f250e66da2e5d240b7af2a4862468fcd15dd9761b79065934a8f8b12f9c

SHA512
880756381bf5b3f52b7a7a0a2403ae90adfe8671f68a003cfc97549ce2cbae3c46c28c5f061f3f758435c0163c645ccfe7e3a05985ffac3e26514f8d39a5b864

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
187KB

MD5
99b697e5bd06d8e2c6d45f49c3c14967

SHA1
53e9a1a9a397445eb1c614bbc867cb1c3e46c8b4

SHA256
61f30e09de6d5a2381cb3cf9d91b1691ed9d937a829f09f6d5db89edad1261ce

SHA512
5eee6d436cf90df7794015af79e4328b8bf79d3d928de09e3a37087c3737035ed9cc618b3f3de163c3f8b53a63d291d92bff5d623a05f863942fa6e2f0942929

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
187KB

MD5
bd0cab46a87b5336a3fb85d434110839

SHA1
a306aba06f3cbdb95a5ada1229bc591e9b05041b

SHA256
064841530f6ef0b4f5b49d339907f2e326424b54dca8ede09927573c58872d4a

SHA512
8f1e7f8fe5435ae1a6d22e0b194d679055ea7ee386edcb0ed1b01f565423fb24661d1c6ec8029ca33c39be67e14dfd1849f863eab2612fb4b024e7bc4326de68

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
187KB

MD5
a758dbf4e74ba8c1db94ef830ac3536c

SHA1
b3986237181632e08b67f0118cf12848a5125785

SHA256
6ff26fd3cfd9f684974cdae450c37fb07b59269e02b9f29a77f146dd255c7959

SHA512
d9f036d948c5b83e5eff9fed194feb173dda830f3e79a1657d9d6264bf30de16ca2983d87b6b7a6c34141c4fb238a45e7514706fbd8662ea01b98ea6c8f0ab46

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
187KB

MD5
abed85bd45ac51f76f0fe37f8f66c4e5

SHA1
ad8ae7118e500547d174e0918a0f56c94a82981d

SHA256
bf84ef92468ca76b88b0efb5d8997ee3f027f4a2253946424ffec3b942ecd9ef

SHA512
0e40f1632d431ff085f2d11c991b8be62417686b8d0eed50574ff496a6baf2bb594df0c053a765239e3ba4c01ffaa614e1fb1a6c404f980263424884bdd6869a

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
187KB

MD5
09a13c5bad3d1ae11ccf6d4937d74cfe

SHA1
2fab87172009b9ecf0191e54acd9cd3b2fc8079f

SHA256
694c995fba62b27e36647758567f344a375887b6d780249a4aeeac5fa63cc4f7

SHA512
8cfdb26dda58a970f8f9c01e03b84f12ba5736244b1768e1e66d1fc08d534061335527e9c20a825558c56052c53ed65cf7800aa2777d6bbee4da952aab896aa8

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
187KB

MD5
42d3e0bd220682afc9b8eb991dcb0919

SHA1
b0b37397e0239fa500430120af60c6442569b861

SHA256
bd5c17f39322c661ea9137ef84f7a323259e86bf0ae9fa438f7dd97062d74409

SHA512
a5b5f67ea4387c95b275de3acbb2c242efeab645366059f0da27f5536fc2954ae3493ff78e88bf4787d3d939cefb4a77b9daede2c77d9a49b78df8f31a328c7e

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
187KB

MD5
118c415fd155289d1c8512d831ca387d

SHA1
6c7988932a6cb3806396c269af3563f663027952

SHA256
7f618895c5fc25076ddd52605f8c42092f570900af39be6175152cb36bb269e6

SHA512
13b2a15d86a517669ec88a264039e687e90c8613d3979a5805cda0150740e0e2b7902c1b2d85f53187356f7a3d043d7e47f6f9bdf3f4628709dfac6a5ff86dce

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
187KB

MD5
68a163d4bbef9b6ee218c96f60426c4c

SHA1
ee970b3cec8cae618c47033cc2fb31a12d01dcd5

SHA256
864e5ee89c376e56eb18691a86a38e703fd9e05eff7b4c417f6addcb7d3ce610

SHA512
8d94ca4df1b884f2fa29bca007eaf91a4d4122dcb9fffd1b6e9c95405aebc8cb2ae9fb44f02ca07b2c9c574a58fff1d1934cf384b06b2ce099d85a30ac2f0491

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
187KB

MD5
fc4987a3f25f369bf302cdf3722b9944

SHA1
ce2e2098b968cd4880417d2614d7bce7076c7009

SHA256
98a8251a57aa3a81be4cf5396653d49469ca91fff898747437e3e2531ed5e577

SHA512
92f681aec7b7f4d2398a59c531b0f9d74fadfadbf1aaaf2f856cbe77db5d9b89378b3537ac9b0b5992445e3b16f1e856ce21959373f2b77de074dd74a237b44a

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
187KB

MD5
1bff1cc342de0de5d00e4c977670adc8

SHA1
175e18e76415d01c88e68c77011e7858ecf42fdf

SHA256
7c1c5d11dc7a9e5e498cefaeb56fa4f97b6bf11fccbffe4b51d915d148df1640

SHA512
8138f04f840c088a51def880006c9ec88ac4beaf0637561e0d909c42889261367209d9d695555879abedb54c2f4d94e6e3ea679267a5a8b8fe418b69f16af2f4

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
187KB

MD5
8f3b48e85bdeff918e235388e123662c

SHA1
4ee7478b4da59d5e8247165e585601b6a260cd9a

SHA256
5e61f827e50f972cc1dd52d2a6b330b2971f7a36eb5d7765817f81fa8d09c48f

SHA512
1efca7c879747d7a26e17da192d0f18f791ec217925e6a9dda564ad6389166df85fdca9a8bae50a5a3c9733bab99d1e2519322b721578e1e25e571eaa79da91f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
187KB

MD5
bfc186096b04f0302bf1b619b0584d6b

SHA1
1ecb5bdaf536589b5b4552723bbe639d3f164d7b

SHA256
e21ecca13b8b699e5e80303a993a3c80649c9d956a3090ca3d76718e175c817a

SHA512
066b881087f96d691a3768c9242e4d8d5d32a84ff495de2cc4d81e07cc8a0c163a249865d5e060d21913542826028146a587fab90ff15d51eef5a573eb3d6766

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
187KB

MD5
3e457e7437945a9d79c12559a1ca8f7b

SHA1
bc2c7d00b1873831e7e5a2b208b21ebe80e27a56

SHA256
d9ad9f6faf9ce1089c68df69d2b88e931011d6b306ba15c038013a8bd7514a8c

SHA512
8df0e5b4f52949b55d888c869123ed186fd1b88b9d88144acf599c81946113150fe04bbf5d32b89eb487e4a6709214e27e2c15bf10dbfea42bcf03a6575e94cc

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
187KB

MD5
135919b091c5f8a2983314a6e97544d3

SHA1
ecf741246ad0d0ff5a2ed23a8c7d11c153fb426c

SHA256
85d87b628482d2e72606aac6831762e4ce5ea0ed75063f40a2956b1178a22dd5

SHA512
9351102eaf54e3fa7bd048a1bcfccefd96138705cd777a0149951ed07d4047374654465d0948155f1d60194ba0d288fe53093ef7c806f7280dc55e5f7669bfc0

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
187KB

MD5
baf2e596dc6d4ba73d1d13b19d2ea0ea

SHA1
f333c9ba16bdea0e7a584aa5a65b4ecdec319053

SHA256
822392d30e3e38b219aa025d22935992f368ea9dd915bd5a609811fce267aac6

SHA512
3507ea1748cc44647631897678631cb0370c1f84c15e3e03c3cb305a65aba4cd88ca0923f1f978c311c00caab3a54b16bbb282082c1645a4ee76ac2682c0a0c6

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
187KB

MD5
f4e17c4edbb266f79dbcc4ea2c411885

SHA1
b5f1e94289259d948b4507fa912ecc55101168f2

SHA256
c1b2d9ba6419128f4f337a97ddd89fb0092d48b38d9995339b01618eca80e8fc

SHA512
468b1b2ff46a131c1811c2e7bbd7dc6b3267d08c75bf824aeaf88d306ebf90e3a252a9866cd4358a270c832283a707008b33ba3bed8a66a479369b3d35146435

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
187KB

MD5
78231ea6e63aabb8a39c3322b61a6241

SHA1
a54069aa4520e0329ff34794a72f42e2740c887d

SHA256
ee2278b798ad9ce42a12c6b2544f48d9e4e69cfc484b562617923349d07320d4

SHA512
91931118f7b82265830ed10c4275b3229129427285926bda26f26f0a467c773989b92fa44fc8d7da5813c1c40587890fecedd5cda734b8f0a050411841afa928

Download Submit
memory/212-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads