c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 01:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
Size

224KB
MD5

ad318751a1f3a36049c15e6f52785eff
SHA1

3a22015a13b4d1e507e7751e639315efb1b984d7
SHA256

c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5
SHA512

0afb400c55bc0ef72ed22f99b85678ab83568d0865d79123c35bc471dff92045a8341e3eef3c4d04e47f1e84b6b0feaa91cfc3dd4d5829a10c62afec1a5bc2c3
SSDEEP

6144:gDUAIdNTNuMZxit6mPNE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:e4ZaAD6RrI1+lDML

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmdoioa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Behnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbdjhmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcecjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcpofbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pedleg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oobjaqaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaaoij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onmdoioa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcnbablo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oobjaqaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abmbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhndldcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pedleg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pggbla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdeeqehb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bblogakg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdbdjhmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppkph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obcccl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odobjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aehboi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaaoij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeeqehb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obcccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkpagq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqpgol32.exe

Executes dropped EXE 40 IoCs

pid	Process
1728	Onmdoioa.exe
2952	Ojcecjee.exe
2572	Oobjaqaj.exe
2556	Odobjg32.exe
2780	Obcccl32.exe
2472	Pedleg32.exe
1444	Pkpagq32.exe
1904	Pggbla32.exe
320	Pcnbablo.exe
1944	Qcpofbjl.exe
592	Qedhdjnh.exe
2768	Aehboi32.exe
1360	Abmbhn32.exe
2804	Aaaoij32.exe
1192	Bhndldcn.exe
2300	Bdeeqehb.exe
3048	Behnnm32.exe
2376	Bblogakg.exe
3012	Bbokmqie.exe
1820	Blgpef32.exe
1256	Cdbdjhmp.exe
1756	Cnkicn32.exe
568	Cddaphkn.exe
2168	Cpkbdiqb.exe
2276	Caknol32.exe
1656	Cppkph32.exe
2164	Djhphncm.exe
1632	Dhnmij32.exe
2240	Dbfabp32.exe
2996	Dfdjhndl.exe
2676	Dolnad32.exe
1220	Dkcofe32.exe
1744	Eqpgol32.exe
2444	Egllae32.exe
2404	Eqdajkkb.exe
2220	Ejmebq32.exe
1532	Ecejkf32.exe
2396	Efcfga32.exe
2600	Eqijej32.exe
876	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
1996	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
1996	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
1728	Onmdoioa.exe
1728	Onmdoioa.exe
2952	Ojcecjee.exe
2952	Ojcecjee.exe
2572	Oobjaqaj.exe
2572	Oobjaqaj.exe
2556	Odobjg32.exe
2556	Odobjg32.exe
2780	Obcccl32.exe
2780	Obcccl32.exe
2472	Pedleg32.exe
2472	Pedleg32.exe
1444	Pkpagq32.exe
1444	Pkpagq32.exe
1904	Pggbla32.exe
1904	Pggbla32.exe
320	Pcnbablo.exe
320	Pcnbablo.exe
1944	Qcpofbjl.exe
1944	Qcpofbjl.exe
592	Qedhdjnh.exe
592	Qedhdjnh.exe
2768	Aehboi32.exe
2768	Aehboi32.exe
1360	Abmbhn32.exe
1360	Abmbhn32.exe
2804	Aaaoij32.exe
2804	Aaaoij32.exe
1192	Bhndldcn.exe
1192	Bhndldcn.exe
2300	Bdeeqehb.exe
2300	Bdeeqehb.exe
3048	Behnnm32.exe
3048	Behnnm32.exe
2376	Bblogakg.exe
2376	Bblogakg.exe
3012	Bbokmqie.exe
3012	Bbokmqie.exe
1820	Blgpef32.exe
1820	Blgpef32.exe
1256	Cdbdjhmp.exe
1256	Cdbdjhmp.exe
1756	Cnkicn32.exe
1756	Cnkicn32.exe
568	Cddaphkn.exe
568	Cddaphkn.exe
2168	Cpkbdiqb.exe
2168	Cpkbdiqb.exe
2276	Caknol32.exe
2276	Caknol32.exe
1656	Cppkph32.exe
1656	Cppkph32.exe
2164	Djhphncm.exe
2164	Djhphncm.exe
1632	Dhnmij32.exe
1632	Dhnmij32.exe
2240	Dbfabp32.exe
2240	Dbfabp32.exe
2996	Dfdjhndl.exe
2996	Dfdjhndl.exe
2676	Dolnad32.exe
2676	Dolnad32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cnkicn32.exe	Cdbdjhmp.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Dfdjhndl.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Ojcecjee.exe	Onmdoioa.exe
File created	C:\Windows\SysWOW64\Aaaoij32.exe	Abmbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Eqdajkkb.exe	Egllae32.exe
File opened for modification	C:\Windows\SysWOW64\Ejmebq32.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Pggbla32.exe	Pkpagq32.exe
File created	C:\Windows\SysWOW64\Bnilfo32.dll	Pggbla32.exe
File created	C:\Windows\SysWOW64\Behnnm32.exe	Bdeeqehb.exe
File opened for modification	C:\Windows\SysWOW64\Dfdjhndl.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Eqijej32.exe
File created	C:\Windows\SysWOW64\Pedleg32.exe	Obcccl32.exe
File opened for modification	C:\Windows\SysWOW64\Pkpagq32.exe	Pedleg32.exe
File created	C:\Windows\SysWOW64\Bdacap32.dll	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Cbcodmih.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Eqpgol32.exe	Dkcofe32.exe
File created	C:\Windows\SysWOW64\Gdidec32.dll	Cddaphkn.exe
File created	C:\Windows\SysWOW64\Ecdjal32.dll	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Hjkbhikj.dll	Pcnbablo.exe
File opened for modification	C:\Windows\SysWOW64\Aaaoij32.exe	Abmbhn32.exe
File created	C:\Windows\SysWOW64\Pbkafj32.dll	Blgpef32.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Eqpgol32.exe	Dkcofe32.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Pcnbablo.exe	Pggbla32.exe
File created	C:\Windows\SysWOW64\Bpooed32.dll	Bbokmqie.exe
File opened for modification	C:\Windows\SysWOW64\Egllae32.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Odobjg32.exe	Oobjaqaj.exe
File opened for modification	C:\Windows\SysWOW64\Bdeeqehb.exe	Bhndldcn.exe
File created	C:\Windows\SysWOW64\Nanbpedg.dll	Cnkicn32.exe
File opened for modification	C:\Windows\SysWOW64\Caknol32.exe	Cpkbdiqb.exe
File opened for modification	C:\Windows\SysWOW64\Cpkbdiqb.exe	Cddaphkn.exe
File created	C:\Windows\SysWOW64\Bplpldoa.dll	Bdeeqehb.exe
File opened for modification	C:\Windows\SysWOW64\Bbokmqie.exe	Bblogakg.exe
File created	C:\Windows\SysWOW64\Oglegn32.dll	Abmbhn32.exe
File created	C:\Windows\SysWOW64\Mhkdik32.dll	Caknol32.exe
File created	C:\Windows\SysWOW64\Gljilnja.dll	Pedleg32.exe
File created	C:\Windows\SysWOW64\Abmbhn32.exe	Aehboi32.exe
File created	C:\Windows\SysWOW64\Cddaphkn.exe	Cnkicn32.exe
File opened for modification	C:\Windows\SysWOW64\Ojcecjee.exe	Onmdoioa.exe
File created	C:\Windows\SysWOW64\Kaplbi32.dll	Obcccl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhnmij32.exe	Djhphncm.exe
File opened for modification	C:\Windows\SysWOW64\Dkcofe32.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Qiejdkkn.dll	Oobjaqaj.exe
File opened for modification	C:\Windows\SysWOW64\Aehboi32.exe	Qedhdjnh.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Ecejkf32.exe
File opened for modification	C:\Windows\SysWOW64\Onmdoioa.exe	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Bblogakg.exe	Behnnm32.exe
File opened for modification	C:\Windows\SysWOW64\Oobjaqaj.exe	Ojcecjee.exe
File created	C:\Windows\SysWOW64\Bgmefakc.dll	Odobjg32.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Njabih32.dll	Behnnm32.exe
File created	C:\Windows\SysWOW64\Caknol32.exe	Cpkbdiqb.exe
File opened for modification	C:\Windows\SysWOW64\Bblogakg.exe	Behnnm32.exe
File created	C:\Windows\SysWOW64\Dhnmij32.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Obcccl32.exe	Odobjg32.exe
File opened for modification	C:\Windows\SysWOW64\Behnnm32.exe	Bdeeqehb.exe
File opened for modification	C:\Windows\SysWOW64\Eqijej32.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Onmdoioa.exe	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
File opened for modification	C:\Windows\SysWOW64\Bhndldcn.exe	Aaaoij32.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Pkpagq32.exe	Pedleg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
476	876	WerFault.exe	67

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccnnibig.dll"	Aehboi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oobjaqaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcpofbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglegn32.dll"	Abmbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdbdjhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojcecjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlafm32.dll"	Ojcecjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcnbablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdeeqehb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll"	Pedleg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bblogakg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgklabn.dll"	Qcpofbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcpofbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aehboi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cppkph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odobjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obcccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkbhikj.dll"	Pcnbablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abmbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdeeqehb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkafj32.dll"	Blgpef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caknol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhndldcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onmdoioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiejdkkn.dll"	Oobjaqaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkpagq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abmbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjajfei.dll"	Bblogakg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll"	Cnkicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmefakc.dll"	Odobjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egllae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkpagq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaaoij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpiddoma.dll"	Cdbdjhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhdd32.dll"	Pkpagq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcnbablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbikjlnd.dll"	Onmdoioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaplbi32.dll"	Obcccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pedleg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qedhdjnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Behnnm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1728	1996	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe	28
PID 1996 wrote to memory of 1728	1996	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe	28
PID 1996 wrote to memory of 1728	1996	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe	28
PID 1996 wrote to memory of 1728	1996	c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe	28
PID 1728 wrote to memory of 2952	1728	Onmdoioa.exe	29
PID 1728 wrote to memory of 2952	1728	Onmdoioa.exe	29
PID 1728 wrote to memory of 2952	1728	Onmdoioa.exe	29
PID 1728 wrote to memory of 2952	1728	Onmdoioa.exe	29
PID 2952 wrote to memory of 2572	2952	Ojcecjee.exe	30
PID 2952 wrote to memory of 2572	2952	Ojcecjee.exe	30
PID 2952 wrote to memory of 2572	2952	Ojcecjee.exe	30
PID 2952 wrote to memory of 2572	2952	Ojcecjee.exe	30
PID 2572 wrote to memory of 2556	2572	Oobjaqaj.exe	31
PID 2572 wrote to memory of 2556	2572	Oobjaqaj.exe	31
PID 2572 wrote to memory of 2556	2572	Oobjaqaj.exe	31
PID 2572 wrote to memory of 2556	2572	Oobjaqaj.exe	31
PID 2556 wrote to memory of 2780	2556	Odobjg32.exe	32
PID 2556 wrote to memory of 2780	2556	Odobjg32.exe	32
PID 2556 wrote to memory of 2780	2556	Odobjg32.exe	32
PID 2556 wrote to memory of 2780	2556	Odobjg32.exe	32
PID 2780 wrote to memory of 2472	2780	Obcccl32.exe	33
PID 2780 wrote to memory of 2472	2780	Obcccl32.exe	33
PID 2780 wrote to memory of 2472	2780	Obcccl32.exe	33
PID 2780 wrote to memory of 2472	2780	Obcccl32.exe	33
PID 2472 wrote to memory of 1444	2472	Pedleg32.exe	34
PID 2472 wrote to memory of 1444	2472	Pedleg32.exe	34
PID 2472 wrote to memory of 1444	2472	Pedleg32.exe	34
PID 2472 wrote to memory of 1444	2472	Pedleg32.exe	34
PID 1444 wrote to memory of 1904	1444	Pkpagq32.exe	35
PID 1444 wrote to memory of 1904	1444	Pkpagq32.exe	35
PID 1444 wrote to memory of 1904	1444	Pkpagq32.exe	35
PID 1444 wrote to memory of 1904	1444	Pkpagq32.exe	35
PID 1904 wrote to memory of 320	1904	Pggbla32.exe	36
PID 1904 wrote to memory of 320	1904	Pggbla32.exe	36
PID 1904 wrote to memory of 320	1904	Pggbla32.exe	36
PID 1904 wrote to memory of 320	1904	Pggbla32.exe	36
PID 320 wrote to memory of 1944	320	Pcnbablo.exe	37
PID 320 wrote to memory of 1944	320	Pcnbablo.exe	37
PID 320 wrote to memory of 1944	320	Pcnbablo.exe	37
PID 320 wrote to memory of 1944	320	Pcnbablo.exe	37
PID 1944 wrote to memory of 592	1944	Qcpofbjl.exe	38
PID 1944 wrote to memory of 592	1944	Qcpofbjl.exe	38
PID 1944 wrote to memory of 592	1944	Qcpofbjl.exe	38
PID 1944 wrote to memory of 592	1944	Qcpofbjl.exe	38
PID 592 wrote to memory of 2768	592	Qedhdjnh.exe	39
PID 592 wrote to memory of 2768	592	Qedhdjnh.exe	39
PID 592 wrote to memory of 2768	592	Qedhdjnh.exe	39
PID 592 wrote to memory of 2768	592	Qedhdjnh.exe	39
PID 2768 wrote to memory of 1360	2768	Aehboi32.exe	40
PID 2768 wrote to memory of 1360	2768	Aehboi32.exe	40
PID 2768 wrote to memory of 1360	2768	Aehboi32.exe	40
PID 2768 wrote to memory of 1360	2768	Aehboi32.exe	40
PID 1360 wrote to memory of 2804	1360	Abmbhn32.exe	41
PID 1360 wrote to memory of 2804	1360	Abmbhn32.exe	41
PID 1360 wrote to memory of 2804	1360	Abmbhn32.exe	41
PID 1360 wrote to memory of 2804	1360	Abmbhn32.exe	41
PID 2804 wrote to memory of 1192	2804	Aaaoij32.exe	42
PID 2804 wrote to memory of 1192	2804	Aaaoij32.exe	42
PID 2804 wrote to memory of 1192	2804	Aaaoij32.exe	42
PID 2804 wrote to memory of 1192	2804	Aaaoij32.exe	42
PID 1192 wrote to memory of 2300	1192	Bhndldcn.exe	43
PID 1192 wrote to memory of 2300	1192	Bhndldcn.exe	43
PID 1192 wrote to memory of 2300	1192	Bhndldcn.exe	43
PID 1192 wrote to memory of 2300	1192	Bhndldcn.exe	43

C:\Users\Admin\AppData\Local\Temp\c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe
"C:\Users\Admin\AppData\Local\Temp\c6f2a691cde15ca317f5755981313c95423eb1905f725812ec05947f8e46d4e5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\Onmdoioa.exe
  C:\Windows\system32\Onmdoioa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\Ojcecjee.exe
    C:\Windows\system32\Ojcecjee.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\Oobjaqaj.exe
      C:\Windows\system32\Oobjaqaj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Odobjg32.exe
        
        C:\Windows\system32\Odobjg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Obcccl32.exe
        
        C:\Windows\system32\Obcccl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Pedleg32.exe
        
        C:\Windows\system32\Pedleg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Pkpagq32.exe
        
        C:\Windows\system32\Pkpagq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Pggbla32.exe
        
        C:\Windows\system32\Pggbla32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Pcnbablo.exe
        
        C:\Windows\system32\Pcnbablo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Qcpofbjl.exe
        
        C:\Windows\system32\Qcpofbjl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Qedhdjnh.exe
        
        C:\Windows\system32\Qedhdjnh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Aehboi32.exe
        
        C:\Windows\system32\Aehboi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Abmbhn32.exe
        
        C:\Windows\system32\Abmbhn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Aaaoij32.exe
        
        C:\Windows\system32\Aaaoij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Bhndldcn.exe
        
        C:\Windows\system32\Bhndldcn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Bdeeqehb.exe
        
        C:\Windows\system32\Bdeeqehb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Behnnm32.exe
        
        C:\Windows\system32\Behnnm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Bblogakg.exe
        
        C:\Windows\system32\Bblogakg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Bbokmqie.exe
        
        C:\Windows\system32\Bbokmqie.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Blgpef32.exe
        
        C:\Windows\system32\Blgpef32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cdbdjhmp.exe
        
        C:\Windows\system32\Cdbdjhmp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Cnkicn32.exe
        
        C:\Windows\system32\Cnkicn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Cddaphkn.exe
        
        C:\Windows\system32\Cddaphkn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\Cpkbdiqb.exe
        
        C:\Windows\system32\Cpkbdiqb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Caknol32.exe
        
        C:\Windows\system32\Caknol32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Cppkph32.exe
        
        C:\Windows\system32\Cppkph32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dkcofe32.exe
        
        C:\Windows\system32\Dkcofe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        41⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 140
        42⤵
        Program crash
        
        PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaaoij32.exe

Filesize
224KB

MD5
a5adf39db7a77a71d9395838dd2953b4

SHA1
c618f034230a0598b20be82aa48ca5f628c66cf3

SHA256
6d945bb78b310ee38062f04433c4cabebaacfefc67c6063c4facdd2807f5b786

SHA512
59c0d11ae2c855298ca3eb986bf27cfcf86b50d7dd855a4bf66e4d59775072837da63d00d6b66c2d8cbf65990eb6df7ac2e05c222b31314b8f8ef6d92799e0c3

Download Submit
C:\Windows\SysWOW64\Bblogakg.exe

Filesize
224KB

MD5
ba468833b24a31b4d107d5ec3f7d6dc7

SHA1
afa89b992300709c336bc5bdadea3429419350af

SHA256
451e7fc575b24d3690d4a934894e49062bef5f68b9ca4ddba9c60225528d1465

SHA512
1ddbd5ff3389838cea7bea683ec25fe3f3b9380663c4cdd24cd837885d18c4bfb5c64584fd8b5cad85140c84d731e2ba6ddcb0168ae7ae344cf8b2af177d320e

Download Submit
C:\Windows\SysWOW64\Bbokmqie.exe

Filesize
224KB

MD5
10b17fcb695e7733f489730d5b741296

SHA1
c9da73aeeb6f4d64092a5fa27b652f3741a43c48

SHA256
946cb3af64e68e5103c6b2d9c13ea47e7537b0495745b1776a321fff4cb4d780

SHA512
e612bb190e55d853800fa657c7961a8fcb2a40c6c1864ac62554387d2f95d811bc0aa5d2ea1188429714762e1d9e22b5fa25b5d7cd9d02c76cf00253664e9e33

Download Submit
C:\Windows\SysWOW64\Bdeeqehb.exe

Filesize
224KB

MD5
02a09e59a0e55ba002cf6ed2df574cee

SHA1
38483443fcec992a283a24beafdbc44f5febf32e

SHA256
b89d7614535bedf4c56902b3bbfc524fe5137327f90296da0c56e8e9d3f8dacc

SHA512
5e8a9c00dad54aa53e67b17b657d5bc337a6b088f69e91b14d881c18517682c55f47dcc47d5a6724ff1633ee2bfb77b3de8e7f41a3041adf52d6094697b66263

Download Submit
C:\Windows\SysWOW64\Behnnm32.exe

Filesize
224KB

MD5
7a4faf6b4f51a324c722a6dca6a4567c

SHA1
40db618059ac2d820b43966007fe0ec2525616ac

SHA256
b94ebf8800a296725f040f3278a97d6349c08a0b0b7962e33826d97ae2bd5e9e

SHA512
b20c1f8ef554aeba583101a71df55c271a632973346ed6dff12f361b24e15887c4e6e31479006032ef09d0d4c5aba1cc06f33f6fe6d35d3fd608002026dcbdba

Download Submit
C:\Windows\SysWOW64\Bgmefakc.dll

Filesize
7KB

MD5
fddb4a05a192a7229207b78bff597a95

SHA1
744794fae33df39944cf263b1b0dd75b6799d2ab

SHA256
283906307581b6f8364bd838afcbc27e55d121ac8a66561243ee93ab50b03b26

SHA512
9fee3d5b9edb2c3611ad21738fcc52bd9bd270cb5eb88dc2f3e7791d6ce57f450efef9b9089ca932c95524a0824a71da07ea27169f579481e01cd32f3b6f2f98

Download Submit
C:\Windows\SysWOW64\Bhndldcn.exe

Filesize
224KB

MD5
341285efe58a66bc7bf1550746a8a55f

SHA1
47908631a2105d2cf03776032cb4118920e2192b

SHA256
ca4ed991842928ed12c7f3dfc9007d7f379be9c6d32240358b4e04618efe0a0e

SHA512
6a172b1c4475961bdb9c9f92f83bfc727dcc95d1e00632ed46cea6ac600e54fef37cfb6728cdd4b4a11d2d3182a1e25046fbdd3908489cb2e67deea53a695dd7

Download Submit
C:\Windows\SysWOW64\Blgpef32.exe

Filesize
224KB

MD5
175fa26e393e2bd31ca71a4cd9ecb1a6

SHA1
f6379d29bfb0d3342d409e41c5f24f0d7cd1085e

SHA256
3f7d6e6253a46d11883631a989410c2f3fc53a954d1ecbaffef4d5f7281aeee7

SHA512
92e8f12b2f39127b384c49ae4307f108a178968eb3f2dbfe7944a54b5cc571a981a645cdedee3f88e543938f185e71d1b53ee4967fe24eca877f1bee25be5856

Download Submit
C:\Windows\SysWOW64\Caknol32.exe

Filesize
224KB

MD5
f93ff20e754e9c4c718a678e909258d7

SHA1
92f9e5a4475cae551ab2ff46cb774af6e89eed9a

SHA256
115a037f7ead76da21e547c064da20ffd78fcb2385b57406457ef0ea7d9f013f

SHA512
7221fc9483881ae7f97946835917d3f4d9be816724e416fec404d22bb8fface534d036fe05091aefc2562383cb35e10d8462bf8d27bd44f311acc13279187f8f

Download Submit
C:\Windows\SysWOW64\Cdbdjhmp.exe

Filesize
224KB

MD5
adb5db7b8509c4b7cdbe625d2e7c0b03

SHA1
37527cd714d882396da70dbb5518889b070f5eea

SHA256
46cd433e331b653d921bfc01211a756d769546e8b115f4c3ee91f9a5eaa69b5f

SHA512
23d3296a121b1bada2869b66c024e0f2e9d32a57657d08b5ec78d56cf89a4cf91459eb2e3984d4501939126aa780e837465bbeaaf0c6c168c5f443b02c4eae96

Download Submit
C:\Windows\SysWOW64\Cddaphkn.exe

Filesize
224KB

MD5
0ffa09f79a1605187ee71933d88f7c90

SHA1
8cfd3046e00867c8dbe4398e8415b54c487a8cf3

SHA256
a906e0cf5ad8f99c5ffeaba66b31c9536a140648aa1d74e52976c43658d09d92

SHA512
12e6cf1a2ca2e38b2f40b0fe497701fffe15953aa561f24c34020cc98d65c113b95814e8726fc13f7295b5d8e51478b94b9fbcade65045d1c44eba874c53453f

Download Submit
C:\Windows\SysWOW64\Cnkicn32.exe

Filesize
224KB

MD5
204e570f3b8d9c13a6a3b8bc9ab6142a

SHA1
2d007de2073fd0313dcb90b20cd612d2ce01ed63

SHA256
ffbda77f993047ff56064a5cb2d659586eb9310d732347c17fe45fa8abf39124

SHA512
bb321691a076bf28c2d1744e4b23f500facc911925f785ae546ca39cf511d2ac98d3a3e93acdbb855f7c005a21399ac3baa8597d99f2558df29c4e93e192b28e

Download Submit
C:\Windows\SysWOW64\Cpkbdiqb.exe

Filesize
224KB

MD5
78050db36d659b4c26f2a3dc2b67c9f9

SHA1
4bca0f02545bda8795a645197a7124784c511cf7

SHA256
929de4a975f34781b6933c23266d7e5bddfa84e099b22fe4d5e1c577f8a50de1

SHA512
e744fde0bc8dcf1def17df79d0a895006840f089f7a6c1995bb71cb970776d0ed9ecb0369836feed21a0cfd17c40e9fa2239fb7f3b66f60efc6c516f4744987c

Download Submit
C:\Windows\SysWOW64\Cppkph32.exe

Filesize
224KB

MD5
917405873a5b2cc26c52e03200218a97

SHA1
8b94e4b7f64e9515147de846258f6fe25ec92eea

SHA256
5205f0c41049b013f872d94c58c1aead8e51dc2ce9fe6c9364a0c1259114b95d

SHA512
915147ab82fd612dc2f3a17fa91e16cf73c33bac487e5601110ed607a42da94ef5ebe9fd55a206fe97a6551597beae306fe9bd844acf47cd4a61b312191b20ec

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
224KB

MD5
3c8b93c04a9b7fc8a0a30a2a18da8b0d

SHA1
6903d7c085aecf0ee601cf9f95b126cacc8d6ff9

SHA256
5e11e97e5649790e0765267ebc2f7f98b4c5f05082d05d65efc3b4540f65647f

SHA512
7058e1b466b2482d3993212816103da719fafe1bd95683d0c62ea36dd849b8105cbadbb519772830872439786101e02275e2510e6553c46e2da3d1666ad7c58b

Download Submit
C:\Windows\SysWOW64\Dfdjhndl.exe

Filesize
224KB

MD5
d9cb8aabee6c57c2b78c3f9a3b1aa639

SHA1
27e3091c190c9afe643d3d37e6db84d4cf85f27d

SHA256
87048f1b94e6dc962c93b1a5785e55b51ccfa38f36b123fd5640fa5c4de42792

SHA512
93fd34d0aff8ce8438edf74f0d41b38998fc650b5ce85c8be98d1537fff6c5f8a8c42e3839c897c14cec6560c0d5cf0525b833247b23d52b70a0df31d5da9acc

Download Submit
C:\Windows\SysWOW64\Dhnmij32.exe

Filesize
224KB

MD5
8c0d3c181d116f4e87b935426ba87b62

SHA1
beb12602bc5cd0c749b1fb6ef82d649a9671e659

SHA256
c71c446fc3134b60448027c46453ad3b14149d7938c7e9323924f66c367fe1ab

SHA512
20138934b7719431b1c44c67c387eac4d6d1ed53579f563a0b164a4afe901d75572afb90a086f8c7c7cc3e4f64ed8c73799d28e07c58fd447806b73b761e8e3e

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
224KB

MD5
8e6be47ffe0a546949fd3379c760aa30

SHA1
c7173ec54cb87fe37c9a31ab8174ea71926497d9

SHA256
8d40a1165c9d41708458bb8ff8288280788f254122c3f7b080887f16b04d877e

SHA512
c8e8f1e98ffb314a39336154b00c38ceda19d3cb71d132eb938efd93a2efc4e86fb2fc2756e61466f6990ab8cd7b6803646b49a4e7a8c26f2670d87e2684d2e0

Download Submit
C:\Windows\SysWOW64\Dkcofe32.exe

Filesize
224KB

MD5
a07d331651cdffc8177ac9b399e0e4fb

SHA1
44f25bfdea2de15e91d99507ffba66019b17a88c

SHA256
b83a46464a8603dc7541c1c02fe31401be02dca8ebc6200addb9a569aee03ed8

SHA512
9ff0d32b8cf5f5e4799fd94c4f44093f893b9018186955d2706b2613691d4b38142daff760e3541c94d5bc6b1ffe3c124ca1645c23a224b984eb6b3b5c4c049d

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
224KB

MD5
32b2298df1ff01be3a86ffeca5dbe691

SHA1
c649371fdf2a70c929b6c29b952d76c447c0cfea

SHA256
cbb30f605acf96f076a9de5253cecd836a18c6a1d5dd272d3c2b693ed362843c

SHA512
6ca594c8e466dcb977e4121c46a0a1bbf99170dfc9111dcc6b61d8f80bd67418d6f5cc8dea10037ae34b75df033fb71701e76f458ade36a17b1ea8e5bf8e59c1

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
224KB

MD5
d526e0391bb9daf297299c6e6bb0d801

SHA1
1082a5f45265689bb2c2588d3dde4ea31b79a9ae

SHA256
e45932d7cd3336fffd7ed3b19b74f98a4c82485858f7424032f84bcdbe7adafa

SHA512
dc5a6228df21829c9816d4b010c81d984b95b85b06a63ed60af974113997d41473065988d2310923b5761e647de4fe08e2a7c197369437a4ea1ecb26af0b4e44

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
224KB

MD5
b9ea820437ec0cfb2f2fce2b0e048f9f

SHA1
f906dd05b0d189d59a66664a562d4abb1f80a58c

SHA256
98bf7230393334740087acc3e1c05c4ab3eddd54927ab460dcf026e5a07cf0c8

SHA512
36333610b4eded5a9bc66ab77280851b741c9c644b096416b6da5d48944553f57528612c49a82661220c4cb02901983d84a224412d359320c80f56d2795f570b

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
224KB

MD5
bd66900c516e8be7b9d776f031c61ffe

SHA1
39eaffad4db206fd8eef36e66e66d51965a3ad49

SHA256
8b3593425964fbf18edab194645a5734add45d3de516d6d81b881bad60787aec

SHA512
0eb26412aaefbca45fef93fad5b1f62d5bd24f016315cfefa7f4bed5217511760e8ee580c0652d8ce72158d0cf16a59fc9a3bc709c674408fd6286cfa6a00018

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
224KB

MD5
0859af20ebabe1adce15c9f7b1fd30fa

SHA1
ee61402e98fa9185ef04ad71778278b8ac9d280a

SHA256
4a4feeb6771231becd2c327b25001e98615650b5ddb2d272a57d84e44137063e

SHA512
0ef97646ad6d4237da34403dc733447c094bf8c1c85f439f4d55555b22418135baf4b6c6c15ac0846d9886b8265382f8c2e063a518910fa3baf0304800033e62

Download Submit
C:\Windows\SysWOW64\Eqdajkkb.exe

Filesize
224KB

MD5
307158912287fdb1df1857afb06a13da

SHA1
7f84848dc49ea92763324068eafdf540b54f12ca

SHA256
be74dd50e94c827736023007becc77f557f79586cce6906f73160440a3989da0

SHA512
579e844a384212f1712991d3ad10980996ac0a4b01ef080c49a26ab0977b6462d9208143df0d50eccb1754ebcc6d4df78fe8b5228c4a4af1289a4ac9f532b9c2

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
224KB

MD5
a2f4861109a85853e6723ef91695fa61

SHA1
ba63f1cb8366410253283491e545c25b52dece79

SHA256
dba7c44a3a21dc42a4ba63823c30d3cf43a1f4935f4610b1357972d459809bc3

SHA512
afd7e827a0d9a4072b45ea4a91a0a224cc31a69393ecd02e0c5a72ea60980c8516d787e0fc99743872e551f1e868dc7ec8b941873dc0a6cce11264ee385d820f

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
224KB

MD5
a074deb1d95136469422bb3ecc764b21

SHA1
6ade8c23033742935ed671b72db91796411bfe15

SHA256
5ce3ef298d42473ea25092b7afc5e63ccc02bd76b2d9410047ec38e1f9af2170

SHA512
31955cde7da7f01dbca32771adaa13806a5e8501ebff87a556225a19337457abf9f3de92abc14a30e293c1acc13b10a0336483e1228e2cc14604f08d105ff145

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
224KB

MD5
17294f2cc77dfa959323784b05656770

SHA1
b2d6c2dce5cda220598ec63cdadfeacdb03a4c36

SHA256
71e8c23ccc261e5f4402234387e41a87117b3aa80454c14a04d522db3b98b022

SHA512
6bb41196c32b96d7245017fc8f4faa687fe6f743e076456e2248dab1d584db129690d84f8b12a5328ea20ca53a8447bb45aaeaaa6d67724e684654b8246f13db

Download Submit
C:\Windows\SysWOW64\Odobjg32.exe

Filesize
224KB

MD5
df18151ca9781af51c365537a650bae3

SHA1
72686c5a3ae4715a97497765ca769014faf8a2c1

SHA256
5df2743070cb6079c556678d07ee7c1818a7499b6df70fa434691e2a9bb3635f

SHA512
56d527e3603493a0352ee3ccb5ea961a3f2d74fefb79dc7e00b010fe2fbcec050176af79e3311bf242a5f44926524458f81f762123364698869d809ae8e50fa2

Download Submit
C:\Windows\SysWOW64\Ojcecjee.exe

Filesize
224KB

MD5
a7cb5e0b53d9491133793c2ab5a35b90

SHA1
9a95dcb66a564d8724b33e3f44a6e987021306d5

SHA256
7337207fffc20a68171236570a66152eb974b1d48260802e93eb4bbd1f5ff463

SHA512
ebac685ba660f79fe9f4e67e22a021e750750f223bf4a8e741572d2e59333ff205c6583d56fbaea7d6f6d39bb0224f228ed4b43f79a429f1ee4354e712d4a0bf

Download Submit
C:\Windows\SysWOW64\Oobjaqaj.exe

Filesize
224KB

MD5
7271e4b20f2735fa5d7f65baa06fcf23

SHA1
bab089097f80b463b4de198119ebe8d1bb78d463

SHA256
014e94a63d4a7ffdbd65b66f7c250e64c5431435b6d06ad41b117aa0bf289bc2

SHA512
b72d8a176cbe56184b1431673b81d61f306462c9bd045542863e6dd53481b57e48be456c68454c3b19030c63148a58e091035b047905a7ec51c73594a7fb6116

Download Submit
C:\Windows\SysWOW64\Pcnbablo.exe

Filesize
224KB

MD5
69760913b1861203c05b3e1c42bb6a5a

SHA1
548f8cae2229e500d23632fdc1504378e422d35d

SHA256
22362baa15b23376627b6aeeea2389896b347eff20a04cc62b884dae5ad1ff19

SHA512
4d84e80eb4199b9cdd517c478efc6fb5c49da08b94236b12b8288d48339eebb2934a3e6675411fed72b6d7307f2e1ba124056ef637b195dac0f77495aad3cc84

Download Submit
C:\Windows\SysWOW64\Pedleg32.exe

Filesize
224KB

MD5
2304f9cb3df09bdb3ca08dec73fe842d

SHA1
3a6c49e99afb2b081863aeef16bcf6d4200f4f32

SHA256
00fd15620eb5403cd781460a772ff397d598edc4f26b6c4f030ad43b94d7f2d8

SHA512
b3433ebb3d5fd3b5556f9b688208cf54026fb5cebf40b7e257bbab1b88dc6d16e4d55c7282246c29043a3bb45dcc9efe4a5e3ec57889bf1f6ede9ddfea141c49

Download Submit
\Windows\SysWOW64\Abmbhn32.exe

Filesize
224KB

MD5
597a06ef23a0ae2842bbeb599c0be2b2

SHA1
001be9ee52db7512c7798ca366d5c9e7f7ab2d86

SHA256
23ced4678183534924606c22899df8ebc4dde8356c0f53549e94860f4da36995

SHA512
e4a0a5398e5ceff163a67ebb448f9d5b7a81eee9c6e4ce60c8766ac8c064a5762f786d55b88e23753b5c12d7486cf8289655e0b56fc3ce85995881a481fa36ad

Download Submit
\Windows\SysWOW64\Aehboi32.exe

Filesize
224KB

MD5
d6edc9336851d9eff5e55ef76dd89048

SHA1
bfa3e440f492fca85c1fb6dc3dd7dc9537806cfe

SHA256
66f9a98399f6ae0ceefbce47119f55c629fab2c43e896d40d4489c192184a78b

SHA512
8ed6a618c4578c031ff9c9dcca27aa70a3cab68c87f28e8f991a758fe5e4448c77a099e936e67b64a3c6f13822ca5e9b5fd6697c2d5849fe321a86357493d152

Download Submit
\Windows\SysWOW64\Obcccl32.exe

Filesize
224KB

MD5
f6b1326d741c3b1a8fe3de5b294ff81b

SHA1
7668d495e491e6a301c8dcefe1638c00539d4e4c

SHA256
4c8179a1878588611f6af464e3ba98ffdfd5f14ad9e7c0d5c66a5239cb991e13

SHA512
03303ea99ce559b694d71cb78726e39e2bc06b8ec622428a6adb3cf60c6c4c5b593779b5d8e2ef4483ee965171f43c84422af1936bb60fa4b745d2be62194d64

Download Submit
\Windows\SysWOW64\Onmdoioa.exe

Filesize
224KB

MD5
9b6518662f89b25b40e6a7fbba002bc5

SHA1
6ba465e460c0823046e7003e2df8c9ff7c766744

SHA256
415811a75ad21372f2e92b1c6383df1701ff604eeab9be471a2a33576996f572

SHA512
bcc16234351e5589a0ff2fe27d74f5945a52e9184f2a69b6d726a3bd3bed15bd6593bd64b2f8fcdecda6fd06c2979da6524be40cdd918291245d1b672538a375

Download Submit
\Windows\SysWOW64\Pggbla32.exe

Filesize
224KB

MD5
2915b54d9c661ceaa27d75c314646595

SHA1
4f1e20f616c65808843cdc9bef30f64a5ffe63e3

SHA256
a9e546f6f02839b3a941606397ea7b9f5466c0f4271339f2152ef5f5df02970f

SHA512
33232ff699155889121826cdf26a2e87515a8d94025e4ade57edfd7f62798ab66c3b2b978b39df87609c25202645b4694156978ddc0121cd0cdb8acc6486b5e8

Download Submit
\Windows\SysWOW64\Pkpagq32.exe

Filesize
224KB

MD5
bccb0ed2118c5db64db83bf2f8a87bdd

SHA1
4c84e63969fd5dec5c209c4c4c2532853220d655

SHA256
91605f27e32d7cee135413768e6daa1ebab57bb41b90aaa12838f82f66b4fb38

SHA512
014474633f8de83249cd8cee7d71193265f10cde8fb7113bfb3a77a5461e8f1267c7c2269a7145843a49dbe272ec9481b75170da81c9ae97c99b79f7522c576f

Download Submit
\Windows\SysWOW64\Qcpofbjl.exe

Filesize
224KB

MD5
f0db52911b7b3482afa3bdd68439aaf8

SHA1
420b339d6824a392aa4c3558e98e948762ee5bf6

SHA256
68809e86496223df093ca6c9a6975346ffa1b8f9b4fcd56eaa49213ab7340f3a

SHA512
d0209bd3546e67a1c7c0011b264ae2705b56fcc1876d4d90ff36ff4e7377f7f0cc93c34e6469b00cca5d9da421c07e23f8079f56d4bf77dc5e8364411f49dd97

Download Submit
\Windows\SysWOW64\Qedhdjnh.exe

Filesize
224KB

MD5
405dc6d565f03039b113fbeb5d01d226

SHA1
294fb5e90a434dd1c22feba500c5dd7af5816016

SHA256
fe2deaeb2ca2ac4c389c481ab01e10cb5e6fa2617ba6fdf9c794cac98728b092

SHA512
3b42496b5b219bac91aac7a90fac0cb4580e0d98a5239cdc30ad2d9aa0372eeda529efeef87da0c2ae8aa4f3280e53caeb569ff050f065bb867d364039c28fc3

Download Submit
memory/320-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/568-302-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/568-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/592-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1192-217-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1256-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1256-280-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/1256-279-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/1360-197-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1360-195-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1444-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-351-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1656-329-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1656-318-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-334-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1728-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-27-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1756-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1756-283-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1756-293-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1820-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1820-273-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1904-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1904-125-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1904-127-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1944-147-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1944-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1996-13-0x0000000000480000-0x00000000004B9000-memory.dmp

Filesize
228KB

Download
memory/1996-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1996-6-0x0000000000480000-0x00000000004B9000-memory.dmp

Filesize
228KB

Download
memory/2164-345-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-346-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/2164-343-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/2168-307-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2168-308-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2168-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2240-366-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2240-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2276-324-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2276-323-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2276-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2376-246-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2472-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-386-0x00000000003C0000-0x00000000003F9000-memory.dmp

Filesize
228KB

Download
memory/2676-387-0x00000000003C0000-0x00000000003F9000-memory.dmp

Filesize
228KB

Download
memory/2768-163-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-175-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2780-81-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2780-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-223-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2804-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-46-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2952-33-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-374-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2996-371-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2996-361-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-234-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads